Privacy Policy

Last updated: May 8, 2026

Changelog: initial version published May 8, 2026. Material changes will be listed here with date and a one-line summary.

Monday Morning is a local-first desktop app. Most of your data — specs, tasks, notes, and project state — stays on your own machine in a local .mm/ folder. We collect only what's necessary to operate the service you pay for and to improve the product, and we try to make those choices visible and opt-in wherever we can.

Data we collect

1. Account data (Supabase auth)

Your email address for sign-in and an optional display name. Stored in Supabase. Used only for authentication and for sending you transactional messages (receipts, security alerts).

2. License activation (LemonSqueezy)

Your license key and the email address associated with your purchase. Used only to validate and deactivate paid-tier entitlements. LemonSqueezy handles all payment data; we never see your card numbers.

3. Opt-in product telemetry (Pro / Team)

Collected only if you enable telemetry in Settings → Privacy. We record event names (for example app_launch, project_created) and non-identifying metadata. We never collect file contents, project names, spec titles, or source code. Data is aggregated by our analytics provider: [Analytics Provider TBD].

4. Opt-in crash reports

Collected only if you enable crash reporting. Stack traces are captured locally with PII scrubbing — home directory paths, usernames, and other identifying strings are removed before transmission. Remote aggregation provider: [Crash Reporter TBD].

5. Marketing-site analytics

Vercel Analytics and Vercel Speed Insights on getmondaymorning.com. These are anonymous and cookie-less; no personal data is collected.

How we use it

  • To sign you into the app.
  • To enforce license entitlements for paid tiers.
  • To improve the product — fixing crashes, prioritizing features, understanding which workflows matter.
  • To protect the service from abuse and security threats.

Data we do NOT collect

  • Your source code.
  • The contents of your files.
  • Your project names, spec titles, task titles, or notes.
  • Client secrets, API keys, or credentials stored in plugins.

Third-party integrations (optional)

Monday Morning can connect to third-party services you already use — for example Google Calendar, Slack, GitHub, Trello, Notion, Grain, and Harvest. Every integration is off by default and requires you to explicitly authorize it from the Plugins page.

When you connect a service, data flows directly between your computer and that provider. It does not pass through Monday Morning's servers — Monday Morning does not operate any servers that store integration data. OAuth refresh tokens and API keys are stored in your operating system's keychain.

Google Calendar

If you choose to sign in with Google from Plugins → Google Calendar, Monday Morning requests the following:

  • Scope requested: https://www.googleapis.com/auth/calendar.readonly — read-only access to your calendars. We never request write access; Monday Morning cannot modify, create, or delete calendar events.
  • Data accessed: event titles, start and end times, descriptions, attendee names and emails, video-conference links (Google Meet, etc.), and event metadata (calendar ID, location, recurrence) for upcoming events on the calendars you grant access to.
  • Where it's stored: cached locally in your project folder at .mm/calendar/events.json. The OAuth refresh token is stored in your operating system's keychain. Neither leaves your machine.
  • How it's used: to populate the in-app Meetings view, merge calendar events with manually-tracked meeting notes, and provide context to AI prompts that you explicitly invoke from your own machine. It is never used for advertising or profiling, sold to third parties, or transmitted to Monday Morning's infrastructure.
  • Disconnection: you can disconnect at any time from Plugins → Google Calendar → Disconnect, which immediately removes the refresh token and clears the local cache. You can also revoke access directly at myaccount.google.com/permissions.

Monday Morning's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Sharing and sub-processors

We share the minimum necessary data with the following service providers to operate Monday Morning:

  • Supabase — authentication and account storage.
  • LemonSqueezy — payments, subscriptions, and the customer portal.
  • Vercel — marketing-site hosting and anonymous analytics.
  • [Product analytics provider TBD] — opt-in telemetry.
  • [Crash reporter TBD] — opt-in crash reports.

We do not sell your data.

Your rights

You can request access to, correction of, or deletion of your personal data at any time. Email privacy@getmondaymorning.com and we'll respond within 30 days.

Data retention

Free-tier session history is retained locally for 7 days. Account data is retained while your account is active and for a short period afterward for legal and billing records. You can request deletion at any time (see above).

Security

All network traffic uses TLS encryption in transit. Credentials for plugins and integrations are stored in your operating system's keychain (macOS Keychain, Windows Credential Manager, libsecret on Linux). Our infrastructure providers maintain SOC 2 or equivalent certifications.

Changes to this policy

We may update this policy as the product evolves. The version on this page is always current. Substantive changes will be announced in the app before they take effect.

Contact

Questions? Email privacy@getmondaymorning.com.