Privacy Policy — Mono Card

Effective Date: February 8, 2026
Last Updated: February 24, 2026

Mono Labs R&D LLC
28 Geary St STE 650, Suite 568
San Francisco, CA 94108
Contact: legal@mono-labs.org

This policy covers Mono Card Web (Next.js web application) and Mono Card Mobile (React Native mobile application). These are the only Monolythium products that require user accounts and collect personal data.


Data We Collect

Account Information

When you create a Mono Card account, we collect:

  • Email address — Used for account login, notifications, and password recovery.
  • Password — Stored as a salted, hashed value. Plaintext passwords are never stored.
  • Full name — Required for card issuance.
  • Phone number — Required for card issuance and optional MFA.

KYC (Know Your Customer) Documents

To comply with financial regulations, we require identity verification before issuing a card. KYC is processed through our third-party provider, SumSub:

  • Government-issued ID — Passport, driver's license, or national ID card.
  • Selfie / liveness check — A photo or video for identity matching.
  • Proof of address — Utility bill, bank statement, or similar document.

On the mobile app, camera permission is requested for document scanning and selfie capture during the KYC process.

Transaction Data

  • Card transactions — Purchase amounts, merchant names, dates, and statuses as provided by the card network.

Data We Do NOT Collect

  • Blockchain private keys or seed phrases
  • Wallet addresses or on-chain activity
  • Browsing history or website activity
  • Analytics or usage telemetry beyond what is described above
  • Advertising or tracking identifiers

How Data Is Stored

Web Application

  • Access tokens — Stored in memory only (cleared on page close).
  • Refresh tokens — Stored in localStorage only if the "Remember Me" option is selected. Otherwise kept in memory.
  • Account data — Stored on Mono Labs backend servers, encrypted at rest.

Mobile Application

  • Sensitive credentials — Stored using react-native-keychain, which uses the OS keychain (iOS Keychain / Android Keystore).
  • Session data — Stored securely on-device.
  • Account data — Stored on Mono Labs backend servers, encrypted at rest.

Network Requests

| Request | Purpose | Destination |
|---|---|---|
| Authentication | Login, registration, token refresh | Mono Labs API servers |
| KYC verification | Identity document submission and status checks | SumSub (third-party) |
| Card operations | View cards, transactions, balances | Mono Labs API servers |
| MFA | Multi-factor authentication codes | Mono Labs API servers |

Third-Party Services

SumSub (Identity Verification)

We use SumSub for KYC identity verification. When you submit KYC documents:

  • Documents and selfies are transmitted directly to SumSub's servers.
  • SumSub processes the verification and returns a pass/fail result to Mono Labs.
  • SumSub retains documents according to their own privacy policy.
  • Mono Labs receives the verification result and a reference ID, but does not store copies of your identity documents on its own servers after verification is complete.

On the mobile app, SumSub's verification flow is presented via a secure WebView.

No other third-party analytics, advertising, or tracking services are used.


Data Retention

  • Account data — Retained for as long as your account is active. You may request account deletion at any time.
  • KYC documents — Retained by SumSub according to applicable financial regulations and their retention policy. Mono Labs does not independently retain copies of identity documents after verification.
  • Transaction history — Retained for as long as your account is active and as required by applicable financial regulations.
  • Authentication tokens — Access tokens expire after a short period. Refresh tokens are cleared on logout.

Your Rights

You may:

  • Access your personal data by logging into your account.
  • Correct inaccurate personal data through your account settings.
  • Delete your account by contacting us. Deletion is subject to regulatory retention requirements.
  • Export your transaction history from the application.

Security

  • Passwords are salted and hashed before storage.
  • Multi-factor authentication (MFA) is available.
  • All API communication uses HTTPS/TLS.
  • Access tokens are short-lived and stored in memory.
  • Backend services use rate limiting, HMAC authentication, and security headers (CSP, HSTS).

Children's Privacy

Mono Card is not directed to children under 18. Card issuance requires identity verification confirming the applicant is of legal age.


Changes to This Policy

We may update this policy from time to time. Changes will be posted on this page with an updated "Last Updated" date. Continued use of the product after changes constitutes acceptance of the updated policy.


Contact