Privacy Policy

MNVA Companies operates the Moneva self-custodial application and the Moneva website. "MNVA Companies" is a placeholder name for the operating legal entity and will be replaced with the registered entity name once finalized. For the personal data described in this policy that we ourselves determine the purposes and means of processing, MNVA Companies acts as the data controller. This policy covers both the App and the website, together with related communications and support channels, and explains what we collect, why, how we use and share it, and the rights and choices available to you.

Moneva is self-custodial software. You, and only you, control your wallet, your device, and the cryptographic credentials that authorize your activity. MNVA Companies does not hold, take custody of, escrow, or control user funds, and does not hold, generate, store, or have access to your private keys, the private material behind your passkeys, or any seed or recovery phrases. Transactions you initiate are executed by smart contracts and blockchain networks rather than by us, and we cannot move, freeze, or reverse them on your behalf.

Blockchain activity is public by nature. When you transact on a public blockchain, details such as wallet addresses, transaction amounts, token types, and timestamps are recorded permanently on a distributed public ledger that anyone can read. That on-chain record is not controlled by MNVA Companies, exists independently of the Service, and cannot be edited or deleted by us or by you. You should assume that anyone can view and analyze on-chain data and potentially associate it with you.

Some features of the Service rely on independent, licensed third parties. Identity verification (KYC), and certain payment, on-ramp, off-ramp, virtual account, card, and remittance data, are collected and held directly by our licensed payment partners and our licensed identity-verification partner. For that data, those partners typically act as separate data controllers, or as processors for their own regulated activities, under their own privacy policies and legal obligations, not under this one. MNVA Companies may receive limited outputs from these partners, such as a verification status or result, but does not collect or store the underlying sensitive identity documents.

We collect and process the following categories of information in connection with the Service.

(a) Account and identity data needed to run the App. This may include the email address or login-provider identifier returned when you sign in with a third-party login provider (for example, an Apple or Google sign-in identifier), the username or alias you choose, public-credential metadata associated with your passkey (the public, non-secret portion used to recognize your authenticator, never any private key material), and your public wallet address. This is the minimum we need to create, operate, and authenticate your account.

(b) Device and technical data. This may include your device type and model, operating system and version, App version, IP address, browser type, language and locale settings, push-notification token, and crash, error, and diagnostic logs. We use this data to deliver, secure, and troubleshoot the Service.

(c) Usage data. This may include the features you use, your interactions with the App and website, in-app events, screens viewed, settings and preferences, and your corridor and currency selections. We use this data to understand how the Service is used and to improve it.

(d) Transaction metadata associated with the interface. When you initiate an action through the App (for example, a transfer, swap, savings deposit, or trading interaction), we may process metadata about that action, such as the assets, amounts, timestamps, and status involved, so the interface can function. By design, the corresponding transaction is also recorded publicly and permanently on the relevant public blockchain, where it exists independently of us.

(e) Communications and support data. If you contact us for support or otherwise communicate with us, we collect the contents of your messages, your contact details, and any information you choose to provide so we can respond, investigate, and keep records of the interaction.

(f) Data held by our licensed identity-verification partner. To use certain regulated features, you may be asked to complete identity verification. KYC documents and other sensitive identity data (for example, government-issued identification, selfies or biometric checks, date of birth, and proof of address) are collected and held by our licensed identity-verification partner, not by MNVA Companies. We may receive only the outcome of that process, such as a verification status or result (for example, approved, pending, or rejected) and limited associated reference data, but we do not collect or store the underlying identity documents.

What we do not collect or store. MNVA Companies does not collect, store, or have access to your private keys, the private cryptographic material behind your passkeys, or your seed or recovery phrases. Anyone who obtains these can control your assets, so you must keep them safe. We have no way to access these, and we cannot recover them for you.

We use the information described above for the purposes below.

Providing and securing the Service. To create, operate, maintain, authenticate, and secure your account and the App and website, and to keep them functioning reliably.

Enabling features. To enable the features you choose to use, such as transfers, swaps, savings and yield interfaces, card and remittance functionality, and trading interfaces, which operate in connection with licensed partners, third-party liquidity venues, audited DeFi protocols, and public blockchain networks. Some features require sharing limited data with those parties so the feature can work.

Fraud prevention, security, and abuse detection. To detect, investigate, prevent, and respond to fraud, security incidents, unauthorized access, prohibited use, and other harmful or unlawful activity, and to protect the integrity of the Service and our users.

Customer support. To respond to your inquiries, troubleshoot problems, and provide assistance.

Product analytics and improvement. To understand how the Service is used, measure performance, fix bugs, and develop and improve features and the overall user experience.

Communications. We send two kinds of messages. First, service, security, and transactional communications about your account and the Service (for example, sign-in and security alerts, important changes, and operational notices); you receive these by virtue of having an account, they are part of the Service, and they do not require your marketing consent. Second, marketing or promotional communications, which we send on the basis of the consent you give when you sign up to receive them, for example by joining our waitlist, where you are shown a clear notice at the point of sign-up, and you can withdraw it and unsubscribe at any time using the unsubscribe link in every marketing email or your email preferences, without affecting the service communications you continue to receive.

Legal and regulatory compliance. To comply with our legal and regulatory obligations, including sanctions and watchlist screening, applicable anti-money-laundering and counter-terrorist-financing requirements, tax and record-keeping obligations, responding to lawful requests from competent authorities, and establishing, exercising, or defending legal claims.

We do not sell your personal data, and we do not use your information for purposes that are incompatible with those described in this policy.

Where data-protection laws such as the EU and UK General Data Protection Regulation apply to you, we rely on the following legal bases for processing your personal data. Where more than one basis applies, the relevant basis depends on the specific purpose.

Performance of a contract. We process the account and technical data necessary to provide the Service to you and to perform our agreement with you, including creating and operating your account and delivering the features you request.

Legitimate interests. We process data where necessary for our legitimate interests, provided those interests are not overridden by your rights and freedoms. These interests include securing the Service, preventing fraud and abuse, understanding and improving how the Service is used, ensuring reliability, and protecting our users and our business. We balance these interests against your rights and only process what is reasonably necessary, and you may object to this processing as described in the Rights section below.

Consent. Where required by law, we rely on your consent, for example for certain analytics, marketing communications, and non-essential cookies or similar technologies. You can withdraw your consent at any time, and doing so does not affect the lawfulness of processing carried out before withdrawal. In particular, we send marketing emails on the basis of the consent you give when you sign up to receive them, shown with a clear notice at the point of sign-up, while service, security, and transactional communications rest on performance of our contract with you and our legitimate interests and do not require marketing consent. Where you give marketing consent, we keep a record of whether consent was given, the date and time it was given, and the version and wording of the consent text shown to you, so we can demonstrate the basis for sending you marketing emails.

Legal obligation. We process data where necessary to comply with legal obligations to which we are subject, including anti-money-laundering and identity-verification requirements, sanctions compliance, tax and record-keeping duties, and responding to lawful requests.

Identity verification (KYC). The legal basis for processing your KYC documents and sensitive identity data sits primarily with the licensed identity-verification partner that collects and holds that data and determines how it is processed to meet applicable legal obligations. MNVA Companies generally relies on legal obligation and legitimate interests for the limited verification outputs it receives.

We share personal data only as described below, and not for purposes incompatible with this policy. We refer to our partners and providers generically and do not name specific companies on these pages.

Licensed payment partners. We share limited data with licensed payment partners that provide on-ramp and off-ramp services, virtual account functionality, card services, and remittance settlement, so that those features can operate. These partners process the relevant data under their own privacy policies and regulatory obligations.

Licensed identity-verification partner. Where identity verification is required, the licensed identity-verification partner collects and processes your identity data directly, and we receive only limited outputs such as your verification status or result.

Service providers acting as processors. We share data with cloud hosting, infrastructure, analytics, crash-reporting, and communications providers that process data on our behalf and under our instructions, subject to confidentiality and data-protection obligations, to help us operate, secure, analyze, and improve the Service.

Email and communications provider. We use a third-party email service provider to send you the communications described in this policy, including service, security, and transactional messages and, where you have opted in, marketing emails. To do this we share the data needed to deliver and manage those emails, such as your email address, your name or alias if provided, your marketing-consent status, and basic delivery and engagement information. Our third-party email service provider acts as a processor on our behalf and under our instructions and is bound by confidentiality and data-protection obligations. Where a specific provider applies, it is identified as [email service provider].

Login and identity providers. When you sign in with a third-party login provider, we exchange limited data with that provider to authenticate you. That provider processes your data under its own privacy policy.

Legal, regulatory, and safety disclosures. We may disclose data to law enforcement, regulators, courts, or other competent authorities where required to comply with applicable law, legal process, or enforceable governmental requests, or where reasonably necessary to enforce our terms, prevent fraud or harm, or protect the rights, property, or safety of our users, MNVA Companies, or others.

Corporate transactions. If MNVA Companies is involved in a merger, acquisition, financing, reorganization, sale of assets, or similar transaction, or in insolvency proceedings, personal data may be transferred as part of that transaction, subject to this policy or a successor policy with equivalent protections.

We do not sell your personal data, and we do not share it for purposes beyond those described in this policy. Separately, please remember that on-chain transaction data is inherently public and is not within our control: it is published on public blockchains when you transact, regardless of any sharing decisions by us, and exists on the public ledger independently of MNVA Companies.

We keep personal data only for as long as necessary to fulfill the purposes for which it was collected, including providing the Service, or for as long as we are required or permitted to keep it under applicable law, or to establish, exercise, or defend legal claims. When data is no longer needed, we delete it, anonymize it, or otherwise stop using it.

Some retention is driven by legal obligations. Anti-money-laundering, financial-record, and tax rules can require records to be retained for multi-year periods, and these obligations may require us or our licensed partners to retain certain data even after your relationship with the Service ends. Rather than state fixed periods we have not verified, we apply retention principles: we retain account and identity data for the life of your account and for any period required afterward by law; we retain technical, usage, and diagnostic data for as long as it is useful for the purposes described and then delete or anonymize it; and we retain support and communications records for as long as needed to address your matter and meet our legal and operational needs. Where a specific term is required, it is set at [retention period].

On-chain data cannot be deleted. Transactions and related data recorded on public blockchains are permanent and outside our control, so they cannot be modified or erased on request, by us or by anyone.

Retention of KYC data is governed by the licensed identity-verification partner that holds it, under that partner's policies and applicable legal retention obligations, not by MNVA Companies.

We use reasonable technical and organizational measures designed to protect personal data, including encryption of data in transit and, where appropriate, at rest, access controls and the principle of least privilege, passkey-based authentication, logging, and monitoring for security events. We review and update these measures over time.

Self-custodial security model. Because Moneva is self-custodial, an essential part of your security is in your own hands. You control your passkey and your device, and you are responsible for safeguarding them, keeping your software up to date, and not sharing access, your seed phrase, or your recovery information with others. MNVA Companies cannot access your private keys or passkey private material, cannot move, freeze, or restore your funds, and cannot recover lost funds, keys, passkeys, or recovery phrases on your behalf. Anyone who controls your device or credentials may be able to control your wallet, and if you lose control of them we may be unable to help you regain access to your assets.

No method of transmission over the internet or method of electronic storage is completely secure. While we strive to protect your information, we cannot guarantee absolute security, and you use the Service understanding that residual risk always exists.

If you believe you have found a security vulnerability or experienced a security incident, or that your account or device has been compromised, please report it to us promptly at support@moneva.io so we can investigate and respond.

Breach notification. If a personal-data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the affected users and the relevant supervisory authorities as required by applicable law and without undue delay.

MNVA Companies operates globally and works with global service providers and partners, so your personal data may be processed and stored in countries other than the one in which you live. These countries may have data-protection laws that differ from, and may be less protective than, those of your home jurisdiction.

Where we transfer personal data across borders and the law requires appropriate safeguards, we put in place suitable measures, such as standard contractual clauses or another lawful transfer mechanism recognized under applicable law, to help ensure your data remains protected. We refer to these mechanisms generically here; where a specific mechanism applies, it is identified as [transfer mechanism], and any region-specific safeguard is identified as [region-specific safeguard].

By using the Service, you understand that your information may be transferred to and processed in jurisdictions outside your own, subject to the safeguards described in this policy. You may contact us at support@moneva.io to ask about the safeguards that apply to a particular transfer.

Subject to your jurisdiction and applicable law, you may have the following rights regarding your personal data: the right to access the data we hold about you; to rectify inaccurate or incomplete data; to request erasure or deletion; to restrict or object to certain processing; to data portability; to withdraw consent where processing is based on consent; and to lodge a complaint with your local data-protection or supervisory authority. For marketing emails specifically, you can withdraw your consent at any time by using the unsubscribe link included in every marketing email or by changing your email preferences, and this will not stop the service, security, and transactional messages you receive as an account holder.

If you are a resident of California or another U.S. state with comparable privacy laws, you may also have the right to know what personal information we collect and how we use and disclose it, to request access to, deletion of, or correction of that information, and to opt out of the sale or sharing of personal information. As noted in this policy, we do not sell your personal data, and we do not share it for cross-context behavioral advertising in the manner those laws define as a sale or share. We will not discriminate against you for exercising your rights.

To exercise your rights, contact us at support@moneva.io. To protect your data, we may need to verify your identity before acting on a request, and we may ask for information sufficient to confirm that the request comes from you or an authorized agent, which you may use where the law permits. We will respond within the timeframes required by applicable law.

Some limitations apply. On-chain data is immutable and public and cannot be deleted, modified, corrected, or recalled, by us or anyone. Requests relating to KYC data may need to be directed to, or may be constrained by, the licensed identity-verification partner that holds that data and by legal retention obligations that prevent deletion until those obligations expire.

On our website and within the App, we and our service providers use cookies, software development kits (SDKs), local storage, device identifiers, and similar technologies, together with analytics and crash-reporting tools, to operate the Service, remember your preferences, keep you signed in, secure the Service, and understand how it is used.

We distinguish between essential technologies, which are necessary for the Service to function and cannot be switched off, and optional technologies, such as analytics and any marketing-related technologies, which we use to measure and improve the Service. You can control optional technologies through your browser settings, your operating-system-level advertising and tracking controls, and, where we provide one, a consent banner or in-app preferences tool that lets you accept or decline non-essential technologies. Disabling some technologies may affect how parts of the Service work.

Third-party analytics and crash-reporting providers process this data as processors on our behalf and under our instructions, and are bound to use it only to provide their services to us. Where required by law, we rely on your consent for non-essential cookies and similar technologies, which you can change or withdraw at any time.

The Service is not directed to, and is not intended for, children. You must be at least 18 years old, or the age of majority in your jurisdiction if higher, to use the Service, consistent with the eligibility requirement in our Terms of Service.

MNVA Companies does not knowingly collect personal data from anyone under that age. If we learn that we have collected personal data from a minor without an appropriate legal basis, we will take reasonable steps to delete it promptly. If you believe a minor has provided us with personal data, please contact us at support@moneva.io so we can address it.

The Service relies on and connects to third parties, including licensed payment partners, the licensed identity-verification partner, third-party liquidity venues, audited DeFi protocols, public blockchain networks, and third-party login and identity providers, and may contain links to third-party websites or services. These third parties have their own privacy policies that govern the data they collect, use, and share.

MNVA Companies does not control and is not responsible for the privacy practices, content, or security of these third parties, including how public blockchain networks handle the on-chain data they record. We encourage you to read the privacy policies of any third-party service or website before providing your information to it or relying on it.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make changes, we will revise the "last updated" date at the top of this policy and post the updated version in the App or on our website.

If we make material changes, we will provide additional notice by reasonable means, which may include in-app or website notices or other appropriate communications, as required by law. Where permitted by applicable law, your continued use of the Service after an update takes effect constitutes your acceptance of the updated policy. If you do not agree with an update, you should stop using the Service. We encourage you to review this policy periodically.

If you have questions about this Privacy Policy, our data practices, or you wish to exercise your privacy rights, please contact us at support@moneva.io.

The entity responsible for the Service is MNVA Companies, a placeholder name for the registered operating entity that will be updated once finalized, located at [registered office address].

Where applicable, you can reach our data-protection contact or Data Protection Officer at [DPO/representative contact], and, if you are in the European Union or the United Kingdom, our designated representative at [EU/UK representative contact]. You also have the right to contact your local data-protection or supervisory authority directly.