POL-503 Privacy Notice

Owner (role): Operational Owner — Data Protection

Approver (role): Data Protection Officer

Effective date: 8 June 2026

Applies to: Monek Group Limited and its subsidiaries (collectively, "Monek")

Master policy: POL-601 Data Protection Policy

Role mappings: Allocated Roles — Data Protection (UK GDPR)


1. About this Privacy Notice

This Privacy Notice explains how Monek Group Limited and its subsidiaries (collectively, "Monek", "we", "us", "our") collect, use, store, share and protect your personal data, and the rights you have over it.

It applies to personal data we handle in connection with:

  • Our website at www.monek.com and its supporting services
  • Our payment-processing services provided to and through our Merchants and Partners
  • Our onboarding, support, terminal-rental and related business activities across the Group

This Notice was last updated on 11 May 2026 and reflects the changes to UK data protection law brought in by the Data (Use and Access) Act 2025, the substantive provisions of which took effect on 5 February 2026.

This Notice does not apply to personal data processed by third-party websites or services we link to, or to personal data we process about our own employees (which is covered separately in our Employee Privacy Notice).

2. Who we are

Group entity: Monek Group Limited and its Subsidiaries (collectively, "Monek")
Principal operating subsidiary (UK payment services): Monek Merchant Services (company number 11894023)
Registered office: Innovation House, Unit F2/F3, Davidson Road, Lichfield, Staffordshire, WS14 9DZ
Website: www.monek.com
ICO registration number: ZA244482
Data Protection Officer contact: dpo@monek.co.uk

You can ask us anything about this Notice or how we handle your personal data by emailing dpo@monek.co.uk. We will respond as quickly as we can; please see §13 for the timescales that apply to specific kinds of requests.

3. When this Notice applies, and our role

Whether Monek is the Data Controller (the party that decides how and why your personal data is used) or the Data Processor (a party that handles personal data on behalf of someone else who is the Controller) depends on the circumstances. This matters because it determines who is responsible for your data and who you can address your rights against.

When you interact with us… | Monek's role | Who is the Controller
You make a payment through a website or application powered by Monek (operated by one of our Merchants or Partners) | Data Processor | The Merchant or Partner you are paying. Monek processes the data on their instructions under a written contract.
You are a contact at one of our Merchants, Partners or Suppliers (e.g. you sign documents, attend meetings, receive support communications) | Data Controller | Monek
You visit our website, fill in a contact form, request a demo, or otherwise contact us directly | Data Controller | Monek
You are a prospect we approach with information about our services | Data Controller | Monek
You are an employee, contractor or director of any Monek Group entity | Data Controller (covered by our separate Employee Privacy Notice) | Monek

If you're not sure which applies, ask us at dpo@monek.co.uk.

4. What personal data we process

The personal data we handle falls into the following categories. Not all of it applies to every individual — what we hold about you depends on how you've interacted with us.

Category | Examples
Contact details | Name, postal address, email, phone number, job title
Identity data | Date of birth, proof of identity documents, signatures (typically for compliance with anti-money laundering rules or for merchant onboarding)
Financial and transaction data | Payment card details (PAN, expiry, cardholder name), bank account details, transaction amounts, dates, currencies, merchant identifiers
Account and contractual data | Your account ID, usernames, the products and services you use, contract terms
Communications data | Records of correspondence (support tickets, emails, recorded calls where applicable)
Technical and device data | IP address, device type, operating system, browser type and version, language preferences
Usage data | Pages visited, features used, interactions with our website, anonymous traffic data
Business data | Information about the businesses we work with (legal structure, jurisdiction, products and services, public company records) — much of this is not personal data, but may include personal data about named individuals within those businesses

We do not routinely process special category data (for example, health data, racial or ethnic origin, political opinions or religious beliefs). The only special category data we process is in the limited employment context covered by our Employee Privacy Notice.

5. Where we get your personal data from

We obtain personal data:

  • Directly from you — when you fill in a form, contact us, sign a contract, use our services, or pay through a Merchant or Partner that uses our payment infrastructure
  • From our Merchants and Partners — when they pass us your data to enable us to provide payment processing or related services on their behalf
  • From other sources — including identity verification services, anti-fraud and AML databases, financial service providers, public records (e.g. Companies House), and from publicly available sources such as the websites of businesses we deal with

6. How we use your personal data, and our lawful basis for doing so

Under UK GDPR, we must have a lawful basis for everything we do with your personal data. The table below summarises the main purposes for which we use personal data and the lawful basis we rely on for each.

Purpose | Lawful basis (UK GDPR Article 6) | Notes
Providing payment-processing services to and through our Merchants and Partners (when Monek acts as Processor) | 6(1)(b) Contract (between Monek and the Merchant/Partner; Monek processes the data on their instructions per Article 28) | We follow the Merchant or Partner's instructions; they are the Controller for this data
Providing services directly to a Merchant, Partner or business contact (when Monek is Controller) | 6(1)(b) Contract; 6(1)(f) Legitimate interests for ancillary uses (e.g. service communications) |
Verifying identity, screening for fraud and complying with anti-money-laundering rules | 6(1)(c) Legal obligation; 6(1)(f) Legitimate interests; and the DUAA "recognised legitimate interest" of crime detection, investigation and prevention (UK GDPR Annex 1) | We are required by law to perform these checks
Responding to enquiries, providing support, sending service notices | 6(1)(b) Contract; 6(1)(f) Legitimate interests |
Meeting our reporting obligations to regulators (ICO, FCA, HMRC), responding to lawful requests from law enforcement, and cooperating with investigations | 6(1)(c) Legal obligation; DUAA "recognised legitimate interest" of responding to requests from public bodies (Annex 1) |
Operating, securing, monitoring and improving our systems and services (including logging, monitoring and incident response) | 6(1)(f) Legitimate interests — codified by DUAA as a recognised example of legitimate interests (ensuring the security of network and information systems) |
Direct marketing to business contacts about our services | 6(1)(f) Legitimate interests (codified by DUAA as a recognised example) — subject to your right to object and to the rules under PECR | You can opt out at any time; see §13
Intra-group administrative sharing for internal management purposes (between Monek Group Limited and its subsidiaries) | 6(1)(f) Legitimate interests (codified by DUAA) |
Making, defending or pursuing legal claims; protecting our business and other people | 6(1)(c), 6(1)(f) |
Preparing for, executing or unwinding a sale or restructuring of our business | 6(1)(f) Legitimate interests | A potential buyer or their advisers may receive personal data subject to confidentiality undertakings

Where we rely on legitimate interests, we have weighed our interests against your rights and freedoms and concluded that our use is proportionate and would not unreasonably interfere with what you'd expect. You can ask us for more detail on this balancing exercise by emailing dpo@monek.co.uk. For the narrow set of "recognised legitimate interests" introduced by DUAA, the law does not require us to carry out a balancing test, but we still apply the wider data protection principles.

We do not routinely rely on consent as a lawful basis for our core services. If we ever do ask for your consent (for example, for an optional cookie or marketing channel), we'll make that clear at the point we ask, and you'll be able to withdraw consent at any time without affecting the lawfulness of processing before you did so.

7. Who we share your personal data with

We may share your personal data with the following categories of recipient, in each case only where there is a lawful basis and appropriate safeguards in place:

  • Other entities within the Monek Group, for internal administrative purposes (intra-group sharing is recognised by DUAA as a permitted legitimate interest)
  • Our Merchants and Partners, when we are processing data on their behalf or when sharing is necessary to deliver a service
  • Sub-processors and service providers we engage to support our operations — for example, providers of card-scheme connectivity, terminal logistics, identity verification, fraud prevention, IT infrastructure, hosting and security services
  • Financial service providers (acquirers, card schemes, banks) that are necessary to complete a payment transaction
  • Regulators and supervisory authorities — including the ICO (Information Commission), Financial Conduct Authority, HM Revenue & Customs, and equivalent bodies — where we are required to share information
  • Law enforcement and other authorities — where we are required by law, court order or other legal process, or where, acting in good faith, we believe disclosure is necessary in the investigation of suspected illegal activity
  • Professional advisers — auditors, lawyers, insurers, accountants — under appropriate confidentiality undertakings
  • Successors in any sale or restructuring of our business — including potential buyers and their advisers — under appropriate confidentiality undertakings

We maintain an internal Sub-processor Register that records each sub-processor we use and the type of personal data they handle. Where we act as Processor for a Merchant or Partner, the use of sub-processors is also governed by the contract between us and that Merchant or Partner.

We do not sell your personal data to anyone.

8. Where your personal data is stored and processed

Your personal data is stored and processed within the United Kingdom. We do not currently transfer personal data outside the UK.

If we ever need to do so in future (for example, by engaging a sub-processor with operations outside the UK), we will only do so where the destination jurisdiction provides a level of protection that is not materially lower than the UK standard — using one of the recognised transfer mechanisms permitted under UK GDPR — and we'll update this Notice to reflect that.

9. How long we keep your personal data

We keep personal data only for as long as we need it for the purposes set out in this Notice, having regard to our legal, regulatory and contractual obligations. Different categories of data have different retention periods — for example, transaction records, anti-money-laundering checks, and complaint records each have minimum retention periods set by law or regulation.

Our full retention schedule is set out in our internal Personal Data Retention Policy and Schedule (POL-508). If you would like to know how long we keep a particular type of data, email dpo@monek.co.uk.

Even after you close an account or end a relationship with us, we may need to retain some data to meet ongoing legal obligations (for example, AML record-keeping). There may also be limited residual data in our backup systems that is removed as part of our scheduled backup-deletion cycle.

10. Automated decision-making

We do not currently make decisions about you that are based solely on automated processing and that produce legal effects on you or similarly significantly affect you.

We may in future introduce automated decision-making in business areas such as automated merchant onboarding. If we do, we will:

  • Tell you about it before any decision is made (including how it works, what factors are taken into account and what the consequences are)
  • Give you the right to make representations about the decision
  • Give you the right to obtain human intervention to review the decision
  • Give you the right to contest the decision

We will also update this Privacy Notice and complete a Data Protection Impact Assessment before any automated decision-making is deployed.

11. Cookies and similar technologies

Our website uses cookies and similar technologies for essential functions, to improve our service and — where you have agreed — for analytics and other non-essential purposes.

Full details of the cookies we use, how to manage your cookie preferences, and the lawful basis for each cookie category are set out in our Cookie & PECR Compliance Policy (POL-603). You can also manage cookies through the controls in your browser or via the cookie banner on our website.

12. Security

We take the security of your personal data seriously. We apply appropriate technical and organisational measures to protect it against unauthorised access, accidental loss, alteration or destruction, including:

  • Certification to PCI DSS Level 1 for payment card data
  • Certification to ISO 27001 for our information security management system
  • Encryption of personal data in transit and at rest where appropriate
  • Strict access controls, multi-factor authentication and role-based access
  • Continuous monitoring, logging and incident response

Where we share personal data with sub-processors, we require equivalent standards of protection through written contracts.

13. Your rights

Under UK GDPR you have the following rights in relation to your personal data. Some rights have conditions and exceptions; we will explain these to you if they apply to your request.

Right | What it means in practice
Right to be informed | You have the right to clear information about how we use your data — that's what this Notice is for.
Right of access (DSAR) | You can ask us for a copy of the personal data we hold about you, along with information about how we use it.
Right to rectification | You can ask us to correct personal data about you that is inaccurate, or to complete data that is incomplete.
Right to erasure ("right to be forgotten") | You can ask us to delete your personal data in certain circumstances. We may need to keep some data to meet legal obligations (for example, AML record-keeping); if so, we'll tell you.
Right to restriction of processing | You can ask us to limit how we use your data in certain circumstances.
Right to data portability | Where we hold data based on your consent or under a contract with you, you can ask us to provide it in a structured, machine-readable format and, where technically feasible, to transmit it to another organisation.
Right to object | You can object to our use of your personal data where we are relying on legitimate interests, including for direct marketing. If you object to direct marketing, we will stop.
Rights related to automated decision-making | See §10.
Right to withdraw consent | Where we rely on consent, you can withdraw it at any time. This does not affect the lawfulness of processing before withdrawal.
Right to complain to us directly (new statutory right under DUAA, in force since February 2026) | You have a statutory right to complain to us about how we have handled your personal data. We will acknowledge your complaint within 30 days and investigate it without undue delay.
Right to complain to the regulator | You can complain to the ICO (Information Commission) at any time — see §15. You can also complain to us first if you prefer.

How to exercise your rights

Email dpo@monek.co.uk and tell us what you want. To protect your data, we may need to verify your identity before we act, and may ask you for additional information to help us locate the data you're asking about. Where we need clarification, our response clock will pause until you give it to us ("stop the clock" under DUAA).

We aim to respond to most requests within one month of receiving the request and any verification we need. If your request is particularly complex or you've made multiple requests, we may extend this by up to a further two months; we'll let you know within the first month if that's the case.

Where Monek is acting as a Processor (for example, you've paid through one of our Merchants and your request is about that payment), we will pass your request on to the relevant Merchant or Partner — they are the Controller and the appropriate party to respond. We'll let you know when we do this.

14. Children

Our services are designed for businesses, not for children. We do not knowingly process the personal data of children under 16. If you have reason to believe that we have collected such data, please tell us at dpo@monek.co.uk and we will delete it.

15. Changes to this Privacy Notice

We may update this Notice from time to time — for example, to reflect changes in our services or in the law. The "Last updated" date at the top tells you when the current version was issued. We encourage you to review this Notice regularly. For material changes that affect how we use your personal data, we will tell you in advance through the Services or by email where we have your contact details.

16. How to contact us, and how to complain

General queries about this Privacy Notice or how we use your data:

  • Email: dpo@monek.co.uk
  • Post: Data Protection Officer, Monek Group Limited, Innovation House, Unit F2/F3, Davidson Road, Lichfield, Staffordshire, WS14 9DZ

To complain to us directly (your new statutory right under DUAA), use the same contact details and please tell us:

  • That your message is a complaint
  • A summary of what happened and when
  • What you would like us to do

We will acknowledge your complaint within 30 days and respond on the substance as soon as we reasonably can.

To complain to the regulator, you can contact the Information Commissioner's Office (which is being renamed the Information Commission under DUAA):

  • Website: ico.org.uk
  • Helpline: 0303 123 1113
  • Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

You can complain to the regulator without complaining to us first, although we'd appreciate the chance to put things right.