Mona's Services are accessible on web and mobile application platforms (our 'Platforms'). We are digitally expressing our commitment to safeguarding the privacy of our visitors, business and individual users alike.
Our Services are not offered to children under the age of 18 years. If you are under 18, please do not use our Services or provide any personal data to us. If you are a parent or guardian to a child under the age of 18 and become aware that your child has provided personal data to us, please contact our Data Protection Officer (DPO) using the details in Section 13 below in order for us to delete such personal data.
This notice applies where we are acting as a data controller with respect to the personal data of such persons; in other words, where we determine the purposes and means of the processing of that personal data.
We use cookies on our website. Insofar as those cookies are not strictly necessary for the provision of our website and services, we will ask you to consent to our use of cookies when you first visit our website.
In this notice, 'we', 'us' and 'our' refer to Mona. Some of our Services are provided through subsidiaries or affiliates under the same group company. This Privacy Notice applies regardless of which of our entities we employ to provide you our Services. For more information about us, see Section 12.
We collect personal data in the following ways:
We process your personal data as part of our onboarding process (also known as know-your-customer (KYC) data) ('account data'). We will verify your account data by using our own systems or that of a third-party verification firm. The account data may include your name, email address, business name, bank verification number, phone number etc.
We may process different types of data including:
We prioritize the protection of your data by implementing robust technical and organizational measures to maintain the confidentiality and integrity of personal information. Our security features include advanced encryption, firewalls, and strict physical access controls. Access to personal data is restricted to authorized personnel who require it to perform their duties, and our employees are contractually bound to maintain confidentiality.
In the rare event of a data breach, we have procedures to respond swiftly and manage the incident effectively. We will notify affected individuals and relevant authorities within 72 hours if a breach poses risks to data protection rights, detailing the nature of the breach, likely consequences, and steps taken to mitigate any potential impact.
We encourage all users to contribute to data security by using strong passwords, keeping their account information updated, and reporting any suspicious activity to us immediately.
We may use personal data to run our Platforms, provide our Services, or manage credit control. The legal reasons for this include our legitimate interests in properly administering our Platforms or fulfilling a contract with you, such as processing payment transactions between you and your customers.
We may process your contact, account, and transaction data to create and send targeted marketing messages via email, SMS, or phone. The legal basis for this is either your consent or our legitimate interests in promoting our business and sharing marketing offers with visitors and users.
We may process communication data to publish it on our website and elsewhere based on your specific instructions. The legal basis for this is your consent.
We may use your contact, account, transaction, and communication data to manage our relationships, communicate with you (not including direct marketing), provide support, and handle complaints. This processing is based on our legitimate interests in communicating with visitors and users of our Platforms, maintaining relationships, and properly managing our website and Services.
We may analyse your usage and transaction data to understand how our Platforms and Services are used, as well as to evaluate other interactions with our business. This processing is based on your consent or our legitimate interests in monitoring, improving, and securing our Platforms and Services.
We may process your personal data for the purposes of creating and maintaining our databases, back-up copies of our databases and our business records generally. The legal basis for this processing is either processing where necessary to comply with a legal obligation to which we are subject or our legitimate interests, namely ensuring that we have access to all the information we need to properly and efficiently run our business in accordance with this notice.
We may process your personal data for the purposes of security and the prevention of fraud and other financial crimes. The legal basis of this processing is our legitimate interests, namely the protection of our Platforms, Services and business, and the protection of the interest of others.
We may process your personal data to manage credit risks or obtain professional advice. This processing is based on our legitimate interests in protecting our business from risks and keeping us as a going concern.
We may use your personal data to establish, exercise, or defend legal claims, whether in court or through administrative procedures. This is based on our legitimate interests in protecting our legal rights and those of others.
We may also process your personal data where such processing is necessary for compliance with a legal obligation to which we are subject or in order to protect your vital interests or the vital interests of another natural person.
Mona keeps your personal data close to the chest—we do not sell, trade, or rent it out to anyone. We also will not share or spill your information to any third party without your say-so, unless it is needed to deliver our Services or as explained in this notice.
We may disclose your personal data to professional advisers, insofar as reasonably necessary for the purposes of obtaining professional advice.
We may disclose contact, account and/or transaction data to subcontractors insofar as reasonably necessary for providing you with our Services.
Financial transactions relating to our Services are processed by our partner banks and other financial institutions (OFIs). We will share transaction data with them only to the extent necessary for the purposes of performing our Services, settling disputes and dealing with complaints and queries relating to our Services.
In addition to the specific disclosures of personal data set out in this Section 4, we may disclose your personal data where such disclosure is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person. We may also disclose your personal data where such disclosure is necessary for the establishment, exercise, or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.
In this Section 5, we provide information about the circumstances in which your personal data may be transferred to a country outside of Nigeria.
We may transfer your personal data outside of Nigeria and process that personal data in other jurisdictions and may permit our suppliers and subcontractors to do so, for the purposes set out in this notice.
Sometimes this is because we rely on servers or hosting facilities for our website/mobile application outside of Nigeria. Other times, it is because we engage the services/products of third-party service providers, subcontractors and affiliates to be able to provide you with our Services. Details of our third-party service providers, subcontractors and affiliates can be requested from Mona at support@mona.ng.
We are committed to protecting your personal data in line with all relevant data protection regulations that apply to us. As required under the Implementation Framework for the Nigeria Data Protection Regulation, we conduct a detailed assessment to confirm that the country where your data will be transferred is among the countries Whitelisted by the National Information Technology Development Agency (NITDA).
If the recipient's country is not among White-Listed Countries, we will only transfer Personal Data out of Nigeria under one of the following conditions:
In addition to Section 5.5 above, and to ensure your data is secure, we use legal agreements/standard contractual clauses that either guarantee proper protection or confirm that the country receiving your data has adequate data protection laws. We also take extra precautions to make sure the country's standards match ours, ensuring your information remains safe throughout the process. This approach is important because it helps us maintain the privacy and security of your data, no matter where it is transferred.
We retain your personal data only for as long as is necessary to fulfill the purposes for which it was collected, including to meet legal, regulatory, accounting, or reporting obligations. The specific retention period depends on the type of data and the purpose for which it is processed.
In certain cases, statutory laws or regulatory requirements may require us to retain your personal data for longer periods. For example, financial data and account data will be retained for a minimum period of 5 years following the date of the most recent contact between you and us in accordance with the Money Laundering (prevention and prohibition) Act, 2022.
Notwithstanding the other provisions of this Section 6, we may retain your personal data where such retention is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.
Your principal rights under data protection law are:
These rights are subject to certain limitations and exceptions as enunciated in the Nigeria Data Protection Act, 2024.
You may exercise any of your rights in relation to your personal data by written notice to us, using the contact details of our DPO set out in Section 13 below.
A cookie is a small file with a unique code (a mix of letters and numbers) that a web server gives to your browser to hold onto. Every time your browser asks the server for a new page, it hands that code back to help the server remember who you are.
Cookies may be either 'persistent' cookies or 'session' cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date; a session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed.
Cookies may not contain any information that personally identifies a user, but personal data that we store about you may be linked to the information stored in and obtained from cookies.
We use Google Analytics. Google Analytics gathers information about the use of our website by means of cookies. The information gathered is used to create reports about the use of our website. You can find out more about Google's use of information by visiting https://www.google.com/policies/privacy/partners/
Most browsers allow you to refuse to accept cookies and to delete cookies. The methods for doing so vary from browser to browser, and from version to version. Kindly note that disabling all cookies that are strictly necessary will likely affect our Platforms' functionality.
We may update this notice by publishing a new version on our website.
You should check this page occasionally to review any changes.
We will notify you of significant changes by email.
This website, mobile app and all associated intellectual property is owned and operated by Mona Financial Technology Limited.
You can contact us:
In accordance with the Nigeria Data Protection Act, 2023, we have appointed a Data Protection Officer who is responsible for implementing our privacy and data protection principles.
In line with the legal requirements under the Nigeria Data Protection Act, 2023, we have appointed a Data Protection Officer who is generally responsible for implementing our privacy and data protection principles in accordance with applicable law and ensuring your rights as enunciated in this Privacy Notice are respected.
Our data protection officer can be contacted at: dpo@mona.ng