Privacy Policy

1. Who we are and how to contact us

Mando Network Limited ("Mando", "we", "us", "our") is the data controller for the personal data described in this Privacy Policy. Our registered office address is published on our Contact page. Our Data Protection Officer can be reached at dpo@mando.network. You have the right to lodge a complaint with the Information Commissioner's Office at any time — see section 11.

2. What personal data we collect

We collect and process the following categories of personal data:

• Identity data — full legal name, date of birth, nationality, government-issued identity document (passport, UK driving licence, national ID), a liveness-verified selfie image, and the machine-readable zone data extracted from the identity document.
• Contact data — email address, mobile phone number, residential address and postcode.
• Financial data — Mando account balance and transaction history, linked external bank account details, card last-4-digits and BIN, payout destinations, merchant business name and trading name, and, for business applicants, registered company number and beneficial-ownership information.
• Technical data — IP address, device type, operating system, browser, device fingerprint hash, cookie identifiers, time zone, referrer URL, pages viewed and actions taken in the dashboard.
• Authentication data — bcrypt-hashed password, bcrypt-hashed passcode, AES-256-GCM-encrypted memorable word, TOTP seed for authenticator apps, login history with device and location metadata.
• Communications data — support tickets, chat transcripts, emails to and from support, complaint correspondence, call recordings (with notice).
• Compliance data — PEP and sanctions screening results, MLRO case notes, suspicious activity reports, fraud-engine risk scores.
• Marketing preferences — consent flags for email marketing and in-app notifications.
• Business content data — photographs of price lists, menus, business cards or leaflets uploaded through our Smart Scanner feature; business logos, brand colours and service descriptions used to build your merchant website; and promotional content created through our Print Studio and Email Marketing tools.
• Social media data — social media profile URLs and handles you provide when using our Social Media Reach feature, and associated engagement metrics.
• Booking and customer data — appointment records, customer names and contact details entered by you or your customers through the online booking system, review content, and loyalty programme participation data.
• Subscription data — your current subscription tier (Starter, Pro or Gold), subscription start date, billing cycle, payment method last-4-digits, and upgrade or downgrade history.

3. How we collect your data

We collect data directly from you when you open an account, complete identity verification, use the dashboard, contact us, or make payments. We also collect data automatically from your use of the website and dashboard. We receive data from third parties including: identity verification providers (Onfido, Persona or equivalent); sanctions and PEP screening providers; Companies House; our banking and card-scheme partners; fraud-prevention services; and, for Google sign-in, Google Identity Services under their OAuth consent flow. We also collect business content data when you voluntarily upload photographs through our Smart Scanner feature or provide branding assets for website generation; and we collect social media profile information when you choose to use the Social Media Reach feature.

4. Legal basis for processing

Under Article 6 of the UK GDPR we only process personal data where we have a lawful basis. The lawful bases we rely on, and the processing activities they justify, are:

• Contract (Article 6(1)(b)) — to take steps at your request before entering into the Terms of Service, and to perform our obligations under the Terms after account opening. This covers identity verification, account opening, payment execution, dashboard access, and customer support.
• Legal obligation (Article 6(1)(c)) — to comply with the Money Laundering Regulations 2017, the Payment Services Regulations 2017, the Electronic Money Regulations 2011, the Proceeds of Crime Act 2002, the Terrorism Act 2000, HM Treasury sanctions regulations, the Financial Services and Markets Act 2000, and tax-reporting obligations under the Common Reporting Standard. This covers KYC/KYB checks, sanctions screening, suspicious-activity reporting, regulatory record-keeping, and tax information exchange.
• Legitimate interests (Article 6(1)(f)) — to prevent fraud and financial crime, to secure our systems, to develop and improve our services, to carry out internal reporting and analytics, and to make direct marketing communications to existing customers (subject to your right to object under section 10). Our legitimate-interests assessment is available on request.
• Consent (Article 6(1)(a)) — where we ask for your explicit consent, for example to send marketing emails to prospective customers, to deploy non-essential cookies, or to process any special-category data that may be contained in an identity document.
• Public interest and substantial public interest (Articles 6(1)(e) and 9(2)(g) read with Schedule 1 Part 2 of the DPA 2018) — to comply with our duties to prevent and detect unlawful acts and financial crime as laid out in the statutory guidance.

5. How we use your data

• To verify your identity and open your account.
• To execute payment transactions and maintain accurate account records.
• To detect, prevent and investigate fraud, money laundering, terrorist financing, sanctions evasion and other financial crime.
• To provide customer support and respond to queries and complaints.
• To send operational emails (receipts, security alerts, regulatory notices, verification codes, password resets).
• To meet our legal, regulatory and reporting obligations, including reporting suspicious activity to the UK National Crime Agency as required by section 330 of POCA 2002.
• To provide subscription-tier features, including but not limited to: generating your business website, processing images through our Smart Scanner to extract service and pricing information, executing email marketing campaigns, managing your online booking calendar, operating the Social Media Reach service, and producing print materials through Print Studio.
• To process uploaded images (price lists, menus, business cards) through our automated text-extraction service in order to populate your service menu. Uploaded images are processed in real time and permanently deleted from our servers immediately after extraction is complete — they are not retained.
• To improve the service through analytics and product research. We anonymise or pseudonymise data wherever practicable.
• To market our own similar services to existing customers under the soft-opt-in permitted by Regulation 22(3) of the Privacy and Electronic Communications Regulations 2003 ("PECR"), subject always to your right to opt out.

6. Who we share data with

We share personal data only with categories of recipients who have a legitimate need to receive it:

• Our regulated banking and card partners (UK credit institutions safeguarding Funds, the BIN sponsor for our card programme, the card scheme operators — Visa and Mastercard — where scheme-rule reporting is required).
• Identity verification providers — to match your uploaded identity document to an authoritative source.
• Fraud prevention providers — we run device fingerprint and velocity checks through specialist third-party services.
• Payment processors — PaymentProvider, Adyen or equivalent, for card acceptance.
• SMS and email providers — Twilio for SMS verification codes and authentication challenges; our transactional email provider for receipts and notifications.
• Automated content processing — where you use features such as Smart Scanner, website generation, logo creation, or service-description generation, your uploaded content may be processed by a third-party machine-learning API under a data-processing agreement that prohibits the sub-processor from retaining or training on your data. No personal data beyond the uploaded image or text prompt is transmitted.
• Print fulfilment partners — where you order printed materials through Print Studio, your business name, logo and design content are shared with our print-and-delivery partner under a data-processing agreement.
• Professional advisers — our auditors, insurers, lawyers and compliance consultants, under contractual confidentiality.
• Regulators and law-enforcement — the FCA, the Information Commissioner's Office, HMRC, HM Treasury, the National Crime Agency, the police, and any court with jurisdiction, where required by law or a lawful order.
• In a corporate transaction — if Mando Network Limited is acquired or merged, data may be transferred to the successor entity subject to the same protections as in this Policy.

We do not sell personal data. We do not share personal data with data brokers, advertising networks, or any third party for their own independent marketing purposes.

7. International transfers

Most processing takes place within the United Kingdom or European Economic Area. Where we transfer personal data to a country outside the UK that is not subject to a UK adequacy decision, we rely on the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, supplemented where appropriate by additional technical and organisational safeguards, and we carry out a transfer risk assessment for each transfer. A list of our sub-processors and their locations is available on request.

8. How long we keep data

Retention periods are set by law and by reasonable business need:

• Identity verification records and KYC files — retained for five years after account closure, as required by Regulation 40 of MLR 2017.
• Transaction records — retained for at least six years from the end of the tax year to which they relate, for HMRC and audit purposes.
• Security event logs — retained for at least 12 months, typically up to 24 months.
• Support and complaint correspondence — retained for six years from the date of the last interaction.
• Marketing preferences — retained until you withdraw consent or object.
• Smart Scanner images — deleted immediately after text extraction is complete. Not retained on our servers.
• Business content (website assets, logos, print designs) — retained for the duration of your account plus 30 days after closure, to allow you to export your data.
• Booking and customer records — retained for six years from the date of the last interaction, consistent with our transaction-record retention.
• Cookie data — per the Cookies Policy (typically a maximum of 13 months).

After the relevant retention period expires, personal data is either securely deleted or anonymised so that it can no longer be associated with you.

9. Security

We implement technical and organisational measures appropriate to the risk under Article 32 of the UK GDPR, including: TLS 1.3 with HSTS preload for all data in transit; AES-256-GCM encryption for sensitive fields at rest; bcrypt hashing with cost factor 12 for passwords and 10 for passcodes; segregation of customer funds in safeguarded bank accounts; role-based access control for staff with just-in-time elevation; mandatory two-factor authentication for all staff accessing production systems; continuous vulnerability scanning; third-party penetration testing at least annually; a documented incident-response plan aligned with Article 33 and 34 of UK GDPR; and formal change-management procedures.

In the event of a personal data breach that poses a risk to the rights and freedoms of data subjects, we will notify the ICO without undue delay and in any event within 72 hours of becoming aware of it, and we will notify affected individuals without undue delay where the breach is likely to result in a high risk.

10. Your rights

Under the UK GDPR you have the following rights, each of which can be exercised by contacting dpo@mando.network:

• Right of access (Article 15) — to obtain confirmation that we process your data, and a copy of it.
• Right to rectification (Article 16) — to have inaccurate data corrected.
• Right to erasure (Article 17) — to have data deleted, subject to our overriding legal obligations to retain.
• Right to restriction of processing (Article 18).
• Right to data portability (Article 20) — to receive the data you provided to us in a structured, commonly used, machine-readable format.
• Right to object (Article 21) — including the absolute right to object to direct marketing.
• Rights related to automated decision-making (Article 22) — we do not take decisions with legal or similarly significant effect purely on the basis of automated processing, save where it is necessary for the performance of the contract, authorised by law, or based on your explicit consent. Our fraud engine scores transactions but a human always reviews any action that would freeze an account.
• Right to withdraw consent (Article 7(3)) — for any processing where we rely on consent, you can withdraw at any time.

We will respond to any request within one calendar month, extendable by up to two further months where the request is complex, in accordance with Article 12(3). We will not charge you a fee except where your request is manifestly unfounded or excessive.

11. Complaints to the ICO

You have the right to lodge a complaint with the Information Commissioner's Office, the UK data-protection regulator, at any time. You can contact the ICO at ico.org.uk, by telephone on 0303 123 1113, or by writing to Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. We would appreciate the opportunity to resolve your concerns before you approach the ICO.

12. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in law, regulation, or our services. Material changes will be notified to you by email and by a prominent notice in the dashboard. The "last updated" date at the top of this policy shows the date of the most recent revision.