Privacy Policy

Last Updated: July 2, 2025

1. Introduction

At GoMonio ("we," "our," or "us"), we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our financial management platform ("Service").

By using our Service, you consent to the data practices described in this policy. If you do not agree with our policies and practices, please do not use our Service.

2. Information We Collect

2.1 Personal Information

We collect personal information that you provide directly to us, including:

  • Account registration information (name, email address, password)
  • Profile information for Personal, Business, or Agency accounts
  • Billing and payment information processed through Stripe
  • Contact information for support requests
  • Product update and marketing communication preferences

2.2 Financial Information

We collect and process financial data that you provide or authorize us to access:

  • Transaction data from CSV and Excel imports
  • Bank account information (when using PSD2 integration via Nordigen)
  • Transaction categorization and financial analysis data
  • Account balances and cash flow information
  • Financial reports and forecasting data

2.3 Technical Information

We automatically collect certain technical information:

  • Device information (browser type, operating system, device identifiers)
  • Usage analytics through Google Analytics
  • Log data (IP addresses, access times, pages viewed)
  • Session information and authentication data
  • Cookies and similar tracking technologies

2.4 Agency and Client Data

For Agency profiles managing business clients:

  • Client invitation and onboarding information
  • Client financial data (with appropriate authorization)
  • Agency-client relationship data and permissions
  • Client communication and support interactions

3. How We Use Your Information

3.1 Service Provision

We use your information to:

  • Provide and maintain our financial management services
  • Process transactions and manage your subscription billing
  • Generate financial reports, analytics, and forecasting
  • Facilitate agency-client relationships and data sharing
  • Enable bank integration through PSD2 providers

3.2 Communication

We use your contact information to:

  • Send transactional emails through Mailjet, including:
    • Account verification and email confirmation
    • Login confirmation for two-factor authentication
    • Password reset and security notifications
    • Subscription and billing notices
    • Member and team invitation emails
    • Service updates and security alerts
  • Provide customer support and respond to inquiries
  • Send product updates and feature announcements (only if you opt-in during registration)
  • Send marketing communications and promotional content (only if you opt-in during registration)
  • Notify you of important service changes or security issues

3.3 Analytics and Improvement

We analyze usage data to:

  • Understand how users interact with our Service
  • Improve our platform's functionality and user experience
  • Develop new features and capabilities
  • Ensure security and prevent fraudulent activities

3.4 Legal Compliance

We may use your information to:

  • Comply with applicable financial regulations and laws
  • Respond to legal requests and prevent illegal activities
  • Protect our rights, privacy, safety, or property
  • Enforce our Terms of Service

4. Legal Basis for Processing (GDPR)

Under GDPR, we process your personal data based on the following legal grounds:

  • Contract Performance: Processing necessary to provide our services and fulfill our Terms of Service
  • Legitimate Interests: Analytics, security, fraud prevention, and service improvement
  • Consent: Product updates, marketing communications, and non-essential cookies
  • Legal Obligation: Financial record-keeping and regulatory compliance

5. Third-Party Services and Data Sharing

5.1 Service Providers

We share data with trusted third-party providers to deliver our services:

  • Supabase: Database hosting and management (EU-based infrastructure)
  • Stripe: Payment processing and subscription billing
  • Mailjet: Transactional and marketing email delivery
  • Nordigen (GoCardless): Bank integration and PSD2 connectivity
  • Google Analytics: Website usage analytics and insights
  • Vercel: Application hosting and content delivery

5.2 Data Processing Agreements

All third-party providers are bound by data processing agreements that ensure appropriate data protection standards and GDPR compliance. We do not sell, rent, or trade your personal information to third parties for their marketing purposes.

5.3 Legal Disclosures

We may disclose your information when required by law or to:

  • Comply with legal obligations, court orders, or government requests
  • Protect against fraud, security threats, or illegal activities
  • Defend our legal rights and interests
  • Protect the safety of our users or the public

6. Cookies and Tracking Technologies

6.1 Essential Cookies

We use essential cookies that are necessary for our Service to function:

  • Authentication and session management
  • Security and fraud prevention
  • User preferences and settings
  • Load balancing and performance optimization

6.2 Analytics Cookies

With your consent, we use analytics cookies for:

  • Google Analytics for usage statistics and user behavior analysis
  • Performance monitoring and error tracking
  • Feature usage analytics and A/B testing

6.3 Marketing Cookies

With your consent, we may use marketing cookies from:

  • Google Ads for retargeting and conversion tracking
  • Facebook Pixel for social media advertising
  • LinkedIn Insight Tag for professional network advertising
  • Other advertising platforms for targeted marketing campaigns

6.4 Cookie Management

You can manage your cookie preferences through your browser settings or our cookie consent banner. Disabling essential cookies may affect the functionality of our Service.

7. Data Security

7.1 Security Measures

We implement comprehensive security measures to protect your data:

  • Industry-standard encryption for data in transit and at rest
  • Secure password hashing using Argon2
  • Two-factor authentication for enhanced account security
  • Row-level security (RLS) for database access control
  • Regular security audits and vulnerability assessments
  • Rate limiting and DDoS protection

7.2 Access Controls

We maintain strict access controls with role-based permissions ensuring that only authorized personnel can access personal data, and only to the extent necessary for their job functions.

7.3 Data Breach Response

In the event of a data breach, we will notify affected users and relevant supervisory authorities within 72 hours as required by GDPR, and provide guidance on protective measures.

8. Data Retention

8.1 User Account Data

Personal account information is retained for 30 days after account deletion to allow for account recovery. After this period, personal data is permanently deleted from our primary systems.

8.2 Financial Data

Financial transaction data is retained for 10 years after account deletion in accordance with financial regulations. This data is stored in secured, separate database tables with enhanced access controls and is anonymized where possible.

8.3 Agency-Client Data

When agency-client relationships are terminated, client data access is immediately revoked. Client data retention follows the same schedule as individual user accounts.

8.4 Marketing and Product Update Data

Product update and marketing communication data is retained until you withdraw consent or request deletion, subject to legal requirements for business records.

9. International Data Transfers

While we serve users globally, all personal data is stored and processed within the European Union through our EU-based infrastructure partners, including Supabase's EU regions.

When using third-party services that may process data outside the EU (such as certain features of Stripe or Google Analytics), we ensure appropriate safeguards are in place, including:

  • EU-US Data Privacy Framework adequacy decisions
  • Standard Contractual Clauses (SCCs) where applicable
  • Additional technical and organizational safeguards

10. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights:

10.1 Right of Access

You can request a copy of all personal data we hold about you, available through your account dashboard or by contacting our support team.

10.2 Right to Rectification

You can update or correct your personal information through your account settings or request corrections through our support channels.

10.3 Right to Erasure

You can request deletion of your personal data, subject to legal retention requirements for financial records. Our automated deletion system handles most data removal.

10.4 Right to Data Portability

You can export your data in standard formats (CSV, JSON) through our platform's export features at any time.

10.5 Right to Object

You can object to processing based on legitimate interests, including marketing communications and certain analytics.

10.6 Right to Restrict Processing

You can request restriction of data processing in certain circumstances, such as during dispute resolution.

10.7 Right to Withdraw Consent

You can withdraw consent for product updates, marketing communications, non-essential cookies, or other consent-based processing at any time.

10.8 Right to Lodge a Complaint

You have the right to lodge a complaint with your local data protection authority if you believe we have not handled your personal data appropriately.

11. Children's Privacy

Our Service is not intended for children under 18 years of age. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal data from a child under 18, we will take steps to delete such information promptly.

12. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes through:

  • Email notification to your registered email address
  • Prominent notice within our Service
  • Updated "Last Updated" date at the top of this policy

Continued use of our Service after changes become effective constitutes acceptance of the updated Privacy Policy.

13. Contact Information

If you have questions about this Privacy Policy or wish to exercise your data protection rights, please contact us through:

  • Support channels available in your account dashboard
  • Our help documentation and FAQ section
  • Direct contact information provided in your account settings

For urgent privacy-related matters or data protection officer inquiries, please use the priority support channels indicated in your account.

14. Governing Law

This Privacy Policy is governed by the laws of Finland and the European Union's General Data Protection Regulation (GDPR). Any disputes related to privacy matters shall be subject to the jurisdiction of Finnish courts.

This Privacy Policy is effective as of July 2, 2025.