Moni App — Privacy Policy

By Koodooka

Moni — Your AI Money Companion by Koodooka

Effective: 1 February 2026

Summary: Moni is built with privacy at its core. We do not sell your personal data, we do not use third-party advertising SDKs, and biometric data never leaves your device.

1. Introduction

Koodooka Ltd ("Koodooka", "we", "us", or "our") operates the Moni mobile application ("Moni" or the "App"), an AI-powered financial companion that helps you understand and manage your money through natural conversation.

This Privacy Policy explains how we collect, use, store, and protect your personal data when you use Moni. It applies to all users of the App and is designed to comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the EU General Data Protection Regulation (EU GDPR) where applicable.

By using Moni, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the App.

2. Information We Collect

2.1 Account & Identity Information

When you create an account, we collect:

  • Phone number — used for account verification and authentication via one-time passcode (OTP)
  • Name — as provided during registration
  • Email address — used for account communication
  • Date of birth — as provided during onboarding for age verification and regulatory purposes
  • Address — as provided during onboarding for identity and regulatory purposes

Authentication is managed through Firebase Authentication, operated by Google LLC.

2.2 Biometric Data

Biometric data (Face ID, Touch ID, fingerprint) is processed entirely on your device using your operating system's secure enclave. Koodooka does not receive, transmit, or store your biometric data on any server.

Biometric authentication is optional and used solely to unlock the App on your device.

2.3 Financial Data

In a future release, you may choose to connect your bank accounts through regulated Open Banking providers. When available, this will include:

  • Account balances and account details
  • Transaction history (descriptions, amounts, dates, categories)
  • Account holder name verification

This access will be read-only — Moni will not be able to initiate payments or modify your bank accounts. You will be able to disconnect your accounts at any time. This policy will be updated when Open Banking features become available.

2.4 Voice & Media Data

  • Microphone: Used when you send voice notes to chat with Moni's AI. Audio is transcribed to text for processing; raw audio may be temporarily stored during transcription and then deleted.
  • Camera: Used when you scan documents or cheques. Images are processed for data extraction and are not retained beyond the purpose of the scan.

2.5 Device & Technical Data

  • Device type, operating system, and version
  • Push notification tokens (for delivering notifications)
  • App version and crash/diagnostic logs
  • IP address (logged transiently for security purposes)

2.6 Usage Data

We collect anonymised usage analytics and crash/diagnostic data via Firebase Crashlytics to improve the App experience, monitor app health, and diagnose issues. This data is not linked to your identity.

3. How We Use Your Information

| Purpose | Legal Basis (UK/EU GDPR) |
|---|---|
| Provide and operate the App | Performance of contract (Art. 6(1)(b)) |
| Authenticate your identity | Performance of contract (Art. 6(1)(b)) |
| Display your financial data and AI-generated insights | Performance of contract (Art. 6(1)(b)) |
| Process voice inputs and document scans | Performance of contract (Art. 6(1)(b)) |
| Send push notifications (account alerts, insights) | Consent (Art. 6(1)(a)) |
| Prevent fraud and ensure security | Legitimate interest (Art. 6(1)(f)) |
| Improve and develop the App | Legitimate interest (Art. 6(1)(f)) |
| Comply with legal and regulatory obligations | Legal obligation (Art. 6(1)(c)) |

4. Data Sharing & Third Parties

We do not sell, rent, or trade your personal data to any third party.

We share data only with the following categories of service providers, who process data on our behalf under appropriate contractual safeguards:

| Provider | Purpose | Data Shared |
|---|---|---|
| Firebase (Google LLC) | Authentication, push notifications | Email, phone, device tokens |
| Open Banking providers | Bank account connectivity | Account credentials (via secure redirect) |
| Microsoft Azure | Cloud infrastructure & data storage | Encrypted application data |
| AI model providers | Natural language processing | Anonymised/pseudonymised conversation data |

We may also disclose personal data if required to do so by law, regulation, or valid legal process (e.g., a court order or regulatory request).

5. Data Storage & Security

Your data is stored on Microsoft Azure infrastructure in the UK South region. We implement industry-standard security measures, including:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Role-based access controls and the principle of least privilege
  • Regular security assessments and vulnerability scanning
  • Secure key management via Azure Key Vault
  • Audit logging and monitoring

While we take all reasonable precautions, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.

6. International Data Transfers

Some of our service providers (e.g., Firebase/Google) may process data outside the UK and EEA. Where this occurs, we ensure appropriate safeguards are in place, such as:

  • Standard Contractual Clauses (SCCs) approved by the UK ICO or European Commission
  • UK International Data Transfer Agreement (IDTA)
  • Adequacy decisions where applicable

7. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes described in this policy, unless a longer retention period is required by law.

  • Account data: Retained while your account is active, and for up to 6 years after deletion (to comply with financial record-keeping obligations)
  • Financial transaction data: Retained while your account is active and for up to 6 years after disconnection
  • Voice recordings: Deleted after transcription processing (typically within 24 hours)
  • Document scans: Deleted after data extraction is complete
  • Technical/diagnostic logs: Retained for up to 12 months

When data is no longer needed, it is securely deleted or anonymised.

8. Your Rights (UK & EU GDPR)

Under data protection law, you have the following rights:

  • Right of access — Request a copy of the personal data we hold about you
  • Right to rectification — Request correction of inaccurate or incomplete data
  • Right to erasure — Request deletion of your personal data ("right to be forgotten")
  • Right to restrict processing — Request that we limit how we use your data
  • Right to data portability — Receive your data in a structured, machine-readable format
  • Right to object — Object to processing based on legitimate interests
  • Right to withdraw consent — Where processing is based on consent, you may withdraw it at any time
  • Rights related to automated decision-making — You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects

To exercise any of these rights, contact us at support@koodooka.com. We will respond within one month as required by law.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or your local supervisory authority.

9. Children's Privacy

Moni is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at support@koodooka.com and we will take steps to delete such information promptly.

10. Cookies & Tracking

Moni is a native mobile application and does not use browser cookies. We do not employ any third-party advertising trackers or SDKs. If we introduce analytics tools in the future, we will update this policy and obtain consent where required.

11. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you through the App or by email before the changes take effect. The "Effective" date at the top of this page indicates when this policy was last revised.

We encourage you to review this policy periodically.

12. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: