Privacy & Cookies
Last updated: Tuesday, April 7, 2026
This page explains what personal data MonkStreet collects, why we collect it, how we use it, who we share it with, and what rights you have. We've tried to make it readable. The structure follows what GDPR requires, but the language is plain English.
If anything here is unclear, email us at info@monk.st and we'll explain.
Who's responsible for your data
The data controller for MonkStreet is Gestoría Administrativa C.G., S.L.P., the Spanish company that operates the MonkStreet platform.
- Legal name: Gestoría Administrativa C.G., S.L.P.
- Tax ID (NIF): B87121075
- Registered address: C/ Alfonso Rodríguez Santamaría, 29, Bajo, 28002 Madrid, Spain
- Email for data protection matters: info@monk.st
We have not appointed a Data Protection Officer because we're not required to under Article 37 of the GDPR. For all data protection matters, contact us at the email above.
What personal data we collect
We try to collect as little as possible. Here's the actual list:
When you create an account with email and password:
- your email address
- a hashed version of your password (we never see or store the password itself)
- your first name and last name
- an email verification code (temporary, used only to confirm your email is real, then expires)
- your preferred language
- account timestamps (when you signed up, when you last logged in)
When you create an account with Google sign-in:
- your email address
- your first name and last name (as provided by Google)
- your profile picture URL (as provided by Google)
- a hashed identifier from your Google account (we never see your actual Google ID — only a one-way hash)
- your preferred language
- account timestamps (when you signed up, when you last logged in)
When you subscribe to a paid plan:
- billing information collected by Stripe on our behalf (name, billing address, and tax ID where required by Spanish law)
- payment metadata Stripe shares with us (last four digits of your card, customer ID, subscription status)
- subscription state we keep on your account record: your Stripe customer and subscription IDs, your current plan, your subscription start and end dates, and whether you're on a free trial
We don't see or store your full card number, CVV, or bank details. Stripe handles all of that directly.
When you use the platform:
- watchlists, screens, and other content you create
- a log of which companies you've analyzed on MonkStreet, used to power features like recent activity and to help us improve the product
- your credit balance and usage (which depth-gated features you've consumed)
- your notification preferences (what kinds of updates you want to receive from us)
- your activity on the platform — which pages you visit, which features you use — used to improve the service and detect issues
- IP address (logged automatically by our servers and retained for approximately 30 days for security and debugging)
- browser type and device info (logged automatically for the same reasons)
When you contact us or submit feedback:
- whatever you write to us (message content)
- your email address (so we can reply)
- the page you submitted from (for issue reports)
When you subscribe to our newsletter:
- your email address
- your subscription preferences
What we do NOT collect:
We don't collect your phone number, date of birth, gender, nationality, identification number, passport number, or home address — other than what Stripe collects for tax purposes when you subscribe. If you ever see a form on MonkStreet asking for these, something has gone wrong. Please tell us.
Why we collect it (and the legal basis)
GDPR requires us to tell you not just what we collect, but why, and which legal basis under Article 6 allows us to process it. Here's the breakdown:
| What we use it for | Legal basis |
|---|---|
| Creating and managing your account | Contract performance — we can't provide the service without it |
| Authenticating you when you log in | Contract performance |
| Processing your subscription and payments | Contract performance |
| Issuing invoices and complying with Spanish tax law | Legal obligation |
| Providing customer support | Contract performance |
| Detecting and preventing fraud, abuse, or security incidents | Legitimate interest — keeping the platform safe for everyone |
| Improving the platform based on usage patterns | Legitimate interest — making the product better |
| Sending you newsletter or marketing emails | Consent — you can withdraw it anytime |
| Showing you relevant content based on your interests within the platform | Legitimate interest |
| Responding to your data protection requests | Legal obligation |
| Defending ourselves in legal disputes | Legitimate interest |
If we ever want to use your data for a purpose not listed here, we'll ask for your consent first.
How long we keep your data
We keep your personal data only as long as we need it for the purposes above. Specifically:
- Account data: kept while your account is active. Hard-deleted from our primary database when you delete your account.
- Payment and invoice records: retained for 6 years after the transaction, as required by Spanish tax law (Ley General Tributaria).
- Server logs (including IP addresses): approximately 30 days, then auto-deleted.
- Newsletter subscription: kept until you unsubscribe.
- Database backups: our backups roll on a 30-day window. After you delete your account, residual data may persist in backups for up to 30 days before being overwritten.
- Sub-processor data: we'll request deletion from our sub-processors (analytics, error tracking, etc.) within 30 days of your account deletion.
Who we share your data with
We share your data only with sub-processors who help us run the platform. Each one has a legitimate purpose and an appropriate data protection agreement in place.
| Sub-processor | What they do | Where they're located | Transfer safeguard |
|---|---|---|---|
| MongoDB Atlas | Database hosting | Ireland (EU) | EU-hosted, no international transfer required |
| Vercel | Web hosting and serverless functions | United States | EU Standard Contractual Clauses (SCCs) + EU-US Data Privacy Framework |
| Heroku (Salesforce) | Backend application hosting | United States | EU SCCs + EU-US Data Privacy Framework |
| Stripe | Payment processing | Stripe Payments Europe Ltd., Ireland (EU) | EU-hosted for EU users |
| Hetzner | Self-hosted automation server (n8n) | Nuremberg, Germany (EU) | EU-hosted, no international transfer required |
| Google (Gmail / OAuth) | Sign-in with Google, sending operational email | United States | EU SCCs + EU-US Data Privacy Framework |
| Amazon SES | Transactional email delivery | Stockholm and London (EU) | EU-hosted |
| Google Analytics | Aggregate usage analytics | United States | EU SCCs + EU-US Data Privacy Framework |
| Vercel Analytics | Aggregate web analytics | United States | EU SCCs + EU-US Data Privacy Framework |
| Hotjar | Anonymized user behavior analysis | Malta (EU) | EU-hosted |
| Sentry | Error tracking and debugging | United States | EU SCCs + EU-US Data Privacy Framework |
| Substack | Newsletter hosting (some content) | United States | EU SCCs + EU-US Data Privacy Framework — requires your explicit opt-in |
| Kit (formerly ConvertKit) | Newsletter delivery | United States | EU SCCs + EU-US Data Privacy Framework — requires your explicit opt-in |
| Meta (Facebook) Pixel ¹ | Marketing analytics and conversion tracking | United States | EU SCCs + EU-US Data Privacy Framework — only loaded if you accept marketing cookies |
| Google Ads / Google Tag Manager ¹ | Advertising and conversion tracking | United States | EU SCCs + EU-US Data Privacy Framework — only loaded if you accept marketing cookies |
| X (Twitter) Pixel ¹ | Advertising and conversion tracking | United States | EU SCCs + EU-US Data Privacy Framework — only loaded if you accept marketing cookies |
| LinkedIn Insight Tag ¹ | Advertising and conversion tracking | United States | EU SCCs + EU-US Data Privacy Framework — only loaded if you accept marketing cookies |
| xAI, Anthropic, Google Gemini | AI features within the platform | United States | We do not send personal data to these providers — only public market data |
¹ Tracking pixels are listed for transparency. They are only loaded if you give consent through our cookie banner.
We do not sell your personal data to anyone. Ever.
International data transfers
Some of our sub-processors are located outside the European Economic Area, primarily in the United States. When we transfer your personal data to those providers, we rely on safeguards approved under GDPR:
- EU Standard Contractual Clauses (SCCs) — contractual protections approved by the European Commission.
- EU-US Data Privacy Framework — a transfer mechanism for US-based providers that have certified compliance with EU data protection standards.
You can request copies of these agreements by contacting us at info@monk.st.
Your rights
Under GDPR, you have the following rights regarding your personal data:
- Right of access — get a copy of the personal data we hold about you
- Right to rectification — correct anything that's wrong
- Right to erasure ("right to be forgotten") — delete your data, subject to legal retention obligations
- Right to restrict processing — pause our use of your data
- Right to data portability — get your data in a portable format
- Right to object — object to processing based on legitimate interest
- Right to withdraw consent — at any time, for processing that's based on consent (like newsletter emails)
To exercise any of these rights, email us at info@monk.st. We'll respond within one month of receiving your request, as required by Article 12 of the GDPR. In complex cases we may extend this by up to two more months, and we'll tell you why.
You also have the right to lodge a complaint with a supervisory authority if you think we're handling your data incorrectly. In Spain, that's the Agencia Española de Protección de Datos (AEPD), www.aepd.es. If you're in another EU country, you can complain to your local data protection authority.
Children
MonkStreet is not for anyone under 18. We don't knowingly collect personal data from minors. If you're a parent or guardian and believe your child has provided personal information to us, please contact us at info@monk.st and we'll delete it.
Security
We take reasonable technical and organizational measures to protect your personal data: encrypted database connections, hashed passwords, access controls, secure backups, monitored infrastructure, and regular security reviews of our stack. No system is perfectly secure, but we work hard to keep yours safe.
If we ever experience a data breach that affects your personal data, we'll notify you and the relevant supervisory authority within 72 hours of becoming aware of it, as required by Article 33 of the GDPR.
Changes to this policy
We may update this Privacy Policy as MonkStreet evolves or as the law changes. If we make material changes that affect your rights, we'll notify active users by email at least 30 days before the changes take effect. Minor edits (typos, clarifications) may be made without notice, but the "Last updated" date at the top will always reflect the most recent revision.
Cookies Policy
This section explains how MonkStreet uses cookies and similar technologies.
What is a cookie?
A cookie is a small text file that a website saves to your browser to remember things — like that you're logged in, what your preferences are, or that you've already seen a particular notice. Some cookies are essential to making the site work; others help us understand how people use it; others power things like marketing measurement.
How we use cookies
We use cookies in three categories:
Strictly necessary cookies are required for the platform to work. These handle things like keeping you logged in, remembering your session, and protecting against attacks. You can't disable these because the platform doesn't function without them.
Analytics cookies let us see (in aggregate) how people use MonkStreet. These help us figure out what's working and what isn't. Includes Google Analytics, Vercel Analytics, and Hotjar.
Marketing cookies are used for advertising measurement and retargeting. Includes pixels from Meta, Google Ads, X, and LinkedIn. We only fire these if you've consented through the cookie banner.
Your cookie choices
When you first visit MonkStreet, you'll see a cookie banner. You can:
- accept all cookies
- reject all non-essential cookies
- customize your preferences by category
You can change your preferences at any time by clicking the Cookie Settings link in the page footer.
You can also manage cookies directly through your browser settings. Each browser handles this differently — search "manage cookies" along with your browser name for instructions.
Managing your cookies
You can open the cookie preferences panel at any time using the button below to enable or disable each category. Necessary cookies cannot be turned off because the platform won't work without them.