MonAI LTD, a limited company registered in England & Wales under company number 15691996 with registered office at Office 16292, 182-184 High Street North, East Ham, London, United Kingdom, E6 2JA ("we," "our," "us," "MonAI," or "the Company"), is committed to protecting your privacy and ensuring full transparency regarding how we collect, process, use, disclose, and safeguard your personal information in compliance with the UK General Data Protection Regulation (UK GDPR), UK Data Protection Act 2018, GDPR (EU 2016/679), and other applicable data protection laws.
This Privacy Policy explains our data practices when you visit our website, use our MonOS platform and related services (collectively, the "Service"), or interact with our business. We process personal information both as a Data Controller (when we determine the purposes and means of processing) and as a Data Processor (when processing on behalf of our customers).
By accessing and using the Service, you consent to the data practices described in this policy and acknowledge that you have read and understood it. If you do not agree with our privacy practices, please do not use the Service. We encourage you to read this policy carefully and contact us with any questions.
We collect personal information that you voluntarily provide to us, including:
- Contact Information: Full name, email address, telephone number, postal address, country of residence
- Account Information: Username, password hash, security questions, authentication methods, account preferences, and profile information
- Business and Professional Information: Company name, job title, department, business size, industry, business requirements, and organizational structure
- Communication Data: Messages, support requests, feedback, surveys, preferences for communication methods, and records of interactions with our staff
- Payment Information: Billing address, payment method details (credit card type, last 4 digits), invoice history, and payment preferences. Full payment card details are processed securely through PCI-DSS compliant third-party payment processors and are not stored on our servers.
- Transactional Data: Subscription history, purchase history, order details, and billing records
- Content: Any documents, files, or data you upload to or create within the Service
When you access and use the Service, we automatically collect:
- Usage and Activity Data: Features accessed, functionality used, frequency and duration of use, workflow execution details, API calls made, actions performed within the platform, and engagement metrics
- Device and System Information: Device type, operating system, browser type and version, device identifiers, unique mobile device identifier, and hardware specifications
- Connection and Network Data: IP address (both IPv4 and IPv6), ISP or mobile carrier information, network type (WiFi, cellular, etc.), referring URL, and connection speed
- Server Logs: Error messages, system activity logs, request logs, timestamps, response codes, and performance metrics
- Location Data: Approximate geographic location derived from IP address (city/region level, not precise GPS)
- Analytics and Performance Data: Page load times, feature performance metrics, error rates, crash reports, and system stability data
We use the following tracking mechanisms:
- Essential Cookies: Strictly necessary for platform operation, session management, authentication, and security (no consent required under GDPR Article 7)
- Functional Cookies: Enable preferences, language selection, accessibility features, and personalized settings
- Analytical Cookies: Track usage patterns, feature adoption, page performance, and user behavior for platform improvement (Google Analytics, Hotjar, or similar)
- Marketing Cookies: Facilitate retargeting ads on third-party platforms if you have consented
- Web Beacons and Pixels: Transparent pixels embedded in emails and pages to track opens, clicks, and impressions
- Session Storage: Temporary session identifiers and security tokens
You have the right to control cookie preferences through your browser settings. Disabling non-essential cookies may affect functionality. We do not use cookies for profiling or automated decision-making without consent.
We process your personal information for the following purposes, based on the legal grounds specified:
- Provide, operate, maintain, and deliver the MonOS platform and its features
- Process transactions, manage subscriptions, and handle billing
- Create and maintain your user account
- Process orders and fulfill your requests
- Deliver customer support, technical assistance, and troubleshooting
- Send service-related communications (account confirmation, password reset, billing notifications, service updates)
- Enable integrations with third-party applications and services you authorize
- Analyze aggregated and anonymized usage patterns to identify feature usage and user behavior trends
- Develop, enhance, and optimize platform features and functionality
- Conduct research and development activities
- Perform A/B testing and user experience research
- Debug issues, investigate bugs, and maintain platform stability
- Monitor and improve system performance and reliability
- Test new features in beta or experimental environments
- Send service announcements, updates, and important notifications
- Provide technical support and respond to your inquiries
- Share product updates, feature announcements, and educational content (with your consent for marketing)
- Invite you to surveys, feedback sessions, and user research
- Send newsletters and marketing materials (only with your explicit opt-in consent)
- Respond to your comments, questions, and feedback
- Detect, investigate, and prevent fraud, abuse, unauthorized access, and security threats
- Protect against cyberattacks, malware, and other malicious activities
- Ensure system and user security
- Enforce our Terms of Service and other policies
- Comply with legal obligations, court orders, and regulatory requirements
- Investigate and resolve complaints and disputes
- Respond to law enforcement requests and legal processes
- Maintain evidence for legal proceedings
- Understand your needs to improve our Service
- Send administrative notifications
- Conduct internal analytics and business intelligence
- Determine whether you qualify for service features
- Create de-identified and anonymized datasets for benchmarking and research
We are committed to limiting sharing of your personal information. We do not sell, rent, lease, or otherwise monetize your personal data to any third parties. Information sharing occurs only in the following circumstances:
We work with carefully vetted third-party service providers who process data on our behalf under written Data Processing Agreements (DPAs) requiring them to:
- Process data only for specified purposes
- Implement appropriate security measures
- Not disclose data to unauthorized parties
- Delete or return data upon request
These include:
- Cloud Infrastructure: Amazon Web Services (AWS), Microsoft Azure, or similar providers for hosting, storage, and computing
- Payment Processing: Stripe, PayPal, or other PCI-DSS compliant payment processors
- Analytics: Google Analytics, Mixpanel, Hotjar for usage analytics and behavior analysis
- Communication: SendGrid, Mailgun for transactional emails and notifications
- Customer Support: Zendesk, Intercom, or similar ticketing systems
- Security and Monitoring: Cloudflare, New Relic, or similar providers for security, DDoS protection, and performance monitoring
- Legal and Compliance: Auditors, legal advisors, and compliance consultants
With your explicit authorization, we may share data with:
- Third-party applications you connect to through our platform (data shared only as requested for the specific integration)
- Analytics and reporting partners you explicitly authorize
- Your business associates for collaborative features or workflows
We provide clear disclosure when data will be shared and obtain your explicit consent before sharing.
In the event of a merger, acquisition, asset sale, bankruptcy, or other business transaction:
- Your information may be transferred as part of the transaction
- We will provide notice to you of any change in ownership or control
- The acquiring entity must honor this Privacy Policy or obtain your consent for any material changes to how your data is processed
We may disclose personal information without consent when:
- Required by Law: Compelled by subpoena, court order, warrant, or legal process
- Regulatory Compliance: Required by government agencies, regulatory authorities, or legal authorities
- Protection of Rights: Necessary to enforce our Terms of Service or other agreements
- Public Safety: Necessary to protect public health, safety, or security
- Prevent Harm: Necessary to prevent fraud, abuse, or imminent harm
- Establish Rights: Necessary to establish, exercise, or defend legal claims
We will notify you of legal requests unless legally prohibited, and we will provide only the minimum information legally required.
We may share your information with your explicit, informed written consent for purposes not covered above.
We implement comprehensive administrative, technical, and physical security measures designed to protect your personal information from unauthorized access, alteration, disclosure, and destruction:
- Encryption in Transit: All data transmitted between your devices and our servers is encrypted using TLS 1.2 or higher with strong cipher suites
- Encryption at Rest: Sensitive data stored on our servers is encrypted using AES-256 encryption
- Access Controls: Multi-factor authentication (MFA) for user accounts, role-based access control (RBAC), and principle of least privilege for employee access
- API Security: API authentication via OAuth 2.0, API keys, and rate limiting to prevent abuse
- Network Security: Firewalls, virtual private networks (VPNs), intrusion detection systems (IDS), intrusion prevention systems (IPS), and network segmentation
- Web Application Security: Web application firewalls (WAF), protection against OWASP Top 10 vulnerabilities, and automated vulnerability scanning
- Employee Training: Mandatory data protection, privacy, and security awareness training for all employees and contractors
- Access Policies: Strict, documented data access procedures, principle of least privilege, and access logging and monitoring
- Incident Response Plan: Documented incident response procedures, breach notification procedures compliant with UK GDPR Article 33, forensic investigation capabilities, and crisis communication plans
- Data Protection Impact Assessment (DPIA): Conducted for high-risk processing activities
- Privacy by Design: Privacy considerations built into system design and development from inception
- Vendor Management: Due diligence on third-party security practices, regular security assessments of vendors, and contractual security requirements
- Data Center Security: Controlled physical access to data centers using biometric authentication, security cards, and visitor logs
- Surveillance: Closed-circuit television (CCTV) monitoring in facilities housing sensitive data
- Environmental Controls: Climate control, fire suppression systems, and power redundancy
- Equipment Security: Secure wiping and destruction of decommissioned hardware, tracking of physical assets, and encryption of portable devices
While we implement robust security measures, no system is completely secure. We cannot guarantee absolute protection against unauthorized access, and you use the Service at your own risk. We encourage you to implement additional security measures on your systems and maintain strong passwords.
We retain your personal information only for as long as necessary to achieve the purposes for which it was collected or as required by applicable law:
- Account and Service Data: Retained for the duration of your account plus 90 days after account termination or closure, to allow for account recovery and backup restoration
- Transaction and Billing Records: Retained for 6 years to comply with UK tax requirements and financial regulations (HMRC requirements)
- Payment Information: Payment method details retained for 1 year after the last transaction or until subscription cancellation (PCI-DSS requirements)
- Support and Communications: Support tickets and communications retained for 2 years from resolution
- Marketing Preferences: Retained for 3 years following the last interaction or until you opt out
- Usage and Analytics Data: Aggregated and anonymized data retained indefinitely; individual-level data retained for 12-24 months
- Security and Access Logs: Retained for 12-24 months for security monitoring and incident investigation
- Legal and Compliance Records: Retained as long as legally required, typically 6-7 years or longer if litigation is pending
- Deleted Content: User-deleted content retained in backups for 90 days; backups deleted after 1 year
- Personal data is securely deleted or anonymized through secure erasure or cryptographic destruction
- Data on removed hard drives and equipment is securely wiped using multiple-pass overwrite protocols or physical destruction
- Backups containing personal data are deleted according to retention schedules
- You may request deletion of your personal data (subject to legal retention requirements) through your account settings or by contacting us
If litigation is pending or anticipated, we may retain data longer than normal retention periods to comply with legal obligations and preserve evidence.
Depending on your location and applicable law, you may have the following rights regarding your personal information. These rights are protected under UK GDPR, GDPR, and other data protection laws:
- Right to Access: You have the right to request and obtain a copy of your personal information we hold and details of how it is processed
- Right to Portability: You have the right to receive your personal information in a structured, commonly-used, machine-readable format (e.g., CSV, JSON)
- How to Exercise: Submit a Subject Access Request (SAR) to info@themon.ai with proof of identity
- Right to Rectification: You may correct, update, or amend inaccurate or incomplete information
- How to Exercise: Access your account settings to update information, or contact us to request corrections
- Our Response: We will correct information and notify relevant third parties who received inaccurate data where feasible
- Right to Erasure ("Right to be Forgotten"): You may request deletion of your personal information under certain conditions, except where retention is required by law, for legal claims, or for legitimate interests
- Right to Restrict Processing: You may request that we limit our processing of your data to storage only, pending resolution of a dispute
- How to Exercise: Contact us at info@themon.ai to submit a deletion or restriction request
- Our Response: We will comply within 30 days unless we have a legal basis to retain the data
- Right to Object: You may object to processing based on legitimate interests, including for marketing purposes
- Right to Opt-Out of Marketing: You may unsubscribe from marketing communications at any time
- Right Against Automated Decision-Making: You have the right not to be subject to automated decision-making (including profiling) that has legal effects, except where necessary for contract performance or with your consent
- How to Exercise: Use unsubscribe links in marketing emails or contact info@themon.ai
- You may withdraw your consent for specific processing activities at any time without affecting the legality of processing prior to withdrawal
- Withdrawal does not affect processing based on other legal grounds
- How to Exercise: Contact info@themon.ai
- You may disable non-essential cookies through your browser settings or our consent management tool
- You can request opt-out from analytics tracking by contacting us
To exercise any of these rights, please contact us at info@themon.ai with:
- Your full name and account email address
- Specific right(s) you wish to exercise
- Proof of identity or authorization if acting on behalf of another person
- Specific information you're requesting (if applicable)
We will respond to valid requests within 30 days (extendable by 60 days for complex requests) in accordance with applicable law.
The Service is not intended for children under the age of 13 (or the applicable age of digital consent in your jurisdiction), and we do not knowingly collect, process, or retain personal information from children under 13.
If you are under 13 years of age, you may not use the Service without parental or legal guardian consent.
If we discover that we have inadvertently collected personal information from a child under 13 without verifiable parental consent, we will:
- Immediately delete such information from our systems
- Notify the child's parent or legal guardian
- Comply with all applicable laws regarding children's privacy (including COPPA in the USA and UK data protection laws)
Parents or legal guardians who believe a child has provided us with personal information should contact us immediately at info@themon.ai.
For users between 13 and 18 years of age (or the applicable age of majority in their jurisdiction), we provide additional privacy protections and limit processing where legally required.
If you are located outside the United Kingdom or European Economic Area (EEA), or if we transfer your data internationally, your personal information may be transferred to, stored in, and processed in countries other than your country of residence, which may have different data protection laws.
We ensure all international data transfers are conducted with appropriate legal safeguards:
-
UK GDPR Chapter 5 Mechanisms:
- Adequacy Decisions: Data transfers to countries with deemed adequate data protection (e.g., UK data transfers under Part 7 of UK GDPR)
- Standard Contractual Clauses (SCCs): Legally binding contractual terms approved by the UK ICO incorporating essential data protection safeguards
- Binding Corporate Rules (BCRs): Internal policies and procedures for multinational organizations
-
EU GDPR Chapter 5 Mechanisms:
- EU Commission Adequacy Decisions
- Standard Contractual Clauses (EU SCCs)
- Binding Corporate Rules
-
Supplementary Measures: Additional technical and organizational measures to ensure protection equivalent to UK/EEA standards, including:
- Enhanced encryption
- Enhanced access controls
- Data minimization practices
- Contractual commitments regarding data protection
For transfers to countries without adequacy determinations, we implement Standard Contractual Clauses and supplementary safeguards to ensure personal information is protected to a level substantially equivalent to UK and EEA standards.
By using the Service, you consent to the transfer of your personal information outside your country of origin for processing in accordance with this Privacy Policy and applicable data protection laws.
Our platform may integrate with, link to, or allow you to connect with third-party services, applications, websites, and content ("Third-Party Services") including social media platforms, analytics providers, payment processors, and business applications.
This Privacy Policy applies only to MonAI's processing of your information. Third-Party Services are governed by their own privacy policies, terms of service, and data practices. We are not responsible for:
- How third parties collect, process, or use your data
- The privacy and security practices of third parties
- Third-party content or functionality
- Links from Third-Party Services to other websites
- Third-party cookies or tracking technologies
We encourage you to:
- Review the privacy policies of all Third-Party Services before use
- Understand how third parties handle your personal information
- Adjust privacy settings and permissions in third-party services directly
When you authorize integration with a Third-Party Service, we may share:
- Limited personal information necessary for the integration
- Data only for the specific purposes you authorize
- Information subject to the third party's privacy policy
You may revoke third-party integrations at any time through your account settings.
We are not responsible for third-party websites or services accessed via links from our Service. We recommend you review their privacy policies before providing information.
In the event of an unauthorized access, security breach, or compromise of your personal information, we will:
- Immediate Investigation: We will immediately investigate the breach and assess its scope and severity
- User Notification: We will notify affected users without undue delay and, where required by law, within 72 hours to your registered email address
- Regulatory Notification: We will notify supervisory authorities as required under UK GDPR Article 33 and GDPR Article 33
Our breach notification will include:
- Nature of the breach and data involved
- Likely consequences of the breach
- Measures taken or being taken to address the breach
- Contact point for further information (info@themon.ai)
- Recommended steps you should take
- Your rights under data protection law
We may delay notification if:
- Required by law enforcement or government authorities
- Notification would compromise investigation effectiveness
- We have taken sufficient mitigating measures to prevent harm
- Promptly update your password if credentials were compromised
- Monitor your accounts for suspicious activity
- Report any unauthorized access to us immediately
- Take protective measures as recommended in our notification
We may update this Privacy Policy periodically to reflect:
- Changes in our privacy practices and data processing activities
- Changes in applicable laws and regulations (especially updates to GDPR, UK GDPR, or other data protection laws)
- Feedback from users and data protection authorities
- New technologies or security practices
- Updates to our service offerings
For material changes to this Privacy Policy, we will:
- Post the updated policy on our website with a clear "Last Updated" date
- Send advance email notification to your registered email address at least 30 days before the change takes effect
- Provide in-app notifications within the platform
- Obtain your explicit consent for changes that expand the scope of data processing or change our legal basis for processing
Non-material clarifications or minor updates may be made without advance notice, though the "Last Updated" date will be refreshed.
Your continued use of the Service after policy changes take effect constitutes your acceptance of the updated Privacy Policy. If you do not agree with material changes, you may terminate your account before the effective date.
If you have questions, concerns, requests, or complaints regarding this Privacy Policy, our privacy practices, or how we handle your personal information, please contact us:
Data Privacy Inquiries and Subject Access Requests:
Email: info@themon.ai
Response time: Within 30 days of receipt
Technical Support:
Email: tech@themon.ai
Phone: To be added
General Inquiries:
Email: info@themon.ai
Mailing Address:
MonAI LTD
Office 16292, 182-184 High Street North
East Ham, London
United Kingdom, E6 2JA
Data Protection Officer (for EU/EEA Residents):
Email: dpo@themon.ai
Our Data Protection Officer is responsible for monitoring our compliance with this Privacy Policy and GDPR.
Supervisory Authorities:
-
United Kingdom: Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
-
European Union: Your local data protection authority in the country where you reside
You have the right to lodge a complaint with the relevant supervisory authority if you believe we have violated your data protection rights, without prejudice to any other administrative or judicial remedies.
For users and data subjects in the United Kingdom, we comply fully with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Our lawful bases for processing personal information include:
- Article 6(1)(a): Explicit consent for marketing communications, newsletter subscriptions, and non-essential cookies
- Article 6(1)(b): Contract performance for service delivery, account management, and billing
- Article 6(1)(c): Legal obligation to comply with laws, regulations, tax requirements, and accounting standards
- Article 6(1)(f): Legitimate interests including platform improvement, analytics, fraud prevention, and business operations
- Article 9: Where applicable, processing of special category data (health, financial) only with explicit consent or legal exemption
For users in the European Union and European Economic Area, we comply with GDPR (Regulation EU 2016/679).
Our Data Protection Officer (DPO) is available to address any GDPR-related inquiries.
Special Category Data (Article 9): We do not intentionally collect special category data including race, ethnicity, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, or sex life/sexual orientation unless you explicitly provide it for documented business purposes with your prior written consent.
Legal Bases are identical to UK GDPR and include Chapters 2 Article 6 and Article 9 exemptions.
For California residents, we comply with the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).
Your CCPA/CPRA Rights include:
- Right to know what personal information is collected
- Right to know whether personal information is sold or disclosed
- Right to delete personal information (subject to exceptions)
- Right to opt-out of the sale or sharing of personal information
- Right to limit use and disclosure of sensitive personal information
- Right to correct inaccurate personal information
- Right to non-discrimination for exercising your CCPA rights
Non-Discrimination: We will not discriminate against you for exercising your CCPA rights. We will not deny you goods or services, charge different prices or rates, or provide different levels of service based on your exercise of CCPA rights.
Opt-Out Rights: You may opt-out of the sale or sharing of your personal information at any time by:
- Submitting a request to info@themon.ai
- Using a Global Opt-Out preference signal (if supported)
- Accessing your account settings
For residents of Brazil, we comply with the Lei Geral de Proteção de Dados Pessoais (LGPD).
We maintain reasonable privacy safeguards and compliance measures for all jurisdictions in which we operate or provide services, including:
- New Zealand Privacy Act 2020
- Australian Privacy Act 1988
- Singapore Personal Data Protection Act (PDPA)
- Canada Personal Information Protection and Electronic Documents Act (PIPEDA)
If you are in a jurisdiction with specific data protection requirements, please contact info@themon.ai for information about compliance with local laws.
This Privacy Policy is part of our Terms of Service. By using our services, you agree to both documents.