Privacy Policy

C3 Pay App

1. About this privacy policy

This privacy policy applies to the personal data processing of current customers.

2. Data controller

Edenred Prepaid Cards Management Service LLC (“Edenred UAE”) is a prepaid cards management Services provider, offering its service to Corporate Clients across the UAE to process salary for their employees in compliance with the WPS regulations. Edenred UAE, whose head office is located at Floor 43, Single Business Tower, Business Bay, Dubai (UAE), is the data controller of your personal data processed for the purpose(s) defined hereafter.

3. Origin of the data

We process the personal data that you provide directly to us when you contact us, fill out our forms, sign a contract with us, and/or visit our website.

4. Purposes of the processing

Your personal data is processed by Edenred UAE for the purposes of:

• Edenred’s AML/CFT, Sanction and Customer Due Diligence Policy
• Satisfaction of Edenred’s Compliance Review process.
• Compliance with Regulatory, such as AML regulations, or Contractual Obligations
• Communications from Edenred regarding purchases, changes to our Privacy Policy and/or Terms and Conditions.
• Internal administrative and accounting, auditing, data analysis, analytics, marketing and research purposes.
• Data storage of users’ preference
• User account management as well as user support

5. Categories of personal data concerned

Personal Details such as:

• Personal details and civil status (First name, last name, birth date, nationality, gender)
• Identification details (Passport Number and Expiry Date, Passport Copy, Emirates Identity Card Number and Expiry Date, Emirates Identity Card Copy, Selfie verification)
• Address details (an Identity Card with Proof of Address, or documents such as Title Deeds, Rental Agreement or Water and Electricity bills)
• Contact details (Mobile phone, email address)
• Financial details (WPS Person ID, WPS Establishment, Balance)

6. Legal basis of the processing

Those personal data processing activities are respectively legally grounded on:

• UAE Cabinet resolution Decision No. 58 of 2020 regulating Beneficial Owner Procedures
• UAE Cabinet resolution Decision No. 10 of 2019 on the implementation of decree law 20 of 2018 on Anti- Money Laundering and Combating the Financing of Terrorism and Illegal Organisations
• UAE Cabinet resolution Decision No.74 of 2020 on the implementation of the Targeted Financial Sanctions of the UNSC
• Ministerial Resolution No. 598 of 2022 on exception Regarding Wages Protection System
• Administrative Decision No. 23 of 2022

7. Mandatory fields

The fields that are marked with an Asterix (*) are mandatory. Therefore, if you do not provide the information requested, we won’t be able to manage your request.

8. Recipients of the personal data

Your personal data will be accessible to the authorized personnel of Edenred UAE each of them with dedicated access rights according to their scope of work.

Your personal data will not be disclosed to third parties except, as necessary. along with their own subcontractors, which are expressly authorized by Edenred UAE for the performance of the service provider.

Moreover, your personal data may be disclosed to the following recipients:

• Public Administration, Law enforcement agencies, Courts, and/or Tribunals as required by law or to defend against claims.
• Accounting audit companies for compliance with our legal obligations in matters of accounting.
• Service providers that need access to your data in order to provide the services that we have contracted to them. The required confidentiality and data processing contracts are signed between these providers and us in order to protect your privacy.
• Other third parties and their advisors in the context of any structural modification operation of our company, or the contribution or transfer of any business or branch of business, as well as transmitting the same to said third party in the case of execution of the operation. Said data disclosure will be carried out on the basis of our legitimate interest consisting in the correct governance of the same.

9. Transfer of the personal data

Edenred UAE ensures that your personal data collected for the previously stated purposes will not be transferred outside the UAE in the absence of the following:

• The country to which the Personal Data is being transferred to has adequate controls, laws, provisions, rules and measures to ensure the privacy and confidentiality of said Data, including your individual rights. (Personal Data Protection Law)
• Transfer of data must be in compliance with the conditions stated in the Federal Decree law 45 of 2021 on personal data protection – Article. 23 about cross-border and sharing of personal data for processing purposes In absence of an adequate level of protection.
• The UAE has a bilateral or multilateral Agreement with regards to Data Protection. (Personal Data Protection Law)

10. Retention of the personal data

Your personal data is retained by Edenred UAE for “at least 5 years” the time that is necessary for the realization of the processing purposes. Following this event, your data will be sorted out and the remaining data will only be retained for legal purposes, such as for compliance, in accordance with the local laws and regulations,

11. Biometric Data (Facial Verification) Policy

11.1 Collection and Purpose of Biometric Data

The Application collects two distinct categories of facial images (“Selfies”) for identity-verification and security purposes:

1. Onboarding Selfie: Collected during account registration and used to establish a reference biometric template for identity verification.
2. Login Verification Selfie: Collected when the user attempts to access the Application from a new or unrecognized device. This Selfie is used to verify the user’s identity by comparing it against the Onboarding Selfie.

Both types of Selfies are used exclusively for security, authentication, and fraud-prevention purposes.

11.2 Use of Third-Party Biometric Processing Services

The Application utilizes a third-party biometric-matching provider operating strictly as a data processor.

This provider processes Selfies in real time for identity verification and is contractually prohibited from storing, retaining, or reusing biometric data.

No biometric data is shared with any additional third parties.

11.3 Retention of Biometric Data

11.3.1 Onboarding Selfie

The Onboarding Selfie is retained only while the user’s account remains active. It is permanently deleted when:

• The user requests account deletion via Profile -> Delete Account, or
• The account becomes inactive pursuant to our operational and business-continuity policies, or
• The account is terminated for any lawful reason.

Upon account deletion or closure, the Onboarding Selfie is irreversibly removed from our systems.

11.3.2 Login Verification Selfie

A Login Verification Selfie captured during a sign-in from a new or unrecognized device is temporarily stored for a maximum of fourteen (14) days.

Purpose of fourteen-day retention: This limited retention period enables our fraud-prevention and security teams to investigate suspected fraudulent activity, verify the legitimacy of a login attempt, and review the biometric comparison in cases of dispute or security alerts.

After the 14 day period expires—and regardless of the outcome of the verification—the Login Verification Selfie is automatically and permanently deleted.

11.4 Non-Retention of Additional Biometric Data

• No additional face data or biometric identifiers are created, stored, or retained.
• Real-time comparison data generated during the matching process is not retained.
• No Selfies are reused for any purpose other than identity verification.

11.5 Disclosure of Biometric Data to Third Parties

We do not sell, rent, disclose, or share biometric data with any third parties except the third-party processor that performs automated facial comparison on our behalf.

This processor acts solely under our instructions and is prohibited from storing, retaining, disclosing, or using biometric data for any purpose other than performing the requested comparison.

12. Updates to this privacy policy

We may update this Privacy Policy from time to time and will notify you of said changes and updates as required by the data protection legislation.

13. Exercise of rights for data subject

In accordance with the applicable regulation, you are entitled to access to, rectify but also erase your data (unless your personal data is necessary to comply with a legal obligation). Under certain circumstances and the conditions set forth in the applicable law, you also have a right to object to and to obtain restriction of the data processing activity, to withdraw your consent where the processing of your personal data is based on your consent, and a right to data portability.

You can exercise your rights, enclosing proof of identity where required, by sending an email to or by writing to Edenred UAE – P.O. Box 34920, Dubai (UAE)

For any other type of requests or complaints, you can contact the Data Protection Correspondent by sending an email to eae.dpo@edenred.com

If you want to exercise your rights, please click here.