Privacy Policy

Data controller

The controller responsible for processing your personal data is:

Entitymonni (in the process of incorporation as an S.L. in Spain)

Tax IDPending commercial registration

AddressPlaça Catalunya, Sant Feliu de Llobregat, Spain

monni acts as the data controller for data collected directly from its users. For banking data obtained through Open Banking, Yapily Ltd. acts as a data processor under our instructions (see section 05).

Data we collect

We only collect the data necessary to provide the service:

Data you provide to us

Account and registration: name, email and password (stored with bcrypt hashing).
Waitlist: email address to send you early access and related communications.
Communications: messages you send us by email or through support.

Banking and financial data (Open Banking)

Account information: IBAN, available balance and accounting balance.
Transaction history: amounts, dates, descriptions and merchants.
Account holder identity data provided by your bank.

Read-only access: monni can never initiate payments, move funds or modify data at your bank. We always require your explicit consent.

Automatically generated data

Usage data: screens visited, features used and frequency of use.
Technical data: IP address, device type, operating system and app version.
Error logs for diagnosis and service improvement.

Data we do NOT collect

Banking credentials (your bank username/password). We never ask for them.
Special category data: racial origin, health, sexual life, beliefs, etc.
Data from minors under 16 (see section 11).

Legal basis for processing

In accordance with the GDPR and applicable data protection legislation, we process your data under the following legal bases:

Processing activity	Legal basis
Account management	Performance of contract (Art. 6.1.b GDPR)
Open Banking connection	Explicit consent (Art. 6.1.a GDPR)
AI-based transaction categorisation	Performance of contract (Art. 6.1.b GDPR)
Marketing communications and waitlist	Explicit consent (Art. 6.1.a GDPR)
Usage analytics and service improvement	Legitimate interest (Art. 6.1.f GDPR)
Compliance with legal obligations	Legal obligation (Art. 6.1.c GDPR)

Where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.

Purposes of processing

We use your data to:

Provide the service: connect your accounts, categorise transactions with AI and show you your financial status in real time.
Personalise the experience: tailor analysis, alerts and recommendations to your actual situation.
Communicate important changes: service notifications, security updates and changes to this policy.
Marketing (only with your consent): news, financial tips and early access to features.
Prevent fraud: detect unauthorised access and protect the integrity of your account.
Improve the service: aggregated usage analysis to optimise the experience.
Meet legal obligations: respond to requests from competent authorities.

We do not use your data for third-party advertising and we never sell it.

Open Banking and Yapily

To connect your bank accounts, monni uses Yapily Ltd., an Open Banking provider authorised and regulated under the PSD2 Directive. Yapily acts as a data processor under our instructions.

How the connection works

monni redirects you to your bank's authentication portal.
You authenticate directly with your bank (monni never sees your credentials).
Your bank issues an authorisation token with the scope you have approved.
Yapily uses that token to retrieve data and transmit it to us in encrypted form.

Scope of access

Read-only: monni cannot initiate payments or move money.
Access tokens have a limited duration and are only renewed with your consent.
You can revoke access at any time from monni or directly from your bank.

Yapily Privacy Policy: yapily.com/legal/privacy-policy

Cookies and similar technologies

We use cookies and similar technologies to ensure the service works and to improve your experience.

Type	Purpose	Duration
Essential	Authentication, session and security. Required for basic functionality.	Session / 30 days
Preferences	Save your settings (theme, language, configuration).	1 year
Analytics	Understand how the app is used in an aggregated, anonymous way.	90 days

We do not use advertising cookies. You can manage them from your browser settings, although disabling essential cookies may prevent the application from working correctly.

Data retention

We only keep your data for as long as necessary for each purpose:

Data type	Retention period
Account data (email, name)	While account is active + 3 years
Banking data and transactions	While connection is active + 1 year
Waitlist data	Until you unsubscribe or the service launches
Usage and technical logs	90 days
Consent records	6 years (legal obligation)

After these periods, data is securely deleted or anonymised for statistical use.

Recipients and transfers

Service providers

We only share your data with providers that help us deliver the service and that have signed the data processing agreements required by the GDPR:

Provider	Role	Location
Yapily Ltd.	Open Banking / PSD2	UK / EU
Anthropic	AI processing (anonymised data)	USA (EU standard clauses)
Railway	Cloud infrastructure (compute and storage)	USA (EU standard clauses)
Transactional email provider	Sending emails (confirmations, alerts)	EU

International transfers

When we transfer data outside the EEA, we do so under Standard Contractual Clauses approved by the European Commission (Art. 46.2.c GDPR).

We do not sell your data to third parties or share it with advertisers.

Your rights

As an EU user, the GDPR gives you the following rights:

Access (Art. 15): request a copy of the data we process about you.
Rectification (Art. 16): correct inaccurate or incomplete data.
Erasure (Art. 17): have your data deleted when it is no longer necessary.
Portability (Art. 20): receive your data in a structured, machine-readable format.
Objection (Art. 21): object to processing based on legitimate interest.
Restriction (Art. 18): restrict processing while we resolve a dispute.
Withdraw consent: at any time, without retroactive effect.

How to exercise your rights

Write to us at privacy@monni.app stating the right you wish to exercise and your identity. We will respond within a maximum of 30 days.

Complaint to the supervisory authority

If you believe we have infringed your rights, you can lodge a complaint with the Spanish Data Protection Agency (AEPD).

Security

We apply technical and organisational measures to protect your data against unauthorised access, accidental loss or destruction:

Encryption in transit (TLS 1.3) and at rest (AES-256).
Two-factor authentication available for all accounts.
Access to production data restricted to strictly necessary personnel.
Periodic security audits and penetration testing.
Notification to the supervisory authority within 72 hours in the event of a breach posing risk to users.

If you discover a vulnerability, please report it responsibly to privacy@monni.app.

Minors

monni is intended exclusively for people over 18 years of age. We do not knowingly collect data from minors. If you believe a minor has provided their data, contact us at privacy@monni.app and we will delete it immediately.

Changes to this policy

We may update this policy to reflect changes to the service, legislation or our practices. When we do:

We will update the "Last updated" date at the top.
We will notify you by email if the changes are substantial.
If the changes require new consent, we will ask for it explicitly before applying them.

Contact

For any questions about this policy or the processing of your data:

Privacy & GDPRprivacy@monni.app

General supporthola@monni.app

We respond within 72 hours on business days.