Customer data protection policy (businesses and end users)

The controller of your personal data is MONEI DIGITAL PAYMENTS S.L. (hereinafter, "MONEI"), with registered office at Calle Palestina, 1, Entreplanta, 29007, Málaga.

MONEI has appointed a Data Protection Officer in charge of supervising compliance with data protection matters, whose contact details are: support@monei.com and whom you can contact if you have any questions or complaints on the matter.

• In the case of a company (Business): Country, Legal form, Tax identification number (NIF) (there is direct integration with the commercial register, which checks it automatically), Business name, Business category, Business description, Website, Company address, Business email, Company phone number, Corporate bank account information (the client can connect their corporate bank account via Open Banking or attach the bank ownership certificate for a corporate IBAN).
• Legal representative (or agent) details: Name and surname, identification document (DNI, NIE, Passport) and video selfie, including biometric data, Country of tax residence, Personal address, Email and telephone number, digital signature.
• For self-employed workers: Country, Tax Identification Number (NIF), Census status certificate details (direct integration is available), Legal business name, Business category, Business description, Website, Company address, Business email, Company phone number, Corporate bank account information (the client can connect their corporate bank account via Open Banking or attach the bank ownership certificate for a corporate IBAN), digital signature.

MONEI may obtain such data: (i) directly provided by the customer when contacting MONEI, through their MONEI profile or collected during the contractual relationship, (ii) through public records (Commercial Registry, Tax Agency) or other information sources such as social media or internet, (iii) from third-party databases for anti-money laundering and terrorist financing prevention and fraud prevention, and (iv) data obtained from browsing.

Identification data, data referring to your professional activity, as well as all contact data whose mandatory nature is expressly established and any others that may be required by applicable regulations are mandatory, and refusal to provide them will make it impossible to enter into the contract.

The obtained data will be used and processed for:

• Register you as a MONEI customer and maintain, develop and control the contractual relationship with the Business.
• Management of billing, payment disbursement and debit charges.

Comply with legal obligations derived from payment services regulations and anti-money laundering and terrorist financing regulations and any other applicable regulations.

For these purposes and in accordance with the regulations and customer identification requirements imposed by Card Systems, MONEI will be obliged to carry out formal and real, professional or business identification of customers. In this sense, biometric verification of the identity of natural persons (Business representative or self-employed worker) is carried out through video-selfie or through qualified electronic signature.

• Fraud prevention activities including communication of personal data to centralized information systems. This processing is based on MONEI's legitimate interest in preventing fraudulent activities.
• Sending commercial communications via email. The customer can oppose this processing at the time of data collection by checking the corresponding box, as well as by sending a communication to support@monei.com at any time. This processing is based on MONEI's legitimate interest in sending you information about MONEI's activity that may be of interest to you.
• Risk analysis. The merchant category will be evaluated using scoring assessment models, including through automated processing, taking into account, among other aspects, the business description and legal address. This processing is based on MONEI's legitimate interest in preventing breaches as well as economic and reputational damage. You can find more details about the logic applied in the Annex I

If you want to obtain more information about the legitimate interest weighting tests carried out by MONEI, contact us through support@monei.com.

Personal data accessed will be processed while the contractual relationship is maintained and, subsequently, will be kept, duly blocked, during the limitation period for actions that may arise from said contractual relationship. In any case, MONEI will retain the information that the Anti-Money Laundering and Terrorist Financing regulations require to obtain for a period of 10 years from the termination of the business relationship or the execution of the operation.

MONEI may communicate personal data to:

• Competent regulatory and administrative authorities (including SEPBLAC, Tax Agency, State Security Forces and Bodies).
• In order to prevent fraudulent conduct, personal data may be sent to centralized information systems.
• Likewise, MONEI has third-party service providers who may access personal data due to the provision of their services, such as auditors, consulting services, advisors, IT maintenance, technology platforms, potential buyers or investors, administrative services and document destruction, among others. MONEI pre-selects these providers based on data protection compliance criteria, has signed contracts with all of them in this matter and controls that they comply with their obligations in this matter.

No international transfers of personal data are made.

Transaction and end customer data: email, name, business name, NIF, browsing data (IP address, device type, country code, language).

Also, only if you contact MONEI's support service, email address will be requested, and all information you provide in your request and the checks we carry out to attend to it will be processed.

The data comes from: (i) automatic reading of the card that serves as payment instrument and data entered by the merchant in the payment system, and (ii) from the support request message.

The required data is mandatory and refusal to provide it will make it impossible to provide the payment service.

The data subject to processing will be applied to attend to the payment service initiated by the merchant/user through their card, to attend to user doubts and claims related to the payment.

The data will be applied to attend to legal responsibilities.

After 18 months from each payment operation, personal data will be kept duly blocked, available to the authorities, for a period of ten years, from the termination of the business relationship or the execution of the operation, as established by the Anti-Money Laundering and Terrorist Financing regulations.

Communication of personal data: MONEI may communicate personal data to:

• Merchants within the framework of providing acquiring services.
• Competent regulatory and administrative authorities (including Bank of Spain, SEPBLAC, Tax Agency, State Security Forces and Bodies).
• Likewise, MONEI has third-party service providers who may access personal data due to the provision of their services, such as auditors, consulting services, advisors, IT maintenance, technology platforms, potential buyers or investors, administrative services and document destruction, among others. MONEI pre-selects these providers based on data protection compliance criteria, has signed contracts with all of them in this matter and controls that they comply with their obligations in this matter.

No international transfers of personal data are made.

Data subjects may exercise the following data protection rights by postal mail to Calle Palestina, 1, Entreplanta, 29007, Málaga, Spain or by email to support@monei.com, proving their identity:

• access: you can obtain information related to the processing of your personal data and a copy of such personal data.
• rectification: if you consider your personal data is inaccurate or incomplete, you can request that such data be modified accordingly.
• erasure: you can request the deletion of your personal data, to the extent permitted by Law.
• restriction: you can request the restriction of processing of your personal data.
• objection: you can object to the processing of your personal data, for reasons related to your particular situation.
• data portability: when legally applicable, you have the right to have the personal data you have provided to us returned or, when technically possible, transferred to a third party.
• not to be subject to automated individual decisions: aims to ensure that you are not subject to a decision based solely on the processing of your data, including profiling, which produces legal effects concerning you or similarly significantly affects you.

Likewise, they may submit a complaint to MONEI's Data Protection Officer at the indicated addresses or to the control authority in the matter, Spanish Data Protection Agency (AEPD), whose contact details are offered through the website aepd.es.