Privacy Policy
How MonamiPay collects, uses and protects your personal data.
1. Who We Are
MonamiPay Limited ("MonamiPay", "we", "us", "our") is a company registered in England and Wales (company number: 14156299). Our registered office is at [REGISTERED ADDRESS]. MonamiPay operates a mobile-first remittance platform enabling customers to send money internationally.
MonamiPay is registered with the Information Commissioner's Office (ICO) as a data controller under registration number [INSERT]. We are committed to protecting your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
For any questions about this Privacy Policy or how we handle your personal data, please contact us at: privacy@monamipay.com
2. What Personal Data We Collect
2.1 Data You Provide Directly
| Data Category | Examples | When Collected |
|---|---|---|
| Identity data | Full legal name; date of birth; nationality; country of birth | Registration; KYC verification |
| Contact data | Email address; UK mobile number; residential address | Registration; address verification |
| Identity document data | Passport or national ID number; document expiry date; document images | KYC verification |
| Biometric data | Facial image (selfie); liveness check data | KYC biometric verification — Sumsub platform |
| Financial data | Bank account details (for sending); transfer amount; transfer history | When making a transfer |
| Source of funds | Employment details; income source; purpose of transfer | EDD (enhanced due diligence) cases |
| Recipient data | Recipient name; recipient bank account number; recipient bank name; recipient country | When adding a recipient |
| Communication data | Messages sent to customer support; WhatsApp messages; email correspondence | Customer support interactions |
| Waitlist data | Email address; name (if provided) | Joining the pre-launch waitlist |
2.2 Data Collected Automatically
| Data Category | Examples | Purpose |
|---|---|---|
| Device data | Device type; operating system; app version; device identifier | Fraud prevention (SEON); security |
| Usage data | Pages visited; features used; transfer flow interactions | Service improvement; analytics |
| Technical data | IP address; browser type; time zone | Fraud prevention; security monitoring |
| Location data | Country of access (derived from IP) | Compliance screening; fraud prevention |
| Cookies and similar technologies | Session cookies; analytics cookies | See Cookie Policy section below |
3. Lawful Basis for Processing
| Processing Activity | Lawful Basis | Relevant Law |
|---|---|---|
| Identity verification (KYC) | Legal obligation — we are required by the Money Laundering Regulations 2017 to verify your identity | MLR 2017; UK GDPR Art. 6(1)(c) |
| Processing your money transfer | Contract performance — necessary to provide the service you have requested | UK GDPR Art. 6(1)(b) |
| AML/sanctions screening | Legal obligation — required by MLR 2017; FCA requirements | MLR 2017; UK GDPR Art. 6(1)(c) |
| Transaction monitoring | Legal obligation and legitimate interests — detecting and preventing financial crime | MLR 2017; UK GDPR Art. 6(1)(c) and (f) |
| Fraud prevention (SEON) | Legitimate interests — protecting customers and MonamiPay from fraud and financial crime | UK GDPR Art. 6(1)(f) |
| Customer support | Contract performance — necessary to respond to your requests | UK GDPR Art. 6(1)(b) |
| Marketing communications (where opted in) | Consent | UK GDPR Art. 6(1)(a) |
| Analytics and service improvement | Legitimate interests — improving our product and customer experience | UK GDPR Art. 6(1)(f) |
| Biometric processing (liveness check) | Explicit consent — you consent when completing the liveness check in the app | UK GDPR Art. 9(2)(a) |
4. How We Use Your Personal Data
We use your personal data for the following purposes:
- Verifying your identity and eligibility to use our services
- Processing your money transfer instructions
- Complying with our legal obligations under the Money Laundering Regulations 2017, FCA requirements, and HMRC MSB obligations
- Screening your identity, transactions, and recipients against sanctions lists, PEP databases, and adverse media sources
- Detecting, preventing, and investigating fraud and financial crime
- Providing customer support
- Sending you service notifications about your transfers (SMS, email, push notification)
- Sending you marketing communications about MonamiPay products and services (where you have consented or where permitted under UK PECR)
- Improving and developing our platform and services
- Complying with legal and regulatory requirements and responding to requests from regulators
5. Sharing Your Personal Data
5.1 Sub-Processors and Service Providers
We share your personal data with the following categories of third-party service providers who process data on our behalf under Data Processing Agreements (DPAs):
| Service Provider | Purpose | Location |
|---|---|---|
| Sumsub | Identity verification (KYC): document AI verification; biometric liveness; risk scoring | EU / Global — SCCs in place |
| ComplyAdvantage | AML/sanctions screening; PEP and adverse media checks; transaction monitoring | UK/EU — UK GDPR compliant |
| SEON Technologies | Fraud prevention: device intelligence; velocity rules; fraud scoring | EU — UK GDPR compliant |
| Currencycloud (Visa) | Payment infrastructure: GBP collections; FX conversion; SWIFT payments | UK — FCA authorised |
| Amazon Web Services (AWS) | Cloud infrastructure: data hosting, storage, processing (eu-west-2, London) | UK — ISO 27001; UK GDPR compliant |
| Twilio | SMS notifications for transfer status updates | US — SCCs and UK addendum in place |
| SendGrid (Twilio) | Email notifications for transfer status and account communications | US — SCCs and UK addendum in place |
| Intercom/Zendesk | Customer support platform — in-app chat and support ticket management | US — SCCs and UK addendum in place |
5.2 Other Sharing
- Nigeria payout partner (CBN-licensed): recipient bank account details and transfer instruction are shared with our payout partner to deliver funds to your recipient
- Regulatory authorities: we may share data with the FCA, HMRC, the National Crime Agency (NCA — for Suspicious Activity Reports), or other regulators where required by law
- Law enforcement: we will share data with law enforcement agencies where required by a valid court order or legal obligation
- Business transfers: if MonamiPay is acquired, merged, or undergoes a restructuring, your data may be transferred to the successor entity
We do not sell your personal data to third parties for marketing purposes.
6. International Transfers
Some of our service providers are located outside the UK. Where we transfer your personal data outside the UK, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the ICO — for transfers to countries without an adequacy decision
- The UK International Data Transfer Agreement (IDTA) — for transfers to the US and other non-adequate countries
- Adequacy decisions — where the UK has recognised the recipient country as providing adequate protection
A full list of safeguards for each international transfer is available on request from privacy@monamipay.com
7. Data Retention
| Data Category | Retention Period | Legal Basis for Retention |
|---|---|---|
| KYC / identity verification records | 5 years from the date our business relationship ends | MLR 2017 Regulation 40 |
| Transaction records | 5 years from the date of the transaction | MLR 2017 Regulation 40 |
| SAR-related records | 5 years from the date of the report | MLR 2017 Regulation 40; POCA 2002 |
| Customer support communications | 3 years from the last interaction | Legitimate interests; contract |
| Marketing consent records | Until consent is withdrawn + 1 year | UK GDPR Art. 7; ICO guidance |
| Fraud prevention data | Up to 6 years where fraud is suspected | Legitimate interests; legal claims |
| Waitlist data | Until the service launches or you unsubscribe, whichever is sooner | Consent |
| Technical/log data (analytics) | Up to 2 years | Legitimate interests |
Where we are legally required to retain data (particularly under the Money Laundering Regulations 2017), we cannot delete it earlier even if you request erasure.
8. Your Rights
Under UK GDPR you have the following rights. To exercise any of these rights, contact us at privacy@monamipay.com. We will respond within 30 days.
| Right | What It Means | Limitations |
|---|---|---|
| Access (Art. 15) | Request a copy of all personal data we hold about you (Subject Access Request / DSAR) | We may redact third-party data |
| Rectification (Art. 16) | Request correction of inaccurate or incomplete data | — |
| Erasure (Art. 17) | Request deletion of your personal data ('right to be forgotten') | Cannot apply where we have a legal obligation to retain (e.g. MLR 2017 — 5-year retention) |
| Restriction (Art. 18) | Request that we restrict processing while a dispute is resolved | — |
| Portability (Art. 20) | Request your data in a structured, machine-readable format | Applies to data processed by automated means under consent or contract |
| Object (Art. 21) | Object to processing based on legitimate interests | We can override if we have compelling legitimate grounds |
| Withdraw consent | Withdraw consent at any time where processing is based on consent | Does not affect lawfulness of prior processing |
| Lodge a complaint | Complain to the ICO (ico.org.uk) if you believe we have breached UK GDPR | ICO helpline: 0303 123 1113 |
9. Automated Decision-Making
MonamiPay uses automated processing for the following purposes:
- KYC risk scoring (Sumsub): your identity documents and biometric data are assessed automatically to determine a risk score. Low-risk applicants are approved automatically. Medium and high-risk cases are reviewed by our MLRO.
- Sanctions screening (ComplyAdvantage): your name and date of birth are automatically screened against sanctions lists. Any match is reviewed by our MLRO before a decision is made.
- Fraud scoring (SEON): your device and digital footprint are automatically scored for fraud risk. High-risk scores are reviewed by our compliance team before a decision is made.
No purely automated decision that produces a legal or similarly significant effect on you is made without human review. Our MLRO reviews all cases escalated by automated systems. If you wish to contest an automated decision or request human review, contact us at privacy@monamipay.com
10. Cookies
Our website (monamipay.com) uses the following types of cookies:
| Cookie Type | Purpose | Legal Basis |
|---|---|---|
| Strictly necessary | Essential for the website to function (e.g. session management; security) | No consent required — necessary for service |
| Analytics | Understanding how visitors use the website (e.g. Google Analytics — anonymised) | Consent — you can opt out via our cookie banner |
| Marketing | Tracking effectiveness of paid advertising (e.g. Meta Pixel, Google Ads) | Consent — you can opt out via our cookie banner |
You can manage your cookie preferences at any time via the cookie settings link in our website footer. See our full Cookie Policy for the full details. Withdrawing consent for non-essential cookies will not affect your ability to use the website.
11. Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- AES-256 encryption for all personal data stored on our systems
- TLS 1.3 encryption for all data transmitted between your device and our platform
- Multi-factor authentication (MFA) for all staff accounts
- Role-based access control — staff can only access data necessary for their role
- Annual penetration testing by CREST-accredited external security firms
- Continuous security monitoring via Datadog
If you believe your account has been compromised or you have discovered a security vulnerability, please contact us immediately at security@monamipay.com
12. Children's Privacy
MonamiPay's services are not intended for and should not be used by anyone under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us at privacy@monamipay.com and we will delete it promptly.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (if you have an account with us) and by updating the 'Last reviewed' date at the top of this page. We encourage you to review this policy periodically.
14. Contact Us
| Contact | Detail |
|---|---|
| Data Controller | MonamiPay Limited |
| Registered address | [INSERT REGISTERED ADDRESS] |
| Data protection enquiries | privacy@monamipay.com |
| Security concerns | security@monamipay.com |
| ICO Registration | [INSERT ICO NUMBER] |
| ICO (supervisory authority) | ico.org.uk | 0303 123 1113 |