Privacy Policy

1.1 Account Information. When you create an account, we collect your name, email address, and authentication credentials. If you sign in via GitHub, Google, or GitLab OAuth, we receive your name, email address, and profile avatar from the identity provider. We do not receive or store your OAuth provider password.

1.2 Organization and Project Data. We store data you create on the platform: organization names and settings, project configurations, Git repository contents, task board data (tasks, comments, attachments, time entries), documentation wiki content, environment variable names (values are encrypted and not accessible to MonkeysCloud staff), domain configurations, and deployment history.

1.3 Customer Code and Databases. Your application source code, build artifacts, and database contents are stored on infrastructure managed by MonkeysCloud within Google Cloud Platform. This data is processed to provide the Service (building, deploying, and running your applications). MonkeysCloud does not access, read, or analyze your source code or database contents except as necessary to provide the Service or as required by law.

1.4 Usage Data. We collect information about how you use the Service: pages visited, features used, API calls made, build and deploy events, and interaction patterns. This data is used to improve the Service, debug issues, and generate aggregate analytics. Usage data does not include the contents of your code, tasks, or databases.

1.5 Payment Information. If you add a payment method, payment processing is handled by Stripe, Inc. We do not store credit card numbers, CVVs, or full bank account details on our servers. We receive and store a tokenized reference to your payment method, billing address, and transaction history. Stripe's privacy policy applies to payment data.

1.6 Log Data. Our servers automatically record information including your IP address, browser type, operating system, referring URL, pages visited, and timestamps. This data is used for security monitoring, abuse prevention, and Service improvement. Log data is retained for 90 days.

1.7 Cookies and Similar Technologies. We use strictly necessary cookies for authentication and session management. We use analytics cookies (Google Analytics) to understand aggregate usage patterns. You can disable analytics cookies in your browser settings without affecting Service functionality. We do not use advertising cookies or tracking pixels.

We use collected information to:

• Provide, maintain, and improve the Service
• Authenticate your identity and manage your account
• Process payments and manage billing
• Send transactional emails (account verification, password reset, billing notices, deployment alerts, trial expiration reminders)
• Provide customer support
• Monitor and prevent abuse, fraud, and violations of our Terms of Service
• Comply with legal obligations
• Generate aggregate, anonymized analytics about Service usage

We do not use your personal information for advertising. We do not sell your personal information to third parties. We do not use your source code, database contents, or task data to train machine learning models.

MonkeysCloud includes AI-powered features (code review, build analysis, deploy risk scoring, sprint planning, chat). These features are powered by Google Vertex AI (Gemini models) running within Google Cloud Platform.

When you use AI features, the relevant context (code diffs, build logs, task data, deploy history) is sent to Google Vertex AI for processing. This data is processed within GCP infrastructure and is subject to Google Cloud's data processing terms. Your data is not used by Google to train foundation models. AI processing is transient — data is not stored by the AI service beyond the duration of the request.

You can disable AI features for your organization in Settings → AI.

We share information with third parties only in the following circumstances:

4.1 Service Providers. We use third-party service providers to operate the Service: Google Cloud Platform (infrastructure, compute, storage, AI processing), Stripe (payment processing), and transactional email providers. These providers process data on our behalf under contractual obligations to protect your information.

4.2 Legal Requirements. We may disclose information if required by law, regulation, legal process, or governmental request. We will notify you of such requests when legally permitted.

4.3 Business Transfers. In the event of a merger, acquisition, or sale of assets, user information may be transferred to the acquiring entity. We will notify you before your information becomes subject to a different privacy policy.

4.4 With Your Consent. We may share information with third parties when you explicitly consent, such as when you connect an external integration.

We do not sell, rent, or trade personal information to third parties for their marketing purposes.

MonkeysCloud is based in the United States. If you are located outside the United States, your information is transferred to and processed in the United States (or the GCP region you select for your instances).

For transfers from the EEA and UK, we rely on the following mechanisms: Standard Contractual Clauses (SCCs) approved by the European Commission, and Google Cloud's data processing and security terms, which include EU SCCs.

Account Data. Retained as long as your account is active. If you delete your account, personal data is deleted within 30 days. Aggregate anonymized data may be retained indefinitely.

Project Data. Retained as long as the project exists. When a project is deleted, all associated data (code, database files, tasks, logs, configuration) is permanently deleted within 30 days.

Suspended Resources. Suspended projects and instances retain data for up to 90 days after suspension. After 90 days, data is permanently deleted. Warning emails are sent at 60 days and 7 days before deletion.

Log Data. Retained for 90 days, then automatically deleted.

Payment Records. Retained for 7 years as required by tax and accounting regulations.

7.1 All Users. You can access, update, and delete your account information from your account settings. You can export your Git repositories, database data, and task data at any time. You can delete your account, which triggers deletion of all associated personal data within 30 days.

7.2 EEA and UK Residents (GDPR). You have the right to: access your personal data, rectify inaccurate data, erase your data (“right to be forgotten”), restrict processing, data portability, object to processing, and not be subject to automated decision-making. Our legal basis for processing is: contract performance (providing the Service), legitimate interest (improving the Service, preventing abuse), and consent (analytics cookies). To exercise your rights, contact privacy@monkeys.cloud. We will respond within 30 days.

7.3 California Residents (CCPA/CPRA). You have the right to: know what personal information we collect and why, delete your personal information, correct inaccurate information, and opt out of the sale or sharing of personal information. We do not sell or share personal information for cross-context behavioral advertising. To exercise your rights, contact privacy@monkeys.cloud or use the account settings page. We do not discriminate against users who exercise their privacy rights.

7.4 Colorado Residents (CPA). You have the right to: access, correct, delete, and obtain a portable copy of your personal data, and opt out of targeted advertising, sale of personal data, and profiling. We do not engage in targeted advertising, sale of personal data, or automated profiling. Contact privacy@monkeys.cloud.

MonkeysCloud is not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we learn that we have collected personal information from a child under 16, we will delete it promptly. If you believe a child under 16 has provided us with personal information, contact privacy@monkeys.cloud.

We implement technical and organizational measures to protect your information, including encryption in transit and at rest, access controls, audit logging, and regular security assessments. See our Security page for details.

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice on the Service at least 30 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

For privacy-related questions or to exercise your data rights:

For EEA residents, you have the right to lodge a complaint with your local data protection authority.