LEGAL · PRIVACY POLICY

What we collect — and what we don't.

MONII is built around the idea that your hosting tokens shouldn't leave your phone unless you say so. This page is the plain-English version. The defaults are private.

Last updated: 20 May 2026 · Effective immediately

Who we are

MONII is built by Ross Jones, an independent developer. "We" / "MONII" / "us" throughout this document refers to that one-person operation. Contact details are at the bottom.

What data we collect, and why

From your device, automatically

None. MONII doesn't ship analytics SDKs, crash reporters, or advertising identifiers. No third-party JavaScript runs in the app.

From you, when you sign in

When you tap "Continue with Apple", "Continue with Google", or "Continue with GitHub" on the Welcome screen, we receive your email address and the provider's stable user identifier (e.g. Google sub-ID). We use Supabase as our authentication layer; the credentials themselves (passwords, OAuth secrets) never touch our infrastructure — those live with Apple, Google, or GitHub.

You can also pick "Continue without an account" on the Welcome screen, in which case we receive no identity data at all. Background monitoring + push notifications won't work in that mode, but everything else does.

When you connect a hosting platform

Connecting Netlify opens an in-app browser to Netlify's OAuth consent screen. Once you authorize MONII, Netlify hands MONII an access token. By default, that token stays on your phone in the iOS Keychain. We never see it.

Connecting Vercel is a paste-token flow because Vercel doesn't offer OAuth for indie apps. You generate a Personal Access Token on vercel.com and paste it in — same treatment: lives in Keychain, stays on your phone by default.

If you opt into Background Monitoring

If you flip the "Background monitoring" toggle on the Connect Hub, your provider token is sent to MONII's Supabase database, encrypted at rest using AES via PostgreSQL's pgp_sym_encrypt. The decryption key lives in a separate secret store accessible only to our scheduled polling function. Our database itself contains only ciphertext.

With monitoring on, we poll your Vercel / Netlify usage endpoints every 15 minutes, record usage snapshots (bandwidth, build minutes, edge invocations), and send a push notification when usage crosses 70% / 90% / 100% of plan limits. You can toggle this off at any time in Settings — token is revoked server-side immediately.

Push notifications

To send pushes, we collect your device's Expo push token (a string Apple assigns that routes notifications to your phone) and link it to your MONII user ID. We do not collect device identifiers, IDFA, IDFV, or any cross-app tracking IDs.

What we never collect

Who we share data with

MONII is the only first-party data handler. The third parties below are processors we use because they're necessary to make the app work — they don't receive data for their own purposes:

ServiceWhat they handle
Supabase Authentication + the database your encrypted tokens live in if monitoring is on. supabase.com/privacy
Apple / Google / GitHub Sign-in identity. You see their consent screen; we receive only the fields they let you share.
Vercel / Netlify The hosting platforms you connect. MONII calls their APIs on your behalf — we don't tell them anything about you they don't already know.
Expo Push Notification Service Delivers our push notifications to your phone. Receives the push payload (title + body) and your push token only.

We don't sell data, don't share it for advertising, don't transfer it to data brokers, and don't use it to train AI models.

Where data lives

MONII's Supabase project is hosted in the EU. Push notifications route through Expo's infrastructure (United States). If you're in the EU, your data may be processed in the US for the purposes of delivering push notifications under Apple/Google/Expo's own protections.

How long we keep data

Your rights

You have the right to:

Children

MONII is a developer tool. We don't market to or knowingly collect data from anyone under 13. If you believe a child has signed up, email us and we'll delete their account.

Changes to this policy

If we change anything substantive — new data we collect, new third party, new use — we'll update the date at the top and notify active users via in-app banner before the change takes effect. Trivial copy edits go live without notice.

Contact

Privacy questions, data requests, complaints: support@getmonii.com.

For UK GDPR / EU GDPR matters MONII is also the data controller. There is no dedicated DPO at our scale — Ross handles all data requests directly and aims to respond within 7 days.