Preamble
This Privacy Policy (hereinafter the "Policy") aims to inform the Merchant about how MONNIZ GROUP, a public limited company with a capital of 30,000,000 XOF, registered with the Cotonou RCCM under number RB/COT/25 B 41103, whose registered office is located at Carrefour Jéricho, Cotonou, Republic of Benin (hereinafter "Monniz", "we" or "our"), collects, uses, shares and protects its personal data as well as that of its end Customers in the context of the use of the Monniz Business platform (web business.monniz.com, iOS/Android mobile applications, API, and any related service).
This Policy is drafted in accordance with Beninese law n°2017-20 of April 20, 2018, on the Digital Code in the Republic of Benin and, where applicable, to equivalent legislations of the Covered Countries.
It is an integral part of the General Terms of Use. By using the Service, the Merchant acknowledges having read and accepted this Policy. The Merchant is responsible for informing their team and end Customers about the processing of their data by Monniz.
Essential reminder. Monniz is a technology platform. Funds are held by licensed financial Partners (Mobile Money operators, card issuers, payment service providers). A portion of the data processed in the context of the Service is shared with these Partners to enable the execution of operations.
1. Definitions
Application: the Monniz Business mobile applications and the website business.monniz.com.
End customer: any natural or legal person who purchases a good or service, or makes a reservation, from the Merchant via the Service.
Business Account: the unique technical interface assigned to a Merchant.
Personal data or Personal Information: any information relating to an identified or identifiable natural person, in accordance with law 2017-20.
Merchant: any natural or legal person who has created a Business Account.
Partner or Financial Partner: any approved third-party provider that holds the funds of Merchants and/or executes financial operations.
Technical provider: any IT service provider (hosting, communication, analytics, anti-fraud, notification) that processes data on behalf of Monniz.
Data controller: Monniz Group, which determines the purposes and means of the processing described in this Policy. For the data of its end Customers, the Merchant is jointly responsible for processing.
Subcontractor: any entity that processes data on behalf of the Data Controller, in accordance with documented instructions.
2. Personal data we collect
We only collect data necessary for providing the Service and complying with our legal obligations.
2.1 Merchant data, identification. First name, last name, date and place of birth, nationality, phone number, email, country of residence, postal address, profile picture (optional).
2.2 KYC data of the executive. Official ID (front and back scan), ID number and expiration date, selfie or video for facial comparison (sensitive biometric data), proof of residence depending on the level, proof of income or source of funds on request.
2.3 KYB data of the business. Business name, legal form, commercial register (RCCM or equivalent), tax ID (NINEA, IFU, NIF), sectoral authorizations (health authorization, license, approval), beneficial owners (name, % ownership, ID), headquarters address, business sector (Vertical), logo and visual identity.
2.4 Financial and transactional data of the Merchant. Mobile Money phone numbers used for withdrawals, reference bank account (RIB or IBAN), virtual USD card number (masked on Monniz side, managed by our card issuer partner), crypto wallet addresses used, transaction history (date, time, amount, currency, counterparty, status), subscription deduction history and their attempts.
2.5 Technical data. IP address, device identifiers, model, operating system, application version, device fingerprint for anti-fraud purposes, connection logs, approximate geolocation (based on IP), authentication tokens, push notification tokens.
2.6 Behavioral data of the Merchant. Pages viewed, session duration, features used, events (catalog creation, first payment received, etc.), responses to marketing campaigns.
2.7 Support data. Content exchanged with customer service (email, chat, form), phone recordings (with prior information).
2.8 Data of the Merchant's end Customers. When an end Customer purchases on the public Shop, books an appointment or creates a customer account, we collect as a processor of the Merchant: first name, last name, email, phone, delivery addresses, history of orders/bookings/downloads, abandoned cart content (if applicable), responses to Merchant campaigns (abandoned cart reminders, review requests), responses to contact forms or quote requests. The Merchant remains the primary data controller for this data; Monniz acts as a processor in accordance with articles 32 et seq. of law 2017-20.
2.9 Data of the Merchant's team members. First name, last name, email, phone, role/permissions, last login, active sessions.
2.10 Data provided about third parties. When the Merchant creates a contact (Transfer Beneficiary, invoice client), they provide us with data regarding this third party (name, phone, address, etc.). We process this data only to execute the operation and comply with our AML-CFT obligations. The Merchant agrees to inform these third parties of the transmission of their data via Monniz and its Partners.
3. Why we collect this data and on what legal basis
3.1 Creation and management of the Business Account (identification, contact), legal basis: contract execution.
3.2 KYC verification of the executive and KYB of the business (KYC data, biometrics, KYB), legal basis: legal AML-CFT obligation and BCEAO + explicit consent for biometrics.
3.3 Execution of operations (collection, withdrawal, transfer, card, crypto conversion, subscription), legal basis: contract execution.
3.4 Fight against fraud, money laundering, and terrorist financing, legal basis: legal obligation + legitimate interest.
3.5 Account security (anti-takeover, intrusion detection, 2FA), legal basis: legitimate interest.
3.6 Notifications related to operations (in-app, email, WhatsApp to merchants), legal basis: contract execution.
3.7 Notifications to the Merchant's end Customers (order confirmation emails, booking, delivery, ticket, invoice, quote, abandoned cart reminder, request for feedback), legal basis: execution of the contract between the Merchant and their end Customer, of which Monniz is a subcontractor.
3.8 Marketing communications and product updates intended for the Merchant, legal basis: revocable consent at any time.
3.9 Internal statistics and Service improvement, legal basis: legitimate interest (aggregated and pseudonymized data).
3.10 Response to customer support, legal basis: contract execution + legitimate interest.
3.11 Response to requests from authorities, legal basis: legal obligation.
3.12 Reorganization, merger, transfer, legal basis: legitimate interest.
The Merchant can refuse or withdraw their consent to processing based on consent (notably marketing) at any time, without affecting the provision of the core Service. However, withdrawing consent for the collection of KYC or KYB data will prevent the use of certain features (withdrawals, cards, transfers beyond thresholds).
4. With whom we share your data
We share personal data only with recipients necessary for the execution of the Service or to comply with our legal obligations.
4.1 Financial partners. To execute operations, we transmit to our Partners (our payment processor for Mobile Money payins/payouts and card, our virtual USD card issuer partner, live Mobile Money operators, crypto processors, etc.) the strictly necessary data: identification, amounts, Beneficiary contact details, ID number, etc. Each Partner applies its own privacy policy and is responsible for processing on its side.
4.2 Identity verification providers. KYC data (ID, biometrics) and KYB (commercial register, tax ID) are processed by specialized partners, contractually bound to strict security and confidentiality obligations.
4.3 Technical providers. our transactional and marketing email provider, Meta WhatsApp Business Cloud API (merchant notifications only), our hosting provider, cloud infrastructure provider, error monitoring service, anonymized analytics providers. All our technical providers are bound by subcontracting agreements imposing security, confidentiality, and non-reuse guarantees.
4.4 End Customers of the Merchant. When the Merchant publishes their public Store and accepts orders, some of their business data (trade name, logo, store address, hours, contact, specific legal notices) become publicly visible. The Merchant is responsible for the confidentiality of this information.
4.5 Authorities and trusted third parties. We transmit data to competent public authorities when required by law, in particular: CENTIF (National Financial Information Processing Unit) of Benin and equivalent authorities in other Covered Countries, in the context of AML/CFT obligations; judicial authorities, upon requisition or court decision; tax authorities, in the context of their prerogatives; financial services regulators (BCEAO, market authorities).
4.6 Acquirers in case of reorganization. In the event of a merger, acquisition, business transfer, restructuring, or collective proceedings, data may be transmitted to the acquirer or assignee. The Merchant will be informed in advance whenever possible.
4.7 No data sale. Monniz does not sell or rent personal data to third parties for commercial purposes.
5. International data transfers
Certain data may be transferred and stored outside the ECOWAS / UEMOA area, particularly when: our infrastructure or analytics providers are located abroad (email providers in France, hosting providers in Lithuania, Meta WhatsApp in Ireland/USA, etc.); the operation initiated by the Merchant involves a counterparty or Partner located abroad; a competent foreign authority requests information from us within a legal framework.
In this case, Monniz commits to implementing appropriate safeguards: standard contractual clauses, recognized security certifications (ISO 27001, SOC 2), or any other mechanism compliant with law 2017-20 and international best practices. The Merchant acknowledges and consents to these transfers by using the Service.
6. Retention periods
We retain data for as long as necessary for the intended purpose, in compliance with legal obligations.
KYC data (identity document, biometrics, supporting documents) and KYB (commercial register, beneficial owners): 10 years after the closure of the Business Account (LCB-FT obligation and accounting retention).
Transactional data (transaction history, subscription deductions, issued invoices): 10 years after the last transaction (accounting and tax obligations).
Identification and contact data of the Merchant: duration of the Business Account + 1 year.
Data of the Merchant's end Customers (orders, store customer accounts, abandoned cart content, quote requests, reservations): duration of the Merchant's Business Account activity + 1 year, unless a deletion request is made by the end Customer or the Merchant within the limits of accounting obligations.
Technical logs (connection, IP, device): 12 rolling months.
Customer support data: 3 years after the last exchange.
Cookies and trackers: in accordance with the Cookie Policy.
Marketing data (with consent): until consent is withdrawn, and at most 3 years after the last effective contact.
Telephone communication recordings: 6 months (unless in dispute or ongoing investigation).
Data in the context of a judicial procedure: until the end of the applicable statute of limitations.
At the end of these periods, the data is deleted or archived securely and anonymized.
7. Data security
We implement appropriate technical and organizational measures to protect data against loss, alteration, unauthorized disclosure or unauthorized access: encryption of sensitive data at rest (AES-256) and in transit (TLS 1.3); secure storage of secrets (encrypted vaults, cloud provider secret management); PCI DSS compliance for card data (complete numbers never stored on Monniz side, managed by our card issuer and payment processor partners); strong authentication (password + 6-digit PIN + TOTP 2FA + active sessions); device verification and new-login alerts; internal access partitioning following the principle of least privilege; logging of access and critical operations; segregation of funds into dedicated bank accounts at financial Partners, separate from Monniz's operational accounts; regular security audits, internal and by independent third parties; continuity and disaster recovery plan in case of incident.
No device is infallible. The Merchant remains responsible for the confidentiality of their identifiers in accordance with Article 7 of the Terms of Use.
8. Procedure in case of data breach
In the event of a personal data breach that could pose a risk to the rights and freedoms of Merchants or their end Customers, Monniz commits to:
Notify the Personal Data Protection Authority (APDP) of Benin as soon as possible and no later than 72 hours after becoming aware.
Inform the concerned Merchants without undue delay, by email to the address associated with the Account and by notification in the App, when the breach is likely to result in a high risk to their rights and freedoms.
Cooperate with the Merchant to inform their own end Customers if necessary.
Take all necessary measures to limit the consequences of the breach and prevent its recurrence.
9. Your rights
In accordance with law 2017-20, the Merchant and their end Customers have the following rights regarding their personal data.
9.1 Right of access. Obtain confirmation that data is being processed, and receive a copy.
9.2 Right of rectification. Request the correction or update of inaccurate or incomplete data.
9.3 Right to erasure (right to be forgotten). Request the deletion of data, subject to legal retention obligations (notably KYC, KYB, and transactional: 10 years).
9.4 Right to restriction. Request the temporary suspension of processing, for example in case of dispute regarding the accuracy of the data.
9.5 Right to object. Object, for reasons related to their particular situation, to processing based on legitimate interest. The possibility to object at any time to processing for commercial prospecting purposes, without justification.
9.6 Right to data portability. Receive data in a structured, commonly used, and machine-readable format (CSV, JSON), and transmit it to another data controller.
9.7 Right to withdraw consent. Withdraw consent to processing that depends on it at any time, without affecting the lawfulness of prior processing.
9.8 Right to set post-mortem directives (natural persons).
9.9 Right to complain. File a complaint with the Personal Data Protection Authority (APDP) of Benin or the competent supervisory authority in the country of residence.
9.10 How to exercise these rights. Send an email to [email protected], or contact Monniz via the App settings. We will respond to the request within one (1) month of receipt. This period may be extended to three (3) months in case of complex requests; the requester will be informed of the reasons and expected duration. To process the request, we may need to verify the identity of the requester to prevent impersonation.
9.11 Rights of the Merchant's end Customers. End Customers wishing to exercise their rights should primarily contact the Merchant from whom they made their purchases (main data controller). The Merchant can access the list of their end Customers from their dashboard and initiate deletion operations in accordance with the law. Monniz, as a subcontractor, will assist the Merchant in responding to requests from end Customers.
10. Cookies and trackers
The site business.monniz.com and the App use cookies and similar technologies (device identifiers, pixels, SDK). The usage terms, retention periods, and how to configure them are detailed in the Cookie Policy, which complements this Policy.
When the Merchant configures marketing pixels on their public Store (Facebook Pixel, Google Tag Manager, TikTok Pixel), they are responsible for obtaining consent from their end Customers and displaying a compliant cookie banner.
11. Data of minors
The Service is strictly reserved for individuals aged 18 years or older, or for legal entities represented by an adult manager. We do not knowingly collect data concerning minors.
If we discover that a Business Account has been created by a minor, or that data concerning a minor is processed without the consent of the legal representative, we will promptly close the Account and delete the data, subject to legal retention obligations.
The Merchant is responsible for the compliance of its own public Store regarding the minimum age of its end Customers according to its activity (sale of alcohol, betting, etc.).
12. Automated decisions and profiling
Certain operations of the Service rely on automated decisions:
KYC identity verification (automatic facial comparison with the ID).
KYB business scoring (automatic verification of the commercial register and compliance with sanctions).
Fraud scoring on transactions, which may trigger additional checks or a temporary block.
Dynamic limits based on the Merchant's risk profile.
Detection of abandoned carts and automatic triggering of email follow-up H+24h.
Automatic suspension of the Business Account after three (3) failed subscription payment attempts (Article 6 of the Terms and Conditions).
These decisions never produce a definitive legal effect without the possibility of human intervention: the Merchant can always request a manual review by contacting support at [email protected].
13. Links to third-party sites
The Service may contain links to third-party sites or applications that we do not control (financial Partner sites, end Customer sites, etc.). We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing them with data.
14. Modifications to this Policy
We may modify this Policy to reflect legislative, technical, or commercial developments. Any substantial modification will be notified by email to the address associated with the Business Account, by notification in the Application, and by publication on business.monniz.com. The applicable version is always the one available on business.monniz.com/legal/confidentialite. The date of the last update is indicated at the bottom of the Policy.
15. Contact
15.1 Data Protection Officer. For any questions, requests to exercise rights, or complaints regarding personal data protection: Email: [email protected]. Postal address: MONNIZ GROUP, Carrefour Jéricho, Cotonou, Republic of Benin. Phone: +229 01 95 66 96 26.
15.2 Supervisory authority. Personal Data Protection Authority (APDP), Republic of Benin, Website: https://apdp.bj. The Merchant residing in another Covered Country may also contact the competent authority in their country of residence.
A question about this document? Contacte-nous or write to [email protected].