Privacy Policy

Last updated: 17 September 2025

This Privacy Policy explains how OOOIOO (the “App”, “Platform”, or “OOOIOO”), operated by ON MONETARY UNIR DOT COM INC, a Public Benefit Corporation ("ON", "we", "us", or "our"), collects, uses, shares, and safeguards information about you when you access our websites, mobile applications, cards, and related online/offline services (collectively, the “Services”).

Controller: For GDPR/UK GDPR purposes, ON MONETARY UNIR DOT COM INC. is the data controller for Personal Data processed via the Services, unless otherwise stated (e.g., when acting solely as a processor for an enterprise customer).

By using the Services, you acknowledge that we will process your information as described in this Privacy Policy. We do not sell or “share” your Personal Information for cross‑context behavioral advertising as defined under U.S. state privacy laws.

Interpretation and Definitions

Interpretation

Unless otherwise indicated, capitalized terms have the meanings given below. Terms apply whether used in the singular or plural.

Definitions

• Account: A unique account created for you to access the Services.
• App: The OOOIOO mobile application(s).
• Business (CCPA/CPRA): Where applicable, as defined in Cal. Civ. Code §1798.140; generally refers to a legal entity that determines the purposes and means of processing consumers’ personal information and that does business in California or otherwise falls within CPRA’s scope.
• Company / we / us / our: ON MONETARY UNIR DOT COM INC., Public Benefit Corporation, acting through the OOOIOO Platform. For GDPR/UK GDPR, the Company is the Data Controller unless stated otherwise.
• Country: Refers to the United States (Delaware), unless a region‑specific notice specifies otherwise.
• Consumer (CCPA/CPRA): A natural person who is a California resident, as defined by California law.
• Cookies: Small files stored on your device by a website or app; may be essential for functionality or optional for analytics (see Cookie Notice).
• Controller / Data Controller (GDPR/UK GDPR): The natural or legal person which determines the purposes and means of processing Personal Data.
• Processor / Data Processor (GDPR/UK GDPR): A natural or legal person which processes Personal Data on behalf of the Controller.
• Device: Any device that can access the Services, such as a computer, phone, or tablet.
• Do Not Track (DNT): A browser setting; industry standards for responding are not uniform, so we currently do not respond to DNT signals.
• Footprint: Our identity‑verification provider acting as our Processor for KYC/identity checks.
• KYC: “Know‑your‑customer” identity verification required by law or by our card/payment partners.
• Personal Data / Personal Information: Any information relating to an identified or identifiable individual. For GDPR/UK GDPR, this includes identifiers such as name, ID number, online identifier, or factors specific to identity. For CCPA/CPRA, it includes information that identifies, relates to, describes, or could reasonably be linked with a particular consumer or household.
• Sale (CPRA): Transferring Personal Information to a third party for monetary or other valuable consideration.
• Share/Sharing (CPRA): Disclosing Personal Information to a third party for cross‑context behavioral advertising. We do not sell or share Personal Information as defined by CPRA.
• Service Provider / Processor: A third party that processes data on behalf of the Company (e.g., hosting, analytics, KYC, payments, AI inference).
• Services: The Websites, Apps, any card/program features, and related online/offline services operated by or on behalf of the Company.
• Sub‑processor: A processor engaged by our processor to assist with processing on our behalf. A current list is available upon request.
• Usage Data: Data collected automatically (e.g., app/browser type, device identifiers, IP‑derived general location, pages viewed, time spent).
• Website(s): oooioo.com and onmonetaryunit.com (and subdomains).
• You / User / Data Subject: The individual using the Services, or the company/other legal entity on whose behalf the individual uses the Services, as applicable.

Collecting and Using Your Personal Data

Types of Data Collected

Personal Data

When you use the Services, we may collect the following categories of Personal Data:

• Account & Identity: Full name, email address, phone number, username, password hashes, one‑time codes.
  • KYC (where required): ID document images and liveness checks processed by Footprint (our identity‑verification Processor) to verify your identity. We do not store raw biometric templates; we receive verification results and limited derived attributes (e.g., pass/fail, risk signals).
• Contact & Profile: Mailing address, country/region, language, time zone, communication preferences.
• Financial & Transactional (card/payments): Tokenized payment credentials handled by our PCI‑compliant partners; transaction metadata such as timestamps/amounts/MCC; allow/deny lists for merchant categories. We do not store raw card PANs.
• Service Content & Usage: Content you submit or generate in the App (texts, files, media); workspace membership and sharing settings.
• Support: Messages, attachments, and metadata you send to our support channels.

Providing certain data may be necessary to deliver the Services (e.g., identity checks for card issuance). Where required by law, we will request your consent. issuance). Where required by law, we will request your consent.

Usage Data (automatic collection)

We automatically collect Usage Data when you interact with the Services. This includes information such as your IP address (and general location derived from IP), device type, operating system, app/browser type and version, device and advertising identifiers (if available), language, time zone, pages/screens viewed, feature usage, click/tap events, session duration, referrer/UTM parameters, diagnostics, crash logs, performance telemetry, and security events (e.g., login attempts, authentication state). On mobile devices, similar data may be collected via embedded SDKs for functionality, diagnostics, and security.

Tracking Technologies, Cookies, and SDKs

We use cookies, SDKs, and similar technologies (such as pixels, tags, and local storage) to operate, secure, and improve the Services.

Types we use:

• Strictly Necessary (Essential): Session management, authentication, security, load balancing. (Session or short-lived; set by us.)
• Functional: Remember your choices (e.g., language), maintain preferences. (Usually persistent; set by us.)
• Analytics/Performance: Privacy-centric measurement, A/B testing, crash reporting. (Persistent; set by us or our providers.)
• Fraud & Abuse Prevention: Detect spam, malicious behavior, or misuse. (Session or persistent; set by us or our providers.)

We do not use cookies or SDKs for cross-context behavioral advertising and do not sell or “share” Personal Information as defined by the CPRA.

Your choices:

• Browser controls: Block or delete cookies in your browser settings (note: essential cookies are required for core functionality).
• Consent banner/settings (EEA/UK and where required): Manage non-essential cookies/SDKs at any time.
• Mobile OS controls: Reset or limit ad/device IDs and disable certain permissions (e.g., precise location).

Use of Your Personal Data

We use Personal Data only as permitted by law (GDPR/UK GDPR, CPRA, and others). Our main purposes include:

• Providing and maintaining the Services: Operating core features across web, apps, and any card/program components; monitoring uptime and performance.
• Account & authentication: Creating and managing your Account; securing logins, tokens, MFA, and session management.
• KYC & eligibility (where required): Verifying identity via Footprint (our Processor) for regulatory or card-program needs; assessing eligibility and expanding coverage of pre-funded benefits.
• Communications: Sending service or transactional messages (e.g., security alerts, changes to terms, outages); responding to support requests.
• Personalization & service quality: Tailoring available benefits and showing transparent value calculations for items you select; measuring and improving quality.
• Analytics, testing, and fraud prevention: Using privacy-centric analytics, crash reporting, A/B testing, and abuse detection to keep the Services safe and reliable.
• Compliance and enforcement: Meeting legal, regulatory, tax, and accounting obligations; enforcing Terms; preventing misuse.
• Marketing (optional): With your consent or, where permitted, under “soft opt-in” rules, sending updates about similar products/services. You can opt out at any time.

We do not sell Personal Information or “share” it for cross-context behavioral advertising as defined by CPRA.

Sharing and Disclosure of Personal Data

We disclose Personal Data only as needed to operate the Services or as required by law:

• Service providers / sub-processors (Processors): Hosting and storage, identity verification (Footprint), payments/card issuing and program management, fraud/security tools, analytics/crash reporting, communication tools, and AI inference providers. These providers are contractually bound to process data only on our instructions and to protect it.
• Partners you connect or activate: If you link an account or enable a partner benefit, we share the minimum necessary data (e.g., a token or business email) to deliver that feature.
• Affiliates: Within ON MONETARY UNIR DOT COM INC. and its affiliates for legitimate business purposes aligned with this Policy.
• Business transfers: In a merger, acquisition, financing, or sale of assets, Personal Data may be transferred. We require the successor to honor this Policy (or provide materially similar protection) and will notify you where required.
• Public or shared areas: Information you post or share with other users (e.g., names, avatars, content) may be visible to others according to your settings.
• Legal: To comply with law or lawful requests; to protect our rights, users, or the public; to prevent fraud, security incidents, or abuse.
• With your consent: For any other purpose you authorize.

A current list of key sub-processors is available upon request at privacy@onmonetaryunit.com.

Retention of Personal Data

We retain Personal Data only as long as necessary for the purposes above and to satisfy legal, accounting, or regulatory requirements. When no longer needed, we delete or anonymize it.

Typical retention periods:

• Account identifiers: Until account deletion, plus up to 90 days for backups.
• KYC/identity (where applicable): Legal minimum (often 5–10 years, jurisdiction-dependent).
• Card/transaction records: 7–10 years for financial recordkeeping.
• Content you create: Until you delete it or your workspace owner disables access; backups for up to 30–90 days.
• Security/access logs: 12–24 months (shorter where feasible).
• Support tickets: 24 months after closure.

Upon account deletion, we begin deletion within 30 days. Some records may be retained as required by law (e.g., sanctions screening, finance).

International Transfers

We operate globally. When transferring Personal Data outside your jurisdiction (e.g., EEA/UK to the U.S.), we use appropriate safeguards, including:

• EU Standard Contractual Clauses (SCCs) (Modules 2/3) with supplementary measures;
• UK IDTA/Addendum for UK transfers;
• Other approved mechanisms where applicable; and, if certified, the EU–US Data Privacy Framework (details provided in our transfer addendum if relevant).

We do not rely on your general consent as the legal basis for international transfers.

Security of Your Personal Data

We use administrative, technical, and physical safeguards to protect Personal Data, including encryption in transit and at rest, access controls with least privilege, key management, secure software development practices, vulnerability management, and incident-response procedures. Despite our efforts, no method of transmission or electronic storage is 100% secure. If we learn of a breach affecting your Personal Data, we will notify you and regulators as required by law.

Detailed Information on Processing (Categories of Providers)

We engage third-party providers (Processors) that process Personal Data strictly on our instructions and under appropriate data-protection terms. Examples of categories include: Hosting & Storage (infrastructure, databases, backups, CDN); Identity Verification (KYC) — Footprint; Payments & Card Program — payment processors, card issuer/program manager, fraud/chargeback tools; Analytics & Crash Reporting; Security & Abuse Prevention; Communications — email/SMS/push, in-app support/ticketing; AI Inference Providers — runtime model inference (we opt out of model training wherever offered). A current list of key sub-processors is available upon request at privacy@onmonetaryunit.com.

Analytics

We use privacy-centric analytics and crash-reporting tools to understand product performance and improve reliability. Where required (e.g., EEA/UK), we obtain your consent before setting non-essential cookies/SDKs.

• What we collect: aggregated or pseudonymous Usage Data (e.g., pages/screens viewed, session duration, feature engagement, crash diagnostics).

● What we don’t do: we do not use analytics for cross‑context behavioral advertising,
and we do not sell or “share” Personal Data as defined by CPRA.
● Your choices: manage non‑essential cookies/SDKs via our banner/settings (web) and
app controls (mobile).

Email Marketing

We may send you:

• Transactional/Service communications (e.g., security alerts, changes to terms, receipts). You cannot opt out of these essential messages.
• Marketing communications about similar products or services, only with your consent where required or under applicable “soft opt-in” rules.

You can opt out of marketing at any time via the unsubscribe link in our emails or by contacting privacy@onmonetaryunit.com. Opting out does not affect transactional messages.

Payments and Card Program

For paid products/services and any card program features:

• No PAN storage by us. We do not store raw payment card numbers. Payment information is handled by our PCI DSS–compliant payment processors and card partners using tokenization.
• Strong customer authentication. Where applicable (e.g., EU/UK), we support SCA/3‑D Secure.
• App store billing. If you subscribe via an app store, that store’s payment policy and privacy terms apply in addition to this Policy.
• Program disclosures. The card (if offered) is issued and operated by our regulated partners. OOOIOO/ON is not a bank. Program-specific terms and privacy notices from those partners apply to their processing.

Provider identities and data-flow details are available upon request at privacy@onmonetaryunit.com.

GDPR / UK GDPR Privacy Notice

Legal Bases for Processing

We process Personal Data only where a lawful basis applies:

• Contract – to create and manage your account; deliver web/app features and any card/program services; provide support.
• Legitimate interests – to keep the Services secure (fraud/abuse prevention, logging), measure and improve performance (privacy-centric analytics, crash reporting), and run product operations. You can object to processing based on our legitimate interests (see “Your Rights”).
• Consent – for optional things like marketing emails, non-essential cookies/SDKs, precise location, or certain partner connections. You can withdraw consent at any time.
• Legal obligation – to meet KYC/AML, sanctions, accounting/tax, and regulatory requirements.
• Vital interests / Public task – used rarely, e.g., where necessary to protect life or comply with a lawful public-interest request.

Your Rights (EEA/UK/Switzerland)

Subject to exemptions in law, you have the right to: access, rectify, erase, restrict, object (including to direct marketing), portability, withdraw consent, contest automated decisions, and complain to your data-protection authority.

How to exercise. Use in-app controls or contact privacy@onmonetaryunit.com. We may ask for information to verify your identity. We respond within 1 month (extendable by up to 2 months for complex requests, with notice).

EU/UK representative and DPO. We have appointed a representative/DPO for the EEA/UK.
Contact details: legal name, postal address, email/phone of EU/UK representative or DPO.

U.S. State Privacy Notice (including California CPRA, Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA)

This section applies to U.S. state residents where we are subject to the relevant state privacy law (e.g., if we “do business” in a state or otherwise meet that law’s applicability thresholds). It supplements the rest of this Policy.

General (All Covered States)

• We do not sell Personal Information or “share” it for cross-context behavioral advertising.
• We do not engage in targeted advertising as defined by VA, CO, CT, or UT laws. If this changes, we will provide clear opt-out controls and honor recognized signals as required.
• You may submit privacy rights requests via in-app controls or by emailing privacy@onmonetaryunit.com. We verify your identity (and agent authority, if applicable) before acting and respond within the timelines required by each state law.
• For states that require it (e.g., VA, CO, CT), we provide an appeals process for denied requests. Submit appeals to privacy@onmonetaryunit.com with the subject “Privacy Appeal.” If your appeal is denied, we will inform you how to contact your state Attorney General.

California (CPRA)

Categories of Personal Information Collected (last 12 months):
(Definitions per Cal. Civ. Code §1798.140.)

• A. Identifiers: Name, alias, postal address, IP address, email, account ID. Collected: Yes
• B. Customer records (§1798.80(e)): Name, phone, address; government ID for KYC via our processor; limited financial info processed by payment/card partners. Collected: Yes (KYC/payments only)
• C. Protected classifications: No (not sought; if provided, incidental)
• D. Commercial information: Records/history of products/services (subscriptions, card program usage). Collected: Yes
• E. Biometric information: Liveness data for identity verification via Footprint (our processor). We do not store raw biometric templates; we receive verification results. Collected: Yes (KYC only)
• F. Internet/network activity: Interaction with our sites/apps (pages/screens, events, crash/diagnostic data). Collected: Yes
• G. Geolocation: Approximate (IP-derived). Collected: Yes (approximate only)
• H. Sensory data: Audio/visual only if you upload media or use voice features/support; otherwise No
• I. Professional/employment: No, unless acting on behalf of a business account
• J. Education: No
• K. Inferences: Limited internal inferences (e.g., fraud/abuse risk or eligibility scoring); not for advertising. Collected: Limited

Sensitive Personal Information (SPI): Processed only for limited permitted purposes (e.g., government ID for KYC) and not to infer characteristics; therefore, the right to limit generally does not apply. If our use changes, we will provide a right-to-limit mechanism.

Disclosures for Business Purposes (last 12 months):
We disclose PI to Service Providers/Processors under contracts that restrict its use to our purposes. Categories disclosed: A, B, D, F (and E only for KYC via Footprint).

CPRA Rights & How to Exercise Them:
You may request Know/Access, Delete, Correct, and other CPRA rights. Submit requests via in-app controls or privacy@onmonetaryunit.com. We respond within 45 days (extendable once by 45 days with notice). We will honor Global Privacy Control (GPC) if we begin selling/sharing PI in the future.

Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA)

If you are a resident of VA, CO, or CT and we are subject to that state’s law, you may have rights to: access, confirm, delete, correct, and data portability; and to opt out of targeted advertising, sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects. Submit requests via in-app controls or privacy@onmonetaryunit.com. Appeals: email privacy@onmonetaryunit.com with subject “Privacy Appeal.”

Utah (UCPA)

If you are a Utah resident and we are subject to UCPA, you may have rights to: access, delete, and data portability; and to opt out of sale or targeted advertising. (UCPA does not include a correction right or a profiling opt-out.) Submit requests via in-app controls or privacy@onmonetaryunit.com.

“Do Not Track” (CalOPPA)

Browser Do Not Track (DNT) signals are not yet standardized, so we do not respond to DNT at this time. If we begin selling or sharing Personal Information in the future, we will honor applicable opt-out signals such as Global Privacy Control (GPC).

Children’s Privacy

Our Services are not directed to children under 16 (or a higher age where required by local law). We do not knowingly collect Personal Data from children. If you believe a child has provided Personal Data to us, please contact privacy@onmonetaryunit.com and we will take appropriate action. Where parental consent is required by law (e.g., COPPA for children under 13), we will obtain it before processing.

Links to Other Websites

Our Services may contain links to third-party websites or services. We are not responsible for their content or privacy practices. Please review the privacy policies of every site you visit.

Changes to this Privacy Policy

We may update this Privacy Policy from time to time. We will post the updated version with a new “Last updated” date and, where changes are material, notify you in-app or by email. Your continued use of the Services after the effective date means you accept the changes.

Contact Us

• Email: privacy@onmonetaryunit.com
• In-app: Support → Privacy request
• Postal address: 16192 Coastal Hwy, Lewes, DE 19958, USA
• EU/UK representative / DPO: [Contact details available upon request]

---

Annex A — Data Map (Overview)

Systems: App, Web, Authentication, Billing, Card program, KYC (Footprint), Support desk, Analytics, Logging/SIEM, File storage, Email, Push notifications, AI inference
Vendors: Hosting, email/SMS, identity, payment/card issuer & program manager, analytics, crash reporting, fraud/security, AI providers
Transfers: EEA/UK → US via SCCs + supplementary measures; UK Addendum; DPF (if certified)

---

Annex B — Sub-processors (Availability)

For security reasons, we do not publish a public list. A current list of sub-processors (names, roles, locations) is available upon request at privacy@onmonetaryunit.com.

---

Annex C — Retention Schedule (Summary)

See Retention of Personal Data. Jurisdiction-specific minimums (finance/KYC) may require longer retention (e.g., 5–10 years).

---

Cookie Notice (Summary)

We use cookies, mobile SDKs, and similar technologies (pixels, tags, local storage) to operate, secure, and improve the Services. Some are essential and cannot be switched off. Others are optional and used only with your consent where required (e.g., EEA/UK).

Categories We Use

• Essential (Strictly Necessary): Authentication/session management, load balancing, security (CSRF, rate-limits), consent logging. (Session or short-lived; set by us.)
• Functional: Remembering preferences (e.g., language, accessibility). (Persistent; set by us.)
• Analytics/Performance: Privacy-centric measurement, crash reporting, A/B testing. (Persistent; set by us or our providers.)
• Fraud & Abuse Prevention: Bot detection, risk scoring. (Session or persistent; set by us or our providers.)
• Advertising/Targeting: Not in use. We do not sell or “share” data for cross-context behavioral advertising.

Your Controls

• Consent banner / Settings (EEA/UK): Manage non-essential cookies/SDKs any time via our banner or settings.
• Browser settings: Block or delete cookies; note that essential cookies are required for core functionality.
• Mobile settings: Reset/limit device or ad IDs; disable permissions (e.g., precise location).
• GPC: If we ever sell/share PI or use targeted ads, we will honor Global Privacy Control signals.

Retention

• Session cookies expire when you close your browser/app.
• Persistent cookies/SDK data typically last 6–13 months unless you delete them sooner. Exact lifetimes depend on the provider and purpose.

For more details, contact privacy@onmonetaryunit.com. We will update this Notice if our providers or purposes change.