Privacy policy
Last Updated: July 1, 2025
Effective Date: July 1, 2025
Company: MNVA Operations ("Moneva", "we", "us" or "our")
Introduction
This Privacy Policy explains how we collect, use, disclose, and protect personal information of users ("you") of the Moneva mobile application, website, and related services (collectively, the "Services"). It also outlines your rights regarding your personal data and how you can exercise those rights. We are committed to handling your personal information in a lawful, fair, and transparent manner, in compliance with applicable data protection laws, including the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), where applicable.
By using Moneva's Services, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with this Policy, please do not use the Services.
1. Definitions
For clarity in this Privacy Policy:
- Personal Data: Any information that relates to an identified or identifiable individual. This includes obvious things like your name, email, or phone number, as well as less obvious things like device identifiers or IP addresses if they can be linked to you. If data is truly anonymous (not capable of identifying you), it is not considered Personal Data under most privacy laws.
- Processing: Anything that is done with personal data, such as collecting, storing, using, analyzing, transferring, or deleting that data.
- Data Controller: The entity that determines the purposes and means of processing personal data. For the personal data we collect through Moneva, MNVA Operations is the data controller.
- Data Processor: A party that processes personal data on behalf of a data controller. For example, if we use a cloud provider to host our databases, that provider is a data processor acting on our instructions.
- Services: This refers to the Moneva mobile app, website, and any other products, services, or offerings provided by MNVA Operations that link to this Privacy Policy.
- User/you: The individual using the Services, whose personal data may be collected.
- Consent: Your freely given, specific, informed and unambiguous indication of your wishes by which you, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to you.
If there are any terms in this Privacy Policy you are not familiar with or are specific to certain laws (like "special categories of data" under GDPR), we will explain them in context below.
2. Information We Collect
We collect several categories of information from and about users of our Services. This includes information you provide directly, information automatically collected through technology, and information obtained from third parties.
2.1 Information You Provide to Us
You may provide personal data to us when using Moneva, such as:
- Account Registration Information: When you create a Moneva account, we will ask for basic contact details. This includes your name, email address, and phone number. We may also ask you to create a username or provide other identifiers.
- Identity Verification Data: To comply with KYC/AML regulations, we will collect more detailed information. This may include your date of birth, physical address, nationality, and government-issued identification numbers (like passport or ID card number, driver's license number, or national ID number). We may also collect copies of identification documents (e.g., a photo of your passport or ID) and, in some cases, a photo or video selfie to verify your identity against your ID document. We do not collect sensitive personal data unless necessary – for example, we do not need information on your race, religion, or biometrics except a photo for identity verification (and we treat that carefully).
- Financial Information: If you link a bank account or other payment method to Moneva, we will collect information necessary to facilitate that link – such as your bank account number, routing number, or card numbers (for card linking, though usually handled by partners), as well as any necessary account holder information. Note: We do not store your full bank login credentials; if we use a third-party open banking provider to connect your accounts, they handle the credential and just give us access tokens. If you participate in the card program, we might receive partial card data or references from the issuer (not the full PAN, except maybe last 4 digits for display).
- Transaction Information: When you use the Services to transact (send or receive funds, spend with the card, buy investments, etc.), we collect details of those transactions. This may include: the amount, date and time, the asset or currency, the blockchain addresses or financial account details involved (e.g., the bank account you sent money to), and a description or notes you add. For fiat transactions we might also have reference numbers or sender/recipient names if you provide them.
- Communications: If you contact customer support or otherwise communicate with us (like via email, chat, or phone), we will collect the information you share. This could include the content of your messages, any attachments, and your contact details to respond. We may also record phone calls for training and quality assurance (we will inform you at the start of a call if it's being recorded, where required by law).
- Feedback and Surveys: If you participate in user surveys or provide feedback, we'll collect whatever information you volunteer. This might include insights about how you use Moneva, your general financial habits, or opinions on features.
- Optional Profile Information: In the app, we might allow you to set additional profile info (like a profile picture, username, or other preferences). Providing this info is optional. Any profile picture or display name you set might be visible to others (for example, if we enable peer-to-peer payments and you send someone money, they might see your display name or avatar).
- Referral Information: If you choose to refer a friend to Moneva and we provide a mechanism to do so, you might provide someone else's contact info (like their email) to send them an invite. We would use that data to send the invitation, and not for other purposes unless that person becomes a user.
We will make it clear when personal information is being requested, and whether it's mandatory (for regulatory or contractual reasons) or optional. If you choose not to provide certain information, some features might not be available (for example, if you don't complete KYC, you won't be able to use the fiat-related services).
2.2 Information We Collect Automatically
When you use Moneva, we automatically collect some data about your device and how you interact with our Services. This includes:
- Device Information: We gather info about the device you use to access the Services. This may include details like: device model, operating system and version, unique device identifiers (e.g., UDID, Android ID, or similar), device language, and mobile network information. If you use a web browser, we collect browser type and version. We use this information primarily for compatibility (to ensure the app works well on popular devices/browsers) and security (detecting unusual device usage).
- Usage Data: We track how you use our app or website. This includes the features you tap or click on, the pages or screens you view, the time spent on certain sections, and other interaction details. For example, we might log that you navigated to the "Invest" tab and viewed a particular stock token page. We may also collect clickstream data (the sequence of actions you take). This usage info helps us understand which features are popular or if users encounter difficulties (through things like error events or rage clicks).
- Transaction Logs: Apart from the personal transaction info you provide, we maintain logs of blockchain interactions by the app (like when you send crypto, the app will log the transaction hash and status). We also log API calls our app makes (e.g., calls to our servers to request an exchange rate or confirm a transfer). These logs might include timestamps, success/failure codes, and so on, which we use for troubleshooting and audit purposes.
- Cookies and Similar Technologies: When you use our website, we use cookies (small text files stored in your browser) and similar tracking technologies like web beacons or pixel tags. Cookies might be:
- Necessary cookies: for login sessions or preferences.
- Analytics cookies: to collect information about site usage (for example, Google Analytics may set cookies to track page view statistics).
- Functional cookies: to remember choices you make (like language selection).
We do not use advertising cookies (since we currently don't run third-party ads on our site). You can control cookies through your browser settings and through any cookie consent banner we provide. However, note that blocking certain cookies might affect functionality (for instance, you might not stay logged in without a session cookie).
- Mobile Analytics & Crash Reporting: In our mobile app, we may use built-in tools or third-party SDKs that help us understand app performance and issues. For example, we might integrate Firebase Analytics or similar, which collects aggregated usage stats and crash reports. Crash reports can include the state of the app when it crashed, device type, and OS version, but typically not personal data from the user's content. This helps us identify and fix bugs.
- Location Data: We do not track your precise GPS location by default. However, we may derive an approximate location from your IP address (to understand what country or region you're in, which can help with fraud detection and legal compliance). If you give us permission (via your device settings), we might use precise location for certain features (like finding ATMs, or extra fraud checks to see if a card transaction location matches your phone location). If enabled, you can disable location permission at any time in your device settings.
- Logging of Access: Our servers automatically record information when you access or use our site and Services. These logs may include IP address, the pages visited, time and date of access, and in some cases, how you navigated to our site (e.g., via a referral link or search query). IP addresses can be considered personal data because they can identify a specific device on the internet. We use IP logs for security (like recognizing if an IP is making too many failed logins), and for aggregated analytics (like what regions our users come from).
2.3 Information from Third Parties
We may receive personal information about you from third-party sources, which we combine with information we have. These third-party sources include:
- Verification and Compliance Services: As part of the KYC/AML process, we might use external vendors to verify identity documents or perform background checks. These providers (for instance, identity verification companies) might return information to us like verification status, risk scores, or public watchlist status (e.g., flagged if you appear on a sanctions list or adverse media). We will receive confirmations such as "ID verified" or "name matched to phone number", and in some cases the vendor might provide raw data (like an OCR'd text from your ID) which we treat as personal data as well.
- Financial Partners: If you link a bank account via an open banking API or other partner, that partner might send us information. For example, if you connect your bank for payments, we might get confirmation of account ownership or some transaction data (with your consent) to pre-verify your account. Similarly, card issuance partners might share with us information related to your card usage (like card transaction details needed to display in-app or for risk checks).
- Analytics Providers: We might obtain aggregate demographic or interest data from analytics firms that cannot identify you personally, but give us insights (e.g., an analytics service might tell us that X% of our users are likely between 25-34 years old based on statistical inference, or that users who came via a certain campaign tend to use the card feature more).
- Marketing or Referral Partners: If you arrived at Moneva through a referral or affiliate program, the third party (affiliate marketer) might send us your name or email to track that you signed up via their link. Also, if we run ads on platforms and you click them, those platforms might send us info like which ad campaign led you to us (using trackers, not your personal info per se, but something like "user from Google ad campaign X"). We try to minimize personal data in these cases.
- Public Databases and Social Media: If allowed by law, we may also reference public records or social media information to verify facts about you. For example, as part of KYC we might look at public corporate registries if you're signing up a business, or if you contact us via social media, we may receive profile info from that platform.
- Other Users: If someone refers you, as mentioned, they gave us your contact. Or if someone sends you money via Moneva, they might input your details (like if an existing user uses the app to send to your email or phone, we will get that info to notify you).
We obtain data from third parties only where they have a lawful basis to provide it to us (for instance, you have consented to them sharing it, or we have a legal right to obtain it for anti-fraud).
2.4 Special Categories of Data
We do not actively collect any "special" categories of personal data about you (such as data about your health, genetic or biometric data for identification, political opinions, philosophical beliefs, union membership, sexual orientation, etc.), unless required by law (for example, a government ID might incidentally reveal some info like religion on passports from certain countries, or biometric data if using facial recognition for ID match, but we treat that with extra care and only use it for verification). We also do not intentionally collect data on criminal convictions/offenses except as part of sanctioned or fraud checks (which might indicate if you appear on crime databases).
We ask that you not send or upload any sensitive personal data to our platform beyond what is requested (for example, don't write confidential medical info into a support chat).
3. How We Use Your Information
We use personal data for various purposes to operate our business and provide you with our Services. Our use of data can be categorized by purpose and, where applicable, the legal basis under data protection law (like GDPR).
3.1 Providing and Improving the Service
- Account Setup and Maintenance: We use your registration information to create your account and allow you to log in. We use your contact info to authenticate your account (e.g., sending verification codes to your email or phone) and to communicate with you about account-related matters (welcome emails, password reset, etc.). Legal basis: Contract performance (we need to do this to provide you the service you signed up for).
- Enabling Transactions: We process your personal and financial information to facilitate the transactions you request. For example, using your bank account info to process a deposit or withdrawal, or using your wallet addresses to send crypto transactions. We use identity data to ensure you are authorized for certain transactions (like large transfers). Legal basis: Contract performance; also legitimate interests in ensuring transactions go to the right place.
- Providing Card Services: If you get a Moneva Card, we share necessary info with the card issuer (see Section 4 on sharing). We also use data from them (like card transactions) to show you your card activity, send you alerts (like "Your card was used at Merchant X for $Y"), and let you manage the card (block/unblock etc.). Legal basis: Contract performance.
- Operating Earn and Investments: If you use Earn, we use your data to allocate your assets to yield strategies and track the interest due to you. For investments, we use data to facilitate trades and keep records of your holdings. This includes calculating rewards, sending confirmations, and so forth. Legal basis: Contract performance.
- Customer Support: When you contact us with questions or issues, we use your information (and any additional info you provide) to assist you. For example, if you tell us you're having trouble linking a bank, we will access the relevant parts of your data to troubleshoot. We also may use support communications to improve our service (training staff, fixing recurring problems identified through support). Legal basis: Contract performance for providing support; legitimate interest in service improvement.
- Feature Improvement & Development: We analyze usage data and feedback to improve existing features and develop new ones. For instance, if many users never use a particular feature, we might redesign it. Or we might use crash reports and error logs to fix bugs. We might run analytics on how a new beta feature is used to decide if it should be launched broadly. These insights are usually aggregated, but may incidentally involve personal data. Legal basis: Legitimate interests in improving our services (we believe it benefits us and users, with minimal impact on privacy since mostly aggregated). We ensure any analytics are minimally invasive (pseudonymized where possible).
- Personalization: We may use data to personalize your experience. For example, remembering your preferences like language or the last page you visited, so we can present relevant content. Or showing you targeted in-app messages (like if you have never used the Card feature, we might show a tip about it). This is light personalization, not behavioral advertising. Legal basis: Legitimate interest in improving user experience; or consent in jurisdictions where needed (for example, if personalization uses cookies, we might rely on cookie consent).
3.2 Security and Compliance
- Fraud Detection and Prevention: We use personal data to monitor for and prevent fraud and abuse. This includes analyzing transactions for unusual patterns, verifying login attempts (like notifying you or blocking if a login comes from a new device or location), using device and usage data to identify potentially compromised accounts, and employing risk scoring. For example, if our system flags that an IP address has attempted to log in to hundreds of accounts, we'll block it. If a bank deposit comes from an account name not matching your name, we may pause and investigate. Legal basis: Legitimate interests (to protect our platform and users from fraud) and legal obligation (since we must adhere to anti-fraud and AML rules).
- AML/KYC Compliance: We process your identity information and transaction history to comply with anti-money laundering (AML), "Know Your Customer" (KYC), counter-terrorist financing, and sanctions laws. This involves verifying your identity, checking your details against sanctions and watchlists, monitoring transactions, and keeping required records. We may also have to report certain transactions to authorities (e.g., suspicious activity reports or transactions over certain thresholds). Legal basis: Legal obligation (we are required by law to do this); also legitimate interests in ensuring legal compliance.
- Security Measures: We use information to secure your account and our infrastructure. This includes using your phone/email to send 2-factor authentication codes, detecting brute force login attempts, and deploying anti-abuse measures (like rate limiting an IP). We also maintain logs to investigate security incidents. If we suspect an account is compromised, we might use your contact info to reach out and confirm actions. Legal basis: Legitimate interests in security; in some aspects, contract (we promise to safeguard accounts, which is part of the service).
- Enforcing Terms and Policies: We may use data to enforce our Terms of Service and other policies. For instance, if we find that a user is engaging in prohibited activity, we will examine their data to take action (like freezing funds or banning the account). We might also use data to handle legal disputes (e.g., investigating claims and proving what happened). Legal basis: Legitimate interests in enforcing our contract and protecting our rights, or legal obligation if responding to lawful requests.
- Legal Process Compliance: If we need to respond to court orders, subpoenas, or lawful requests from authorities, we will use and possibly disclose relevant data (see Section 4.3 on sharing). That usage is purely to comply with legal obligations. Legal basis: Legal obligation.
3.3 Communications
- Service and Transactional Communications: We use your contact information to send essential communications about the Services. This includes:
- Confirmations and receipts (e.g., "Your transfer is complete" or "Your buy order executed").
- Alerts (like security alerts for new device login, or balance threshold alerts if you set them up).
- Notices about changes to terms or policies, or other service updates.
- Support responses when you contact us.
These are not marketing; they are necessary communications. Legal basis: Contract performance (keeping you informed as part of the service) or legal obligation (e.g., notifying you of changes in terms).
- Marketing Communications: If you opt in (or if applicable law allows us based on an existing customer relationship), we may send you promotional communications about new features, offers, newsletters, or events. For example, an email announcing a new supported crypto or a referral program. You can opt out of marketing emails at any time by clicking the unsubscribe link or adjusting preferences. We will only send SMS marketing if you specifically consent, where required by law. Legal basis: Consent (where required) or legitimate interest (for existing customers in some jurisdictions, it's considered in legitimate interest to inform about related services, but we will always honor opt-outs).
- In-App and Push Notifications: With your permission, we may send push notifications to your device for things like transaction alerts or promotions. You can control push notification preferences at the OS level or in-app settings. In-app, we might show pop-ups or messages (like feature announcements). Legal basis: Legitimate interest (improving engagement and security with timely alerts), but we respect device-level consent toggles for push.
- Surveys and Feedback Requests: Occasionally, we might request your feedback via a survey. Participating is optional. We'd use your responses to improve our service or for research on user satisfaction. Legal basis: Consent (if you choose to participate) or legitimate interest (getting user insights to improve, but since optional, it's minimally invasive).
3.4 Aggregated and Anonymized Data
We may also create aggregated, anonymized, or de-identified data from your personal information and other individuals' information. For example, we might aggregate usage data to calculate the percentage of users in a certain country that use a specific feature, or average transaction volumes. This aggregated data contains no personal identifiers and cannot be linked back to you. We use this data to analyze and improve our business, and for other lawful business purposes. We may also share aggregated data with partners or the public (e.g., in a blog stating "Moneva users collectively transferred $X million last month"), but without any identifying elements.
3.5 Legal Bases for Processing (GDPR-specific)
If you are in a jurisdiction like the European Economic Area (EEA) or UK where GDPR (or equivalent) applies, we rely on the following legal grounds for processing your personal data:
- Contractual Necessity: We process data that is necessary to provide the Services under our Terms of Service with you. (E.g., using your bank info to process a payment you requested).
- Legal Obligation: We process data to comply with laws, such as financial regulations, KYC/AML laws, tax laws (if applicable for reporting), etc.
- Legitimate Interests: We process data for our legitimate business purposes in ways that do not override your rights and freedoms. For example, improving the app's functionality, securing our system, preventing fraud, and sending service improvement-related communications might be based on legitimate interest. When we rely on this, we consider and balance any potential impact on you.
- Consent: In certain cases, we rely on your consent (e.g., for sending marketing emails, or using cookies for analytics beyond essential ones). Where we rely on consent, you have the right to withdraw it at any time (with future effect). Withdrawal doesn't affect the lawfulness of processing done before you withdrew consent.
If we ever need to process data for a new purpose that is not compatible with those above, we will seek your consent or provide notice and possibly an opportunity to object, as required by law.
4. How We Share Your Information
We do not sell your personal information to third parties for monetary consideration. We only share your information in the following circumstances, and with appropriate safeguards in place:
4.1 Service Providers (Processors)
We share personal data with trusted third-party companies and individuals who provide services on our behalf, such as:
- Cloud Hosting and Storage: e.g., companies that provide data center, server, or cloud storage (our databases, backups, etc. are stored with them).
- Identity Verification Services: third parties that verify identity documents, perform facial matching, or run AML screenings.
- Payment and Banking Partners: banks or payment processors that handle fiat transactions, card issuance, etc. For instance, if we have a partner bank for virtual accounts, we share your identity and necessary account info to create the virtual account. For card issuance, we share data with the issuing bank (like KYC info, and they provide card details back).
- Blockchain Analytics & Fraud Prevention: sometimes we may use specialized analytics (companies that scan blockchain transactions to flag potentially illicit addresses, etc., to comply with AML).
- Email and SMS Providers: systems that send out verification codes, alerts, and emails on our behalf (like SendGrid for emails or Twilio for SMS).
- Customer Support Tools: if we use a CRM or support ticketing system, the info you provide in a support request might go through that third-party software.
- Analytics Services: e.g., Google Analytics or similar, which process usage data to give us insights (they act as processors in giving aggregated data).
- Marketing and Communications: if we use an email campaign tool or push notification service.
These service providers are contractually required to use your data only as needed to perform services for us and not for their own purposes. They are also obligated to protect your data (often under confidentiality and data protection addendums). We strive to choose reputable providers with high standards of security.
4.2 Business Partners and Third-Party Integrations
In some cases, we share data with third parties where they might be considered independent controllers of your data, because it's needed to provide the services you requested. Key scenarios:
- Card Issuer and Network: When issuing and using the Moneva Card, information is shared with the issuing bank and card network (Visa/Mastercard). This includes personal info required for KYC by the issuer (like your name, DOB, address, government ID info) and ongoing sharing for compliance and transaction processing (e.g., they will know your transaction details). The issuer uses and protects your info under their own privacy obligations, and you will likely be subject to their privacy policy as well when you sign up for the card. We limit what is shared to the necessary minimum.
- Banking/Remittance Partners: If Moneva uses a licensed money transmitter or banking partner for sending money internationally, we share your and the beneficiary's info needed to complete the transfer (such as name, account number, possibly address). They in turn might share back a confirmation or any compliance flags. These partners might be considered controllers under regulations, since they have their own legal duties.
- Investment Partner/Broker: For tokenized stocks, we likely have a third-party provider who is a registered broker or an issuer of tokens. When you sign up for that feature, we may share identification and suitability info with them (possibly you fill extra forms, which we send to them). They may also provide us with info like your holdings and trades to display in app. Both parties ensure compliance with securities laws. They would have their own privacy obligations as a financial institution.
- Other Users (when you interact): If you make a transaction that involves another user or third-party:
- When you send funds to someone (another Moneva user), that user might see certain info like your username or name (whatever is necessary for them to identify from whom the money came). We won't share sensitive info, but a memo or note you add might be seen by the recipient.
- If there is a public aspect (for example, if we had a feature to let you share a payment link or QR code, that might reveal your public address or a username).
- Aggregators or Account Linking: If you choose to use a third-party app that connects to Moneva (for example, a financial aggregator app that uses an API with your permission to fetch your balances), we will share data with that third party at your direction. This is similar to using a service like Plaid: with your consent, they access your account info.
We only share with such partners to the extent needed and after ensuring there's a lawful basis (like your consent or contract). We also require contractual protections when possible (like data sharing agreements).
4.3 Legal and Regulatory Disclosures
We may disclose your personal data as necessary or appropriate to:
- Comply with Laws: If we are under a duty to disclose or share your data to comply with any legal obligation, such as court orders, subpoenas, or to meet national security or law enforcement requirements. For example, financial institutions often must respond to government requests for customer info in investigations, or file reports about certain transactions.
- Enforce our Rights: If necessary to enforce our Terms of Service or other agreements, or to investigate potential violations thereof. This could involve sharing data with attorneys or debt collectors if we're pursuing a claim, or to law enforcement if someone committed fraud or abuse impacting us.
- Protect Safety and Rights: We may disclose data if we believe it's necessary to protect the rights, property, or safety of Moneva, our users, or the public. For instance, sharing information with law enforcement about scammers or immediate threats. Also, if you are involved in a dispute (say another user claims you defrauded them), at our discretion and consistent with privacy laws, we might provide relevant information to that user or to the authorities to help resolve the issue.
- Examinations and Audits: Our industry might be subject to regulatory audits (e.g., if a financial regulator or independent auditor asks to review records for compliance). In such cases, personal data might be reviewed. Those parties are typically under obligations to keep data confidential.
We strive to limit the data we provide to only what's required. Whenever feasible, we will object to overbroad requests or ask for clarification through legal channels. Where permitted, we might notify you if your data is being sought by a third party (but in many cases the law prohibits notifying the user, e.g., in certain law enforcement contexts).
4.4 Business Transfers
If MNVA Operations or Moneva is involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, sale of company assets, or transition of service to another provider, your information may be transferred as part of such a transaction. We will ensure the acquiring entity or new entity continues to be bound by confidentiality and privacy obligations in line with this Policy (or notify you and get consent if required by law for any change of use).
For example, if another company buys us, your information would likely be one of the assets transferred. Or if we spin off a portion of our services into a new company, user data for that service would go along. In such events, we would provide notice (e.g., via email or in-app) to let you know of the change in control and any choices you may have.
4.5 With Your Consent
Apart from the above, we will share your personal data with others only if you have given consent to do so. For instance, if you agree to participate in a joint promotion with a partner that requires sharing your data with them, we will make that clear and ask your permission. You can revoke such consent at any time, but once data is shared based on consent, we may not be able to retrieve it from the third party.
Also, if we ever want to share your data for purposes not covered by this Policy, we would seek your consent.
4.6 Anonymized Data
As mentioned, we may share aggregated or anonymized information that cannot reasonably be used to identify you. This is not considered personal data and may be shared freely (for example, publishing industry reports or sharing stats with business partners).
5. Cookies and Tracking Technologies
Cookies are small files placed on your browser or device by websites, apps, or ads you interact with. Moneva uses cookies and similar technologies (like web beacons, pixels, and mobile identifiers) for a variety of purposes:
- Essential Cookies: These are necessary for our website to function properly. For example, they enable you to log in and stay logged in (session cookies), or remember your cookie consent preferences. Without these, the site might not work as intended. These typically do not require consent.
- Analytics Cookies: These cookies collect information about how visitors use our site, so we can understand traffic patterns and improve the site. We might use Google Analytics or similar, which sets cookies to identify your browser and track usage (e.g., which pages you visit, how long, and any errors encountered). We configure these tools to anonymize IP addresses if possible. Data collected is aggregated (we look at overall usage trends, not single user behavior in isolation). We treat this data as personal to the extent it includes identifiers, but use it for analytics.
- Functionality Cookies: If we implement these, they allow the site to remember choices you make (like language or region selection) and provide enhanced features. Some may also be used to remember preferences, so you don't have to re-enter information (e.g. pre-filling a form with your name). While not strictly necessary, they improve your experience.
- Advertising Cookies: Currently, we do not host third-party ads on our platform, so we don't use cookies for advertising or cross-site tracking. If in future we do marketing that involves cookies (like retargeting ads on other platforms), we will update this policy and obtain consent as required.
- Web Beacons/Pixels: These are tiny images or scripts that load when you do certain things (like open an email or visit a page) and can signal that event to us. For instance, our emails might contain a pixel to tell us if you opened the email, which helps measure engagement. You can usually block these by not downloading images or using certain email settings. We mainly use them for analytics on our communications.
- Do Not Track Signals: Some browsers have a "Do Not Track" (DNT) feature. At this time, there is no consensus on how to respond to DNT signals. Our site may not respond differently to a DNT signal, but you can still control cookies as described. We will update our practices if a standard emerges and as required by law.
Your Choices for Cookies:
When you first visit our site, you may see a cookie banner (if required by law in your region, like in the EU) explaining the types of cookies and giving you a chance to allow or disable certain categories. You can manage your preferences at that point or later through a "Cookie Settings" link on our site (if provided).
Additionally, you can control cookies through your web browser settings. You can usually refuse all cookies or accept only certain types. Every browser is different, so check the "help" section of your browser for details on cookie management. Note that blocking all cookies may cause the website to not function properly (especially for essential cookies).
On our mobile app, cookies per se are not used, but similar tracking for analytics happens via SDKs. If you want to opt out of analytics or crash reporting on the app, you may have to uninstall or refrain from use, as these are baked in. However, some platforms offer options: e.g., Apple and Google allow you to limit ad tracking or reset your advertising ID which some analytics tie into. We also honor the "Limit Ad Tracking" setting on iOS and the "Opt out of Ads Personalization" setting on Android: if you've enabled either, we do not use your info for any advertising purposes.
For any questions about our use of cookies or how to opt out, you can contact [email protected].
6. Data Retention
We retain personal data for as long as necessary to fulfill the purposes we collected it for, including to satisfy any legal, accounting, or reporting requirements.
- Account Information: For active accounts, we keep your information for as long as you maintain your account. Once you close your account, we will remove or anonymize personal data within a reasonable timeframe, unless we are required to retain it for legal reasons.
- Transactional Records: Given financial regulations, we often must keep a record of transactions and identifications for a minimum period. For example, KYC records and transaction logs may be kept for 5 years after account closure (this duration can vary by jurisdiction; for instance, EU AML laws often require 5 years, with a possible extension). We keep this data secure and restrict access to it, using it only if needed for audits, disputes, or investigations.
- Communications: We generally retain emails and support chats for as long as your account is active, plus a period in case of reactivation or follow-ups. We might keep recorded calls, if any, for a shorter period (e.g., 90 days) unless needed for a specific training or legal purpose.
- Analytics Data: Analytics platforms often allow us to set retention controls. For Google Analytics, we might choose a standard retention (like 14 months for user-level data). We use aggregated data for trends indefinitely, but user-level identifiers in analytics are either anonymized or deleted per our settings.
- Backup & Cache: Data may remain in backups or cache for a short time even after deletion in production. We have processes to eventually purge backup data as well, or to isolate it. Typically, backups are rotated and old ones are destroyed on a schedule (e.g., rolling 30-day backups). We ensure that if we restore from backup for any reason, we re-delete any data that was supposed to be deleted.
- Criteria for Retention: The exact periods are determined based on: the nature of the data, the purpose for collection, and legal or regulatory requirements. We try not to keep data longer than needed. When personal data is no longer necessary, we will securely delete or anonymize it. For example, if we had collected emails for a one-time survey and it's done, we'd delete those emails if not needed.
If you have specific questions about data retention for certain data or want us to delete your data, please see "Your Rights" below on how to request deletion.
7. Data Security
We take the security of your personal information seriously and use a variety of technical and organizational measures to protect it.
- Encryption: We use encryption to protect data in transit and at rest. Our application and APIs enforce HTTPS (TLS) for data in transit, preventing eavesdropping on the network. Sensitive data in our databases (like passwords, private keys if any, personal identification numbers) are encrypted using strong algorithms. For instance, passwords are salted & hashed (never stored in plaintext), and sensitive personal fields or documents may be stored encrypted.
- Access Controls: Access to personal data internally is strictly limited under a role-based access control model. Only staff who have a business need (e.g., compliance officers, customer support handling your inquiry) can access relevant data. We employ authentication measures (unique accounts, strong passwords, 2FA for our employees, etc.) and maintain logs of access. If contractors or subprocessors access data, they are subject to contractual confidentiality and security obligations.
- Network and System Security: We maintain firewalls and monitoring to guard against unauthorized access. Regular security assessments are performed on our infrastructure, including vulnerability scanning and penetration testing by external experts. Our servers are kept updated with security patches. We also have DDoS protection and rate-limiting to mitigate attacks.
- Data Segmentation: We separate environments (production vs testing) and ensure that production user data is not used in lower environments without anonymization. If we ever use production data for testing (rare, usually not needed), we scrub personal details.
- Employee Training: We train our staff about the importance of data privacy and security. We have policies in place to ensure employees handle data properly and report any potential security issues immediately.
- Incident Response: We have an incident response plan. In the event of a data breach or security incident affecting personal data, we will promptly notify affected users and relevant authorities as required by law. We aim to be transparent and provide guidance on steps users should take to protect themselves (if applicable).
- Third-Party Security: When we engage third-party processors, we vet their security practices. We require them to implement appropriate security measures, often through Data Processing Agreements aligned with GDPR and other frameworks.
- No Guarantee: Despite our efforts, no system is 100% secure. We therefore cannot guarantee the absolute security of your information, especially information transmitted over the internet (like communications you send us via email, which may not be end-to-end encrypted). You also have a role in security: Protect your account credentials, use a strong password unique to Moneva, enable 2FA if available, and guard your wallet's private keys or recovery phrases well (we will never ask you for those). If you suspect any unauthorized access or suspicious activity in your account, notify us immediately at [email protected].
We continuously review and enhance our security protocols as threats evolve. For more details on our security practices, you can contact us or refer to any security documentation we publish.
8. International Data Transfers
Moneva is a global service. Your personal data may be transferred to and stored in countries other than your own. These countries may have data protection laws different from (and potentially not as protective as) the laws of your jurisdiction.
For users in regions like the European Economic Area (EEA), United Kingdom, or others with data transfer restrictions:
- Our Operations: We utilize cloud services or have team members in multiple countries. If you're in the EEA/UK, know that your data will likely be transferred to countries outside the EEA, possibly including the United States and others, for processing.
- Adequacy and Safeguards: Whenever we transfer personal data out of the EEA/UK, we ensure a similar degree of protection by implementing at least one of these safeguards:
  - Adequacy Decision: If the data is sent to a country that the European Commission (or UK, as applicable) has deemed to have an "adequate" level of data protection, we rely on that decision.
  - Standard Contractual Clauses (SCCs): We may use the European Commission's approved standard contractual clauses (or the UK's equivalent) which legally commit the recipient to protect the data to GDPR standards.
  - Other Measures: If needed, we might supplement SCCs with additional technical or contractual measures (like encryption in transit and at rest, commitments to handle government access requests carefully, etc.) in line with the Schrems II decision recommendations.
  - Consent or Other Derogations: In rare cases, we might rely on your explicit consent for a transfer or another derogation under GDPR (e.g., transfer necessary for performance of a contract).
- Service Providers Abroad: Many of our third-party service providers are global companies. We ensure that if they store or process data outside the EEA, they also abide by SCCs or have other transfer mechanisms (some are certified under frameworks like the EU-US Data Privacy Framework, if applicable and once in effect).
- Internal Transfers: If MNVA Operations has affiliated entities in different countries, we may transfer data within our corporate group. Those internal transfers also adhere to SCCs or binding corporate rules if we had them.
For users outside the EEA/UK: By using our Services, you understand that your data may be transferred to our facilities and to those third parties we share it with, as described in this policy, which may be located in other countries. We will protect it as described, but if your local laws require certain protections, we will comply accordingly.
If you'd like more information about international transfers or would like to obtain a copy of the SCCs we use, you can contact us (see Contact Details). Please note, some details might be redacted for confidentiality, but we can confirm the mechanisms in place.
9. Your Rights and Choices
Depending on your jurisdiction, you may have certain rights regarding your personal data. We are committed to honoring these rights. Below we outline rights generally provided under GDPR (for EU/EEA users) and CCPA (for California residents), among others, and how you can exercise them:
9.1 Rights Under GDPR (for users in the EEA, UK, and similar jurisdictions)
If you are a data subject in the EEA, UK, Switzerland, or other jurisdiction with similar laws, you have the following rights (subject to certain exceptions and limitations):
- Right to Access: You can request confirmation of whether we're processing your personal data, and if so, request a copy of the data we hold about you. This allows you to check what personal data we have and that we're processing it lawfully.
- Right to Rectification: If any of your personal data is inaccurate or incomplete, you have the right to have it corrected or updated. For example, you can update your contact info in-app, or ask us to fix a misspelled name.
- Right to Erasure (Right to be Forgotten): You can request deletion of your personal data when:
  - It's no longer necessary for the purposes we collected it.
  - You withdraw consent (if the processing was based on consent) and no other legal basis exists.
  - You object to processing (see below) and we have no overriding legitimate grounds.
  - We unlawfully processed your data.
  - We have to erase it to comply with a legal obligation.
  Keep in mind, this right is not absolute. We may retain data if necessary for legal obligations or other exemptions (e.g., we can't delete your transaction records if required for AML laws, or if we need data to establish or defend legal claims). If we deny an erasure request, we will explain why (unless restricted by law).
- Right to Restrict Processing: You can ask us to limit processing of your data in certain circumstances:
  - If you contest the accuracy of the data, we'll restrict processing until we verify accuracy.
  - If processing is unlawful, but you don't want deletion, just restriction.
  - If we no longer need the data but you need it for a legal claim.
  - If you objected to processing (pending verification of overriding grounds).
  When processing is restricted, we will store your data but not use it, except to exercise or defend legal claims or if you consent.
- Right to Data Portability: You have the right to obtain personal data you provided to us in a structured, commonly used, machine-readable format, and to request we transfer it to another controller where technically feasible. This applies when processing is based on consent or contract and done by automated means. E.g., you could ask for a copy of your transaction history to port to another service.
- Right to Object:
  - You can object to our processing of your personal data when it's based on legitimate interests, if you believe it impacts your rights and freedoms. We will then review your objection and only continue if we have compelling legitimate grounds or need to for legal claims.
  - If we process data for direct marketing, you have an absolute right to object and opt out. That includes profiling related to direct marketing. We will honor those objections promptly (e.g., no more marketing emails if you object).
- Right Not to be Subject to Automated Decisions: If we have any fully automated decision-making (including profiling) that has legal or similarly significant effects on you, you have the right to not be subject to such decisions unless exceptions apply. Currently, Moneva doesn't make significant decisions without human involvement (e.g., an automated fraud flag may freeze an account, but a human reviews it quickly). If we ever implement something like automated loan approval, we would provide info and rights to contest the decision or get human intervention.
- Right to Withdraw Consent: If we rely on consent for any processing, you can withdraw that consent at any time. For instance, you can unsubscribe from marketing emails (withdraw consent for marketing). Withdrawal of consent won't affect the lawfulness of processing done before the withdrawal.
- Right to Lodge a Complaint: You have the right to lodge a complaint with a data protection supervisory authority, particularly in the EU/EEA country where you live or work, or where an alleged infringement occurred. We would appreciate the chance to address your concerns directly first, but this right exists regardless.
To exercise these rights, please contact us at [email protected] with your request. We may need to verify your identity before fulfilling the request (to ensure we don't give your data to someone else). We will respond within one month of receiving a valid request. If your request is complex or we have many requests, we may extend by an additional two months, but will inform you of the extension within the first month.
Generally, we charge no fee for these requests. However, if a request is manifestly unfounded or excessive (e.g., repetitive requests), we may either charge a reasonable fee or refuse to act on it, as permitted by GDPR. We will explain our reasoning in such cases.
9.2 Rights Under CCPA (for California Residents)
If you are a California resident, the California Consumer Privacy Act (CCPA) grants you specific rights regarding your personal information:
- Right to Know: You can request that we disclose certain information to you about our collection and use of your personal information over the past 12 months. This includes:
  - The categories of personal information we collected about you.
  - The categories of sources for the personal information.
  - Our business or commercial purpose for collecting (or selling, if applicable) that personal information.
  - The categories of third parties with whom we share that personal info.
  - The specific pieces of personal info we collected about you (a data portability request).
  - If we sold or disclosed your personal info for a business purpose, two separate lists disclosing:
    - sales (by category of personal info and category of recipient) and
    - disclosures for a business purpose (by category of personal info and category of recipient).
  Note: Moneva does not sell personal information (as "sell" is defined by CCPA, meaning exchange for monetary or other valuable consideration). We also do not knowingly sell info of minors under 16 without affirmative authorization.
- Right to Delete: You can request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions (similar to GDPR's right to erasure). If it's necessary for us or our service providers to maintain the info for certain purposes (like completing a transaction, security, legal compliance, etc.), we may deny deletion for those reasons per CCPA. But we will inform you if so.
- Right to Opt-Out of Sale: Because we don't sell data, this isn't applicable. If in future we consider "selling" data in CCPA terms, we would provide a "Do Not Sell My Personal Information" link. For now, rest assured, we do not sell.
- Right to Non-Discrimination: We will not discriminate against you for exercising any CCPA rights. This means we won't deny you services, charge you different prices, or provide a different quality of service just because you exercised your rights. However, CCPA does allow businesses to offer financial incentives for personal information (e.g., loyalty programs). If we ever have such programs, participation would be optional and based on consent.
To exercise your CCPA rights to know or delete, you (or your authorized agent) can contact us at [email protected] or via any webform/portal provided. We will verify your identity by asking for information that matches our records (we may ask for details about your recent activity or profile info). If an authorized agent makes the request, we may require proof you gave them signed permission, and potentially verify your identity directly.
We aim to respond to verifiable consumer requests within 45 days. If more time is needed (up to another 45 days, totaling 90), we'll inform you in writing. Any disclosures we provide will cover the 12-month period preceding receipt of your request. We won't provide certain sensitive pieces (like account passwords or government IDs in full) for security.
For "Shine the Light" (CA Civil Code § 1798.83): California customers may request a list of categories of personal info we have disclosed to third parties for direct marketing purposes in the prior calendar year, and the names of those third parties. However, as noted, we do not share personal info with third parties for their direct marketing.
9.3 Other Region Rights
- UK and others: The UK GDPR is essentially the same as the EU's for individual rights, so everything under GDPR applies. Other countries like Canada, Australia, Singapore, etc., have rights like access and correction. We extend similar courtesy to all users where feasible.
- Brazil (LGPD): Brazilian users have rights similar to GDPR including confirmation of processing, access, correction, anonymization/blocking/deletion of unnecessary or excessive data, data portability, information about sharing, and right to revoke consent.
- Nevada: We don't sell data, but Nevada residents can still request we not sell in future; we will note that.
We intend to honor all applicable rights. Even if you're not in one of these jurisdictions, you can still contact us with concerns about your data, and we'll do our best to help (because we believe in transparency and fairness).
9.4 Exercising Your Rights & Contact
To exercise any privacy rights or make requests, please contact our Data Protection Officer or privacy team at [email protected]. Clearly state your request and any relevant details (which right, what data, etc.). We may ask for additional info to verify your identity or clarify the scope.
If you are unsatisfied with our response, you have the option to reach out to your local data protection authority or regulator.
We encourage you to keep your account information up-to-date by logging into your account settings. There, you can correct or modify some information directly (like updating contact details).
10. Children's Privacy
Moneva is not directed to individuals under the age of 18, and we do not knowingly collect personal information from children. As stated in our Terms of Service, you must be 18 or older to use our Services. If we become aware that a person under 18 has provided us with personal data, we will take steps to delete such data and terminate the minor's account.
Parents or guardians: If you believe your child (under 18) has provided us with personal information, please contact us immediately at [email protected]. We will take prompt action to investigate and address the issue.
11. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, and other factors. When we make changes, we will:
- Post the updated Privacy Policy on our website and app, and update the "Last Updated" date at the top.
- If changes are significant, we will provide a more prominent notice (such as via email to our users or a notification in the app) to inform you of the update.
- In some cases, if required by law, we might seek your consent to material changes (especially if any change affects how we handle data that was collected under a different consent).
We encourage you to review this Privacy Policy periodically for any updates. Continued use of the Services after any modifications to the Privacy Policy will constitute your acknowledgment of the changes and agreement to abide by the updated policy.
For historical reference, we will maintain an archive or change log of previous privacy policies upon request, to the extent required.
12. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data, please do not hesitate to contact us:
We will address your inquiry as promptly as possible, generally within 30 days.
Thank you for trusting Moneva with your financial needs. We value your privacy and are committed to safeguarding your personal information.