Privacy Policy
Last updated: 2026-03-22 · Mona GmbH, Berlin
1. Data controller
Mona GmbH is the data controller for personal data processed through the Mona service. We are based in Berlin, Germany, and operate under the General Data Protection Regulation (GDPR). Contact: privacy@mona.app
2. What data we collect
We collect only what is necessary to provide the service:
- Account data: name, email address, role, city.
- Project data: briefs, moodboard images, crew details, timelines, budgets you enter.
- Usage data: feature interactions, error logs, performance metrics.
- Payment data: billing is handled by Stripe. We store only your subscription status — not card details.
We do not collect data you do not explicitly provide. We do not purchase third-party data about you.
3. How we use your data
- To provide and operate the Mona service (contract performance, Art. 6(1)(b) GDPR).
- To send transactional emails — brief invitations, confirmations, invoice reminders (legitimate interest, Art. 6(1)(f) GDPR).
- To improve the service through anonymised, aggregated analytics (legitimate interest, Art. 6(1)(f) GDPR).
- To comply with legal obligations where required (Art. 6(1)(c) GDPR).
4. AI processing and your data
Mona uses AI to generate briefs and project content. We apply the following safeguards:
- Personal identifiers (names, addresses, phone numbers) are stripped before any data is sent to external AI providers.
- Your project content is never used to train AI models — by us or by our AI providers. We hold Data Processing Agreements requiring this.
- Where possible, AI processing happens on-device (OCR, voice transcription) before any data reaches our servers.
5. Data sharing
We do not sell your data. We share it only with:
- Supabase — database, storage, and authentication infrastructure.
- Anthropic / OpenAI — AI processing, with PII stripped prior to transmission. DPAs in place prohibiting training use.
- Stripe — payment processing. Governed by Stripe's own privacy policy.
- Resend / Postmark — transactional email delivery.
- Collaborators you explicitly invite to your projects — they receive only the role-filtered brief fields you have shared with them.
All processors are contractually bound to GDPR-compliant data handling.
6. Data retention
- Active account data is retained for as long as your account is active.
- Project data is retained for 12 months after your account is closed, then permanently deleted, unless you request earlier deletion.
- Forwarded email content is deleted from our servers within 48 hours of processing.
- Usage and analytics data is anonymised after 90 days and retained in aggregate form only.
7. Your rights under GDPR
You have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — correct inaccurate data.
- Erasure — request deletion of your data. We fulfil deletion requests within 72 hours.
- Portability — receive your data in a structured, machine-readable format. Request via Settings → Data & export.
- Objection — object to processing based on legitimate interest.
- Complaint — lodge a complaint with the Berlin Commissioner for Data Protection and Freedom of Information (BlnBDI).
To exercise any of these rights, contact privacy@mona.app.
8. Security
All data is encrypted at rest (AES-256) and in transit (TLS 1.3). Access to project data is enforced at the database layer with row-level security — collaborators see only what they are permitted to see. No Mona employee can access your unencrypted project content in normal operations.
9. Cookies
Mona uses only session cookies required for authentication. We do not use tracking cookies, advertising cookies, or third-party analytics cookies that identify you individually.
10. Changes to this policy
If we make material changes to this policy, we will notify you by email at least 14 days before they take effect. The updated date at the top of this page reflects the most recent revision.
11. Contact
Privacy questions and data requests: privacy@mona.app