1. About this Privacy Notice

Privacy and the security of transactions are core elements of cryptocurrencies, blockchain technology and its whole global movement. Monnay really appreciates the trust Users (hereinafter referred to as “User/s” or “you”)  have in us when trading cryptocurrencies and other digital assets on our platform.

For this reason, privacy and data security have an enormously high priority for the Monnay group. It is very important to us that you feel safe during your visit to our website and while using our services as well as over the course of all other business transactions with us. As soon as you make use of products and/or services of Monnay, you entrust us with the processing of your personal data. Monnay wants to give you the best possible experience with our platform to ensure that you enjoy the usage of our products and services now and in the future. That’s why we want to understand the User behaviour on our platform in order to continuously improve it.

Therefore, in this Privacy Notice, we want to transparently inform you which personal data we collect from you and why and who might receive it. Furthermore, we would like to inform you which precautions we take to protect your personal data, which rights you have in this context and to whom you can turn for data protection concerns.

Regarding the terms used in this Privacy Notice, such as “Processing” or “Controller”, we refer to the definitions of the GDPR.

For our Swiss customers solely: for definitions of terms relevant under applicable data protection law, such as “personal data”, “processing”, etc., we refer to the respective data protection laws, in particular the Swiss Data Protection Act (Federal Act on Data Protection (FADP); SR 235.1) and the Data Protection Ordinance (Ordinance to the Federal Act on Data Protection (OFADP); SR 235.11) and, to the extent applicable, the General Data Protection Regulation of the European Union (GDPR).

This Privacy Notice is drafted in English and German. In case of conflict the English version shall be the binding version.

2. Applicability

To whom does this Privacy Notice apply?

Monnay and its direct and indirect subsidiaries (hereinafter referred to as “Monnay” or “Monnay Group” or “we”) offer via its websites (e.g.: www.monnay.com, exchange.monnay.com) and its mobile applications (“Mobile App”) (together hereinafter referred to as “Website” or “Platform”) services and products related to buying and selling cryptocurrencies and other digital assets as well as payment and IT services.

This Privacy Notice applies to all services and products regarding our Platform,our Broker together with associated products, this website and our Helpdesk; and provides an overview in regards to the main actors when providing our Platform.

Users of the Monnay Card might also want to have a look at the Privacy Policy of Contis, who issues the cards.

Further descriptions of the provided services and the legal entities providing them can be found in Section 4 of the Monnay Group General Terms and Conditions. In order to keep this Privacy Notice neat and easy to read, we want to provide a brief overview (the specifics will depend on the User’s location and the used product). Concerning our Platform, the following entities are the “main actors”:

• Monnay: has its business address at Stella-Klein-Löw Weg 17, 1020 Vienna, Austria, registered in the commercial register of the Commercial Court of Vienna under FN 569240 v and is the content provider of the Platform as well as responsible for the offer of cryptocurrencies on it;

  • Monnay Group AG, with its registered address at Hardstrasse 201, 8005 Zürich, Switzerland registered in the commercial register of the Commercial Court of Zürich under CHE-267.250.666;

• Monnay Metals GmbH: has its business address at Stella-Klein-Löw Weg 17, 1020 Vienna, Austria, is registered in the commercial register of the Commercial Court of Vienna under FN 511923 d, and offers trading with precious metals via the Platform;
• Monnay Payments GmbH: has its business address at Stella-Klein-Löw Weg 17, 1020 Vienna, Austria, is registered in the commercial register of the Commercial Court of Vienna under FN 501412 x, and offers different payment services via the Platform;
• Monnay Financial Services GmbH: has its business address at Stella-Klein-Löw Weg 17, 1020 Vienna, Austria, is registered in the commercial register of the Commercial Court of Vienna under FN 551181 k and acts as a service provider for the Platform. Monnay Financial Services GmbH provides the reception and transmission of orders regarding digital securities in accordance with the Austrian Securities Supervision Act 2018 (Wertpapieraufsichtsgesetz 2018 or “WAG”);
• Monnay Customer Care GmbH: has its business address at Stella-Klein-Löw Weg 17, 1020 Vienna, Austria, is registered in the commercial register of the Commercial Court of Vienna under FN 523486 h and acts as a service provider in regards to the Helpdesk for the Monnay Group (except for Monnay Custody);
• Monnay Custody Ltd: has its business address at 21 Holborn Viaduct, London, EC1A 2DY, United Kingdom, is registered under registration number 11625148 and acts as a service provider for crypto custody services called Monnay Custody.
• Pantos GmbH has its business address at Stella-Klein-Löw Weg 17, 1020 Vienna, Austria, is registered in the commercial register of the Commercial Court of Vienna under FN 481562 f and is building a decentralised protocol that allows transfer of assets between blockchains.

For users from certain countries or depending on the used services, other legal entities in the Monnay Group might be involved as service or content providers, such as:

• Germany: Monnay Asset Management GmbH: has its business address at Friedrich-Ebert-Anlage 36, 60325 Frankfurt am Main, Germany, is registered in the commercial register of the Commercial Court of Frankfurt am Main under HRB 121696 and is a service provider for the Monnay Group.
• Turkey: Monnay Teknoloji A.Ş.: has its business address at Esentepe Mahallesi Kir Gülü Sk. Metrocity is Merkezi D, Block Apt. No 4/4, Şişli, Istanbul, Turkey, is registered in the Trade Register of Istanbul under 243948-5 and is a service provider in regards to payment processing for the Monnay Group.

3. Minors:

Are minors allowed to use Monnay’s services?

No, the products and services of Monnay are not directed to people under the age of 18 years. Only persons of legal age are permitted to use the services of Monnay and register for an account. Therefore, we are not knowingly collecting personal data from minors. So, if you are under the age of 18 years, please do not use Monnay’s platform and do not provide us with any personal data.

4. Controller:

Who is responsible for the data processing and who can you contact?

Monnay is aware that both the protection and the careful handling of your personal data are very important. Monnay will solely use the Personal Data provided by you in compliance with the applicable data protection laws and this Privacy Notice.

Generally, each company of the Monnay Group is a Controller pursuant to Art 4 para 7 GDPR and therefore responsible for the processing of personal data in connection with the services provided by the specific company (for the different services see Point 2). In some cases, entities of Monnay might act as Processor pursuant to Art 4 para 8 GDPR on behalf of each other.

Due to the high data security standards in the Monnay Group, Monnay considers it necessary to implement a group-wide uniform data protection strategy. Thus, Monnay acts as a central point of contact for all data protection issues concerning all services offered by the Monnay Group via the platform or the Mobile App.

If you have any questions in connection with the processing of your personal data and the exercising of your rights under GDPR, you can contact our Data Protection Officer (DPO): [email protected] Please note that for certain requests, we require further identification data from you (e.g. Passport, ID card, etc), in order to ensure that your personal data is only shared with you.

Joint Controllers

If Monnay Group acts together with other parties as Joint Controller (e.g. processing data for jointly determined purposes within the Monnay Group), we provide those parties with personal data if applicable and based on at least one of the legal bases listed under Point 7. In case of a joint controllership, we transmit your personal data only based on a sufficient agreement with our partners (Art 26 GDPR). However, no sensitive payment data will be transmitted within the Monnay Group.

Monnay will only share your personal data with other third parties if a legal basis applies. This may be due to our contract with you, our legitimate interests, a legal obligation or your prior consent (withdrawable at any time).

5. Payment Initiation Services and Financial Services:

How is my personal data processed if I use payment initiation and financial services?

This Privacy Notice also sets out the more specific data protection information in regards to Monnay’s subsidiaries such as Monnay Payments GmbH (provides different payment services via the platform) and Monnay Financial Services GmbH (service provider for the reception and transmission of orders regarding digital securities in accordance with the Austrian Securities Supervision Act 2018 – Wertpapieraufsichtsgesetz 2018 or “WAG”).

When you use our payment initiation services, we will only process your personal data with your consent or due to a contractual obligation towards you and we will not request any data from you other than those necessary to provide this service. Furthermore, we won’t use, access or store any data for purposes other than for the performance of the payment initiation service as explicitly requested by you. All personal data which is necessary to provide the payment service (especially your security credentials) is not accessible by any other party other than Monnay Payments and only transmitted by us through safe and efficient channels. After the performance of the service Monnay Payments will not store your sensitive payment data.Monnay Payments offers the following services (hereinafter referred to as “payment services”):

• Payment Transfer Services: services for the execution of payment transactions, including the transfer of funds to a payment account with Monnay Payments or with another payment service provider (e.g. direct debit transactions, payment card transactions, credit transfer transactions).
• Money Remittance Services: services where funds are received from a payer, without any payment accounts being created (in the name of the payer or the payee), for the sole purpose of transferring a corresponding amount to a payee or to another payment service provider acting on behalf of the payee, or where such funds are received on behalf of and made available to the payee.
• Payment Initiation Services: a service to initiate a payment order at the request of the payment service User with respect to a payment account held at another payment service provider.
• E-Money Services: issuance and redemption of electronic money within the meanings of section 1 para 1 of the E-GeldG (“E-Money”) including the administration of the related e-money wallets.

When you use our financial services, we will only process your personal data with a valid legal basis (Art 6 GDPR) and we will not request any data from you other than those necessary to provide this service

Financial Services offers the following services (hereinafter referred to as “financial services”):

• Acceptance and Transmission of Orders: When accepting and transmitting orders, Financial Services brings the Users together with the Product Manufacturer or a trading platform insofar as it forwards the Users order for the execution of a certain transaction to the Product Manufacturer or a trading platform.

6. Data categories and sources:

Which personal data do we process and from which sources does the data originate?

We process the personal data that we receive from you within the scope of the business relationship and your usage of our Website or Mobile App (Platform) and payment services. Furthermore, we might process data we receive within the Monnay Group and data we have received from credit agencies, debtor directories, business analysis providers (e.g. Credit Information Services, Business and financial information companies, Security companies, etc..), and from publicly accessible sources (e.g.: commercial register, register of associations, land register, media, sanctions lists).

When using Monnay’s services or interacting with Monnay, the following personal data might be processed:

• Contact and general account creation data: when creating a new User account or communicating with Monnay, we might process for example: name, address, telephone number, email, date of birth, photo for the account, etc.;
• Verification data: when an account is verified, we might process for example: screenshots/photos of national identity documents (e.g.:passport, driving licence, ID card) and identification data from these documents, utility bill details for residence verification, data about status of politically exposed persons, video data from the video authentication process, biometric data for verification (see point 7), etc.;
• Financial data for facilitation of transactions: e.g.: bank details (IBAN, BIC), payment service provider information, payment details, transaction-ID, and other sensitive payment data. In addition, data relating to the placing of orders for financial instruments (number of units purchased, amount, time of acquisition/termination and similar) will be processed.
• Log data on the website: e.g.: IP-address, transaction data, deposit and withdrawal address, computer or mobile device information, frequency, time, operating system, browser type, device type, unique device identification number, identification cookies (e.g. for the Affiliate and Tell-a-Friend programme), optionally form data, crash reports, performance data, interactive chat (for Monnay Custody), third-party cookies, etc.;
• Mobile app data: e.g.:IP-address, transaction data, deposit and withdrawal address, mobile device information, frequency, time, operating system, browser type, device type, unique device identification number, optionally form data, crash reports, performance data and only with your explicit consent, data from: camera, microphone, storage, telephone (read SMS confirmation);
• Company details in case of business accounts and you use payment services we might process for example:commercial register reports, data of/or concerning beneficial owners, records or additional information on recent, past or planned business activities, other data necessary to determine/validate the structure, the beneficial ownership or any power of attorney of the company.
• Business onboarding data: e.g.:  KYC company data, ultimate beneficial ownership (UBO), legal entity type, PEP status of UBOs, Country of Incorporation, VAT and registration Number, Financial Statement Data, Shareholder data, Authorised individual data (which might include personal data of an individual such as name, ID number, ID type, issuing authority, email address, phone number).
• Details to and proof of funds, if necessary: e.g.: banking statements or any other details provided by banks or financial institutions, contracts of sales or contracts in general, or any other suitable data to prove or determine the origin of funds, if exceeding the daily/monthly or general limits on Monnay or upgrading to Monnay Club “High Limit Service or OTC Service”. In order to determine User’s purpose for using the above-mentioned services or trading volume additional information on recent, past or planned business or personal activities of business or private Users or other data to determine the User’s intentions, if necessary, can be processed, as requested by Monnay or provided by the User;
• Personal data provided by you in requests to our Support or other employee; if you contact our support, we might process for example: data provided in your request to the support team.
• Marketing data: if you visit our website or social media sites or during the usage of the Mobile App, we might process statistical and marketing data for example: number of visitors, frequency, clicks, time, places, target groups, data from cookies and similar technologies, consumer’s behaviour, interests and preferences, data about market research and target groups surveys, etc.; for social media see also point 11 and for cookies our Cookie Policy.
• Research data: if you, inter alia, participate in any discussion boards, panels, etc. provided by Monnay or take part in one of our research initiatives and provide data via forms (which you might receive separate information about if you voluntarily agree to participate);
• Photo, video and audio data from events or fairs or interviews: e.g.: photo, video and audio data.
• Recordings of telephone conversations and electronic communication: Pursuant to section 33 of the Austrian Securities Supervision Act (WAG), Financial Services is required to keep recordings of telephone calls and electronic communications at least in relation to transactions carried out in trading for its own account and the provision of services relating to the acceptance, transmission and execution of User orders. We will inform you of this in advance. It should be noted that orders are only accepted via the platform and not via telephone or email (does not apply to Monnay Wealth Customers).

  • For Monnay Wealth Users telephone calls and communications might be recorded with relation to execution of User orders given and accepted via a telephone call.

• Data concerning experience and investing which is derived from Cash Plus appropriateness test. In particular, knowledge and previous experience with investing including information on the nature of service, transactions and financial instruments with which the User is familiar; the nature, size and frequency of transactions using financial instruments carried out by the User, educational background and occupational or previous professional experience.
• Metadata in connection with purchase of the Steelcoin Asset. This data is not personal data and cannot be used to or lead to re-identifying a person, will be sent to Steelcoin for statistical purposes. Eg.:
  • Anonymised_user_id, transaction_id, timestamp, order status, cryptocoin_name (Steelcoin), type of transaction, transaction amount in quantity, asset price, transaction amount in EUR.

• Further User identification information in the sense of the Austrian Financial Market Anti-Money Laundering Act (“FM-GwG”) is also obtained during the initial registration process.The following pieces of information might be processed to tailor future conversations to the user:

  • Users financial Goals

  • Users risk tolerance

  • Specific assets or markets of users interest

  • Any particular investment strategy or preferences

  • Other financial or investment information provided by the user

• Data provided by you in connection with the voluntary use of Coach: AI based Coach uses a Large Language Model, in particular, ChatGPT to formulate and provide dynamic answers. Users shall refrain from sharing any sensitive and personal data while using the provided feature. The data provided might be processed in the United States. The following pieces of information might be processed to tailor future conversations to the user:

  • Users financial Goals

  • Users risk tolerance

  • Specific assets or markets of users interest

  • Any particular investment strategy or preferences

  • Other financial or investment information provided by the user

    • Data collected in connection with participating in the Fusion Incentive

    • Such as proof of VIP status, full name, email associated with Monnay account and current VIP status on the eligible exchange

For Users of Monnay Custody only, we want to point out the following specifics:

• The data processed will be stored for a five year period according to the 5th Anti-Money-Laundering Directive (AMLD5).

• The following specific data categories are collected:

  • Blockchain data: your private blockchain key that will be managed and used to verify and carry out transactions you make online through the App/site;

  • Background check data: might also include credit checks.

7. Purpose and legal basis for using personal data:

For which purposes and on what legal basis do we process your personal data?

All processing is performed in accordance with applicable data protection legislation. This includes, inter alia, the EU General Data Protection Regulation (GDPR), the E-Privacy Directive and the national implementing acts (e.g. the Austrian Data Protection Act). Generally, we process your personal data based on one of the legal bases listed below.

If we ask you to provide any personal data not described in point 7, then such data and the purpose and legal basis for the collection and processing, will be communicated to the User at the point of collecting the personal data.

If we ask you to provide any personal data not described in point 7, then such data and the purpose and legal basis for the collection and processing, will be communicated to the Client at the point of collecting the personal data.

Additionally we adhere to international standards that help trace and combat illicit activities in the financial sphere, such as those set by the Financial Action Task Force (FATF). We process your personal data

7.1. For the performance of contractual obligations (Art 6 para 1 lit b GDPR):

Processing of personal data might be necessary for the performance of the contract with you or in order to take steps at your request prior to entering into a contract. The following data processing operations, for example, are covered by such contractual obligations:

• general performance of our services, all tasks necessary for the operation, performance and administration of Monnay and its platform;
• video authentication process if you register for an account (validation of identity);
• account management (e.g. continuous updating of User data);
• execution of your orders (e.g. payment processing, chargebacks, proof of purchase and selling);
• data processing and data transmission to precious metals vendors for the transferral of ownership of precious metals to you in accordance with your order;
• Users service and support request; (e.g. contacting because of complications, Zendesk)
• performance of the Affiliate programme and the Tell-a-Friend programme;
• application processing and data transmission for the Monnay Debit Card (see point 9.4.).

• analysis and improvement of the platform’s quality and the general User experience (e.g. performance tracking on the platform);

• recording of telephone conversations for execution of user orders for Monnay Wealth;

• to enable participation in the Fusion incentive program.

7.2. For compliance with legal obligations (Art 6 para 1 lit c GDPR):

Processing of personal data might also be necessary for complying with various legal obligations (e.g. 5. AMLD, ZaDiG 2018, GewO 1994, FATF Travel Rule etc.). The following data processing operations, for example, are covered by such legal obligations:

• contract management, accounting and invoicing;
• compliance and risk management;
• Know-Your-Customer measures like video authentication process (validation of identity) and proof of funds;
• monitoring for prevention of fraud, misuse (e.g. for illegal purposes), money laundering and terrorist financing;
• providing information to fiscal criminal authorities in the context of fiscal criminal proceedings or to prosecution in accordance with official orders;
• consultation of credit agencies to determine creditworthiness and default risks.
• appropriateness test.
• transaction information; such as sender’s name, account number, location information, recipient’s name and account number in order to prevent money laundering and terrorist financing within the means of complying with FATF Travel Rule
• recordings of telephone conversations and electronic communication.
• appropriateness test.

7.3. To protect legitimate interests (Art 6 para 1 lit f GDPR):

Where necessary, data processing might take place beyond the performance of the contract in order to maintain the legitimate interests of Monnay or a third party. The following data processing operations are covered by such a legitimate interest:

• prevention of fraud, misuse (e.g. for illegal purposes), money laundering and terrorist financing;

• processing inquiries from authorities, lawyers, collection agencies in the course of legal prosecution and enforcement of legal claims in the context of legal proceedings;

• risk management and risk minimisation e.g. through enquiries to credit agencies, debtor directories or providers of business analysis;

• data transmission within the Monnay Group for internal administrative purposes;

• account management and handling general User requests and inquiries;

• testing and optimisation of procedures and models for analysing requirements, business management, product development and direct User engagement;

• process and quality management measures;

• analysis and improvement of the platform’s quality and the general User experience (e.g. performance tracking on the platform);

• market research, business management and continuing development of services and products;

• processing statistical data, performance data and market research data via the website, the Mobile App or social media platforms;

• direct marketing and advertising (e.g. performance of marketing strategies, targeting of Users, dispatch of vouchers, advertisement from Monnay and its partner companies);

• use of audio, video and photo data from public spaces (e.g. public events, fairs, etc.) for marketing and other representation purposes on our social media channels or our website;

• performance tracking of the Affiliate programme and the Tell-a-Friend programme;

• processing User preferences (e.g. language, region) via cookies on our website (see also our Cookie Policy;

• identification and examination of potentially defective or suspicious business cases and accesses to our websites (e.g. website analysis);

• Payment services (e.g. transfers from your Monnay Account to another Monnay Account or a third party, initiating payment initiation services at a third party, etc.)

• measures for protecting our Users and Partners, as well as safeguarding network and information security; also measures to protect our employees, Users and property of Monnay e.g. through video surveillance (erasing cycle 72 h) and from external data centres and service providers;

• data security and IT-security on our website and safeguarding our network (e.g. prevention of identity theft and defective or suspicious accesses to our websites).

• Processing data for appropriateness test (Cash Plus).

• Recording of telephone conversations for execution of user orders for Monnay Wealth.

• For customer support communications an AI based chatbot might be processing customer requests.

• Usage of AI based Coach Investor memory: the investor memory stores and processes user activity and information shared with it, on the basis of the ChatGPT AI model.

7.4. Based on your consent (Art 6 para 1 lit a GDPR):

If you have given us your consent to process your personal data, processing will only take place in accordance with the defined purposes and to the extent agreed in the declaration of consent. Given consent may be withdrawn at any time without giving reasons and with future effect, if you no longer agree to the processing. For example, with your consent we are processing data for the following purposes:

• for the use of all functions of the Mobile App (e.g. telephone permission to read SMS confirmation, camera to scan barcodes, microphone for commands, etc.);
• direct marketing and advertising (e.g. User satisfaction surveys, newsletters, sweepstakes and other advertising communications);
• website analysis and tracking for advertising purposes (see also our Cookie Policy);
• certain uses of audio, video and photo data (e.g. commercials, interviews, etc.) for marketing and other representational purposes via various channels;
• auto-ident procedures for verifying your account (validation of identity) (see point 8).

Please note that the withdrawal of the consent does not affect the lawfulness of processing based on consent before its withdrawal.

7.5. Processing for other purposes: 

As a general principle of Monnay, we only process personal data for the purposes for which they were collected. In exceptional cases, however, we might process your personal data which we have collected for one specific purpose for another purpose. In this case, we will inform you before the intended processing about this purpose, the period for which your personal data will be stored, the exercise of data subject rights, the option to withdraw consent, the existence of the right to file a complaint with the data protection authority, whether provision of the data was necessary on legal or contractual grounds and what the consequences would be if it were not provided, and whether automated decision-making or profiling is carried out.

8. Special categories of personal data:

Does Monnay process special categories of personal data?

This term stems from Art 9 GDPR and includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic and biometric data (Art 9 para 1 GDPR). In general, Monnay does not process such categories of personal data, with twofold exceptions being for the purposes of identity verification, and fraud prevention as per Art 9 para 2 lit g GDPR and §21 (6) FmGwG the Financial Market Money Laundering Act (FmGwG) respectively.

During your onboarding you may be asked to complete identity verification via auto-ident procedures in which, in addition to the actual verification data (e.g. screenshots of ID documents and identification data from these, residence, status of politically exposed persons, video data, etc.), biometric data (e.g. personal data resulting from specific technical processing in connection with the physical, physiological or behavioural characteristics of a person and enabling the unique identification of a person, e.g. facial images, dactyloscopic data) is also collected. Such processing of biometric data takes place on the basis of your express consent, which you may revoke at any time, and on the basis of substantial public interest as outlined in Art 9 GDPR. Therefore, we also process and store the provided biometrical data on the grounds of public interest for the purposes of fraud prevention (§21 (6) FmGwG).

The biometric data will be processed solely by our service providers and will be erased completely within 3 years after performing the identification. Monnay only receives the positive or negative verification result alongside other verification data and does not process biometric data from Users itself at any time.

9. Recipients of personal data:

Who receives your personal data?

The protection and confidentiality of your personal data is important to Monnay Group. Therefore, we transfer your personal data only to the extent described below or within the scope of an instruction at the time the data is collected from you. In addition, personal data that we collect concerning you will neither be sold by us nor otherwise disclosed to third parties and in  general limited to the recipients in the following four groups:

9.1. Data transfer within the Monnay Group:

Within the Monnay Group, your personal data will be shared between companies: if there is a legal basis as described above. This happens for internal administrative purposes to conduct internal administrative activities efficiently. Our employees treat your data with the highest security standards and also only have access on a need-to-know basis. In all these cases only those offices or employees will receive your personal data who need it to fulfil the contractual and legal obligations and legitimate interests.

If a company acts as a service provider for Monnay Payments or Financial Services, we contractually oblige this company to ensure the confidentiality and security of your personal data that they process on our behalf.

9.2. Data transfer to Processors 

To a limited extent, we also transmit personal information to Processors. Such include, inter alia, service providers for video authentication services, IT services, User support, improvement of our website, monitoring of defective business cases, application management. Processors may only use or disclose this data to the extent necessary to perform services for us or to comply with legal requirements. We contractually oblige these Processors to ensure the confidentiality and security of your personal data that they process on our behalf.

9.3. Data transfer to public bodies and institutions:

We might also transfer your personal data might be disclosed to public bodies and institutions (i) if we are required to do so by law or in the context of legal proceedings, (ii) if we believe that disclosure is necessary to prevent damages or financial loss, or (iii) in connection with an investigation into suspected or actual fraudulent or illegal activities.

9.4. Data transfer to other third parties:

Monnay will only share your personal data with other third parties if a legal basis applies. This may be due to our contract with you, our legitimate interests, a legal obligation or your prior consent (withdrawable at any time).

We want to especially highlight othertypes of third parties that we might have to share data with:

• Card Provider: if you use the Monnay debit card, we will send your personal data as required to our partner Contis. Your personal data might be processed (this may include verification data, contact data and financial data) to issue the Monnay debit card;

  • Monnay-Technology-Solution Partner: if you are a Monnay User via one of our Monnay-Technology-Solution Partners (please see point 8), we might share personal data with them. Please see their respective Privacy Policies as linked below;

  • Payment gateway provider: if you are a Monnay Custody User, payments made on the website or via the App are made through such entrusted third party. Such partner will not share your payment card details with Monnay and processing is subject to their own privacy policy and terms and conditions;

  • Content managing system: the Monnay Custody website is hosted in Hubspot who has their own Cookie Policy.

  • Virtual Asset Service Providers (VASPs) involved in any monetary transactions.

  • Bank Ident Verification Provider Solaris: We might process your data in connection with bank identity verification processes. For more information please see Solaris Privacy Policy.

  • OpenAI: In connection with the use of the Coach feature, the data collected during the usage of the feature will be processed by ChatGPT.

    • Talos Advanced Trading Services: Monnay might transfer data to our White Label Parties such as Talos, aimed at specific subset of users with experienced trading knowledge. To enable Talos to provide advanced trading experience and the services thereof, users agree for the purposes of fulfillment of contractual obligations, to give Talos (and its licensors) access to user materials through the delivery mechanism agreed upon by the parties, in accordance with Talos’ technical specifications. During the term, Talos (and its licensors) are granted a limited, non-sublicensable license to  use, extract, reformat, manipulate, analyze, summarize, and otherwise derive information from the users solely as necessary and proportionate to provide the Services to user and operate, maintain, and improve the Services.

    • In this case, user material relates to all information, data content and other materials in any form or medium submitted, posted, collected, transmitted or otherwise provided by or on behalf of the user, through the services or to Talos in connection with users’ use of the services. User materials include trading instructions and liquidity provider credentials.

    • Steelcoin Asset Provider: The above mentioned data pieces are transmitted to and processed by Steelcoin for statistical purposes. The data in question does not concern personal data, rather accumulated and anonymised metadata that can not lead to re-identifying a person.

• Other third parties: Monnay Group might transfer your personal data to any other person with your consent to the disclosure or the purpose of performing a contract or in order to take steps at the request of the data subject prior to entering into a contract, especially for the performance of payment services to credit institutions and other payment service providers as well as in regard of Monnay and/or Monnay Metals GmbH, as far as the disclosure is necessary for the performance of transactions of cryptocurrencies, digital assets or the purchase and sale of precious metals.
  • Financial Services may disclose your personal data to other third parties with your consent to disclosure or for the purpose of fulfilling the contract or at the Customer’s request even before the contract is concluded. Any such transfer of data shall take place in particular for the processing of financial services with regard to banks or other payment service providers, as well as with regard to the Monnay, provided that said disclosure is necessary for the implementation of orders.

10. International data transfer:

Is data transferred to third countries or international organisations?

Monnay will process your personal data in general within the European Economic Area. In some circumstances it might be the case that it is processed also outside the European Economic Area. If this is the case, we will rely on appropriate data transfer mechanisms according to Art 44 et seq GDPR. This might be, inter alia:

• an adequacy decision by the European Commission (Eg.: EU-US Privacy Framework);
• standard contractual clauses as published by the European Commission;
• binding corporate rules;

Regardless of where your personal data is processed, it will be processed in accordance with the provisions in the Privacy Notice, including the technical and organisational measures outlined in point 17.

11. Data Security:

How is my personal data protected?

The security of data is very important to Monnay and we are committed to protecting data we collect. We maintain comprehensive administrative, technical and physical measures designed to protect your personal data against accidental, unlawful or unauthorised destruction, loss, alteration, access, disclosure or use. These measures meet the highest international safety standards and are regularly reviewed regarding their effectiveness and suitability for achieving the intended safety objectives.

We have implemented the following technical and organisational measures for example:

• SSL encryption on our websites from which we transfer personal data;
• two-factor authentication (2FA) for our platform;
• ensuring the confidentiality, integrity, availability and resilience of our systems and services;
• use of encrypted systems;
• pseudonymisation and anonymisation of personal data;
• entry, access and transfer control for our offices and systems;
• measures for rapid recoverability of the availability of personal data in the event of a physical or technical incident;
• measures for privacy by design and default on our platform like e.g. prevention of User enumeration;
• implementation of procedures for regular review, assessment and evaluation of the effectiveness of the technical and organisational measure to ensure the security of the processing like e.g. our bug bounty programme;
• internal IT security guidelines and IT security trainings;
• incident-response management.
• Obtained ISO/IEC 27001 security certification

Please also make sure that you use the two-factor authentication (2FA) for your Monnay account, keep your access data confidential and protect your computer against unauthorised access.

12. Updates of this Privacy Notice:

How will I find out about changes to this Privacy Policy?

We, Monnay, are committed to upholding the principles of data protection up to date. For this reason, we regularly review and update our Privacy Notice. This is to ensure that it is correctly and clearly displayed on our website, contains appropriate information about your rights and our processing activities (also with regard to technical changes or business development) and is implemented in accordance with applicable law, thus complying with data protection requirements. We update this Privacy Notice from time to time when required, in order to take current circumstances into account. If we make significant changes to this Privacy Notice, we will notify you after the login into your account and provide you with the updated version of the Privacy Notice. If it is required by applicable law, Monnay will obtain your express consent to significant changes.

13. How to contact us?

Thank you for reading our Privacy Notice!

If you have any further questions about this Privacy Notice or the processing of your personal data, please contact our Data Protection Officer: [email protected].