Privacy Policy

1. Introduction

This Privacy Policy explains how Monaveo Ltd. ("we", "us", "our"), operating the Monaveo platform, collects, uses, and protects personal data when you use our services. We are committed to protecting your privacy in accordance with the UK GDPR, the General Data Protection Regulation (EU) 2016/679, and applicable laws of England and Wales.

2. Data We Collect

2.1 Account Data

When you create an account, we collect your name, email address, company name, billing address, and payment information (processed securely through Stripe).

2.2 Service Data

When you use Monaveo to manage devices, the platform processes device hostnames, IP addresses, operating system information, hardware metrics (CPU, memory, disk usage), and service/process status. This data is collected by agents installed on managed devices.

2.3 Microsoft 365 Data

If you connect your Microsoft 365 tenant, Monaveo accesses user directory information, device compliance status, and Intune device inventory via the Microsoft Graph API. This data is accessed only with your explicit admin consent and is used solely to display and manage your M365 environment within the Monaveo dashboard. We do not store M365 data beyond short-term caching for display.

2.4 Communication Data

We collect data from support tickets, emails, and other communications you send to us.

2.5 Usage Data

We collect basic analytics about how you interact with the dashboard, including pages visited, features used, and session duration.

3. How We Use Your Data

We use your data to:

• Provide and maintain the Monaveo platform and its features
• Process billing and payments
• Send service notifications, alerts, and system updates
• Provide technical support
• Improve and develop new features
• Comply with legal obligations

4. Data Encryption & Security

All commands sent between the Monaveo dashboard and managed agents are encrypted end-to-end. Our relay servers forward encrypted data without the ability to read or decrypt the content. Each managed device receives a unique cryptographic identity for secure communication.

We implement industry-standard security measures including encrypted data transmission, secure authentication, role-based access control, and strict tenant isolation between MSP accounts.

5. Data Sharing

We do not sell your personal data. We share data only with:

• Stripe — for payment processing
• Cloudflare — for content delivery and security
• Contabo GmbH — EU region hosting (Germany)
• Contabo GmbH — US region hosting (New Jersey, USA)
• RustDesk (Purslane Ltd) — for remote desktop sessions (public relay, self-hosted planned)
• SMTP2GO — for transactional email delivery (regionally routed)
• Microsoft Corporation — only when you connect your M365 tenant (Graph API, admin consent required)
• Law enforcement — only when legally required

6. Data Retention

We retain different categories of data for specific periods based on operational necessity and legal requirements:

• Account Data (name, email, company, billing) — retained for the duration of your active account plus 30 days after account deletion
• Device Performance Metrics (CPU, memory, disk usage) — retained for 48 hours in real-time resolution. Older metrics are automatically purged
• Device Inventory Data (installed software, hardware specs, OS info) — retained for the duration of the account as part of asset management
• Notifications (system notifications, in-app alerts) — retained for 30 days, then automatically purged
• Alert History (device alerts, threshold violations) — active alerts are retained until resolved. Resolved and dismissed alerts are automatically purged after 1 year
• Audit Logs (user actions, configuration changes, login events) — retained for 1 year, then automatically purged. In the event of active legal proceedings or regulatory investigation, relevant logs may be retained longer as required by law
• Ticket Data (support tickets, comments, attachments) — retained for the duration of the account
• Billing Records (invoices, payment history) — retained for 6 years as required by UK Tax Law (HMRC) and the Companies Act 2006.
• Database Backups — retained for 30 days, then permanently destroyed

When you close your account, we delete your personal data within 30 days, except where retention is required by law (e.g., billing records). Customers wishing to retain a copy of their data must submit a written request to privacy@monaveo.com before or within fourteen (14) days of termination. Monaveo will work with the Customer in good faith to provide a copy of their data on a case-by-case basis, with the format, scope, and delivery method agreed between the parties based on what is technically feasible at the time of the request. A reasonable service fee may apply to data export requests. Deletion of personal data remains free of charge. Full details are set out in our Terms of Service §14.4.

7. Your Rights

Under UK GDPR and EU GDPR, you have the right to:

• Access your personal data
• Rectify inaccurate data
• Erase your data ("right to be forgotten") — contact us and we will process your deletion request within 30 days, as required by UK GDPR
• Restrict processing of your data
• Data portability — receive your data in a structured format
• Object to processing based on legitimate interests
• Withdraw consent at any time

To exercise any of these rights, contact us at hello@monaveo.com.

8. Cookies

The Monaveo website and dashboard use only strictly necessary cookies required for authentication, session management, and security. These cookies are exempt from consent requirements under Regulation 6(4) of the UK Privacy and Electronic Communications Regulations (PECR) 2003, as they are essential for the service you have requested. We do not use advertising, analytics, or third-party tracking cookies. No cookies are used to track you across other websites.

9. Data Residency & International Transfers

When you create your Monaveo account, you select your data region (EU or US). All your data — including device information, tickets, alerts, and reports — is processed and stored exclusively within your chosen region.

Each region operates as a completely independent environment with separate databases and application instances. No personal data is replicated, mirrored, or transferred between regions.

Payment processing is handled by Stripe, Inc. and content delivery by Cloudflare, Inc. — both operate under their own data processing agreements and applicable transfer safeguards.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes via email or through the Monaveo dashboard.

11. Contact Us