Privacy Policy

Last updated: May 2, 2026

Monoid is built on a single principle: collect only what is necessary, minimize identifiers immediately, and avoid visitor profiles. This policy explains what data we process, why, and how.

1. Who we are

Monoid is operated by Izac Cavalheiro (monoid@monoid.website), established in Brazil. For questions about this policy, contact us at that address.

Monoid does not currently maintain an establishment in the EU, UK, or EEA, and has not appointed a representative under Art. 27 GDPR or UK GDPR. This exemption applies because processing of EU/UK/EEA data subjects is not large-scale, does not involve special categories of data, and is not likely to result in high risk to individuals. We monitor the volume of EU/EEA data subjects processed monthly. If processing consistently exceeds 5,000 distinct EU/EEA data subjects per calendar month, we will appoint an EU representative under Art. 27 GDPR (and, separately, a UK representative under Art. 27 UK GDPR and a Swiss representative under Art. 14 nFADP) before that threshold is sustained.

2. Visitor data we collect on your behalf

When visitors load a page on a Monoid-instrumented site, the JavaScript tracker sends a pageview request containing:

  • The site ID configured in the script tag
  • The page path, such as /pricing
  • The referring hostname, when available
  • The screen width reported by the browser
  • A derived country code from coarse edge metadata
  • A broad device type derived from a User-Agent pattern match and coarse screen width
  • A one-way daily hash used only to count unique visitors
  • Custom event names and optional numeric values, when your site calls window.monoid('event', ...) or enables automatic interaction tracking
  • Page duration in milliseconds on route changes or page unload, used to calculate average time on site

What we do not store: IP addresses, full User-Agent strings, cookies, device fingerprints, precise location, or persistent cross-day visitor identifiers.

The unique visitor hash is computed as SHA-256(IP + User-Agent + SALT + YYYY-MM-DD). The date component means the hash changes every midnight UTC. The secret SALT makes reversal impractical from stored analytics rows. The hash is used as a daily count signal, not as a persistent visitor profile.

3. Account data we collect

When you create or use a Monoid account, we collect:

  • Your email address (for login and transactional emails)
  • A password stored as a salted, one-way hash if you register with email/password
  • OAuth provider identifiers if you use social login (Google, GitHub, Microsoft, or Facebook, when enabled) — we never receive your OAuth passwords
  • Your registered domain names
  • Dashboard preferences, such as date ranges, chart types, and visible panels
  • Password reset tokens in hashed form while a reset link is valid
  • Contact and support messages you send to us
  • Billing information processed entirely by Stripe — we never see or store card numbers

4. Cookies and storage

The tracker script uses no cookies, no localStorage, and no sessionStorage.

The Monoid dashboard uses an httpOnly session cookie (user_token) to maintain your login for up to 30 days. These cookies are strictly necessary for the application and do not track you across other websites.

5. How we use your data

  • Visitor data — to provide aggregated analytics in your dashboard.
  • Account email — to send welcome, site activation, password reset, and service emails.
  • Dashboard preferences — to remember your selected dashboard layout and chart settings.
  • Contact and support messages — to reply to your requests.
  • Billing data — to process payments via Stripe and comply with financial record-keeping requirements.

We do not use your data for advertising, visitor profiling, or any purpose beyond operating the Service.

6. Data sharing

We share data with:

  • Managed edge infrastructure — data collection and application hosting.
  • Stripe — for payment processing.
  • Resend — for transactional email delivery and contact/support message delivery.
  • OAuth providers — only when you choose social login, to complete authentication.

We do not sell data. We do not share data with advertisers, data brokers, or third parties outside the service providers needed to operate Monoid.

6a. International data transfers

Cloudflare, Stripe, and Resend are US-based companies. Transfers of personal data to these providers are covered by the EU Standard Contractual Clauses (SCCs) and the EU–US Data Privacy Framework, the Swiss–US Data Privacy Framework (for Swiss residents), and the UK International Data Transfer Agreement or UK Addendum to EU SCCs (for UK residents). You can review each provider's transfer mechanisms: Cloudflare (cloudflare.com/trust-hub/gdpr/), Stripe (stripe.com/legal/dpa), Resend (resend.com/legal/dpa).

6b. Legal basis for processing

We process personal data on the following legal bases (EU/UK GDPR Art. 6; Swiss nFADP Art. 6):

  • Visitor analytics (hashed, cookie-free, daily-rotating) — Legitimate Interest (Art. 6(1)(f)): providing privacy-preserving audience analytics to website owners is our core service, and the design minimises impact on individual data subjects.
  • Account registration and service delivery — Performance of a contract (Art. 6(1)(b)).
  • Transactional emails — Performance of a contract (Art. 6(1)(b)).
  • Billing records — Legal obligation (Art. 6(1)(c)): financial regulations require retention of payment records.
  • Security logging and rate-limit data — Legitimate Interest (Art. 6(1)(f)): protecting the platform against abuse and unauthorized access.

7. Data retention

  • Pageview and custom event data — dashboard reporting is limited to 90-day ranges; rows older than 90 days are removed by the cleanup process. The 90-day window is also the full retention window — no older data is held, and your data export reflects this complete dataset.
  • Account data, sites, dashboard preferences, OAuth links, pending signups, associated pageviews, and custom events — removed from the active database when you delete your account.
  • Password reset tokens — valid for 1 hour and deleted or invalidated when replaced or used.
  • OAuth login state — valid for 10 minutes and deleted after the callback is processed.
  • Billing records — retained as required by applicable financial regulations (typically 7 years).

8. Your rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data — update your email address directly from the account settings page
  • Delete your account and all associated data
  • Export your analytics data in a structured format
  • Object to processing based on legitimate interests (Art. 21 GDPR / UK GDPR)
  • Lodge a complaint with your national data protection supervisory authority

For visitor analytics, we rely on Legitimate Interest (Art. 6(1)(f)). Our Legitimate Interest Assessment (LIA) applies the three-part EDPB test: (1) Purpose test — providing privacy-preserving audience analytics is a legitimate interest of both Monoid and its customers; (2) Necessity test — each field stored (page path, referrer hostname, country code, device category, browser family, daily visitor hash, date) is individually necessary and nothing more precise is kept; IP addresses and full User-Agent strings are used only in memory and never written to storage; (3) Balancing test — the daily-rotating SHA-256 hash is practically irreversible without simultaneous access to the visitor's IP, User-Agent, and our secret key; no cross-day profiling is possible; DNT signals are honoured; no cookies or persistent identifiers are set on the visitor's device. On balance, the processing imposes minimal risk to individuals while enabling a core service function. You may request a copy of the full LIA document by emailing monoid@monoid.website.

EU/EEA residents may contact their national DPA (list at edpb.europa.eu). UK residents may contact the ICO (ico.org.uk). Swiss residents may contact the FDPIC (fdpic.ch). For Monoid account holders, you can delete your account and all data directly from the account settings page.

For data access, correction, portability, or objection requests, email monoid@monoid.website. We respond within 30 days. Swiss residents may also exercise rights under nFADP Art. 25 (information, access, correction, deletion) by the same contact.

8b. Automated processing and plan enforcement

Monoid applies automated plan-limit enforcement: if a site exceeds its monthly pageview allowance, additional pageview rows are not recorded until the next billing period. This decision is made automatically based on the aggregate pageview count for your account, not on any profiling of individual website visitors. It does not constitute an automated decision with significant legal or similar effect on data subjects within the meaning of GDPR Art. 22 or UK GDPR Art. 22. If you use Monoid analytics data to make automated decisions about your own users, you must disclose this separately in your own privacy notice.

9. Security

All data is transmitted over HTTPS. Passwords are never stored in plaintext; they are stored using salted, one-way password hashing. Session cookies are httpOnly, and authenticated API requests are restricted by origin checks. We log security-relevant events such as failed login attempts, password resets, and account deletion confirmations.

10. Children's privacy

The Service is not directed at, and is not intended to be used by, persons under 16. Monoid is a business analytics platform for website owners and developers. By creating an account, you confirm that you are 16 years of age or older. We do not knowingly collect data from children. If you believe a child has created an account, contact us and we will delete it promptly.

11. Changes to this policy

Material changes will be communicated by email at least 14 days before taking effect. The "last updated" date above will always reflect the current version.

12. Contact

Privacy questions, data requests, or concerns: monoid@monoid.website