Monizze

Privacy Policy

Last updated: 26/01/2025

This privacy policy explains how Monizze uses personal data when providing Social Vouchers and RewardFlex. We've written this in clear, practical language for employees/beneficiaries ("benefs"), employers, and partners.

If you're looking for something specific, jump to the section that matches who you are and which service you use.

1. Who we are

Monizze NV/SA is a Belgian company providing digital employee benefits and voucher solutions.

Company registration number (KBO/BCE): BE 0834.013.324

Depending on the service, Monizze acts either as: a data controller (we decide why and how personal data is used), or a data processor (we process data strictly on an employer's instructions). This difference matters, and we explain it clearly below.

Contact our Data Protection Officer (DPO): julien.bellaiche@up.coop

General privacy inquiries: privacy@monizze.be

Address: Rue de l'Hôpital / Gasthuisstraat 31, 1000 Brussels, Belgium

2. Which service and role apply to you?

Social Vouchers — You are a beneficiary (benef)

If you receive Social Vouchers, Monizze acts as a data controller. This means:

  • Your employer sends us the details needed to grant vouchers
  • From that point on, Monizze manages the vouchers directly with you
  • You have a direct contractual relationship with Monizze
  • Your GDPR rights (access, deletion, etc.) are handled directly by Monizze

RewardFlex — You are an employer

If you are an employer using RewardFlex, Monizze acts as a data processor. This means:

  • You decide why and how your employees' data is used
  • Monizze only provides the platform and follows your instructions regarding the processing of data
  • You remain responsible for your employees' personal data
  • You will enter into a data processing agreement with Monizze defining each party's rights and obligations

RewardFlex — You are an employee

If your employer uses RewardFlex:

  • Your employer is the GDPR data controller
  • Monizze processes your data only on your employer's instructions
  • Monizze does not decide which benefits you can choose or how long your data is kept
  • If you want to exercise your GDPR rights in this context, you should contact your employer, who may involve Monizze where needed

3. What personal data is processed

Social Vouchers

For Social Vouchers, Monizze processes the following personal data as data controller:

  • Identification data: name, date of birth, national register number (NISS)
  • Contact data: email address, phone number
  • Voucher data: type of voucher, balance, transactions, expiry dates
  • Technical and security data: login details, device information, security logs

This data is necessary to identify you, issue vouchers, process transactions, and meet legal obligations.

RewardFlex — Employers

For RewardFlex, Monizze processes personal data on your behalf as a data processor. This typically includes:

  • Identification and contact data of your employees
  • Employment-related data needed to administer flexible remuneration
  • Configuration and usage data related to the RewardFlex platform

You decide which data is required and for how long it is retained.

The RewardFlex terms and conditions are available here: Download RewardFlex T&Cs (PDF)

RewardFlex — Employees

If your employer uses RewardFlex, Monizze processes:

  • Identification and employment-related data provided by your employer
  • Benefit choices and usage data generated within RewardFlex
  • Technical and security data related to your use of the platform

Your employer remains the GDPR data controller for this processing.

Special note on national register numbers (NISS)

Your national register number (NISS/Rijksregisternummer) is considered sensitive personal data under Belgian law and receives special protection.

We process your NISS number because:

  • Social Vouchers: Belgian social legislation and accounting requirements mandate the use of NISS for issuing regulated vouchers (meal vouchers, eco-vouchers, etc.). This processing is necessary to comply with legal obligations under the Act of 8 August 1983 organising a National Register of Natural Persons and related social security legislation.
  • RewardFlex: Where your employer uses RewardFlex, your NISS may be processed as part of employment-related data management. In this case, your employer determines the legal basis, and Monizze processes the NISS strictly according to the employer's instructions and legal obligations.

We never use your NISS for purposes beyond these legal requirements, such as internal identification or marketing. Access to NISS data is strictly controlled and limited to authorized personnel who require it to fulfill our legal obligations.

4. Why we use personal data

Social Vouchers — Monizze = data controller

We use your data to:

  • Create and manage your voucher account
  • Issue vouchers and process transactions
  • Show balances, history and expiry dates
  • Prevent fraud and secure the platform
  • Meet legal and regulatory obligations

RewardFlex — Monizze = data processor

We process data only to:

  • Provide the RewardFlex platform
  • Allow employers to manage flexible remuneration
  • Ensure platform security and availability

We do not decide which benefits you can choose or how your data is used beyond the platform.

5. Legal bases

We rely on different legal bases depending on the specific processing activity:

Social Vouchers (Monizze as controller)

  • Contract (Article 6(1)(b) GDPR) – to create and manage your voucher account, issue vouchers, and process transactions according to our contractual relationship with you
  • Legal obligations (Article 6(1)(c) GDPR) – to meet accounting requirements (10-year retention), comply with Belgian social legislation for regulated vouchers, and fulfill anti-fraud obligations
  • Legal obligations (Belgian National Register Act of 8 August 1983) – for processing your national register number (NISS), which is required under Belgian social security and voucher legislation
  • Legitimate interests (Article 6(1)(f) GDPR) – for platform security, fraud prevention, and service improvement. Our legitimate interests in protecting the platform and preventing fraud are balanced against your rights and do not override your fundamental rights and freedoms.

RewardFlex (Monizze as processor)

For RewardFlex, your employer is the data controller and determines the legal basis for processing your personal data. Monizze processes your data only according to your employer's documented instructions and the legal basis they have established.

Typically, employers rely on:

  • Contract with the employee
  • Legal obligations (employment law, social security, tax obligations)
  • Consent where required for optional benefits

If you have questions about the legal basis for processing your RewardFlex data, please contact your employer.

6. How long we keep your data

We retain personal data for fixed and clearly defined periods, in line with legal obligations and our services.

Social Vouchers

  • Voucher and transaction data: 10 years (legal accounting and social legislation requirements)
  • Account and support data: kept for the duration of the contractual relationship, then deleted or anonymised
  • Security logs: 12 months, unless required longer for fraud investigations

RewardFlex

  • Personal data processed on behalf of employers: kept for the duration defined by the employer, as set out in the data processing agreement
  • Platform security logs: 12 months, unless required longer for security or legal reasons

Once retention periods expire, data is securely deleted or anonymised.

7. Who we share data with

We only share personal data where this is necessary for the service, legally required, or explicitly requested by the employer.

Social Vouchers — Beneficiaries

For Social Vouchers, Monizze may receive and process personal data through different channels:

  • Employers or self-employed persons who decide to grant Social Vouchers and provide the necessary data directly to Monizze
  • Advisory or onboarding partners (such as accountants, social secretariats or similar intermediaries) who, at the request of the employer or self-employed person, may pass along the necessary personal data so that Monizze can set up and provide Social Vouchers

In all cases: the decision to work with Monizze is taken by the employer or the self-employed person; Monizze uses the data solely to grant and manage Social Vouchers; Monizze acts as data controller for the processing related to Social Vouchers; Monizze does not use this data for unrelated purposes.

RewardFlex — Employers & employees

For RewardFlex, personal data may be shared in a controlled and purpose-limited way:

  • Recommendation and onboarding partners (such as social secretariats, payroll providers or accountants) may, at the employer's request, pass along the necessary employee data to Monizze so that RewardFlex can be set up and provided
  • Employers remain responsible for deciding to work with Monizze and for instructing any such partners to share data
  • Monizze processes this data solely to provide the RewardFlex service and does not use it for any independent purpose

In addition, Monizze may share RewardFlex data on the employer's instructions only with IT, hosting and security providers supporting the platform. Monizze does not independently decide to share RewardFlex data with third parties.

International data transfers and hosting

All personal data is hosted within the European Union. We use EU-based infrastructure and hosting providers to ensure your data remains protected under GDPR.

If any of our service providers process data outside the EU/EEA (for example, if using cloud services with global operations), we ensure appropriate safeguards are in place, such as:

  • European Commission adequacy decisions
  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Binding Corporate Rules where applicable

Currently, our primary infrastructure remains within EU data centers. If this changes, we will update this policy and ensure all international transfers comply with GDPR Chapter V requirements.

You can always get more information on Monizze's subprocessors at security.monizze.be. We keep our trust center up to date at all times.

8. Your GDPR rights and how they are handled

You always have rights over your personal data, including:

  • Access – you can request a copy of your personal data
  • Correction – you can ask us to correct inaccurate data
  • Deletion – you can request deletion of your data (subject to legal retention obligations)
  • Restriction – you can ask us to limit how we use your data
  • Objection – you can object to processing based on legitimate interests
  • Data portability – you can receive your data in a structured, machine-readable format (CSV, JSON, or similar)
  • Withdraw consent – where processing is based on consent, you can withdraw it at any time

Who to contact?

Social Vouchers: contact Monizze directly
Email: privacy@monizze.be
Address: Rue de l'Hôpital / Gasthuisstraat 31, 1000 Brussels, Belgium

RewardFlex: contact your employer. Your employer is the data controller and handles most GDPR requests. If you are unsure whether to contact your employer or Monizze, you can always reach out to us and we'll guide you to the right contact.

Response timeframes

We respond to requests within one month of receiving them. In complex cases, we may extend this by two additional months and will inform you if this is necessary.

For RewardFlex requests, Monizze can only act on GDPR requests following your employer's instructions, as set out in our data processing agreement with them.

Verification

To protect your privacy and security, we may ask you to provide proof of identity (such as a copy of your ID card) before fulfilling certain requests.

9. Cookies and tracking technologies

Monizze uses cookies and similar technologies on our website and in our applications. These help us:

  • Ensure the platform functions properly (essential cookies)
  • Remember your preferences and login status
  • Understand how you use our services to improve them (analytics)
  • Maintain security and prevent fraud

When you first visit our website or app, we'll ask for your consent for non-essential cookies. You can manage your cookie preferences at any time through your browser settings or by clicking below.

10. Data security

We use technical and organisational measures to protect your data, including:

  • Access controls
  • Encryption where appropriate
  • Monitoring and logging
  • Regular security reviews

No system is ever 100% risk-free, but security is a core priority at Monizze, and we got your back.

Monizze is ISO27001:2022 certified, both organisationally and for our products. You can find more information around security and data protection at Monizze via security.monizze.be.

11. Data processing agreement (RewardFlex)

For RewardFlex, Monizze processes personal data under a data processing agreement (DPA) with each employer.

This DPA:

  • Forms an integral part of our contracts with the employers
  • Sets out the rights and obligations of employers (as data controllers) and Monizze (as data processor)
  • Describes security measures, sub-processors, and assistance with GDPR rights

The DPA is made available at: monizze.be/documents/en/gdpr/dpa.pdf

12. Updates to this policy

We may update this policy if our services or legal obligations change. The latest version will always be available on our website.

13. Questions or complaints

If you have questions or concerns:

Email: privacy@monizze.be

You also have the right to lodge a complaint with the Belgian Data Protection Authority.

This policy is intentionally written to be practical and understandable. If something is unclear, that's on us — please tell us.