
Monica Privacy Policy

How Monica Technologies Limited collects, uses, discloses and protects your personal data under the Nigeria Data Protection Act 2023.

Last updated: 29 May 2026 · Effective date: 29 May 2026

Plain-English summary. Monica Technologies Limited collects only the personal data needed to verify your identity, move money safely between your crypto wallet and your Nigerian bank account, comply with Nigerian law and protect against fraud and financial crime. We do not sell your personal data. You have the rights set out in the Nigeria Data Protection Act 2023, and you can reach our Data Protection Officer at [email protected].

1. About this Policy

This Privacy Policy (the "Policy") explains how Monica Technologies Limited ("Monica", "we", "us", "our") collects, uses, discloses, retains and protects personal data when you use the Monica mobile application, the website at monica.cash and all related services (the "Services"). It is published in compliance with the Nigeria Data Protection Act 2023 (NDPA) and the Nigeria Data Protection Regulation 2019 (NDPR), and it sits alongside our Terms of Service, our AML/CFT Policy and our Compliance Statement.

2. Who we are (Data Controller)

Monica Technologies Limited, a private limited company incorporated under the laws of the Federal Republic of Nigeria with its registered office in Lagos State, is the data controller of personal data processed in connection with the Services. Where we engage vendors to process data on our behalf (for example, KYC verification providers, cloud hosting providers, custody partners), those vendors act as data processors under written contracts that meet the requirements of section 29 of the NDPA.

3. Scope

This Policy applies to:

  • visitors to the Monica website;
  • users of the Monica mobile application (iOS and Android);
  • customers and prospective customers who interact with us by email, in-app chat, social channels, telephone or post;
  • individuals whose personal data we process for fraud prevention, AML/CFT and regulatory reporting purposes.

The Policy does not apply to third-party services that link to or from Monica (for example, your wallet provider, the Google Play Store, the Apple App Store, your bank or any external website you reach through a link). Those services have their own privacy notices, which we encourage you to read.

4. Personal data we collect

We collect only the personal data needed to deliver the Services, comply with Applicable Law and prevent financial crime. The categories are:

  • Identity data: the verified name returned by NIBSS for the Nigerian bank account you register with Monica (Verification Tier 1) and, where you upgrade to Verification Tier 2, your National Identification Number (NIN) together with the biographical data returned by NIMC (legal name, date of birth, and the address on the NIN record).
  • Contact data: residential address, email address, mobile number and emergency contact (where you choose to provide one).
  • Financial data: the Nigerian bank account details (bank name, account number, account name as verified by NIBSS name enquiry) you wish to receive Naira into.
  • Transaction data: details of every Order, deposit address, onchain transaction hash, value, asset, network, counterparties (where available), date and time, NIBSS settlement reference and outcome.
  • Wallet and blockchain data: deposit addresses we generate for you, sending addresses observed on incoming transfers, and onchain analytics signals relevant to AML/CFT risk scoring.
  • Device and technical data: IP address, device identifier, device model and operating system, app version, language, time zone, crash logs, diagnostic data and security-event logs.
  • Location data: approximate geolocation derived from your IP address. We do not collect precise GPS location.
  • Communications data: the content of messages you send us through in-app chat, email, WhatsApp or social channels; call recordings where you contact us by telephone (we will tell you when calls are recorded).
  • Marketing preferences: your choices about marketing emails and push notifications.
  • Survey and research data: responses you choose to give to optional surveys or research.

We do not knowingly collect special categories of personal data. In particular, we do not request information about race, religion, political opinions, trade-union membership, health, sex life or sexual orientation, except where you volunteer it in an unsolicited message to us.

5. How we collect your personal data

  • Directly from you: when you create an Account, complete KYC, submit an Order, contact our support team, or interact with the Services.
  • Automatically: through our app and website (device and technical data, transaction and behavioural data, cookies and similar technologies).
  • From trusted third parties: from NIBSS (Nigerian bank account name-enquiry at Verification Tier 1), NIMC (NIN verification at Verification Tier 2), our blockchain analytics vendor (sanctions and risk signals attached to a sending address), sanctions and PEP data providers, our card-issuing partner (for virtual dollar card holders) and our cloud and security infrastructure providers (security logs, threat intelligence).
  • From public sources: very occasionally from public registers (such as the Corporate Affairs Commission) or public sanctions lists.

6. Why we use your data and our lawful bases

We process your personal data on the lawful bases set out in section 25 of the NDPA as summarised below.

| Purpose | Lawful basis |
| --- | --- |
| Open and operate your Account, accept deposits, convert crypto to Naira, settle to your bank account and provide customer support. | Performance of the contract with you (section 25(1)(b) NDPA). |
| Verify your identity, screen against sanctions, PEP and adverse-media lists, run onchain risk checks, monitor transactions, file Suspicious Transaction Reports with the NFIU, retain records, and respond to lawful information requests. | Compliance with a legal obligation (section 25(1)(c) NDPA) under the Money Laundering (Prevention and Prohibition) Act 2022, Terrorism (Prevention and Prohibition) Act 2022, ISA 2025, SEC VASP framework, NFIU regulations and the Nigeria Sanctions Act 2022. |
| Secure the Services, prevent fraud, detect abuse, investigate incidents and protect Monica, our customers and the wider financial system. | Our legitimate interests in protecting our business and our customers (section 25(1)(f) NDPA), having balanced those interests against your rights and freedoms. |
| Improve the Services, conduct internal analytics, perform research and develop new features. | Legitimate interests in operating and improving the Services. Where required, we will rely on your consent. |
| Send you marketing communications about the Services and related products. | Your consent, which you may withdraw at any time without affecting prior processing. |
| Defend or enforce legal claims and respond to disputes. | Legitimate interests in protecting and defending our legal rights. |

7. Who we share your data with

We share personal data only where necessary and only with parties that are bound by appropriate legal and contractual safeguards. Recipients include:

  • Identity verification providers: for NIBSS name-enquiry at Verification Tier 1 and for NIN verification with NIMC at Verification Tier 2;
  • NIBSS, your bank and the receiving bank: to settle Naira via instant transfer and confirm account ownership;
  • Custody and settlement partners: for the safekeeping of cryptocurrency awaiting conversion;
  • Blockchain analytics providers: to screen incoming wallet addresses against AML/CFT risk signals;
  • Sanctions, PEP and adverse-media data providers;
  • Card issuing and scheme partners: for the virtual dollar card service, where you elect to use it;
  • Cloud hosting, security and engineering platforms: for the operation, security and monitoring of the Services;
  • Professional advisers: legal counsel, auditors, accountants, insurers and consultants, under strict confidentiality obligations;
  • Regulators, courts and law-enforcement authorities: where required to comply with a lawful order, regulatory request, court process or to assert or defend our legal rights, including the Nigerian Financial Intelligence Unit (NFIU), the Economic and Financial Crimes Commission (EFCC), the Nigeria Police Force, the Securities and Exchange Commission (SEC), the Central Bank of Nigeria (CBN), the Nigeria Data Protection Commission (NDPC) and equivalent foreign authorities acting through Mutual Legal Assistance Treaties or recognised channels;
  • A purchaser or successor: if Monica or substantially all of its assets are acquired by a third party, personal data may be transferred as part of the transaction, subject to this Policy.

We do not sell your personal data. We do not share your personal data with advertisers for the purpose of cross-context behavioural advertising.

8. International data transfers

Some of the vendors that support the Services are located outside Nigeria. Where we transfer personal data outside Nigeria we do so only in compliance with sections 41 and 42 of the NDPA, relying on one or more of the lawful transfer mechanisms recognised by the Nigeria Data Protection Commission, including transfers to jurisdictions assessed as providing adequate protection, transfers protected by standard contractual clauses, and transfers necessary for the performance of our contract with you. A list of the categories of overseas recipients is available on request.

9. How long we keep your data

We retain personal data only for as long as we need it for the purposes for which it was collected and to comply with law. Indicative retention periods are:

  • Identity, KYC, transaction and AML/CFT records: for a minimum of five (5) years from the end of the customer relationship or the completion of the relevant transaction, whichever is later, in line with the Money Laundering (Prevention and Prohibition) Act 2022 and NFIU regulations.
  • Tax-relevant records: for at least six (6) years after the end of the relevant tax year, in line with applicable Nigerian tax law.
  • Customer support and complaint correspondence: for up to three (3) years after the matter is closed, or longer if needed to defend a legal claim.
  • Marketing data: until you withdraw your consent or for up to twenty-four (24) months after your last interaction, whichever is sooner.
  • Technical and security logs: for up to twelve (12) months rolling, or longer where retained as evidence of a specific incident.
  • Cookies and similar identifiers: as set out in section 14 below.

Where data is no longer required, we either delete it securely or irreversibly anonymise it so that it can no longer be linked to you.

10. How we protect your data

We apply technical and organisational measures appropriate to the risk, including encryption in transit (TLS 1.2+) and at rest, network segmentation, least-privilege access controls, multi-factor authentication for staff, institutional-grade operations for the majority of Monica's treasury cryptocurrency, continuous monitoring, recurring penetration testing, code review, vendor due diligence, employee background checks, role-based training and a documented incident-response plan. Our internal control framework draws on the principles of ISO 27001 and SOC 2, although Monica does not represent that it currently holds either certification.

11. Your rights under the NDPA

As a data subject, the NDPA gives you the following rights (subject to the conditions and exceptions in the NDPA):

  • Right of access: to confirm whether we process your personal data and obtain a copy together with prescribed information.
  • Right of rectification: to have inaccurate or incomplete personal data corrected or completed.
  • Right of erasure: to have your personal data deleted where one of the grounds in the NDPA applies (and where we are not required by law to retain it).
  • Right to restriction of processing: to have us limit how we use your personal data while a request or dispute is investigated.
  • Right to data portability: to receive personal data you provided to us in a structured, commonly-used, machine-readable format and to have it transmitted to another controller where technically feasible.
  • Right to object: to object to processing carried out on the basis of legitimate interests, and to object to direct marketing at any time.
  • Right to withdraw consent: where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
  • Right not to be subject to a solely automated decision, including profiling, that produces legal or similarly significant effects on you, except as permitted by the NDPA.
  • Right to lodge a complaint with the Nigeria Data Protection Commission (see section 20).

12. How to exercise your rights

To exercise any of the rights above, email [email protected] from the email address registered on your Account. We may ask you to verify your identity before we act on a request, in order to protect your personal data against unauthorised disclosure.

We will respond to your request without undue delay and in any event within thirty (30) days of receipt, in line with the NDPA. Where a request is complex or where we have received a large number of requests, we may extend the response period by up to a further two (2) months, telling you why and when you can expect a response. There is no charge for a reasonable request; we may charge a reasonable fee or refuse the request where it is manifestly unfounded or excessive.

13. Automated decisions and profiling

We use automated systems to support identity verification, sanctions and PEP screening, transaction monitoring and fraud detection. Some of these systems may produce a decision that affects you (for example, an Order is flagged for review or an Account is restricted while an investigation continues). Where the decision could have a legal or similarly significant effect on you and is based solely on automated processing, you have the right to request human review and to contest the decision by contacting [email protected]. We do not use your personal data for automated decisions that determine pricing or for cross-context advertising profiling.

14. Cookies and similar technologies

The website uses cookies, pixels and similar technologies to provide essential functionality, remember your preferences, secure your session, and understand aggregate usage. We classify them as follows:

  • Strictly necessary: required for the site or app to function, including authentication, security tokens, fraud prevention and load-balancing. These are placed without consent because the service cannot function without them.
  • Functional: remember your choices (such as theme, language) to improve the experience. We only set these where you consent.
  • Analytics: help us understand aggregate usage and improve the Services. We only set these where you consent.
  • Marketing: help us measure the effectiveness of our marketing and tailor messages to people who have shown interest. We only set these where you consent.

You can withdraw or change your cookie preferences at any time using the cookie banner or your browser controls. Blocking some cookies may affect how the Services work for you.

15. Marketing communications

We send marketing emails and push notifications only where you have consented, or where you are an existing customer and we are providing information about a similar service and you have not opted out. Every marketing email contains a one-click unsubscribe link; you can also turn off push notifications in your device settings or in the in-app preferences.

16. Children

The Services are not directed at, and we do not knowingly accept users under, the age of eighteen (18) years. If we become aware that we have collected personal data from a child without verifiable parental or guardian consent, we will delete it.

17. Security incidents and breach notification

We maintain a written incident response plan. If we suffer a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Nigeria Data Protection Commission within seventy-two (72) hours of becoming aware of it, in line with the NDPA. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you without undue delay and provide information about the nature of the breach, the likely consequences, the measures we have taken or propose to take, and where you can obtain more information.

18. Data Protection Officer

Monica has appointed a Data Protection Officer in line with section 32 of the NDPA. The DPO is responsible for monitoring our compliance with the NDPA, advising on data protection impact assessments, training staff and acting as the point of contact for data subjects and for the Nigeria Data Protection Commission.

Data Protection Officer
Monica Technologies Limited
[email protected]
Lagos, Nigeria

19. Changes to this Policy

We may update this Policy from time to time. Material changes will be notified through the Services or by email at least seven (7) days before they take effect. The "Last updated" date at the top of the Policy reflects the latest substantive revision. Continued use of the Services after the effective date constitutes acceptance of the updated Policy.

20. Contact and complaints

If you have a question, request or concern about how Monica handles your personal data, please contact our Data Protection Officer at [email protected]. We will use reasonable efforts to resolve your concerns directly.

You also have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC), the supervisory authority for data protection in Nigeria. The NDPC's published contact details and complaint channels are available at ndpc.gov.ng. We would, however, appreciate the opportunity to address your concerns before you approach the NDPC.

Operator: Monica Technologies Limited · Lagos, Nigeria
General support: [email protected]
Data Protection Officer / Compliance / Law-enforcement requests: [email protected]