Privacy Policy

Last Updated: April 1, 2026

1. Introduction

Monolithic LLC ("Monolithic," "we," "us," or "our") operates the software-as-a-service platform available at getmonolithic.com and its subdomains (the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our Service. By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy.

2. Information We Collect

2.1 Account and Identity Information

When you create an account or use our Service, we collect:

  • Account Details: Name, email address, organization affiliation, and role within your organization
  • Authentication Information: Email verification status, multi-factor authentication settings, and authentication method configurations
  • Invitation Data: When you invite others to join your organization, we collect the recipient's name and email address

2.2 Session and Technical Information

To maintain security and provide the Service, we automatically collect:

  • Session Data: Session tokens (hashed), session expiration times
  • Device and Network Information: IP address, browser user-agent, and device information
  • Geolocation Data: IP-based geolocation information for security purposes

2.3 Usage and Preference Data

We collect information about how you use and configure the Service:

  • User Preferences: In-app settings and configuration preferences
  • In-App Notifications: Notification metadata, read/unread status, and action history

2.4 Organization and Billing Information

For organizations using our Service:

  • Organization Data: Organization name and administrative settings
  • Billing Information: Stripe customer identifiers, subscription status, entitlements, quantities, and renewal dates (payment card details are stored by Stripe, not by us)

2.5 DMARC and Email Authentication Data

As part of our email authentication services, we process:

  • Domain Information: Email domains you configure for DMARC monitoring
  • DMARC Reports: XML reports sent by email providers, including sender domains, email volumes, and authentication results
  • Email Authentication Records: SPF, DKIM, and DMARC authentication outcomes
  • IP Addresses: Individual source IPs from email sending sources
  • Network Ranges: BGP CIDR prefixes associated with sending IPs, resolved via Team Cymru's ASN lookup service
  • ASN Records: Autonomous System Number, organization name, country, and registry data associated with sending networks
  • Provider Classification: Cloud provider and email service provider (ESP) identification associated with sending infrastructure
  • Geolocation: Country, region, city, and coordinates associated with the network range

3. How We Use Your Information

We use the information we collect to:

  • Provide and Maintain the Service: Enable account creation, authentication, session management, and core platform functionality
  • Process DMARC Data: Analyze email authentication reports, identify sending sources, and provide source classification insights
  • Billing and Subscriptions: Process payments, manage subscriptions, and track usage-based billing through our payment processor (Stripe)
  • Improve the Service: Analyze usage patterns, troubleshoot issues, and develop new features
  • Security and Fraud Prevention: Detect and prevent unauthorized access, abuse, and fraudulent activity
  • Communications: Send service-related notifications, updates, and administrative messages
  • Compliance: Meet legal obligations and enforce our Terms of Service

4. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA) or United Kingdom (UK), our legal basis for collecting and using your personal information depends on the data involved and the context:

  • Contract Performance: Processing necessary to provide the Service you have requested
  • Legitimate Interests: Fraud prevention, security, and service improvement. We rely on legitimate interests for IP-based geolocation only for security purposes (e.g., detecting unauthorized access), not for general analytics.
  • Legal Compliance: Meeting regulatory requirements and responding to legal requests
  • Consent: Where you have explicitly consented to specific processing activities

5. Data Sharing and Disclosure

We do not sell your personal information. We may share your information in the following situations:

5.1 Service Providers

We use trusted third-party service providers to support our Service:

  • Stripe: Payment processing and subscription management
  • Cloudflare: Content delivery, security, and DDoS protection

These providers are contractually obligated to protect your information and use it only for the purposes we specify.

We also use Team Cymru's public DNS-based ASN lookup service to resolve BGP network ranges for source IPs found in DMARC reports. This is a passive query to a public service; no personal account data is transmitted.

5.2 Business Transfers

If Monolithic is involved in a merger, acquisition, or sale of assets, your personal information may be transferred. We will provide notice before your information becomes subject to a different privacy policy.

5.3 Legal Requirements

We may disclose your information when required by law or in response to:

  • Valid legal processes (subpoenas, court orders)
  • Requests from government authorities
  • Protection of our rights, property, or safety
  • Prevention of fraud or security threats

6. Data Retention

We retain your personal information for as long as your account remains active, as necessary to provide the Service, or as required by law or for legitimate business purposes such as dispute resolution and fraud prevention. When you delete your account, we will delete or anonymize your personal information within 90 days. DMARC report data may be retained for analytical purposes but will be disassociated from identifiable user accounts upon account deletion.

7. Data Security

We implement industry-standard security measures to protect your information:

  • Encryption: Data in transit is encrypted using TLS; sensitive data at rest is encrypted
  • Authentication: Password hashing using secure algorithms, support for multi-factor authentication
  • Access Controls: Role-based access controls and principle of least privilege
  • Session Management: Secure session tokens with automatic expiration
  • Infrastructure Security: Regular security updates, firewalls, and intrusion detection

No method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

8. Your Rights and Choices

Depending on your location, you may have the right to: request a copy of your personal information; export your data in a machine-readable format; update or correct inaccurate information; request deletion of your personal information (subject to legal retention requirements); restrict processing in certain circumstances; object to processing based on legitimate interests; and withdraw consent where consent is the legal basis.

To exercise these rights, contact us at [email protected]. We will respond to requests within 30 days.

9. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have rights under the CCPA and CPRA to know what personal information we collect about you, to delete or correct it, to opt out of the sale or sharing of your information (we do not sell or share your information for advertising purposes), and to non-discrimination for exercising these rights.

To submit a California privacy rights request, contact us at [email protected]. We will verify your identity before processing your request and respond within 45 days, with an extension of up to an additional 45 days where reasonably necessary.

10. International Data Transfers

Our Service is operated from the United States. If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States. For EEA and UK users, we ensure adequate safeguards are in place, including Standard Contractual Clauses approved by the European Commission and use of service providers certified under appropriate data protection frameworks.

11. Children's Privacy

Our Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately, and we will take steps to delete such information.

12. Cookies and Tracking Technologies

We use strictly necessary cookies to maintain your session and authentication state. These cookies are required for the Service to function and cannot be disabled. We do not use analytics or cross-site tracking cookies. You can control cookies through your browser settings, but disabling session cookies will prevent you from using the Service.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy with a new "Last Updated" date and sending an email notification to your registered address. Your continued use of the Service after changes take effect constitutes acceptance of the updated Privacy Policy.

14. Contact Us

For questions, concerns, or requests regarding this Privacy Policy, contact us at [email protected].

For EEA and UK users, you also have the right to lodge a complaint with your local data protection authority. A list of EEA supervisory authorities is available at edpb.europa.eu.