Data Controller
The data controller responsible for your personal data is Monospace, operated by the site owner. As data controller, we determine the purposes and means of processing your personal data.
What Data We Collect
We only collect what is necessary to provide and improve the service. Here's exactly what we collect and why.
Account Data
Name, email address, and profile picture collected via Clerk authentication when you sign up.
Organisation Data
Organisation name, member roles, and organisation settings to manage your team workspace.
Project Data
Encrypted: Board names, card titles, task content, notes, links, tickets, and purchase orders. All encrypted at rest.
Communication Data
Encrypted: Ticket messages and chat messages within your organisation. All encrypted at rest.
Usage Data
Feature usage and page views collected for product improvement purposes only. Never sold or shared.
AI Data
Opt-in only: Conversation history, collected only when the AI feature is explicitly opted into by each user. Can be cleared at any time.
How We Protect Your Data
Security isn't an afterthought — it's foundational to how Monospace is built. We go beyond the minimum requirements.
Encryption at Rest
AES-256-GCM: AES-256-GCM encryption applied to all sensitive data stored in the database. Industry-standard, battle-tested cryptography.
Encryption in Transit
TLS 1.3: All connections use TLS 1.3, the latest and most secure version of the transport security protocol.
EU Data Residency
EU hosted: Primary database hosted in EU (eu-west-1) via Convex. Your data stays in Europe.
Email in EU
EU hosted: Email processing handled via Resend, with infrastructure in EU (eu-west-1). No data leaves the EU for email.
Access Controls
Role-based permissions and organisation-level access controls ensure members can only access what they should.
AI Privacy Controls
Organisations can disable AI access to their data entirely. AI features are opt-in at both user and organisation level.
Sub-Processors
We use a limited number of trusted third-party processors. Each has been assessed for GDPR compliance and Data Processing Agreements are available.
| Sub-Processor | Purpose | Location | DPA Available |
|---|---|---|---|
| Convex | Database & backend | EU (eu-west-1) | |
| Clerk | Authentication & identity | US (EU-US DPF certified) | |
| Resend | Email delivery | EU (eu-west-1) | |
| Vercel | Hosting & CDN | Global (EU-US DPF) | |
| OpenRouter (Opt-in) | AI processing (opt-in only) | US | |
| Stripe | Payment processing (via Clerk) | US (EU-US DPF certified) | |
Legal Basis for Processing
Under GDPR, we must have a lawful basis for processing your personal data. We rely on the following bases:
Contract
Art. 6(1)(b): Processing necessary for providing the Monospace service you've signed up for. This covers account management, delivering features, and billing.
- Account creation
- Feature delivery
- Billing & payments
Consent
Art. 6(1)(a): Processing only carried out with your explicit, freely given consent. You can withdraw consent at any time.
- AI features
- Marketing communications
- Analytics opt-in
Legitimate Interest
Art. 6(1)(f): Processing necessary for our legitimate interests, balanced against your rights. We carry out legitimate interest assessments.
- Service improvement
- Security monitoring
- Fraud prevention
Your Rights
Under GDPR, you have the following rights regarding your personal data. To exercise any of these rights, contact us at privacy@monospace.page. We will respond within 30 days.
Right of Access
Art. 15: Request a copy of the personal data we hold about you. We'll provide a machine-readable export of all your data.
Right to Rectification
Art. 16: Ask us to correct inaccurate or incomplete personal data. Most data can be updated directly in your account settings.
Right to Erasure
Art. 17: Request deletion of your personal data (the 'right to be forgotten'). We'll delete your data within 30 days, subject to legal retention obligations.
Right to Restrict Processing
Art. 18: Ask us to pause processing of your data while a dispute is resolved, without deleting it.
Right to Data Portability
Art. 20: Receive your data in a structured, commonly used, machine-readable format (JSON/CSV) to transfer to another service.
Right to Object
Art. 21: Object to processing based on legitimate interests or for direct marketing purposes. We will stop unless we have compelling grounds.
Automated Decision Making
Art. 22: We do not make solely automated decisions that significantly affect you. AI features are assistive only and do not make decisions on your behalf.
Data Retention
We only keep your data for as long as necessary. Here's our retention schedule:
Permanently deleted within 30 days of account deletion
Permanently and immediately deleted when the project is deleted
Can be cleared at any time by the user from their account settings
Rolling backups retained for a maximum of 30 days, then purged
Payment processing handled entirely by Stripe. We do not store card details or sensitive payment information.
International Transfers
We take care to ensure your data is protected whenever it leaves the EU. Here's how we handle international transfers:
Primary EU Storage
Your primary application data is stored in the EU via Convex (eu-west-1). This is the default and applies to all users.
EU-US Data Privacy Framework
Clerk and Stripe are certified under the EU-US Data Privacy Framework, providing adequate protection for transfers to the US.
Standard Contractual Clauses
Where DPF does not apply, we use Standard Contractual Clauses (SCCs) as the legal mechanism for international data transfers.
Vercel CDN
Vercel uses a global CDN for performance. However, application data and database storage remain in the EU. Only static assets are globally distributed.
Children's Data
Monospace is designed for organisational use, including schools. We take the protection of children's data extremely seriously.
- Monospace is intended for use by adults in an organisational or professional context, including school staff.
- We do not knowingly collect personal data from children under 13 without appropriate parental or school consent.
- Schools using Monospace are responsible for obtaining any necessary consents from parents or guardians before using the platform in connection with pupils.
- We support schools in meeting their obligations under the UK GDPR and the Children's Code (Age Appropriate Design Code).
- Student data is handled with particular care — please contact us to discuss your specific requirements.
Data Breach Notification
In the unlikely event of a data breach, we follow a clear and legally compliant incident response process.
ICO Notification
We will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of a reportable breach, as required by UK GDPR.
User Notification
Where a breach poses a high risk to your rights and freedoms, we will notify affected users without undue delay with clear information about what happened.
Incident Response Plan
We maintain a written incident response plan to ensure swift, coordinated action in the event of a security incident.
Contact & Data Protection
Exercise Your Rights
To exercise any of your GDPR rights, make a data subject access request, or raise a data protection concern, contact our privacy team.
privacy@monospace.page
We respond to all privacy requests within 30 days.
Supervisory Authority
If you are not satisfied with how we handle your data, you have the right to lodge a complaint with the UK supervisory authority.
We would always prefer to resolve issues directly first — please reach out before escalating.
Monospace for Education
Built for Schools
We understand schools have additional GDPR obligations
Staff-only access
Students don't need accounts. Monospace is used by teachers and administrators only.
Fully encrypted, EU-hosted
All data encrypted with AES-256-GCM and stored in EU (eu-west-1). No data leaves the EU.
DPA available on request
We provide a full Data Processing Agreement (DPA) for schools and local authorities.
KCSIE & safeguarding aligned
We support schools in meeting their obligations under KCSIE and the UK Children's Code.
Role-based access controls
Granular permissions ensure staff only access what they need. Full audit trail available.
ICO guidance compliant
Designed to comply with ICO guidance for schools and education providers.