Privacy Policy

1. Introduction and Scope

Utilli, LLC (dba Tilli) ("Monay," "we," "us," or "our") operates a comprehensive financial services platform including Monay ID (identity services), Monay CaaS (Coin-as-a-Service), and Monay WaaS (Wallet-as-a-Service). This Privacy Policy applies to all personal information collected through our services, including our dual-rail blockchain infrastructure (Base EVM L2 and Solana).

By using our services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use our services.

2. Information We Collect

2.1 Information You Provide Directly

• Identity Information: Full legal name, date of birth, nationality, gender
• Contact Information: Email address, phone number, residential and mailing addresses
• Government Identifiers: Passport, driver's license, national ID, Social Security Number (SSN) or Tax Identification Number (TIN)
• Financial Information: Bank account details, payment card information, cryptocurrency wallet addresses, transaction history
• Biometric Data: Voice patterns for Monay ID authentication (with explicit consent)
• Business Information: Company name, registration number, beneficial ownership, business licenses
• Enhanced Due Diligence: Source of funds, occupation, expected transaction volume, purpose of account

2.2 Information Collected Automatically

• Device Information: IP address, device ID, hardware model, operating system, browser type and version
• Usage Data: Pages visited, features used, transaction patterns, click-through rates
• Location Data: GPS location (with consent), IP-based location, time zone
• Blockchain Data: Public wallet addresses, transaction hashes, smart contract interactions
• Cookies and Tracking: Session cookies, persistent cookies, pixel tags, local storage
• Security Data: Login attempts, authentication methods used, security event logs

2.3 Information from Third Parties

• Identity Verification Services: Persona, Alloy, Onfido verification results
• Credit and Risk Assessment: Credit bureau reports, fraud scores, risk ratings
• Sanctions Screening: OFAC, UN, EU, and other sanctions list checks
• Financial Partners: Transaction data from banks and payment processors
• Blockchain Networks: Public blockchain transaction data
• Marketing Partners: Lead generation and referral information

3. Legal Basis and Purpose of Processing

We process your personal information based on the following legal grounds:

3.1 Contract Performance

• Creating and managing your account
• Processing transactions and payments
• Providing customer support
• Delivering requested services and features

3.2 Legal Obligations

• Complying with KYC/AML requirements under the Bank Secrecy Act and USA PATRIOT Act
• Filing Suspicious Activity Reports (SARs) and Currency Transaction Reports (CTRs)
• Responding to court orders, subpoenas, and law enforcement requests
• Meeting tax reporting obligations
• Maintaining records as required by financial regulations

3.3 Legitimate Interests

• Preventing fraud, money laundering, and terrorist financing
• Ensuring network and information security
• Improving our services and developing new features
• Conducting analytics and business intelligence
• Marketing our services (with opt-out options)

3.4 Consent

• Processing biometric data for authentication
• Sending promotional communications
• Using cookies and similar tracking technologies
• Sharing data with third parties beyond what is necessary for service provision

4. How We Share Your Information

4.1 Service Providers

We share information with carefully selected service providers who assist us in operating our platform:

• Cloud infrastructure providers (AWS, Google Cloud)
• Identity verification services (Persona, Alloy, Onfido)
• Payment processors (TilliPay, banking partners)
• Blockchain infrastructure providers
• Customer support tools
• Analytics and monitoring services

4.2 Legal and Regulatory Disclosures

• Financial Crimes Enforcement Network (FinCEN)
• Office of Foreign Assets Control (OFAC)
• State financial regulators
• Law enforcement agencies with valid legal process
• Courts and tribunals
• Tax authorities

4.3 Business Transfers

In the event of a merger, acquisition, bankruptcy, or sale of assets, your information may be transferred to the acquiring entity. We will provide notice before your information becomes subject to a different privacy policy.

4.4 With Your Consent

We may share your information with other parties when you provide explicit consent, such as when you authorize third-party applications to access your account.

5. Data Security and Protection

We implement comprehensive security measures to protect your information:

5.1 Technical Safeguards

• AES-256 encryption for data at rest
• TLS 1.3 encryption for data in transit
• Hardware Security Modules (HSM) for cryptographic key management
• Web Application Firewall (WAF) protection
• DDoS mitigation
• Intrusion detection and prevention systems
• Regular security vulnerability scanning
• Annual penetration testing by third-party security firms

5.2 Organizational Safeguards

• Role-based access controls (RBAC)
• Principle of least privilege
• Background checks for employees
• Regular security training
• Confidentiality agreements
• Incident response procedures
• Business continuity and disaster recovery plans

5.3 Compliance Certifications

• PCI-DSS Level 1 compliance for payment card data
• SOC 2 Type II certification
• ISO 27001 certification (in progress)
• NIST Cybersecurity Framework alignment

6. Data Retention and Deletion

We retain your information for as long as necessary to fulfill the purposes outlined in this policy and comply with legal obligations:

• Account Information: Duration of account plus 7 years
• Transaction Records: Minimum 5-7 years per regulatory requirements
• KYC/AML Documentation: 5 years after account closure
• Marketing Data: Until you opt-out or 3 years of inactivity
• Security Logs: 1 year for general logs, 7 years for security incidents
• Biometric Data: Until you revoke consent or close your account

Upon account closure, we will delete or anonymize your personal information except where retention is required by law or for legitimate business purposes such as fraud prevention.

7. Your Privacy Rights

7.1 Rights Available to All Users

• Access: Request a copy of your personal information
• Correction: Update or correct inaccurate information
• Deletion: Request deletion subject to legal retention requirements
• Portability: Receive your data in a machine-readable format
• Opt-Out: Unsubscribe from marketing communications
• Restriction: Limit processing of your information

7.2 GDPR Rights (European Economic Area, UK, Switzerland)

• Right to object to processing based on legitimate interests
• Right to withdraw consent at any time
• Right to lodge a complaint with supervisory authorities
• Right not to be subject to automated decision-making

7.3 CCPA Rights (California Residents)

• Right to know what personal information is collected
• Right to know if personal information is sold or disclosed
• Right to opt-out of sale (we do not sell personal information)
• Right to non-discrimination for exercising privacy rights
• Right to limit use of sensitive personal information

7.4 How to Exercise Your Rights

To exercise any of these rights, please contact us at Contact Privacy Team via our contact form or through your account settings. We may need to verify your identity before processing your request. We will respond to your request within the timeframe required by applicable law (generally 30 days).

8. International Data Transfers

We operate globally and may transfer your information to countries outside your country of residence. When we transfer personal data internationally, we ensure appropriate safeguards are in place:

• EU-approved Standard Contractual Clauses (SCCs)
• UK International Data Transfer Agreement (IDTA)
• Adequacy decisions where applicable
• Binding Corporate Rules for intra-group transfers
• Your explicit consent where required

9. Cookies and Tracking Technologies

We use cookies and similar technologies to:

• Essential Cookies: Required for platform functionality and security
• Performance Cookies: Help us understand how you use our services
• Functionality Cookies: Remember your preferences and settings
• Marketing Cookies: Used to deliver relevant advertisements (with consent)

You can manage cookie preferences through your browser settings or our cookie consent tool. Note that disabling certain cookies may impact functionality.

10. Children's Privacy

Our services are not directed to individuals under 18 years of age (or the age of majority in your jurisdiction). We do not knowingly collect personal information from minors. If we become aware that we have collected information from a minor without parental consent, we will promptly delete it.

11. Biometric Data and Voice Authentication

For Monay ID voice authentication services:

• We collect voice patterns only with your explicit consent
• Voiceprints are converted to encrypted mathematical templates
• Original voice recordings are immediately deleted after processing
• Templates are stored using military-grade encryption
• You can delete your voiceprint at any time through account settings
• We never share biometric data with third parties except as required by law

12. Blockchain and Public Information

Please note that blockchain transactions are public and permanent:

• Transaction details on public blockchains (Ethereum, Solana) are visible to anyone
• We cannot delete or modify blockchain records
• Wallet addresses may be linked to your identity through our services
• We implement privacy-enhancing features where technically feasible
• Consider using privacy features like mixing services at your own risk

13. Third-Party Links and Services

Our platform may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any personal information.

14. Updates to This Privacy Policy

We may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or for other operational reasons. We will notify you of material changes by:

• Posting a notice on our platform
• Sending an email to your registered address
• Requiring acknowledgment for significant changes

Your continued use of our services after changes indicates acceptance of the updated policy.

15. Contact Information and Data Protection Officer

For privacy-related questions, requests, or complaints:

EU Representative:
[To be appointed]
Email: eu-Contact Privacy Team via our contact form

UK Representative:
[To be appointed]
Email: uk-Contact Privacy Team via our contact form