Last Updated: 2025/11/08
Moneda Digital GmbH ("Moneda", "we", "us", "our" or "Company") is committed to protecting your privacy. This Privacy Policy explains how we handle your personal data, your rights under the GDPR, and the steps we take to protect your information when you use our services ("Service"). We aim to be transparent, respectful, and secure in everything we do. By using Moneda, you agree to the practices described in this Privacy Policy.
If you have any questions or concerns, you can contact us at privacy@moneda.com.
1. Purposes and Legal Bases for Data Processing
We process personal data for the following purposes. The legal basis for each processing activity is listed together with a short explanation and category:
- Account Management: When you create an account or profile to use our Services, we collect personal information such as your name, email address, and any other details necessary for account creation. We use this information to authenticate your account and provide you with the requested Services.
- Communication: When you contact us via our website, email, or other channels, we collect your name, email address, and any other details you choose to provide (including the content of your communications). We use this information to respond to your inquiries and improve our support.
- Transaction Facilitation: Facilitating user-initiated blockchain transactions via third-party providers, including payment providers. Moneda itself is not regulated and does not provide regulated financial services.
- Personalization: Allowing users to configure preferences, goals, risk tolerance, and view general suggestions based on those inputs. No investment advice is provided.
- Security & Fraud Prevention: Monitoring blockchain addresses to prevent you from interacting with known fraudulent accounts. We also process biometric data (e.g. Face ID or fingerprint information) to facilitate secure sign-ins and transaction approvals related to your self-custodial wallet. This biometric data is processed locally on your device and is not stored or accessible by Moneda.
- Use of Third-Party Services: To provide our services efficiently and securely, we rely on various external service providers. These include providers of hosting, analytics, authentication, app distribution, transaction infrastructure, and regulated financial services.
- Analytics and App Usage: Understanding app usage through Google Firebase. Firebase collects pseudonymized technical data (e.g., screen views, session duration, device type) to help improve app performance and usability. No identifiable personal data such as name or email is collected. Users may opt out by disabling analytics in the app settings.
- Legal Compliance: Fulfilling our regulatory duties and record-keeping obligations. This includes complying with financial regulations and other legal requirements (for example, anti-money laundering verification checks). Certain processing may also occur at the instruction of regulated service partners (e.g. when we assist our partners in meeting their compliance obligations).
- Identity Verification (KYC & AML Compliance): If you choose to access features of Moneda that involve fiat currency or other regulated financial services (for example, linking a bank account, topping up your Moneda account with EUR or USD, withdrawing funds to a bank, or opening a virtual IBAN account), we will ask you to complete an identity verification process as required by law (Know Your Customer or “KYC”). This one-time verification involves collecting certain information and documents (such as a government-issued photo ID, a live selfie for liveness verification, and a recent proof of address) to confirm your identity. We use this information only to verify your identity, comply with anti-money laundering (“AML”) regulations, and enable the requested financial services for you.
- Mandatory Service Notifications: Sending essential information about account activity, security alerts, system updates, or transaction confirmations. These are service-related and not promotional in nature.
- Newsletters: Sending optional newsletters, marketing updates, or educational content, if you have subscribed to receive them. You can unsubscribe at any time, and we will only send these with your consent.
2. Your Rights under GDPR
- Right of access (Art. 15 GDPR): You may request confirmation as to whether personal data concerning you is being processed and receive a copy of such data, along with details about its purpose, origin, and recipients.
- Right to rectification (Art. 16 GDPR): You may request that inaccurate or incomplete personal data be corrected or completed.
- Right to erasure (Art. 17 GDPR): You may request the deletion of your personal data if the processing is no longer necessary, you have withdrawn your consent, or the data was unlawfully processed. Exceptions may apply (e.g. legal retention obligations).
- Right to restriction of processing (Art. 18 GDPR): You may request that we restrict the processing of your data, e.g., while we verify its accuracy or assess an objection.
- Right to data portability (Art. 20 GDPR): You may request to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format, and request its transmission to another controller.
- Right to object (Art. 21 GDPR): You may object to the processing of your personal data where we process it based on legitimate interests. We will stop processing unless we demonstrate compelling legitimate grounds.
- Right to withdraw consent (Art. 7(3) GDPR): If you have given consent, you may withdraw it at any time. This does not affect the lawfulness of prior processing.
- Right to lodge a complaint (Art. 77 GDPR): If you believe that the processing of your data violates data protection law, you can file a complaint with the relevant supervisory authority.
- Children's data: Our services are not directed to individuals under the age of 16. We do not knowingly collect personal data from children.
3. Legal Basis for Processing
We process your data based on the following legal bases:
- Performance of a Contract: Processing is necessary to deliver the services you have requested (for example, using your information to set up your account and provide the Moneda app’s functionality).
- Legitimate Interests: Processing is based on our legitimate interests in operating and improving our services, maintaining security, and providing user support. In such cases, we ensure that our legitimate interests are not overridden by your privacy rights.
- Legal Obligations: Processing is necessary for us to comply with applicable laws and regulations. This includes obligations under financial laws (for example, verifying customer identity under AML regulations), tax laws, or other legal requirements.
- Consent: In specific situations, we rely on your consent to process your data (for instance, for sending optional newsletters or certain analytics cookies, where required by law). In those cases, you have the right to withdraw your consent at any time, and we will stop the processing in question.
4. Data Sharing
We do not sell your personal data. However, we do share certain data with third parties in order to operate our service and comply with legal requirements. We are committed to being transparent about who we share data with and why. Here are the categories of recipients and the purposes of sharing:
- Service Providers (Processors): We use trusted third-party service providers to perform tasks on our behalf. These include cloud hosting providers (to store and process data securely), authentication services, push notification and email services, and other IT infrastructure providers necessary for running the Moneda app. We also use payment processing services when you purchase or use certain features. These providers only process your data under our instructions and for the purposes we specify.
- Identity Verification Partners: When identity verification (KYC) is required, we use a specialized third-party provider to conduct these checks. Our current KYC verification partner is Sumsub. Sumsub collects and processes your identification documents and information (such as your ID, selfie, and proof of address) to verify your identity on our behalf. Moneda itself does not receive or store the full image of your ID documents; instead, we receive a verification result or token once the KYC process is completed. This means your sensitive identity data stays with the secure verification platform, and Moneda only learns whether you passed the check (and basic necessary details like your verification status or level). We only initiate this KYC process for users who opt to use financial features that legally require identity verification.
- Financial Partners: For certain features, such as providing you with a virtual IBAN account or enabling fiat on-ramps/off-ramps (converting between fiat currency and crypto assets), we partner with regulated financial service providers. In particular, Moneda has integrated with a banking platform called Iron to offer EUR/USD virtual accounts and automated deposit/withdrawal services. If you choose to use these features, we will securely share the personal data necessary to open and operate your account with our partner Iron (for example, your name, contact details, and confirmation that you have passed KYC) so that they can create and manage the bank account services for you. We employ a tokenized access method for this data sharing: rather than sending your documents directly to Iron, we provide Iron with a secure share token from Sumsub, which allows them to confirm your verified identity through Sumsub’s system. This approach ensures that Iron can satisfy its regulatory requirements and activate your account without directly handling your identity documents, adding an extra layer of security for your data. In practice, your account with Iron will only be set up when you initiate a relevant transaction, such as requesting a fiat deposit or withdrawal, so your KYC data is shared only when it’s needed to provide the service, and not before.
- Analytics Providers: We use analytics tools to understand how our app is used and to improve performance. For example, we utilize Google Firebase Analytics, which collects usage data in a pseudonymized manner (such as device information and usage statistics, without your name or contact info). This helps us improve user experience. You can opt out of analytics at any time via the app settings. We do not share identifiable personal information with analytics providers.
- Legal and Regulatory Authorities: We may disclose personal data to government authorities, law enforcement, or regulators if required to do so by law. Examples include fulfilling a court order or legal request, or sharing information to comply with anti-money laundering reporting obligations and other legal requirements. We only share what is necessary and will notify you of such disclosures when permitted by law.
All third-party partners we share data with are bound by strict data protection obligations. We require them to handle your data securely and only for the specific purposes we have defined, in accordance with this Privacy Policy and applicable privacy laws. We do not allow our service providers to use your data for their own purposes. Additionally, we remain responsible for protecting your personal data throughout these engagements.
International Data Transfers: If we ever transfer your personal data to a country outside the European Union (EU) or European Economic Area (EEA), we will ensure that appropriate safeguards are in place to protect your information in compliance with GDPR. Such transfers will only occur if one of the following conditions is met: (a) the destination country has been officially recognized by the EU Commission as providing an adequate level of data protection, (b) we have put in place appropriate safeguards such as Standard Contractual Clauses (SCCs) with the recipient, or (c) you have given us your explicit consent for the specific transfer.
5. Data Retention
We retain your personal data for as long as you have an active Moneda account or as long as necessary to fulfill the purposes described in this Policy. If you decide to delete your account (or request us to do so), we will delete or anonymize your personal data within 30 days of the request, unless a longer retention period is required by law or is necessary to resolve disputes or enforce our agreements. After this period, or once the data is no longer needed for any legal or business purpose, we will permanently delete it or irreversibly anonymize it.
Note: Certain data must be retained for fixed periods due to legal obligations. For example, if you have completed a KYC identity verification, we (or our regulated partners) are required under anti-money laundering laws to retain the related verification records for a minimum period (typically five years after the end of our business relationship with you). Such retention is mandated by law and is done to comply with financial regulations, even if you request your account to be deleted. Rest assured, any data we retain for legal reasons remains subject to the security and privacy protections outlined in this Policy, and we will not use it for any other purpose.
6. How We Protect Your Data
We take the security of your personal data very seriously. Moneda uses industry-standard security measures to protect your information from unauthorized access, loss, or misuse. These measures include, but are not limited to, encryption (we encrypt data in transit and at rest wherever applicable) and access controls (we limit access to personal data to authorized personnel on a need-to-know basis). We also employ techniques like tokenization and other pseudonymization methods to minimize direct exposure of sensitive data when working with third-party services (for example, as noted above, we use tokenized verification for sharing KYC status).
Your self-custodial cryptocurrency wallet managed through Moneda is another area of security focus. Important: Moneda does not store or have access to your private keys, recovery phrases, or crypto funds. Those remain under your control. Our app provides an interface for you to manage your wallet, but the secure storage of your credentials (e.g. your mobile device’s secure enclave for biometric keys or your own custody of seed phrases) is your responsibility. We cannot access or recover your funds if you lose your private keys, and we never transmit or store your secret keys on our servers. By keeping sensitive wallet data out of our reach, we ensure that even a breach of Moneda’s systems would not compromise your cryptocurrency assets.
7. On-Chain Data and Smart Contracts
When you use Moneda to initiate blockchain transactions (for example, token swaps, lending, or transfers via integrated smart contracts), certain personal data implicitly becomes public due to the nature of blockchain technology. Specifically, your Moneda wallet’s public address and the details of your transactions will be submitted to public blockchain networks. This on-chain data is permanently recorded on the blockchain and may be publicly viewable by anyone. It cannot be altered or erased once confirmed in a block.
While Moneda facilitates these transactions for your convenience, please understand that we do not control the blockchain networks or the storage of data on them. The data you broadcast (transaction amounts, blockchain addresses involved, and any metadata you include in a transaction) will exist indefinitely on the distributed ledger outside of Moneda’s control.
For transparency, when you interact with third-party decentralized protocols through Moneda (for example, decentralized exchanges or lending platforms that we integrate), those protocols might have their own data practices. We recommend reviewing the privacy policies of those specific protocol providers if you have concerns, though generally personal data is not exchanged in on-chain interactions aside from the public blockchain data described above.
Please note that on-chain data falls outside the scope of GDPR erasure rights because we are not able to remove data that is stored on a public blockchain that we do not control.
8. Data Breach Notification
In the unlikely event of a data breach that affects your personal information, Moneda will follow all applicable legal requirements regarding breach notification. We will notify you of the breach without undue delay and in any case within 72 hours of becoming aware of it, unless there is a justified reason for a delay (in line with Art. 33 GDPR). Notification will be done via in-app notification or email (or both), and will include information about the nature of the breach, the data affected, the steps we are taking to address it, and any recommendations for you to protect yourself. We will also inform the relevant data protection authorities as required. Once the immediate threat is contained, we will provide updates on the status of the issue and measures taken to prevent future incidents.
9. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our services, the legal landscape, or other operational needs. When we make significant changes, we will notify you through appropriate channels (for example, via the Moneda app or by email) and update the “Last Updated” date at the top of this Policy. We encourage you to review this Policy periodically to stay informed about how we are protecting your information. Your continued use of Moneda after any changes to this Policy signifies your acceptance of the updated terms.
10. No Data Protection Officer (DPO) Appointed
In accordance with Art. 37 GDPR and §38 BDSG (German Federal Data Protection Act), Moneda Digital GmbH is not legally required to appoint a Data Protection Officer (DPO), because our core activities do not consist of large-scale processing of sensitive data categories that would mandate a DPO.
11. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please do not hesitate to contact us:
Email: privacy@moneda.com
Postal Address: Moneda Digital GmbH, Wilmersdorfer Str. 122-123, 10627, Berlin, Germany
12. Supervisory Authority
Moneda Digital GmbH is based in Berlin, Germany. Our lead supervisory authority for data protection matters is the Berlin Commissioner for Data Protection and Freedom of Information. You have the right to contact this authority if you wish to lodge a complaint or seek further information about your data protection rights.
Supervisory Authority Contact Details:
Berliner Beauftragte für Datenschutz und Informationsfreiheit
Alt-Moabit 59-61, 10555 Berlin, Germany
Website: https://www.datenschutz-berlin.de/