GDPR

How MONOBANK applies the EU and UK General Data Protection Regulations to the monobank.com website and the MONOBANK mobile application.

This notice describes how Monobank Inc. (“MONOBANK”, “we”, “our”, “us”) complies with the EU General Data Protection Regulation (“EU GDPR”) and the United Kingdom General Data Protection Regulation (“UK GDPR”) when you visit the monobank.com website (and any of its subdomains we operate) or use the MONOBANK mobile application for iOS and Android (together, the “Services”).

It supplements, and should be read together with, our Privacy Policy. Where there is a difference between the two, the Privacy Policy governs how we process personal data; this notice explains the GDPR-specific points.

When this notice applies

This notice applies to you if you are in the European Economic Area, the United Kingdom, or another jurisdiction that recognizes the EU GDPR or UK GDPR as the applicable data protection framework, and you use the Services.

Where the Services give you access to a regulated financial product provided by a licensed partner, that partner acts as an independent data controller for the personal data they need to provide that product. The partner’s own GDPR notice is presented to you separately and governs that processing.

Who is the controller

For personal data processed through the website and through the parts of the app that we operate directly, MONOBANK is the controller as defined under Article 4 of the EU GDPR and the equivalent provision of the UK GDPR.

You can contact us at hello@monobank.com for any GDPR-related question, request, or complaint.

Categories of personal data we process

The categories of personal data we process under the GDPR mirror those described in our Privacy Policy:

  • identifiers and contact details (such as name, email address, phone number, country of residence);
  • account credentials, where you create an account with us;
  • identity verification data collected through a licensed partner’s verification flow, where required to access a regulated product (this is processed by the partner as controller);
  • communications you send us through support, contact, partnership, careers, or feedback channels;
  • device and technical information (such as device type, operating system, app version, language, time zone, and crash diagnostics);
  • usage information (such as pages or screens viewed, features used, and high-level interaction events);
  • network information (such as IP address and approximate location derived from it); and
  • cookie and similar identifiers, as described in the Privacy Policy.

We do not knowingly process special categories of personal data (Article 9 EU GDPR / Article 9 UK GDPR) outside what is required for legally mandated identity verification carried out by a licensed partner.

We process personal data on the following GDPR legal bases:

  • Purpose: Operating, maintaining, and improving the website and the app; providing core in-app and on-site functionality; managing your account where you have one.
    Legal basis: Performance of a contract (Article 6(1)(b)).
  • Purpose: Securing the Services, preventing and detecting fraud and abuse, and investigating incidents.
    Legal basis: Legitimate interests (Article 6(1)(f)) — our interest in keeping the Services safe and reliable for everyone, balanced against your rights.
  • Purpose: Communicating with you about the Services, important changes, security alerts, and your support requests.
    Legal basis: Performance of a contract (Article 6(1)(b)) and legitimate interests (Article 6(1)(f)).
  • Purpose: Sending you product updates, launch information, and other marketing communications.
    Legal basis: Consent (Article 6(1)(a)), which you can withdraw at any time.
  • Purpose: Setting and reading non-essential cookies and similar technologies on the website.
    Legal basis: Consent (Article 6(1)(a)). Strictly necessary cookies are based on legitimate interests.
  • Purpose: Meeting legal, regulatory, and partner-driven obligations that apply to us.
    Legal basis: Legal obligation (Article 6(1)(c)).
  • Purpose: Enabling identity verification, account opening, card issuance, and payment processing through licensed partners.
    Legal basis: Performed by the partner as controller, on the legal basis they identify in their own notice — typically performance of a contract and legal obligation.

Recipients of personal data

We share personal data only with parties who are bound to handle it appropriately:

  • Licensed financial partners acting as independent controllers for regulated services made available through the app;
  • Service providers (processors) — for example, hosting, app distribution, error monitoring, analytics, customer support tooling, and email delivery — acting only on our written instructions under Article 28 EU GDPR / Article 28 UK GDPR data processing agreements;
  • Public authorities, regulators, and law-enforcement bodies where we are required to disclose data by applicable law or a binding order;
  • Counterparties in a corporate transaction, such as a merger, acquisition, financing, or sale of assets, subject to appropriate confidentiality and data protection commitments.

We do not sell personal data and we do not share it for cross-context behavioral advertising.

International transfers

The Services may be operated from, and supported by providers in, more than one country. Where we transfer personal data of EU/EEA or UK individuals outside their respective region, we rely on appropriate safeguards required by the EU GDPR and UK GDPR, such as:

  • the European Commission’s Standard Contractual Clauses (Module 1, 2, or 3 as applicable);
  • the UK International Data Transfer Addendum to the EU SCCs, or the UK International Data Transfer Agreement;
  • adequacy decisions, where the destination country has been recognized as offering an adequate level of protection.

Where additional safeguards are needed in light of the destination country’s laws, we put them in place.

Retention

We keep personal data only for as long as we need it for the purposes described in the Privacy Policy, or for as long as we are required to keep it under applicable law, regulation, or partner requirements. When we no longer need it, we delete or anonymize it.

Identity verification data and account records associated with regulated services are retained by the relevant licensed partner in line with their own retention obligations under applicable financial regulation.

Your rights under the GDPR

Subject to the conditions and exceptions in the EU GDPR and UK GDPR, you have the right to:

  1. Access — obtain confirmation of whether we process personal data about you, and a copy of that data (Article 15);
  2. Rectification — ask us to correct inaccurate or incomplete data (Article 16);
  3. Erasure — ask us to delete your data in defined circumstances (“right to be forgotten”) (Article 17);
  4. Restriction — ask us to restrict the processing of your data in defined circumstances (Article 18);
  5. Data portability — receive certain data you have provided to us in a structured, commonly used, machine-readable format and ask us to transmit it to another controller, where technically feasible (Article 20);
  6. Object — object to processing carried out on the basis of legitimate interests, including profiling, and to direct marketing at any time (Article 21);
  7. Withdraw consent — where processing is based on your consent, withdraw it at any time, without affecting the lawfulness of processing carried out before withdrawal (Article 7(3));
  8. Lodge a complaint — with your local supervisory authority in the EEA, or with the UK Information Commissioner’s Office in the United Kingdom (Article 77).

Where the data in question is held by a licensed partner as their own controller, we will help you direct your request to the right place.

How to exercise your rights

To exercise any of these rights, contact us at hello@monobank.com. Please tell us, where you can:

  • which right you want to exercise;
  • the email address or other identifier associated with your interaction with the Services; and
  • enough detail for us to understand and act on the request.

We may need to verify your identity before responding, particularly for access, erasure, or portability requests. We aim to respond within one month of receiving a complete request, in line with Article 12(3) of the EU GDPR and UK GDPR. Where a request is complex or where we receive a number of requests, we may extend this period by a further two months and will tell you why.

Automated decision-making

We do not use solely automated decision-making that produces legal or similarly significant effects on you, in the meaning of Article 22 of the EU GDPR and UK GDPR, in the parts of the Services we operate directly.

Some regulated decisions made through licensed partners — for example, identity verification or fraud screening — may include automated elements. Those decisions are governed by the partner’s own GDPR notice and processes, which set out your rights with respect to that processing.

Updates

We may update this notice from time to time, including to reflect changes in regulation, our partner setup, or our processing practices. When we do, we will update the date at the top of this page.

Contact

For any GDPR-related question, request, or complaint, contact us at hello@monobank.com.

You also have the right to lodge a complaint at any time with your local supervisory authority — for example, the UK Information Commissioner’s Office (ICO) in the United Kingdom, or the data protection authority of your EU/EEA member state.