# Privacy Policy

Canonical URL: http://modelmonster.ai/about/privacy/

## Model Monster, Inc. Privacy Policy

**Effective 2026-04-01**

## 1. Overview

This Privacy Policy explains what personal data Model Monster, Inc. ("Model Monster," "we," "us," "our") collects, why we collect it, how we use and share it, and the rights you have over it.

We take a minimal-collection approach: we ask for the information we need to run the Services, and not more.

This policy applies to data we collect as a controller. Where we process customer-submitted content on behalf of a business customer, we act as that customer's processor, and our obligations are governed by our [Terms of Service](https://modelmonster.ai/about/terms/) and any executed Data Processing Addendum. In the event of a conflict between this policy and an executed DPA, the DPA controls.

## 2. Who We Are

We are Model Monster, Inc., a Delaware corporation with a principal place of business at 21750 Hardy Oak Blvd. #102, San Antonio, TX 78258-4946. Privacy contact: privacy@modelmonster.ai.

## 3. Scope

This policy covers personal data about visitors to modelmonster.ai, newsletter subscribers, business users of the platform, people who contact us via forms or email, and billing contacts for paying customers. It does not cover personal data that a customer submits to the platform as Your Content, which is governed by the Terms and any applicable DPA.

## 4. What We Collect

### 4.1 Business user accounts

To create an account, we require an email address. Users may optionally provide a name, profile picture, and time zone by entering them in the app.

### 4.2 Google Single Sign-On

If a user signs in with Google, we request only the `email` scope. Google returns the user's email address and a Google account identifier. We do not receive the user's Google profile name or picture.

### 4.3 Newsletter subscribers

We collect an email address. Subscription uses a double opt-in: we send a confirmation email and the subscriber must click to confirm. We do not track opens or clicks.

### 4.4 Marketing site forms

Form submissions on modelmonster.ai are delivered as email to our shared support inbox. We receive whatever you put in the form. Submissions are not routed into a CRM or marketing automation platform.

### 4.5 Billing contacts

When an organization purchases a subscription, Stripe collects payment information directly. We never receive your card number. From Stripe we receive billing name, billing email, billing address, Stripe customer ID, last four digits and card brand, and invoice history. We use this only for billing, invoicing, tax, and fraud prevention.

### 4.6 Support correspondence

Messages sent to our support address (and replies to messages from us) are stored in our Google Workspace inbox together with the sender's email address.

### 4.7 Automatically collected technical data

When you use the platform or visit modelmonster.ai, our servers log:

- IP address
- User agent
- Referring URL and requested URL
- HTTP status and response size
- Timestamp
- Session or request identifiers

We use these logs only for security (detecting abuse, rate limiting, investigating incidents) and debugging. We retain them for one year.

We run OpenTelemetry instrumentation inside our own infrastructure. Telemetry goes to a collector inside our network perimeter; it is not sent to any third-party observability vendor.

## 5. What We Don't Collect

We do not knowingly collect:

- Special categories of data under GDPR Article 9 (racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data about sex life or sexual orientation)
- Protected health information regulated by HIPAA
- Financial account numbers beyond what Stripe handles directly
- Government identifiers such as Social Security numbers, driver's license numbers, or passport numbers
- Precise geolocation beyond what can be inferred from an IP address
- Behavioral advertising data

Customers are contractually prohibited from submitting these categories to the platform as Your Content unless an Order Form expressly authorizes it (see Terms Section 7.3).

## 6. Cookies

We use only essential or functional cookies: session cookies to keep you logged in, CSRF tokens, and preference cookies for things like time zone and UI state. We do not use analytics cookies, advertising cookies, tracking pixels, or beacons. We do not share cookie data with third parties.

## 7. How We Use Your Data

We use personal data to:

- Operate the Services (authenticate users, deliver the platform, provide support)
- Deliver the newsletter you subscribed to
- Communicate with you about your account and operational matters
- Bill and collect payment through Stripe
- Detect and respond to abuse, fraud, and unauthorized access
- Comply with law and defend legal claims

We do not use personal data for targeted advertising, profiling with legal or similarly significant effect on you, or training generative AI models. Our Terms Section 5.1 commits that customer content will not be used to train generative AI models used in the Services without explicit opt-in; the same commitment applies to the personal data described in this policy.

## 8. Legal Bases (GDPR and UK GDPR)

For individuals in the EU, EEA, UK, or Switzerland, we rely on:

- **Contract performance** to provide the platform and process billing.
- **Legitimate interest** for security logging, fraud prevention, responding to inquiries, and operating a business website.
- **Consent** for newsletter subscription. You can withdraw consent at any time via the unsubscribe link in any newsletter or by emailing privacy@modelmonster.ai.
- **Legal obligation** for tax, accounting, and responding to lawful requests.

## 9. How We Share Your Data

We share personal data only with the service providers below, with lawful authorities when required, and as part of a business transfer. Our current sub-processors:

1. **Akamai Technologies (Linode)** — hosting and infrastructure, United States.
2. **Twilio SendGrid** — email delivery (transactional email and newsletter), United States. Used as an SMTP relay only; we do not use SendGrid Marketing Campaigns.
3. **Stripe** — payment processing, United States.
4. **Google LLC (Google Workspace)** — email hosting for our support inbox and identity provider for Google SSO, United States.
5. **Ribar, obrt za računalne usluge** — independent contractor providing engineering and debugging services, Croatia.
6. **DigitalMind, obrt za usluge i sport** — independent contractor providing engineering and debugging services, Croatia.

Each sub-processor is bound by a written agreement that restricts use of personal data to the services they perform for us.

We may disclose personal data to comply with a subpoena, court order, or other legal obligation, or to protect Model Monster, our customers, or the public from harm. If Model Monster is acquired, merged, or sells substantially all of its assets, personal data may be transferred as part of that transaction, subject to this policy or a materially equivalent successor policy.

**We do not sell personal data. We do not share personal data for cross-context behavioral advertising.**

## 10. Data Location and International Transfers

Personal data is stored and processed in the United States. Our Croatian contractors listed above may access data stored in the United States from Croatia, for engineering and debugging purposes. No personal data is stored in Croatia.

Where personal data of individuals in the EU, EEA, UK, or Switzerland is transferred to the United States, we rely on the EU Standard Contractual Clauses, the UK International Data Transfer Addendum, and, where applicable, the Swiss Addendum, as the transfer mechanism.

## 11. Retention

Customer Content retention is governed by Terms Section 7.7. For other data:

- **Business user account records:** deleted within 90 days after account closure, except where longer retention is required by law or necessary to resolve disputes or enforce agreements.
- **Newsletter subscriptions:** retained until you unsubscribe. After unsubscribe, your email address remains on a suppression list indefinitely so that we do not re-email you (legitimate interest).
- **Billing and invoice records:** seven years, to meet US tax and accounting requirements.
- **Support correspondence:** three years from last contact.
- **Server and security logs:** one year.
- **Data subject request records:** three years.

## 12. Your Rights

Depending on your jurisdiction, you may have the right to:

- Access the personal data we hold about you
- Correct inaccurate data
- Delete your personal data
- Receive a copy in a common, machine-readable format
- Restrict or object to certain processing
- Withdraw consent for processing based on consent (newsletter)
- Complain to a supervisory authority
- Not be subject to solely automated decision-making that produces legal or similarly significant effects on you (we do not make such decisions)

To exercise any right, email privacy@modelmonster.ai. We may need to verify your identity; for account holders this typically means authenticating through your existing account. We respond within 30 days (GDPR / UK GDPR) or 45 days (California), with extensions permitted by law for complex requests.

## 13. US State Privacy Rights

The following applies to residents of US states with comprehensive privacy laws, including California, Colorado, Connecticut, Delaware, Iowa, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Tennessee, Texas, Utah, and Virginia.

**Categories collected in the past 12 months:** identifiers (email address, Google account ID, IP address); commercial information (billing records via Stripe); internet or electronic activity (server logs); and inferences drawn from the above. Specifics are in Section 4.

**Sources:** directly from you; automatically from your browser or device; and from Stripe for billing data.

**Business purposes:** as described in Section 7.

**Recipients:** the sub-processors listed in Section 9.

**No sale, no sharing for advertising.** We do not sell personal data and do not share it for cross-context behavioral advertising under California and similar state laws. There is no "Do Not Sell or Share" election to make because we do not sell or share.

**Sensitive personal information:** we do not collect categories defined as sensitive under California or similar state laws.

**Global Privacy Control:** because we do not sell or share, there is no opt-out to honor. If that changes, we will honor GPC signals.

**Financial incentives:** none.

**Authorized agents:** California residents may use an authorized agent. We will require a signed authorization and may verify your identity directly.

**Right to appeal:** if we deny your request, you may appeal by replying to our response email. If the appeal is denied, you may contact your state attorney general.

## 14. Children

The Services are not directed to individuals under 16, and we do not knowingly collect personal data from anyone under 16. If you believe a minor has provided us personal data, email privacy@modelmonster.ai and we will delete it.

## 15. Security

We implement commercially reasonable safeguards as described in Terms Section 7.5, including encryption in transit and at rest, tenant-isolated architecture, role-based access controls, API-key authentication, MFA (TOTP and WebAuthn), security training for personnel, vulnerability scanning, and monitoring. No system is perfectly secure. We recommend strong, unique passwords and enabling MFA.

Report security vulnerabilities to security@modelmonster.ai.

## 16. Breach Notification

If a personal data breach occurs, we will notify affected users and, where required, supervisory authorities within the timeframes required by applicable law: 72 hours to the relevant Data Protection Authority under GDPR and UK GDPR, and without unreasonable delay under US state laws.

## 17. EU and UK Representative

Under Article 27 of the GDPR and the UK GDPR, we have appointed the following as our representative for EU and UK data subjects and supervisory authorities:

**Ribar, obrt za računalne usluge**<br/>
Motovunska 24, 10000 Zagreb<br/>
OIB: 55800771816<br/>
[eu-rep@modelmonster.ai](mailto:eu-rep@modelmonster.ai) (Routes directly to representative)

You may contact our representative for any matter under the GDPR or UK GDPR.

## 18. Changes to This Policy

We may update this policy to reflect changes in our practices or legal requirements. For material changes, we will provide reasonable advance notice (at least 30 days) by email to account holders or by a prominent notice on modelmonster.ai. The effective date at the top indicates when the current version took effect.

## 19. Contact

Model Monster, Inc.<br/>
21750 Hardy Oak Blvd. #102<br/>
San Antonio, TX 78258-4946<br/>
privacy@modelmonster.ai
