MonyTrack Privacy Policy

1. Introduction

MonyTrack ("MonyTrack", "we", "us", or "our"), a company incorporated under the laws of the Federal Republic of Nigeria, is committed to protecting the privacy, confidentiality, and security of personal and business data entrusted to us.

This Privacy Policy explains how we collect, use, process, disclose, and safeguard information when you access or use our platform, including our web applications, APIs, and financial services.

This policy is designed in compliance with the Nigeria Data Protection Act (NDPA) 2023 and aligns with international best practices, including principles of the General Data Protection Regulation (GDPR) where applicable.

By using MonyTrack, you agree to the collection and use of information in accordance with this Privacy Policy.

2. Data Controller and Data Processor

MonyTrack acts in different capacities depending on the nature of the data processed:

Data Controller: We act as a Data Controller for personal and business data relating to your account registration, identity verification, platform usage, and service delivery.

Data Processor: We act as a Data Processor where we process data strictly on your behalf, including employee payroll data, vendor information, and customer invoicing data.

Regulatory Authority: Nigeria Data Protection Commission (NDPC)

Data Protection Officer (DPO): MonyTrack Data Protection Office

DPO Contact: privacy@monytrack.com

3. Information We Collect

We collect and process the following categories of information:

3.1 KYC/KYB Data

To comply with regulatory requirements, we collect:

• Names of directors and beneficial owners
• Bank Verification Numbers (BVN)
• National Identification Numbers (NIN)
• Tax Identification Numbers (TIN)
• CAC registration documents and business information
• Proof of address and utility bills
• Shareholder information and ownership structure
• Photograph and identification documents

3.2 Financial Data

• Bank account details
• Transaction history and balances
• Payment instructions and approvals
• Reconciliation data and financial records

3.3 Operational Data

• Employee payroll data (names, salaries, pension PINs, tax details)
• Vendor and supplier information
• Customer data for invoicing and collections

3.4 Technical Data

• IP addresses
• Device and browser information
• System logs and usage analytics
• Cookies and session identifiers

3.5 Communication Data

• Emails and correspondence
• Customer support interactions
• Feedback and survey responses

3.6 Biometric Data

When verifying your identity through BVN or NIN, biometric data (such as facial recognition) may be processed by our identity verification partners. We do not store raw biometric data; verification results are stored as confirmation records only.

3.7 Third-Party Source Data

We may obtain information from external sources to verify your identity and assess risk, including:

• Identity verification providers (NIBSS, YouVerify, Smile ID, etc.)
• Credit bureaus (where applicable)
• Corporate registries (CAC)
• Sanctions and PEP screening databases

4. Lawful Basis for Processing

We process personal data under the following lawful bases:

Contractual Necessity: To provide and maintain the services you have requested.

Legal Obligations: To comply with applicable laws, including:

• CBN AML/CFT regulations
• FIRS tax reporting requirements
• NDPA obligations

Consent: Where you have explicitly agreed (e.g., marketing communications or integrations).

Legitimate Interests: Including fraud prevention, system security, product improvement, and risk management.

5. How We Use Your Information

We use your information for the following purposes:

Payment Processing: Executing transfers, managing approval workflows, and settling transactions.

Compliance & Reporting: Filing PAYE taxes, processing pension remittances, and supporting statutory reporting.

FIRS Integration: Transmitting e-invoice data in compliance with applicable tax regulations.

Fraud Detection & Risk Management: Monitoring transactions and account activity to prevent unauthorized use.

Product Improvement: Enhancing platform functionality, including AI-powered reconciliation and insights.

Customer Support & Communication: Providing updates, responding to inquiries, and improving user experience.

6. Data Sharing and Disclosure

We do not sell personal or business data. We only disclose data under the following circumstances:

6.1 Financial Institutions

Partner banks and payment providers to facilitate transactions and account services.

6.2 Regulatory Authorities

• Central Bank of Nigeria (CBN)
• Federal Inland Revenue Service (FIRS)
• Nigeria Data Protection Commission (NDPC)
• Economic and Financial Crimes Commission (EFCC)
• Nigerian Financial Intelligence Unit (NFIU)
• Other competent authorities where legally required

6.3 Service Providers

• Cloud infrastructure providers (e.g., AWS, Azure)
• Identity verification services
• Payment processors and APIs

All service providers are bound by strict data protection agreements.

6.4 User-Authorized Integrations

Third-party services you explicitly connect to your MonyTrack account.

7. Data Security and Storage

We implement industry-standard security measures to protect your data:

Encryption: AES-256 encryption for data at rest and TLS 1.3 for data in transit

Access Controls: Role-based access and strong authentication mechanisms

Monitoring: Continuous monitoring, logging, and threat detection

Infrastructure Security: Secure cloud environments with redundancy and failover mechanisms

Data Retention

We retain data for different periods based on category and legal requirements:

• Financial & transactional data: Minimum 7 years (statutory requirement)
• KYC/KYB documentation: Duration of relationship plus 7 years
• Technical logs & analytics: 12-24 months
• Marketing consent records: Duration of consent plus 3 years
• Support correspondence: 3 years from last interaction

8. Your Data Rights

Under the NDPA 2023, you (and your data subjects) have the right to:

• Access your personal data
• Rectify inaccurate or incomplete data
• Erase data (subject to legal retention obligations)
• Restrict processing under certain conditions
• Port data to another service provider
• Object to processing based on legitimate interests
• Withdraw consent at any time

To exercise these rights, contact: privacy@monytrack.com

Response Timeframe: We will acknowledge your request within 7 days and provide a substantive response within 30 days. Complex requests may require an additional 30 days, and we will notify you if an extension is needed.

9. Automated Decision-Making

MonyTrack uses automated systems and AI-powered tools in certain processes:

• Transaction Monitoring: Automated fraud detection and AML screening
• Reconciliation: AI-assisted matching of financial records
• Risk Assessment: Automated evaluation for account approval and limits

Your Rights: Where automated decisions significantly affect you, you have the right to:

• Request human review of the decision
• Express your point of view
• Contest the decision

To request human review of an automated decision, contact compliance@monytrack.com.

10. International Data Transfers

Where data is transferred outside Nigeria, we ensure appropriate safeguards, including:

• Countries with adequate data protection standards
• Standard Contractual Clauses (SCCs)
• NDPC-approved transfer mechanisms

Data Storage Locations: Your data may be processed and stored in:

• Nigeria (primary)
• European Union (cloud infrastructure)
• United States (cloud infrastructure and certain service providers)

11. Data Breach Notification

In the event of a data breach that poses a risk to your rights:

• We will notify the NDPC within 72 hours
• We will notify affected users without undue delay
• We will take immediate steps to mitigate the impact

12. Cookies and Tracking Technologies

We use cookies and similar technologies to:

• Maintain secure sessions
• Improve platform performance
• Analyze usage patterns

You may control cookies via your browser settings; however, disabling cookies may affect functionality.

13. API and Third-Party Data Processing

Where you use MonyTrack APIs or integrations:

• You are responsible for ensuring lawful data collection and sharing
• MonyTrack processes such data strictly based on your instructions
• You are responsible for securing API credentials and integrations

Data Processing Agreement (DPA): Enterprise clients processing employee or customer data through MonyTrack may request a formal DPA by contacting privacy@monytrack.com.

14. Children's Privacy

MonyTrack services are not intended for individuals under the age of 18.

We do not knowingly collect or process data from minors.

15. Complaints and Escalation

If you have concerns about how we handle your data, we encourage you to follow this escalation process:

Step 1 - Internal Resolution: Contact our Data Protection Office at privacy@monytrack.com. We will investigate and respond within 30 days.

Step 2 - Management Review: If unsatisfied with our response, you may request escalation to our Compliance team at compliance@monytrack.com.

Step 3 - Regulatory Complaint: You have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng

16. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in legal, regulatory, or operational requirements.

Where changes are material, we will notify you through appropriate channels. Continued use of the platform constitutes acceptance of the updated policy.

17. Contact Information

For privacy-related inquiries or to exercise your rights:

MonyTrack

Data Protection Office

Privacy Inquiries: privacy@monytrack.com

General Support: support@monytrack.com

For the complete terms governing your use of MonyTrack, please refer to our Terms of Service.