Privacy Policy
1. Overview
Mononio AI Corporation ("Mononio," "we," "us," or "our") operates the Mononio AI autonomous marketing platform at mononio.ai. This Privacy Policy explains how we collect, use, store, share, and protect personal data when you use our Service.
This policy applies to all users of the Mononio platform, including visitors, registered users, and enterprise customers. By using the Service, you agree to the collection and use of information as described in this policy.
📋 We are a B2B service. The data we process primarily relates to your business account and marketing operations. We do not sell personal data.
2. Data We Collect
2.1 Account Information
When you create an account or sign in via OAuth, we collect:
- Name and email address
- Profile information from OAuth providers (Google, GitHub, Facebook)
- Account creation date and authentication method
- Subscription and billing information (processed by Stripe; we do not store payment card data)
- Communication preferences
2.2 Ad Data & Campaign Data
To provide our marketing automation services, we collect and process:
- Connected ad account data from Meta, Google Ads, and TikTok (campaigns, ad sets, ads, performance metrics)
- Ad spend data, ROAS, click-through rates, conversion data
- Campaign configurations you create within the platform
- Brand kit assets (logos, brand colors, fonts, taglines)
- Target audience definitions and custom audiences
- Creative assets (images, videos) uploaded to the platform
- Ad copy, headlines, and descriptions — both user-provided and AI-generated
2.3 Analytics & Usage Data
We collect data about how you use our platform:
- Feature usage patterns and session data
- Pages visited, clicks, and interactions within the app
- AI query history and chat messages with Mononio's AI system
- API request logs (for debugging and security)
- Device and browser information (user agent, screen resolution)
- IP address and approximate geographic location
- Referral source and UTM parameters
2.4 Business Intelligence Data
As part of our autonomous marketing command center functionality, we may collect:
- Business DNA information you provide (industry, target market, competitive positioning)
- Shopify store data (products, variants, performance metrics) for connected stores
- Competitor intelligence data gathered through permitted research tools
- Customer persona definitions you create
- Performance reports and generated analytics
2.5 API Keys & Credentials
When you connect third-party services, we store authentication credentials necessary to access those services on your behalf. All credentials are encrypted at rest using AES-256-GCM encryption.
3. How We Process Data
3.1 AI Analysis & LLM Routing
Your campaign data and business information are processed by AI language models to generate insights, recommendations, ad copy, and optimization actions. We route requests to different AI providers (OpenAI, Anthropic, Together AI) based on the task type and model capabilities. Data sent to AI providers is governed by their respective privacy policies and our Data Processing Agreement.
3.2 Vector Storage (pgvector)
We use PostgreSQL with the pgvector extension to store semantic embeddings of your campaign content, brand information, and customer personas. These vector representations enable semantic search and AI-powered recommendations. Embeddings are stored in our Neon PostgreSQL database.
3.3 Campaign Automation
Our automated systems process your campaign data to:
- Monitor ad performance and trigger optimization actions
- Pause underperforming campaigns based on rules you define
- Generate performance reports on your defined schedule
- Send smart alerts when anomalies are detected
- Execute bid adjustments and budget reallocations
3.4 Image & Video Generation
Input data (brand assets, product images, creative briefs) may be sent to image generation providers (Fal.ai, OpenAI DALL-E) to produce ad creatives. Generated content is stored in our cloud storage (Cloudflare R2).
3.5 Legal Bases for Processing
We process your data on the following legal bases:
| Processing Activity | Legal Basis |
|---|---|
| Account management and authentication | Contract performance |
| Service delivery and campaign automation | Contract performance |
| Billing and payment processing | Contract performance, legal obligation |
| Security monitoring and fraud prevention | Legitimate interests |
| Service analytics and improvement | Legitimate interests |
| Marketing communications | Consent |
| Legal compliance | Legal obligation |
4. Third-Party Data Sharing
We do not sell personal data. We share data with third parties only as necessary to provide the Service:
4.1 AI Providers
We send relevant portions of your campaign data, brand information, and queries to AI providers to generate AI-powered insights and content:
| Provider | Data Shared | Privacy Policy |
|---|---|---|
| OpenAI | Campaign context, ad copy requests, analysis queries | openai.com/privacy |
| Anthropic | Campaign context, strategic analysis queries | anthropic.com/privacy |
| Together AI | Content generation requests | together.ai/privacy |
| Fal.ai | Image generation prompts, brand assets | fal.ai/privacy |
4.2 Advertising Platforms
When you connect ad accounts, we exchange data with advertising platforms on your behalf:
- Meta (Facebook/Instagram Ads): Campaign data, audience definitions, creative assets
- Google Ads: Campaign configurations, bidding data, conversion tracking
- TikTok Ads: Campaign data, creative assets, audience targeting
4.3 Infrastructure & Analytics
| Provider | Purpose | Data Shared |
|---|---|---|
| Neon (PostgreSQL) | Database hosting | All application data |
| Render | Application hosting | Application logs, runtime data |
| Cloudflare R2 | File/asset storage | Uploaded images, generated creatives |
| Stripe | Payment processing | Billing information, transaction records |
| Meta Pixel | Conversion tracking (landing page) | Page views, conversion events from marketing pages |
| Google Analytics 4 | Product analytics | Usage events, feature interactions (anonymized) |
4.4 Legal Disclosure
We may disclose your information if required to do so by law, court order, or governmental authority, or if we believe in good faith that such disclosure is necessary to protect the rights, property, or safety of Mononio, our users, or the public.
4.5 Business Transfers
In the event of a merger, acquisition, or sale of all or a portion of our assets, user data may be transferred as part of that transaction. We will notify you of any such change via email or prominent notice on our Service.
6. Data Retention & Deletion
6.1 Retention Periods
| Data Category | Retention Period |
|---|---|
| Account information | Duration of account + 30 days post-termination |
| Campaign data and ad performance | Duration of account + 30 days post-termination |
| AI-generated content and outputs | Duration of account + 30 days post-termination |
| Billing and payment records | 7 years (legal/tax compliance) |
| Security and access logs | 90 days |
| Uploaded assets (images, videos) | Duration of account + 30 days post-termination |
| Anonymized analytics data | Up to 3 years |
6.2 Account Deletion
You may request deletion of your account and associated data at any time by contacting privacy@mononio.ai. Upon receiving a verified deletion request, we will:
- Delete your account and personal data within 30 days
- Retain billing records as required by law (7 years)
- Retain anonymized, non-identifiable analytics data
- Confirm deletion via email once complete
7. Data Security
We implement industry-standard security measures to protect your data:
- Encryption at rest: All sensitive credentials and personal data are encrypted using AES-256-GCM
- Encryption in transit: All data transmitted between your browser and our servers uses TLS 1.2+
- Row-Level Security: Our database enforces strict per-user data isolation — no user can access another user's data
- Parameterized queries: All database queries use parameterized statements to prevent SQL injection
- Sandbox isolation: AI agent execution environments are sandboxed with allowlisted environment variables only
- Access controls: Internal access to production data is restricted to authorized personnel only
No security system is impenetrable. In the event of a data breach that affects your personal data, we will notify you and relevant authorities as required by applicable law within 72 hours of becoming aware of the breach.
8. GDPR — EU/EEA Users
🇪🇺 This section applies to users in the European Union and European Economic Area.
Mononio AI Corporation acts as a Data Controller for the personal data of EU/EEA users. For enterprise customers, a Data Processing Agreement is available.
8.1 Your Rights Under GDPR
As an EU/EEA data subject, you have the following rights:
- Right of Access (Art. 15): Request a copy of the personal data we hold about you
- Right to Rectification (Art. 16): Request correction of inaccurate personal data
- Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten")
- Right to Restriction (Art. 18): Request that we restrict processing of your data in certain circumstances
- Right to Data Portability (Art. 20): Receive your personal data in a structured, machine-readable format
- Right to Object (Art. 21): Object to processing based on legitimate interests
- Rights Related to Automated Decision-Making (Art. 22): Rights regarding automated decisions with significant effects
- Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent
8.2 How to Exercise Your Rights
Submit requests to our Data Protection Officer at dpo@mononio.ai. We will respond within 30 days. We may need to verify your identity before processing requests.
8.3 International Data Transfers
Your data is processed and stored in the United States. When transferring data from the EU/EEA to the US, we rely on Standard Contractual Clauses (SCCs) as the transfer mechanism under GDPR Article 46(2)(c). A copy of applicable SCCs is available on request.
8.4 Right to Lodge a Complaint
You have the right to lodge a complaint with your national data protection supervisory authority. For a list of EU data protection authorities, visit: edpb.europa.eu
8.5 Data Protection Officer
Our designated Data Protection Officer can be reached at:
Email: dpo@mononio.ai
Address: Mononio AI Corporation, Dover, Delaware, USA
9. CCPA — California Residents
🌟 This section applies to residents of California under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).
9.1 Your Rights Under CCPA/CPRA
California residents have the following rights:
- Right to Know: Request disclosure of personal information collected, used, disclosed, or sold in the past 12 months
- Right to Delete: Request deletion of personal information we have collected about you
- Right to Correct: Request correction of inaccurate personal information
- Right to Opt-Out of Sale/Sharing: Opt out of the sale or sharing of your personal information
- Right to Limit Use of Sensitive Personal Information: Limit our use of sensitive personal information
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights
9.2 Do Not Sell My Personal Information
🛑 Mononio does not sell personal information to third parties. If you wish to exercise your right to opt out of any future sale, or to confirm our practices, contact us at privacy@mononio.ai with the subject line "CCPA Opt-Out Request."
9.3 Categories of Personal Information Collected
In the past 12 months, we have collected the following categories of personal information:
| Category | Examples | Collected |
|---|---|---|
| Identifiers | Name, email, IP address | Yes |
| Commercial Information | Subscription records, purchase history | Yes |
| Internet/Network Activity | Browsing history on our Service, usage data | Yes |
| Professional Information | Business name, industry, role | Yes |
| Sensitive Personal Information | Account credentials (encrypted) | Yes |
9.4 Exercising California Rights
Submit verifiable California consumer requests to: privacy@mononio.ai with subject "CCPA Request." You may also designate an authorized agent to submit requests on your behalf.
We will respond to verifiable requests within 45 days. For complex requests, we may extend this period by an additional 45 days with notice.
10. Children's Privacy
The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected personal data from a child under 18, we will promptly delete that information. If you believe we may have collected data from a minor, contact us at privacy@mononio.ai.
11. Policy Changes
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Sending an email to your registered email address
- Displaying a prominent notice within the Service
- Updating the "Effective" date at the top of this policy
Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy. We encourage you to review this policy periodically.
12. Contact & Data Protection Officer
For privacy-related inquiries, data subject requests, or questions about this policy:
| Company | Mononio AI Corporation |
| Address | Dover, Delaware, USA |
| Privacy Email | privacy@mononio.ai |
| DPO Email (GDPR) | dpo@mononio.ai |
| General Support | support@mononio.ai |
We aim to respond to all privacy requests within 30 days (or sooner as required by applicable law).