Privacy Policy

Last Updated:         8th February 2026

​

1. Purpose
This Privacy Policy defines how Monix Technology Limited, trading as Pipin (the “Company”), collects, uses, shares, stores, and protects personal data.
 

The purpose of this policy is to explain, in clear and practical terms, what personal data the Company processes, why it is processed, how it is safeguarded, and what rights individuals have in relation to that data. It is intended to help users understand how their information is handled when they use Pipin or interact with the Company.

This policy describes how the Company processes personal data in practice, based on its current operating model, systems, and controls. 

This Privacy Policy is provided in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 and explains how the Company fulfils its obligations as a data controller under that legislation.

2. Scope and applicability
This Privacy Policy applies to the processing of personal data by the Company in connection with the Pipin service and the Company’s operations.

 

It applies where you:
     use the Pipin mobile or web applications
     visit or interact with the Company’s website
     create or manage a Pipin account
     connect financial accounts to Pipin
     contact the Company for support or operational enquiries
     provide feedback or participate in user research

 

This policy applies to personal data processed by the Company regardless of whether the data is collected directly from you or received from third parties you choose to connect to the service.

 

This policy applies to current and former users, including beta testers, where the personal data relates to services provided by the Company. It also applies to personal data processed through customer support, complaints handling, security monitoring, and incident management.

 

The Company acts as the data controller for personal data processed in connection with Pipin. This policy does not apply to third-party services or platforms that are linked to or integrated with Pipin but operated independently of the Company. Those services are governed by their own privacy policies.

 

3. Who we are and how to contact us
Monix Technology Limited, trading as Pipin (the “Company”), is a company registered in England and Wales under company number 14199523. Its registered office is 3rd Floor, 86–90 Paul Street, London, EC2A 4NE.

 

The Company is the data controller for personal data processed in connection with the Pipin service for the purposes of UK data protection law.
 

Data Protection Officer
The Company has appointed its Chief Executive Officer as Data Protection Officer. The Company ensures that data protection matters are handled independently, free from conflicting commercial interests and with appropriate oversight.

 

The Data Protection Officer is responsible for overseeing the Company’s compliance with data protection law, advising on data protection obligations, monitoring internal policies and controls, and acting as a point of contact for individuals and supervisory authorities on data protection matters.
 

How to contact the Company
You can contact the Company, including the Data Protection Officer, about privacy or data protection matters in the following ways:
     By email at data@pipin.app 
     By post at the address above
     Through in-app support or messaging within the Pipin application

​

4. Personal data the Company processes
The personal data processed by the Company depends on how you use Pipin and which features you choose to use. The Company processes personal data only where there is a defined purpose connected to providing the service, meeting legal obligations, protecting users and the service, or operating the Company responsibly.

 

The categories of personal data processed by the Company are described below.
 

4.1 Identity and account information
When you create or manage a Pipin account, the Company processes information needed to identify you and operate your account. This includes your name, email address, internal account identifiers, and records relating to account status and settings.

 

This information is used to create and maintain your account, authenticate access, communicate with you about the service, and support account-related requests.
 

4.2 Financial account and transaction information
If you choose to connect a financial account to Pipin, the Company processes read-only account information obtained through an authorised third-party account information service provider. This can include account details such as account name, type, and balance, as well as transaction data such as dates, amounts, descriptions, merchant information, and categorisation.

 

The Company uses Yapily Connect Ltd (“Yapily”) as its open banking provider to access financial account information with your permission. Yapily is authorised and regulated by the Financial Conduct Authority (“FCA”) to provide account information services. When you connect a financial account, access is granted through consent flows governed by Yapily’s end-user terms, which explain how financial data is accessed from your bank and made available to the Company.

 

The Company does not initiate payments, move funds, or access online banking credentials. Access to financial account data is limited to the permissions you grant and can be withdrawn by you at any time through the app or through your bank.
 

4.3 Usage, activity, and interaction information
When you use Pipin, the Company processes information about how you interact with the service. This includes feature usage, navigation and interaction data, timestamps, and actions taken within the app.

 

This information helps the Company operate the service, understand how features are used, diagnose issues, and improve usability and performance.
 

4.4 Device, technical, and connection information
The Company processes technical information generated by your device and connection when you access Pipin. This can include device type, operating system, app version, browser information, IP address, and similar technical identifiers, as well as diagnostic information such as error messages and crash reports.

 

This information is used to maintain service reliability, support security monitoring, investigate faults or incidents, and prevent misuse of the service.
 

4.5 Insights, summaries, and derived information
The Company generates summaries, indicators, and insights within Pipin based on the information you choose to connect and how you use the service. These outputs are designed to help you organise and understand your finances within the app and are visible to you as part of the service.

 

The Company does not use this information to make automated decisions, including profiling, that produce legal effects or similarly significant effects for you.
 

4.6 Communications, support, and feedback information
If you contact the Company, request support, provide feedback, or take part in user research, the Company processes the information you provide and related correspondence. This can include messages, emails, survey responses, call notes, and records of actions taken to respond.

 

This information is used to provide support, resolve issues, improve the service, and maintain appropriate records of interactions.
 

4.7 Complaints, rights requests, and operational records
Where you raise a complaint, exercise a data protection right, or where the Company needs to investigate an issue, the Company processes and creates records to manage the matter appropriately. This can include complaint records, investigation notes, decision records, audit trails, and relevant system logs.

 

These records are used to meet legal and regulatory obligations, demonstrate compliance, resolve disputes, and improve Company processes.
 

4.8 Special category data
The Company does not intentionally collect or process special category personal data as defined under UK data protection law, such as data relating to health, biometric identifiers, racial or ethnic origin, religious or philosophical beliefs, or sexual orientation.

 

Where information connected to financial activity could indirectly reflect aspects of an individual’s circumstances, it is processed solely for the purpose of providing the Pipin service and is not treated or analysed as special category data.
 

4.9 Sources of personal data
The Company receives personal data directly from you when you create an account, use the Pipin service, contact the Company, or provide feedback.

 

Where you choose to connect financial accounts, the Company also receives personal data indirectly from financial institutions via authorised account information service providers, such as Yapily Connect Ltd, acting under your instruction and consent.

 

The Company does not obtain personal data from data brokers or third-party marketing sources.

 

5. How and why personal data is used
The Company uses personal data only where there is a clear and defined purpose connected to operating the Pipin service, protecting users and the service, meeting legal obligations, or running the Company responsibly. Personal data is not used for unrelated or speculative purposes.

 

The main ways in which the Company uses personal data, and the lawful bases relied upon, are set out below.
 

5.1 Providing and operating the Pipin service
Lawful basis: performance of a contract.
The Company uses personal data to provide the core Pipin service. This includes creating and managing user accounts, authenticating access, displaying connected financial data you choose to share, organising transactions, generating in-app insights, and enabling features to function as described.

This processing is necessary for the Company to deliver the service you sign up for.
 

5.2 Operating the service safely and securely
Lawful basis: legitimate interests in maintaining a secure, reliable service and protecting users.
The Company uses personal data, including technical, usage, and connection information, to operate Pipin in a safe and secure manner. This includes monitoring system performance, detecting errors, investigating faults, identifying abnormal or potentially harmful activity, and preventing misuse of the service.

Security monitoring and investigation may involve reviewing logs, access records, and diagnostic data where this is necessary to understand what has happened and to protect users and the service.
 

5.3 Customer support, complaints, and issue resolution
Lawful basis: performance of a contract and legitimate interests, depending on the nature of the request.
The Company uses personal data to respond to support enquiries, handle complaints, investigate issues, correct errors, and communicate outcomes. This may involve reviewing account information, support correspondence, and relevant system records to understand and resolve the matter.

Where an issue relates to personal data, security, or user rights, processing is carried out in line with the Company’s Complaints Handling Procedure and Incident and Breach Management Policy.
 

5.4 Service improvement and development
Lawful basis: legitimate interests in improving the service.
The Company uses usage, interaction, and feedback information to understand how Pipin is used, identify areas of confusion or friction, improve reliability, and develop features. Where practical, analysis is carried out using aggregated or pseudonymised data rather than directly identifiable information.

Personal data is not used for unrelated research or development activities and is not retained solely because it may be useful in the future.
 

5.5 Communications with users
Lawful basis: performance of a contract and legitimate interests for service messages; consent for marketing communications.
The Company uses contact information to send service-related communications that are necessary for the operation of Pipin. These include messages about account activity, security notifications, important changes to the service, or information required to support your use of the app.

Marketing or promotional communications are sent only where you have chosen to receive them. You can withdraw your consent at any time using the unsubscribe link provided or through available account settings.

Financial account data and in-app financial insights are never used for marketing or promotional purposes.
 

5.6 Legal, regulatory, and risk management purposes
Lawful basis: legal obligation or legitimate interests, depending on the context.
The Company may process and retain personal data where this is necessary to meet legal or regulatory obligations, respond to lawful requests from authorities, manage complaints or disputes, or defend legal claims.

Personal data may also be processed in connection with insurance arrangements. This includes underwriting, claims handling, incident investigation, forensic analysis, and cooperation with insurers or their advisers following a security incident or other insured event.

In some cases, this may require retaining specific records for a limited period after account closure where there is a documented legal, dispute, insurance, or security-related reason.

Where personal data is processed or retained for these purposes, access is restricted and retention is limited to what is necessary and proportionate.

5.7 Automated decision-making
The Company does not use personal data to carry out automated decision-making, including profiling, that produces legal effects or similarly significant effects for users.

 

6. Mandatory and optional data
Some personal data is required for the Company to provide the Pipin service. This includes information needed to create and manage an account, authenticate access, connect financial accounts where you choose to do so, and operate core features of the service.

​

If required information is not provided, or if required permissions are withdrawn, the Company may be unable to provide some features or may be unable to provide the service at all. Where this is the case, the impact will be explained to you within the app or through support communications.

 

Other personal data is optional. This includes information you choose to provide through feedback, surveys, beta programmes, or user research. Providing this information is voluntary and does not affect your ability to use the core Pipin service.

 

Where optional data is collected, the Company uses it only for the specific purpose explained at the time it is provided and does not treat refusal or withdrawal as a barrier to accessing the service.

 

7. Analytics and cookies

7.1 Analytics
The Company uses analytics to understand how the Pipin website and application are used, how features perform, and where reliability or usability issues arise. Analytics data helps the Company monitor performance, diagnose problems, and improve the service over time.

 

Analytics focus on service usage, stability, and user experience. The Company does not use analytics for behavioural advertising, profiling for marketing purposes, or selling user data.

​

Where practical, analytics data is reviewed in aggregated or pseudonymised form rather than at an individual user level. Individual-level analytics are accessed only where necessary to investigate a specific issue, such as a fault, incident, or support request.
 

7.2 Cookies and similar technologies
The Company uses cookies and similar technologies on its website to ensure the site functions correctly and to understand how it is used.

Some cookies are essential for the website to operate, such as those that support security, page navigation, and basic functionality. These cookies are required and cannot be disabled through the website.

 

Where non-essential cookies are used, such as those supporting analytics, you are given control over whether those cookies are set. You can manage cookie preferences through on-site controls where available and through your browser settings at any time.

 

Cookies are not used to track users across unrelated websites, create third-party advertising profiles, or deliver targeted advertising.

 

8. Sharing personal data
The Company does not sell personal data and does not share personal data for advertising or marketing by third parties.

Personal data is shared only where this is necessary to operate the Pipin service, meet legal obligations, or protect users and the Company. Sharing is limited to what is required for the specific purpose and is subject to contractual and technical controls.

8.1 Service providers and processors
The Company uses trusted third-party service providers to support the delivery and operation of Pipin. These providers may host systems, provide infrastructure, support analytics, operate customer support tools, or enable authorised account connectivity.

 

Where a third party processes personal data on the Company’s behalf, they act as a processor and are permitted to process personal data only in accordance with the Company’s instructions. Contracts require processors to protect personal data, apply appropriate security measures, support user rights, notify the Company of incidents, and delete or return data when services end.

 

The Company selects and manages processors in line with its Third-Party and Processor Policy, which defines how providers are assessed, approved, monitored, and offboarded.
 

8.2 Open banking and account connectivity
Where you choose to connect financial accounts, personal data is shared with the Company through authorised account information service providers, such as Yapily Connect Ltd. These providers operate under their own regulatory obligations and end-user terms, which govern how financial data is accessed from banks and transmitted securely.

 

The Company receives financial account data only for the purpose of providing the Pipin service and does not receive or store users’ online banking login credentials.
 

8.3 Professional advisers and authorities
The Company may share personal data with professional advisers such as lawyers, accountants, or insurers where this is necessary for advice, compliance, or risk management.

​

Personal data may also be disclosed to authorities or regulators where the Company is required to do so by law or where disclosure is necessary to protect users, investigate misuse, or respond to legal claims.
 

8.4 Business changes
If the Company undergoes a business change such as a merger, acquisition, restructuring, or sale of assets, personal data may be transferred as part of that transaction where permitted by law.

​

In such cases, personal data will remain subject to appropriate protections, and individuals’ rights under UK data protection law will continue to apply.

 

9. Data storage and international transfers
Personal data processed by the Company is primarily stored and processed in the United Kingdom and the European Economic Area.

 

Where third-party services are used, data may be stored or processed in other locations. In such cases, the Company ensures that international transfers of personal data take place only where appropriate safeguards are in place under UK data protection law. These safeguards may include adequacy decisions or approved contractual protections.

 

The Company does not transfer personal data internationally without a defined operational need and documented safeguards. Information about data locations and transfers is considered as part of third-party approval and review.

 

10. Data retention and deletion
The Company keeps personal data only for as long as there is a clear and lawful reason to do so. Retention is based on the purpose for which the data is used, legal or regulatory obligations, and the need to protect users and the service.

 

Retention periods are defined by data category and documented in the Company’s Data Retention and Deletion Policy. Personal data is not retained indefinitely and is not kept solely because it may be useful in the future.

 

Further detail on retention periods by data category is set out in the Company’s Data Retention and Deletion Policy, which is available to insurers, partners, and regulators on request.
 

10.1 Account closure and deletion
When an account is closed or a valid deletion request is received, the Company stops collecting new data for that account and deletes or anonymises personal data from active systems, unless retention is required for a specific lawful reason.

 

Some information may be retained for a limited period after account closure where this is necessary to complete closure activities, handle complaints or disputes, investigate security issues, or meet legal obligations. Where this occurs, access to retained data is restricted.
 

10.2 Legal, dispute, and security holds
In limited circumstances, the Company may retain specific personal data beyond standard retention periods. This can occur where there is an ongoing complaint, dispute, legal matter, or security investigation.

​

Any such retention is documented, limited to what is necessary, access-controlled, and reviewed until the reason for retention no longer applies. Once the retention reason ends, the data is deleted or anonymised in line with Company policy.
 

10.3 Backups
Personal data may persist in encrypted backups for a limited period after deletion from active systems as part of the Company’s disaster recovery processes. Backup data is not used for routine processing or analysis and is deleted or expires in line with defined backup retention cycles.

 

11. Your rights
You have rights under UK data protection law, including the UK General Data Protection Regulation (UK GDPR), in relation to your personal data. These rights exist to give you control over how your information is used and to ensure it is handled fairly and lawfully.
 

11.1 Rights available to you
The rights available to you, and how the Company applies them in practice, are explained below.

​

Right of access
You have the right to request confirmation of whether the Company processes your personal data and to request a copy of that data, together with information about how it is used.

When responding to an access request, the Company provides the personal data held about you that falls within the scope of the request, along with explanatory information required by law. Information that would adversely affect the rights of others or reveal confidential Company information may be withheld or redacted where permitted.

​

Right to rectification
You have the right to request correction of personal data that is inaccurate or incomplete.

Where the Company relies on data obtained from third parties, such as financial institutions, correction may involve updating records held by the Company or directing you to the appropriate source where correction must be made at origin.

​

Right to erasure
You have the right to request deletion of your personal data in certain circumstances.

Where a valid erasure request is received, the Company deletes or anonymises personal data from active systems unless retention is required for a lawful reason, such as compliance with legal obligations, handling complaints or disputes, or investigating security issues. Where deletion cannot take place immediately, access to retained data is restricted until deletion occurs.

​

Right to restrict processing
You have the right to request restriction of processing in specific circumstances, such as where the accuracy of data is contested or where processing is being assessed following an objection.

While processing is restricted, the Company will store the data but will not actively use it except where permitted by law.

 

Right to object
You have the right to object to processing carried out on the basis of legitimate interests.

Where an objection is received, the Company will assess whether there are compelling legitimate grounds to continue processing that override your interests, rights, and freedoms. If no such grounds exist, processing will cease for the objected purpose.

​

Right to data portability
Where processing is based on consent or contract and carried out by automated means, you have the right to request a copy of certain personal data in a structured, commonly used, and machine-readable format, or to have it transferred to another provider where technically feasible.

This right applies to personal data you have provided to the Company where processing is based on consent or contract and carried out by automated means. This typically includes basic account information and connected financial data in a raw or structured form, but does not include derived insights or internal analysis generated by the service.

​

Right to withdraw consent
Where the Company relies on consent to process personal data, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before consent was withdrawn.
 

11.2 How to exercise your rights
You can exercise your data protection rights by contacting the Company using the contact details set out in this Privacy Policy, including through in-app support.
 

To protect your information, the Company may need to verify your identity before acting on a request. Verification is proportionate to the nature of the request and the sensitivity of the data involved.

 

The Company responds to rights requests within the timeframes required by law. Where a request is complex or requires additional time, the Company will explain the reason for any extension and keep you informed.
 

11.3 Questions, concerns, and complaints
If you have questions or concerns about how the Company has handled your personal data or a data protection request, you can contact the Company using the details set out in this Privacy Policy.

 

Information about how to raise a privacy-related complaint with the Company is set out in Section 15 of this Privacy Policy.

 

12. Security and incident handling
The Company takes the security of personal data seriously and applies technical and organisational measures designed to protect it against unauthorised access, loss, misuse, or disclosure. Security controls are designed to be proportionate to the nature of the data processed and the Company’s size and operating model.

12.1 How personal data is protected
The Company uses a combination of technical and organisational measures to protect personal data. These measures include limiting access to personal data to individuals who need it to perform their role, using authentication controls to protect systems and accounts, encrypting data in transit between systems, and maintaining logging and monitoring to support oversight and investigation.

​

Anyone working for or on behalf of the Company is not permitted to access personal data out of curiosity or for personal interest, and all access is subject to monitoring and audit controls.

 

Personal data is stored within systems that are designed to restrict unauthorised access and to support traceability where access or changes occur. Access rights are reviewed and removed when no longer required.

 

Security controls are reviewed and updated as the Company’s systems, services, and risk profile evolve.
 

12.2 Monitoring and issue detection
The Company monitors systems and services to identify errors, abnormal behaviour, or potential security issues. This monitoring may involve reviewing technical logs, access records, and diagnostic information where necessary to understand what has occurred and to take appropriate action.

 

Monitoring is used to protect users and the service and is not carried out for unrelated or intrusive purposes.
 

12.3 Security incidents and personal data breaches
A security incident is any event that compromises, or could reasonably be expected to compromise, the confidentiality, integrity, or availability of Company systems or personal data.

 

Where a security incident involves, or may involve, personal data, the Company assesses whether it constitutes a personal data breach under UK data protection law.

 

Security incidents and personal data breaches are handled in line with the Company’s internal incident management processes. This includes investigating what happened, containing and mitigating the issue, assessing the potential impact on individuals, and taking steps to reduce the risk of recurrence.
 

12.4 Notification and communication
Where the Company identifies a personal data breach that is required to be reported under UK data protection law, it will notify the UK Information Commissioner’s Office without undue delay and, where required, inform affected individuals.

 

If the Company contacts you about a security or data protection issue, it will provide clear and relevant information about what has happened, what it means for you, and any steps you should take.

 

13. Children
Pipin is designed for use by adults and is not intended for individuals under the age of 16 (sixteen).

 

The Company does not knowingly collect or process personal data relating to children under 16 (sixteen). The service, onboarding flows, and communications are not directed at children, and the Company does not market Pipin to children.

 

If the Company becomes aware that it has collected personal data relating to a child under 16 (sixteen) without appropriate consent, it will take steps to delete that data as soon as reasonably practicable and to prevent further processing.

 

If you believe that a child has provided personal data to the Company, you can contact the Company using the details set out in this Privacy Policy.

 

14. Changes to this Privacy Policy
The Company may update this Privacy Policy from time to time to reflect changes to the Pipin service, changes in how personal data is processed, legal or regulatory developments, or improvements to the clarity of this policy.

 

Where changes materially affect how personal data is used or the rights available to individuals, the Company will take reasonable steps to inform users. This may include in-app notifications, email communications, or prominent notices within the service or on the Company’s website.

 

The most recent version of this Privacy Policy will always be available through the Pipin application and the Company’s website. The “last updated” date at the top of the policy indicates when it was most recently revised.

 

15. Questions and complaints
The Company aims to be transparent and fair in how it handles personal data. If you have a question, concern, or complaint about this Privacy Policy or how your personal data has been processed, you can raise the matter with the Company.
 

15.1 What can be raised under this section
This section covers concerns or complaints relating to how the Company has handled personal data. This includes situations where you believe your data has been used incorrectly, retained longer than expected, disclosed inappropriately, or where you are dissatisfied with how a data protection request has been handled.

​

General service questions or feature feedback that do not relate to personal data are handled through normal support channels.
 

15.2 How the Company handles privacy-related complaints
When the Company receives a privacy-related concern or complaint, it assesses the issue to understand its nature and impact. Depending on the circumstances, this may involve reviewing relevant account information, communications, system records, or technical logs to establish what has happened.

​

The Company investigates privacy-related complaints fairly and proportionately. Where an issue is identified, the Company will take reasonable steps to address it, explain what has been done, and consider whether changes are needed to prevent similar issues from occurring again.

​

Where resolution requires input from third parties or further technical investigation, the Company will explain this and provide updates where reasonable.

15.3 Outcomes and responses
The Company will respond to privacy-related complaints in clear and plain language. Responses may include an explanation of findings, confirmation of any corrective action taken, or reasons why the Company considers its handling of personal data to be appropriate in the circumstances.

​

Where the Company identifies an error or shortcoming, it will take reasonable steps to put matters right.
 

15.4 External escalation
If you remain dissatisfied after raising a privacy-related concern or complaint with the Company, you have the right to raise the matter with the UK Information Commissioner’s Office (ICO), the supervisory authority responsible for data protection in the United Kingdom.

 

You can contact the ICO at www.ico.org.uk. Raising a concern with the ICO does not affect any other legal rights you may have.