Privacy Policy
This policy is provided in good faith and reflects current practice. It does not constitute legal advice — operators should have it reviewed by counsel before production use.
Last updated: 25 May 2026
1. Who we are
Monx is operated by Artur Daci and Besnik Picori (the "Operators", "we", "us"). We run the marketing site at monx.me and the customer console at console.monx.me. You can reach us at [email protected] (a dedicated [email protected] address will replace this once provisioned).
2. What this policy covers
This policy covers personal data we process when you visit monx.me or hold an account on console.monx.me. It does not cover the personal data of your end users — Monx scans the public infrastructure of domains you enroll, not their visitors.
3. What we collect
3.1. Account data
- Email address (used for login, password reset, and service notifications).
- A bcrypt hash of your password. We never see or store the plaintext.
- Session cookies (httpOnly, Secure, SameSite=Lax) and a CSRF token cookie.
3.2. Billing data
- An optional Stripe customer ID if you subscribe to a paid plan.
- We do not see, touch, or store card numbers. Stripe handles card data directly.
3.3. Monitoring configuration
- The domains you enroll for monitoring.
- Notification integration secrets you provide (Telegram bot tokens and chat IDs, Slack webhook URLs, email recipient addresses). These are encrypted at rest with Fernet (AES-128-CBC + HMAC).
3.4. Scan data about your domains
- DNS records (A, AAAA, MX, SPF, DKIM, DMARC, CAA, etc.).
- TLS certificates and chain metadata.
- HTTP response headers and status codes.
- Open ports and service fingerprints from network scans.
- Vulnerability findings produced by Nuclei templates.
- Lighthouse performance audit results.
- Trust signals extracted from the public webpages of the enrolled domain by a large language model (default: self-hosted Ollama, no third-party LLM call).
3.5. Operational telemetry
- Application logs (errors, slow requests, scan outcomes).
- Aggregated request counters used for rate-limiting. We do not store real visitor IPs against monitoring traffic; only aggregated counters.
4. How we use it
- Provide the service: run scans on the domains you enroll, produce findings, and surface them in your console.
- Send alerts: deliver notifications through the integrations you configure (email, Telegram, Slack).
- Billing: create and reconcile Stripe subscriptions for paid plans.
- Security: detect abuse, enforce rate limits, and investigate incidents.
- Improvement: diagnose bugs and prioritise features based on aggregate usage.
We do not profile you, we do not run ad targeting, and we do not sell or rent personal data to third parties.
5. Legal basis (GDPR Article 6)
- Performance of a contract (Art. 6(1)(b)) — account data, monitoring configuration, scan results, and notification delivery. These are necessary to provide the service you signed up for.
- Legitimate interests (Art. 6(1)(f)) — operational logs, abuse detection, and rate-limiting. Our interest is keeping the service available and secure, balanced against your reasonable expectations.
- Consent (Art. 6(1)(a)) — aggregate analytics on the marketing site (see Section 12). You can decline without affecting your account.
- Legal obligation (Art. 6(1)(c)) — retention of billing records as required by applicable tax and accounting law.
6. Third-party processors
We use the following sub-processors. Each has access only to the data needed for its purpose.
- Cloudflare — CDN, DNS, and DDoS protection. Sees all HTTP traffic to monx.me and console.monx.me.
- Stripe — payment processing and subscription billing. Handles card data we never touch.
- VirusTotal — reputation lookups against the domains you enroll.
- Telegram — delivery of alerts to the Telegram chat IDs you configure.
- Slack — delivery of alerts to the Slack webhook URLs you configure.
- SMTP relay provider — delivery of transactional and alert email.
- OpenAI / Anthropic — opt-in only. If you turn on third-party LLM analysis in your console settings, public webpage content from the enrolled domain may be sent for trust-signal extraction. The default is a self-hosted Ollama instance and no third-party LLM call is made.
7. Data location
Our origin servers are located in the European Union. Cloudflare may cache static assets at points of presence worldwide. Stripe processes payment data in the United States; transfers are governed by the EU Standard Contractual Clauses. If you opt in to a third-party LLM (Section 6), prompts may be processed outside the EU under the provider's own transfer safeguards.
8. Retention
- Account data: retained while your account is active. Deleted within 30 days of account closure, except where we are required to keep records for legal reasons (e.g. invoices).
- Scan results: 90 days rolling in our analytics store (ClickHouse). Older data is aggregated and de-identified.
- Application logs: 30 days.
- Billing records: retained for the period required by applicable tax law.
9. Your rights
Under the GDPR you have the right to:
- Access the personal data we hold about you.
- Rectify data that is inaccurate or incomplete.
- Erase your data ("right to be forgotten"), subject to legal retention obligations.
- Receive your data in a portable format (JSON export from the console).
- Restrict processing while a dispute is resolved.
- Object to processing based on legitimate interests.
- Withdraw consent at any time where processing is based on consent.
To exercise any of these rights, email us at [email protected]. We respond within 30 days.
10. Children
Monx is a business tool and is not directed at people under 16. We do not knowingly collect personal data from children. If you believe a child has provided personal data to us, contact us and we will delete it.
11. Cookies
We use the following cookies:
- Session cookie (necessary) — keeps you logged in to the console.
- CSRF token cookie (necessary) — prevents cross-site request forgery on form submissions.
- Cloudflare cookies (necessary) — bot mitigation and routing (__cf_bm, cf_clearance).
12. Analytics
The marketing pages on monx.me use a privacy-friendly aggregate pageview counter from pageviews.ai (tracker ID 019de57e-0e7d-7348-a468-6f37353046b5). The tracker counts pageviews in aggregate. It does not fingerprint individual visitors, does not set tracking cookies, and is not used for advertising. The console at console.monx.me has no analytics tracker.
13. Changes to this policy
We will update the "Last updated" date at the top of this page when we change this policy. For material changes (new categories of data, new processors, changes to retention) we will also email account holders before the change takes effect.
14. Contact and complaints
For any question about this policy or your data, email [email protected].
If you believe we have not handled your data lawfully, you have the right to lodge a complaint with the data protection authority in your country of residence. The Operators are based in Estonia; the supervisory authority there is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon / AKI).