The legal framework
Built on European law.
nullpay.’s architecture implements what GDPR requires: data minimization by design. French regulation provides a clear path for this model.
GDPR data minimization
Article 25
Data Protection By Design and By Default
Controllers must implement appropriate technical measures to ensure that, by default, only personal data necessary for each specific purpose are processed.
Article 5(1)(c)
Data Minimization
Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Collecting the link between payment and redemption is not necessary for the business purpose. Not collecting it is GDPR compliance, not evasion.
Full text: GDPR (EUR-Lex)
CNIL and payment privacy
The CNIL (France’s data protection authority) published a white paper supporting privacy-preserving payment systems.
White paper — 2021
“Quand la confiance paie”
Explores privacy-preserving approaches to payment systems, including data minimization and tokenization as a privacy-enhancing technology.
Blind signatures in institutional settings
EDPB SPE Expert Report — 2025
An expert report commissioned by the European Data Protection Board concluded that blind signatures are a credible path for the Digital Euro’s token-based offline modality.
EDPB SPE Expert Report — Digital Euro Token-Based Offline Modality
GNU Taler
Funded by EU Horizon Europe. 11 partners, 8 countries. Piloting with real banks (GLS Bank Germany, MagNet Bank Hungary). Core principle: “Income transparent, spending anonymous.”