MONII is built around the idea that your hosting tokens shouldn't leave your phone unless you say so. This page is the plain-English version. The defaults are private.
MONII is built by Ross Jones, an independent developer. "We" / "MONII" / "us" throughout this document refers to that one-person operation. Contact details are at the bottom.
None. MONII doesn't ship analytics SDKs, crash reporters, or advertising identifiers. No third-party JavaScript runs in the app.
When you tap "Continue with Apple", "Continue with Google", or "Continue with GitHub" on the Welcome screen, we receive your email address and the provider's stable user identifier (e.g. Google sub-ID). We use Supabase as our authentication layer; the credentials themselves (passwords, OAuth secrets) never touch our infrastructure — those live with Apple, Google, or GitHub.
You can also pick "Continue without an account" on the Welcome screen, in which case we receive no identity data at all. Background monitoring + push notifications won't work in that mode, but everything else does.
Connecting Netlify opens an in-app browser to Netlify's OAuth consent screen. Once you authorize MONII, Netlify hands MONII an access token. By default, that token stays on your phone in the iOS Keychain. We never see it.
Connecting Vercel is a paste-token flow because Vercel doesn't offer OAuth for indie apps. You generate a Personal Access Token on vercel.com and paste it in — same treatment: lives in Keychain, stays on your phone by default.
If you flip the "Background monitoring" toggle on the Connect Hub, your provider token is sent to
MONII's Supabase database, encrypted at rest using AES via PostgreSQL's
pgp_sym_encrypt. The decryption key lives in a separate secret store accessible only to
our scheduled polling function. Our database itself contains only ciphertext.
With monitoring on, we poll your Vercel / Netlify usage endpoints every 15 minutes, record usage snapshots (bandwidth, build minutes, edge invocations), and send a push notification when usage crosses 70% / 90% / 100% of plan limits. You can toggle this off at any time in Settings — token is revoked server-side immediately.
To send pushes, we collect your device's Expo push token (a string Apple assigns that routes notifications to your phone) and link it to your MONII user ID. We do not collect device identifiers, IDFA, IDFV, or any cross-app tracking IDs.
MONII is the only first-party data handler. The third parties below are processors we use because they're necessary to make the app work — they don't receive data for their own purposes:
| Service | What they handle |
|---|---|
| Supabase | Authentication + the database your encrypted tokens live in if monitoring is on. supabase.com/privacy |
| Apple / Google / GitHub | Sign-in identity. You see their consent screen; we receive only the fields they let you share. |
| Vercel / Netlify | The hosting platforms you connect. MONII calls their APIs on your behalf — we don't tell them anything about you they don't already know. |
| Expo Push Notification Service | Delivers our push notifications to your phone. Receives the push payload (title + body) and your push token only. |
We don't sell data, don't share it for advertising, don't transfer it to data brokers, and don't use it to train AI models.
MONII's Supabase project is hosted in the EU. Push notifications route through Expo's infrastructure (United States). If you're in the EU, your data may be processed in the US for the purposes of delivering push notifications under Apple/Google/Expo's own protections.
You have the right to:
MONII is a developer tool. We don't market to or knowingly collect data from anyone under 13. If you believe a child has signed up, email us and we'll delete their account.
If we change anything substantive — new data we collect, new third party, new use — we'll update the date at the top and notify active users via in-app banner before the change takes effect. Trivial copy edits go live without notice.
Privacy questions, data requests, complaints: support@getmonii.com.
For UK GDPR / EU GDPR matters MONII is also the data controller. There is no dedicated DPO at our scale — Ross handles all data requests directly and aims to respond within 7 days.