Review of Privacy Policy and T&Cs


#1

Whilst this may not be of interest to most people, there have been some other topics regarding the T&Cs and Privacy Policy:

In addition to those helpful topics, I thought I would take time to note down all my thoughts in the hope they will be useful for Mondo’s consideration, especially @tristan and @paul, and (as an investor) avoid paying someone else to do it. I do not have a legal background but have reviewed many contracts from technology, information security and information privacy perspectives.

Also, Mondo is putting a lot of effort into functionality, design and usability… but the current documents don’t seem to have the same degree of thought, polish or accuracy. They do rather look like hacked versions of other companies’ documents. :unamused:

Mondo Privacy Policy

https://getmondo.co.uk/privacy/

The ICO has a preference for using the term “privacy notice” instead of “privacy policy”. Mondo may well have a more detailed internal-only privacy policy too. See also result of this ICO consultation once published.

This Privacy Policy, together with our Terms and Conditions, sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us.

Minor issue but does “processed” somehow exclude “collected, stored, used and transmitted”?

Information we may collect from you

This appears to be a heading, but is rendered in a paragraph style instead of a heading (H2?) style.

2. Information that you provide when you enter a competition or promotion sponsored by us or third parties, and when you report any problem with our website;

The previous item mentions “via our website or mobile application”, so is this item saying that no personal data is collected when reporting a problem about the mobile app or API? I suspect not. Perhaps define “applications” somewhere to include the website, the mobile apps, community forum, API, developer area, Slack, etc, and avoid listing everything in each clause? Some data about potential and actual investors also came via the Crowdcube website - where is that data, and how is it being used/protected/maintained/etc?

3. If you contact us, we may keep a record of that correspondence, including any phone number or email address you use;

What about other modes of communication like Twitter and post? Again, maybe make this clause more generic to avoid listing every current and future method. Maybe also “phone number or email address” is too specific? Does AppChart use email address? Some other identifiers may also be used like account number, customer ID etc?

5. Details of transactions (including details of payment cards and bank accounts used) that you carry out through our website, mobile application, or using the Mondo card.

Replace the full stop with a semicolon like the previous clauses.

6. Details of your usage of our mobile application and website including, but not limited to, traffic data, location data, logs, error- & crash-reporting, and other communication data and the resources that you access.

Same as previous.

8. Information you give us explicit permission to access from your mobile device, including your address book, photos, geolocation, gyroscopes, data from your cameras or microphones. You may choose not to give permission to share this data, but it may restrict the usage of certain features of the mobile application;

Possibly needs an “and” added at the end if item 4 in the subsequent list is correct.

We process personal information for the purposes of:

Use of “process” again. See comment at start of this. Also the following five items should start with a capital letter like the previous list.

Use of IP addresses and cookies

Would “user tracking” be more generic? The text in this section sounds a bit outdated. IP addresses and cookies are not the only way of tracking users, and the so-called “cookie law” was about all tracking technologies, not cookies. This section also all seems to be about the main website. What about the mobile app, and other ways customers interact with Mondo?

the fulfilment of your order

Sounds like this section was copied from an ecommerce merchant’s privacy notice. May require re-writing.

We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this privacy policy.

Mondo also has legal obligations, so it is not just the “reasonably necessary” that it should be worrying about. Also “in accordance with this [user/customer] privacy policy” is not adequate for employees and suppliers. There needs to be some other corporate privacy policy.

We may disclose your personal information to any member of our group of companies, which includes our subsidiaries, our ultimate owner and any undertakings owned by it.

Does Mondo really have subsidiaries and an ultimate owner? I suspect not.

3. If we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply our Terms and Conditions or other agreements; or to protect the rights, property, or safety of us, our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction;

Add “and” at end as previous list(s).

Access to information

Perhaps be more helpful by stating a particular person/role/team, or asking for some particular wording. This will help Mondo itself identify subject access requests (SARs). Consider email/Twitter etc initiated SARs.

Any material changes we may make to our privacy policy in the future will be posted on this page and, where appropriate, notified to you by email.

Possibly by app alert instead/as well?

16-28 Tabernacle Court, Tabernacle Street, EC2A 4DD

This address is mentioned twice. It is neither the address listed by Companies House (White Bear Yard, EC1R 5DF) nor the address mentioned on the careers page (Epworth St, EC2A 4DL). Possibly should also quote company number?

Mondo Card Terms and Conditions of Use

https://getmondo.co.uk/terms/

Formatting of headings and lists, indentation and punctuation conventions are different to the Mondo Privacy Policy.

Definitions

Inconsistent use of semi-colons and full stops at end of list items.

2.2

“Issuer” is mentioned four times always with an initial capital letter, but is not defined anywhere. Should that not be “us” instead?

9.1.3.

This list item finishes with “and”, so either the next item should be at the same level or the “and” needs to be deleted.

10.1. We may change any of these terms and conditions, including fees and charges, or introduce new terms. If we make any changes, we will give 2 month’s prior written notice to you by email.

And/or by the app?

10.2. If we change these terms and conditions, the new terms and conditions will be available at www.getmondo.co.uk/terms-and-conditions from the date the change takes place.

Incorrect URL - that is a dead link. Change to “www.getmondo.co.uk/terms”.

10.4. Between receipt of the notice and the proposed date of change, if you notify us that you do not accept the change, this agreement will terminate immediately and subject to condition 8.2 you can redeem your total balance at that time without charge.

Maybe this should be referring to the redemption period validity in “8.1” and not the lack of redemption charge in “8.2”?

13.5. We can delay enforcing its rights under this agreement without losing them.

Who/what does “its” refer to?

15.1.

Is Tabernacle Street correct here (see comment above relating to the same address in the Mondo Privacy Policy)?

Community Terms of Service

Not reviewed in detail. But there are contradictions with the other documents above. Access/use is governed by US Californian law.

This CToS defines the above Mondo Privacy Policy as “community.monzo.com’s Privacy Policy”. But the Mondo Privacy Policy doesn’t state or imply that.

Other

There are no specific ToS/T&Cs for the main website, mobile app or API (just for the community site mentioned above). These will be very different to the card T&Cs, and probably need to include something about application abuse issues.

How is Mondo assessing data transfers to the US due to the current uncertain status of Safe Harbor?


(James!) #2

This is incredibly comprehensive! You deserve a job there! :stuck_out_tongue:


(James Billingham) #3

@_Colin_W It is extremely important to understand that at present Mondo is not a bank. As such, many of the topics you’ve brought up in your posts over the last couple of days don’t really make sense at this stage.

They simply do not need to reach the level of accuracy or comprehensiveness in their legal documents/policies yet - it would be a poor use of their time to attempt this right now.

Obviously this will change in time for them becoming a regulated company, but that isn’t going to happen any time soon and as such it’s kinda unreasonable to expect them to spend the time required at this point.


#4

Well. Thank you for the personal feedback.

Could you please list the “many topics” that “don’t really make sense” to permit me to reply to the criticism.

Regarding your criticism of me posting this topic:

  1. Development of trust by current and potential customers takes time to build and maintain. Mistakes and mis-formatting in public documents directed to customers don’t really add much confidence in how carefully the systems are being developed, how the company protects information including intellectual property, business data and personal data, and whether the company’s business systems and processes are robust enough to become a bank.

  2. Perhaps decent documents will help with Mondo’s application to become a bank?

  3. In terms of requirements for accuracy/correctness, I would think Mondo would want a valid contract formed with its customers in the Mondo Card Terms and Conditions of Use, and that may also be a condition of Wirecard providing services to Mondo. Mondo doesn’t have to be a bank to need to form valid contracts with customers and suppliers.

  4. Nothing in my feedback above comes from any FCA guidance or the FCA handbook.

  5. Most of my feedback is about inconsistencies, incorrect formatting, invalid cross-references and definition mistakes. None of that is for banks only. Just good business.

  6. Furthermore it is not just banks that have to comply with the Data Protection Act, the Privacy and Electronic Communication Regulations and amendments, and the Companies Act. Mondo is already “regulated”, like most other entities.

  7. I seem to remember seeing a picture of a Mondo employee with a stack of debit cards, so Mondo is also subject to PCIDSS, and if you think I’m being pedantic about the above documents, there will be no hope for PCIDSS compliance!

  8. And in any case the Mondo card is issued by a company regulated in the UK by the Financial Conduct Authority, and those terms are discussed above.

  9. I agree it is still an early stage but why does that mean I am not allowed to provide feedback to help? If we are permitted to say this or that about the app, and how it could be improved, or ideas for features, why are documents out of scope?

Mondo says “We’re trying to build the best bank on the planet and we want you on board.” I am just trying to help.


(James Billingham) #5

It’s just a bit premature and could easily come off as demanding.


#6

On the subject of receipts, I was suggesting Mondo should consider being careful about user generated content, before it becomes an issue. On account verification, I made the suggestion that if Mondo begin to ask for copies of government identity documents, it should consider deleting them as soon as possible. I don’t think either of those are premature or demanding. They are after all only suggestions. And none are bank-specific.

Regarding the last topic regarding privacy/marketing, I was merely replying to someone else’s topic to show my support and encouragement. Maybe you can complain to them about their suggestion instead?

If these need further discussion, could you please post to the original topics?