Privacy policy (until 9 April 2024)
This customer privacy policy (“Privacy Policy”) governs how Montonio (“Montonio/us/we/our”) gathers and uses personal data of customers, i.e., the end users of Montonio’s Services - persons using payment initiation and refunds services or applying for financing or using pay later service (credit intermediation) or using card payment services or whose personal data is processed while offering other Montonio’s Services.
Montonio always aims to protect privacy of customers and other data subjects. Montonio’s Privacy Policy is made available in our service flows and on our website.
In case of questions about how Montonio processes personal data, additional information can be obtained by contacting us at compliance@montonio.com.
- DEFINITIONS
Here you will find definitions of terms often used in the Privacy Policy. Terms are defined in this Section of the Privacy Policy or in the text of the Privacy Policy.
- Personal data protection terms have the same meaning as defined in the General Data Protection Regulation (2016/679) (“GDPR”). Some data protection terms may be specified in the context of Montonio’s processing as defined below.
- Agreement means any Agreement entered into between Montonio and a customer or any other data subject, incl. Terms of Service for the Payment Initiation Service, intermediation terms of Financing and Pay Later Services or other terms and conditions applicable for providing Montonio’s Services.
- Customer/you means a natural person who uses Montonio’s services to initiate payment or to get financing (credit intermediation), incl. pay later, to pay to a Merchant or whose personal data is processed while offering other Montonio’s services.
- Merchant means person using Montonio’s services for their business activities and who is not a Customer.
- Montonio/us/we means Montonio group companies:
- Montonio Finance OÜ, registry code 14557628, address Kai 1, 10111 Tallinn, Estonia (“MF OÜ”);
- Montonio Finance UAB, registry code 305205122, address Konstitucijos pr. 7, Vilnius, Lithuania (“MF UAB”);
We may share personal data with our other group companies if we have a legal basis and agreement to do so. Information about personal data sharing is given to the data subject either via this Privacy Policy or other notice.
- Service(s) means services offered by Montonio.
- Privacy Policy means this text, which sets out Montonio’s principles of personal data processing for processing of Customer personal data.
- Website means Montonio’s website accessible via https://montonio.com and all its subdomains.
- GENERAL INFORMATION AND CONTACT DETAILS
Here you will find when the Privacy Policy applies, information on how to contact us, and an explanation of controller-processor statuses.
- Applicability. This Privacy Policy applies to Montonio’s processing of Customer personal data while offering Montonio’s Service(s). Please note that information to Merchants and Merchant representatives on processing of their personal data is provided in Montonio’s User Privacy Notice.
- Contacts. You can contact us in matters related to personal data processing by e-mailing us at compliance@montonio.com. We have appointed a data protection officer who can be reached at compliance@montonio.com. Our postal addresses can be found in Clause 1.5.
- Changes. We have the right to unilaterally amend this Privacy Policy. We will notify the data subject – Customer, of all important material changes to the Privacy Policy on the Website or otherwise.
- About the Controller-Processor Statuses. The controller of your personal data depends on the Service(s) used. Montonio has different processing statuses for different Service(s) offered. Processing statuses for main Services are as follows: i) MF UAB is a controller for payment initiation and refunds services and card payment services; ii) MF OÜ is a controller for financing services and pay later services; iii) MF OÜ is a processor in case of shipping services and other additional services (management of orders, refunds and payments) to the Merchant (Merchant is the controller). Please note that the Merchant is a separate controller for Customers’ personal data when offering its services/products. Information on how Merchants process personal data is provided on their respective webpages.
- Lead Supervisory Authority. The lead supervisory authority in personal data protection matters for Montonio’s group companies is Estonian Data Protection Inspectorate (Eesti Andmekaitse Inspektsioon). Data subject has a right to turn to a supervisory authority of their own location. You can find the details of EU data protection authorities from here.
- Use of Cookies and Other Trackers. Information about use of cookies and other trackers is provided in the cookie solution on the Website.
- Other Links/Apps etc. Please note that the links on our Website may lead to media that is governed by privacy terms of the respective service providers’, and not by this Privacy Policy. We are not responsible for anything on those other websites. Processing of your personal data on our social media is governed by our privacy terms and by relevant social media platform’s privacy terms.
- PRINCIPLES OF PERSONAL DATA PROCESSING
Here you will find the key principles that we are always guided by when processing your personal data.
- Compliance and Aim. Montonio’s aim is to process personal data in a responsible manner where we can demonstrate the compliance of processing personal data with the purposes set and the applicable data protection regulations.
- The Principles. All Montonio’s processes, guidelines, actions, and activities related to personal data processing are based on the following principles: lawfulness, fairness, transparency, purposefulness, data minimisation, accuracy, storage limitation, integrity, confidentiality, and data protection by default and by design.
- GENERAL PURPOSES, GROUNDS FOR, AND ACTIVITIES OF PROCESSING
Here you will find information about the purposes and grounds for the processing of your personal data.
- Consent. Based on consent, we process personal data precisely within the limits, to the extent and for the purposes for which you have given us your consent. The consent must be freely given, specific, informed, and unambiguous, for example, by ticking the box on the Website or in the Service(s) flow. Please note that you have the right to withdraw your consent at any time by contacting us at compliance@montonio.com or, for example, in the case of certain emails, via the unsubscribe link in the email. Withdrawing consent won’t influence processing done before the withdrawal.
- Entry Into and Performance of an Agreement. Upon entering into and performing an Agreement, we may process personal data for the following purposes:
- taking steps prior to entering into an Agreement, which are necessary for entering into an Agreement or which the data subject requests;
- identifying you to the extent necessary for entering into and performing an Agreement or taking steps to enable usage of our Service(s) or as prescribed by law (e.g., AML obligations, creditworthiness assessment obligations);
- performing the obligations assumed (e.g., providing payment initiation service, credit intermediation);
- communicating with you, incl. sending information and reminders about the performance of the Agreement or about the usage of the Service(s);
- protection of rights and claims;
- to detect, prevent and address technical issues;
- to provide support;
- to provide and maintain our Service(s), incl. monitor usage of our Service(s) and Website;
- to notify you about changes to our Service(s) or to give you other Agreement/Service(s) related notice.
Please note that exact purpose and grounds may also be defined in an Agreement.
- Legal Obligation. We process personal data to comply with a legal obligation in accordance with and to the extent provided by law. For example, Montonio’s anti-money laundering or creditworthiness assessment obligations deriving from Money Laundering and Terrorist Financing Prevention Act, Creditors and Credit Intermediaries Act, Republic of Lithuania Law on the Prevention of Money Laundering and Terrorist Financing, Republic of Lithuania Law on Payments.
- Legitimate Interest. Our legitimate interest means our interest in managing or directing our activities and enabling us to offer the best possible Service(s). In case we are using legitimate interest, we have previously assessed our and your interests. You have the right to see the conducted legitimate interest assessment connected to the processing of your personal data. If you wish to do so contact us at compliance@montonio.com. We may process your personal data (except special categories of personal data) based on legitimate interest for the following purposes:
- managing and analysing a client database and Service(s) (if not covered with the Agreement) to improve the availability, functions and quality of Service(s), e.g., using a CRM or different analytics solutions to enable the foregoing (general data and service usage data is processed);
- development of our Service(s) and Website if not covered with the Agreement (all data categories may be processed excl. special categories and offence data);
- ensuring a better client/Customer experience, to provide higher quality Service(s); we may monitor the usage and collect statistics about usage of our Service(s) and Website, analyse identifiers and personal data collected from our Website, Service(s) and our social media pages and other sales channels (general data, usage data, technical data, device data and data from cookies (if enabled) may be used);
- organizing campaigns, incl. organising personalised and targeted campaigns. The terms and conditions of campaigns are set out separately;
- sending offers/information to the client or potential client if the respective person has previously purchased or shown interest in a similar product, and if such processing is allowed in respective jurisdiction. In this case, the person is always guaranteed to have a simple opportunity to resign from the communication, and we have considered our and the (potential) client’s interests (contacts and service usage data may be processed);
- conducting satisfaction surveys and measuring the effectiveness of marketing activities performed (contacts and service usage data may be processed);
- making recordings and logging; we may record and retain messages and orders given both in our premises and using means of communication (e-mail, phone etc.) as well as information and other activities we have performed. If necessary, we use these recordings to prove orders or other activities, incl. in legal proceedings;
- technical and cyber security reasons, for example measures for combating piracy and ensuring the security of the Website and our Service(s) as well as for making and storing back-up copies and preventing/repairing technical issues (depending on the issue all data categories may be used);
- processing for organisational purposes, foremost for internal management purposes (but also audits and other potential supervision), including the processing between our group companies (subsidiaries, affiliates) (depending on the issue/co-operation all data categories may be used);
- establishing, exercising or defending legal claims, incl. assigning claims to, for example, collection service providers, or using legal advisors (depending on the issue all data categories may be used);
- If you have given us information about not sending you a certain type of information – retaining the information about such prohibition.
- New purpose. Where personal data is processed for a new purpose other than that for which the personal data are originally collected or it is not based on the data subject’s consent, we carefully assess the permissibility of such new processing. We will, in order to ascertain whether processing for a new purpose is compatible with the purpose for which the personal data are initially collected, take into account, inter alia:
- any link between the purposes for which the personal data are collected and the purposes of the intended further processing;
- the context in which the personal data are collected, in particular regarding the relationship between the data subject and us;
- the nature of the personal data, in particular whether special categories of personal data are processed or whether personal data related to criminal convictions and offences are processed;
- the possible consequences of the intended further processing for data subjects;
- the existence of appropriate safeguards, which may include encryption or pseudonymisation.
- INFORMATION WE PROCESS
Here you can find categories of data subjects and information on Customer’s personal data we process.
- Categories of Data Subjects. The Privacy Policy applies to the processing of personal data of Customers. Please note that processing of Customers’ personal data by Merchants is covered by the respective Merchant’s privacy terms.
- Not Directed at Children. Our Service(s) are not intended for children.
- Sources of Personal Data. In general, Montonio processes Customer’s personal data from the following sources:
- Personal data inserted or given to us or to Merchant by the data subject (e.g., full name, email, phone nr, address, information on purchased goods/services);
- Personal data resulting from standard communication between us and the Customer (e.g., when you contact us by email, chat etc.);
- Personal data resulting from the usage of our Service(s) (e.g., usage of payment initiation service: full name, contacts, payment sum, authentication status, account information, payment status);
- Personal data obtained from third parties (e.g., from authentication and verification and AML partners e.g., authentication status, PEP status, sanction status);
- Personal data generated and combined by us (e.g., data about the usage of Service(s) etc.).
- General Categories of Data We Process as a Controller. As a controller we process, among others, the following personal data:
- General Customer data (identification and contacts): e.g., full name, email, phone nr, data on usage of Service(s);
- Verification data: e.g., we verify the data provided to us to a reasonable extent or as we are obligated by law e.g., ID-document data, full name, PEP status, sanction information, adverse media, and other relevant data;
- Service(s) usage data: e.g., depending on the service, Service(s) usage data (order data, content of shopping cart, financing data, communications with us, technical data (device data, IP-address, browser data));
- Technical data: e.g., information about the date, time and your activity in the Service(s), device data, IP address, domain name, software and hardware data, general geographic location (e.g., city, country);
- Data gathered from use of Website incl., by Cookies (if enabled).
Please see table of Customer personal data for more information (see Clause 5.5).
- Table of Customer’s Personal Data. General overview of Customer’s personal data processed by Montonio while offering its Service(s):
| Personal data | Purpose of processing | Grounds for processing |
| --- | --- | --- |
| Contact details (e.g., phone number, e-mail, address) | Performance of a contract; direct marketing | Performance of contract; consent for direct marketing |
| Verification and AML checks data (verification data of presented data, PEP data, sanctions data, transaction checks, incl., information about purchased goods/services) | Verification of presented data and AML data gathering | Legal obligation in case of payment initiation and credit intermediation (data verification and other AML obligations); data not covered by legal obligation is processed under public interest; for services not licensed – necessary for entering into contract (verification of identity data) and legitimate interest or public interest for AML data |
| Payment data (full name, contacts, payment amount, name of payee, list of payer’s IBANs, payer’s bank, email, address, IP address, status of authentication, payment status, paymentID) | Provision of payment services (performance of a contract) | Performance of contract; certain data may be processed due to legal obligations |
| Financing and Pay Later agreement data (e.g., status of the agreement, data on the financed amount, amount of the down-payment, APRC, interest rate) | Keeping of credit file | Legal obligation deriving from consumer credit legislation |
| Information on usage of Service(s) (e.g., payment data, credit offers, credit contracts, communications with us, data on returns etc., shopping cart data) | Performance of contract; depending on data – some data may be processed due to legal obligations or public interest, e.g. related to AML, fraud prevention | Performance of contract; certain data may be processed due to legal obligations, public interest |
| Data on the website sections visited | Risk management, fraud prevention, service development | Legitimate interest |
| Device data (e.g., type of device, device identifier, other metadata) | Risk management, fraud prevention | Legitimate interest |
| Technical data on the use of the Website and our Service(s) (e.g., IP address, type and version of the browser, logs) | Risk management, fraud prevention, service development | Legitimate interest |
| Other data on connection to Service(s) provision (e.g., satisfaction surveys, feedback, Service usage data, recordings) | Service development, better customer experience | Legitimate interest |
| *shipping and Service usage data (e.g., full name, address, phone nr, email, parcel data), shopping cart data (i.e., list of products and/or services purchased) | *offering shipping and ancillary services (management of orders, payments, refunds etc) to a Merchant | *Montonio uses same grounds for processing as Merchant (Montonio is a processor of Merchant in case of shipping and additional (non-licensed) services) |
Contact us if you need more precise information on the processing of your personal data. Please note that in case where we are the processor, we may redirect you to your data controller if you have provided us with necessary information.
- TRANSFER AND AUTHORISED PROCESSING OF PERSONAL DATA
Here you will find information about the transfer and authorised processing of personal data.
- Usage of Cooperation Partners. We cooperate with persons to whom we may transmit data, including personal data, concerning data subjects within the context and for the purpose of that cooperation. We may have different types of controller-processor-sub-processor relationships with those cooperation partners. When transferring personal data to our cooperation partners, we comply with the applicable data protection requirements. For example:
- we transfer and share personal data with our partner creditors. Legal acts require our partner creditors and us to obtain, verify, and record certain information about all Customers of financing products. In addition, for this purpose, Montonio or the partner creditors may consult other sources to obtain information about you. The list of partner creditors and their privacy policies are available here;
- we transfer and share data with Merchants whose services/products you are buying.
- Requirements for the Usage of Cooperation Partners Who Are Processors. Such third parties (processors) may include, among others, IT partners - i.e., service providers for various technical services (depending on the service can access all data categories), advertising and marketing partners (can access general data and certain service usage data), customer satisfaction survey companies (can access contact details and certain service usage data), advisors (depending on the issue all data may be processed), provided that:
- the respective purpose and processing are lawful;
- personal data is processed pursuant to the instructions of us and on the basis of a valid contract.
Our main processors are: Data processors
- Other Disclosures and Transfers. We may also disclose personal data in the following cases:
- For Law Enforcement. Under certain circumstances, we may be required to disclose your personal data if required to do so by law or in response to valid requests by public authorities. We always assess the lawfulness of information requests before disclosing any personal data.
- For Business Transactions. If we or our subsidiaries are involved in a merger, acquisition or asset sale, your personal data may be transferred.
- Unforeseeable Transfers. In other cases, we transmit your personal data to third parties provided that we have your consent, a legal obligation, or there is a relevant exception e.g., in the event that the transfer is necessary to protect your vital interests.
- Transfers Outside the EEA. We generally process your personal data inside of the EEA. However, we may use service providers/cooperation partners from outside of the EEA. Transfer of personal data outside the EEA is only commenced if requirements from GDPR Chapter V are met (e.g., adequacy decision* the GDPR art 45 or EU SCC** the GDPR art 46). We will take all the steps reasonably necessary to ensure that your personal data is treated securely and in accordance with this Privacy Policy.
- If you want to know which transfer ground is used, contact us at compliance@montonio.com. In case of EU’s standard clauses or binding corporate rules, you may request to have a copy (if such clauses are applicable to transfers of your personal data). We have the right to retract information that is confidential.
*Adopted adequacy decisions can be found here.
**You can find the text of standard contractual clauses here.
- STORAGE AND SECURITY OF PROCESSING PERSONAL DATA
Here you will find a description of how we protect your personal data and for how long we store personal data.
- Personal Data Retention Periods. We store personal data for as long as needed, depending on the purpose of the processing. When retaining personal data, we comply with the purpose of processing, limitation periods for potential claims, and storage periods provided for in the law. Certain personal data is stored depending on the requirement deriving from applicable law e.g., duration of credit service + 3 years, 7 years accounting data, 5 or 8 years for AML obligations. Personal data for which the storage period has expired are destroyed or made anonymous.
- Security Measures. We have established guidelines and rules of procedure on how to ensure the security of personal data through the use of both organisational and technical measures. Among others, we do the following to ensure security and confidentiality:
- we have an access-level management system in use (i.e., access to personal data is handled on a need-to-know basis);
- we use software solutions that help ensure a level of security that meets the market standard.
The security of your data is important to us and we take all reasonable steps to ensure the security of personal data.
- Incident. In the event of any incident involving personal data, we do our best to mitigate the consequences and alleviate the relevant risks in the future. We will follow notice requirements of the GDPR.
- GDPR DATA PROTECTION RIGHTS
Here you can read about your rights in connection to your personal data.
- Data Subject’s Rights. We want to make sure that you are fully aware of all your data protection rights. Every data subject is entitled to the following rights (under certain preconditions):
- The right to access and a copy – you have the right to access and to request a copy of your personal data.
- The right to rectification – you have the right to request that we correct any information that is inaccurate.
- The right to erasure – you have the right to request that we erase your personal data, under certain conditions e.g., when processing is done under your consent;
- The right to restrict processing – you have the right to request that we restrict the processing of your personal data, under certain conditions;
- The right to object to processing – you have the right to object to our processing of your personal data, under certain conditions e.g., processing done under legitimate interest;
- The right to data portability – you have the right to request that we transfer the data that we have collected to another organization, or directly to you, under certain conditions.
- Rights in connection to consent – you have the right to withdraw your consent at any time e.g., by unsubscribing or contacting us. Withdrawing your consent won’t influence processing done before withdrawal.
- Right connected to legitimate interest – you have the right to see the conducted legitimate interest assessment connected to the processing of your personal data. To do so, write to us at compliance@montonio.com.
- Rights related to automated processing and profiling mean that you have, on grounds relating to your particular situation, the right to object at any time to the processing of personal data concerning you that is based on automated decisions/profiling. You have the right to require human intervention and an explanation regarding the logic of making an automated decision. Automated processing/profiling may also be partially based on data collected from public sources. For avoidance of doubt, we do not use automated processing or profiling that has a significant effect on the data subject or their rights.
- The right to file a complaint – you have the right to file a complaint with us or a supervisory authority or court if you think that your rights in connection to personal data have been infringed. We kindly ask you to contact us first for finding a solution. If needed, our data protection supervisory authority is Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) info@aki.ee, Tatari 39, Tallinn 10134; contacts can be found: aki.ee/en/contacts. You also have the right to turn to a supervisory authority of your residence country. For example, our Lithuanian Customers can turn to Valstybinė duomenų apsaugos inspekcija, ada.lt, ada@ada.lt, L. Sapiegos 17, Vilnius Lithuania.
You can find the details of EU data protection authorities from here.
If you need more information about your data protection rights and how to use them contact us at compliance@montonio.com.
- Responses and Additional Information. If you make a request, we have one month to respond to you. If you would like to exercise any of these rights or need more information on your rights, please contact us. Please note, that we may need to identify you before granting you any of the rights connected to your personal data.