Privacy Policy

Last updated: April 22, 2026

Changelog: initial version published April 22, 2026. Material changes will be listed here with date and a one-line summary.

Draft — pending legal review before v1.0 launch. This document is a working draft. Substantive changes will be announced in-app before they take effect.

Monday Morning is a local-first desktop app. Most of your data — specs, tasks, notes, and project state — stays on your own machine in a local .mm/ folder. We collect only what's necessary to operate the service you pay for and to improve the product, and we try to make those choices visible and opt-in wherever we can.

Data we collect

1. Account data (Supabase auth)

Your email address for sign-in and an optional display name. Stored in Supabase. Used only for authentication and for sending you transactional messages (receipts, security alerts).

2. License activation (LemonSqueezy)

Your license key and the email address associated with your purchase. Used only to validate and deactivate paid-tier entitlements. LemonSqueezy handles all payment data; we never see your card numbers.

3. Opt-in product telemetry (Pro / Team)

Collected only if you enable telemetry in Settings → Privacy. We record event names (for example app_launch, project_created) and non-identifying metadata. We never collect file contents, project names, spec titles, or source code. Data is aggregated by our analytics provider: [Analytics Provider TBD].

4. Opt-in crash reports

Collected only if you enable crash reporting. Stack traces are captured locally with PII scrubbing — home directory paths, usernames, and other identifying strings are removed before transmission. Remote aggregation provider: [Crash Reporter TBD].

5. Marketing-site analytics

Vercel Analytics and Vercel Speed Insights on getmondaymorning.com. These are anonymous and cookie-less; no personal data is collected.

How we use it

  • To sign you into the app.
  • To enforce license entitlements for paid tiers.
  • To improve the product — fixing crashes, prioritizing features, understanding which workflows matter.
  • To protect the service from abuse and security threats.

Data we do NOT collect

  • Your source code.
  • The contents of your files.
  • Your project names, spec titles, task titles, or notes.
  • Client secrets, API keys, or credentials stored in plugins.

Sharing and sub-processors

We share the minimum necessary data with the following service providers to operate Monday Morning:

  • Supabase — authentication and account storage.
  • LemonSqueezy — payments, subscriptions, and the customer portal.
  • Vercel — marketing-site hosting and anonymous analytics.
  • [Product analytics provider TBD] — opt-in telemetry.
  • [Crash reporter TBD] — opt-in crash reports.

We do not sell your data.

Your rights

You can request access to, correction of, or deletion of your personal data at any time. Email privacy@getmondaymorning.com and we'll respond within 30 days.

Data retention

Free-tier session history is retained locally for 7 days. Account data is retained while your account is active and for a short period afterward for legal and billing records. You can request deletion at any time (see above).

Security

All network traffic uses TLS encryption in transit. Credentials for plugins and integrations are stored in your operating system's keychain (macOS Keychain, Windows Credential Manager, libsecret on Linux). Our infrastructure providers maintain SOC 2 or equivalent certifications.

Changes to this policy

We may update this policy as the product evolves. The version on this page is always current. Substantive changes will be announced in the app before they take effect.

Contact

Questions? Email privacy@getmondaymorning.com.