Privacy Policy
MONOLITH ("we", "our", "us") operates the news intelligence platform at monolith.news. This policy describes what data we collect, why we collect it, who we share it with, how long we keep it, and your rights.
1. Who We Are
MONOLITH is a real-time news intelligence platform operated by Monolith News LLC, a Wyoming limited liability company. We aggregate publicly available RSS feeds and provide AI-assisted analysis of news content.
For data-related enquiries: [email protected]
EU/UK Representative: As a U.S. company directing services to EU and UK residents, we are in the process of appointing a formal Article 27 GDPR representative in the EU/EEA and a UK GDPR representative. In the interim, all data subject requests for EU/UK residents are handled directly by us at [email protected] within the statutory 30-day response period.
2. Data We Collect
2.1 Account Data (registered users only)
| Field | Purpose | Legal Basis |
|---|---|---|
| Username | Account identifier | Contract performance |
| Display name | UI personalisation | Contract performance |
| Password hash (PBKDF2-SHA-256) | Authentication — plaintext never stored | Contract performance |
| Email address (optional) | Verification, magic-link login, digest | Legitimate interest / consent |
| Account tier | Feature access gating | Contract performance |
| Creation timestamp | Account management, abuse prevention | Legitimate interest |
2.2 Session Data
Active sessions are stored server-side in Cloudflare KV with a hard 7-day expiry. Sessions contain username, display name, and tier. They contain no passwords or payment details.
2.3 Payment Data (Pro subscribers)
Paddle processes all payments. We store from Paddle webhook events: email address, Paddle subscription ID, plan type, and validity period. We do not store credit card numbers, CVVs, or billing addresses.
2.4 AI Query Processing
When you use AI chat, your messages are forwarded to AI providers (Groq, Anthropic, OpenAI, OpenRouter). We log: event type, tier, model used, username, and timestamp. We do not log the full text of your query in our own systems.
2.5 Push Notifications
If you enable push notifications, we store your browser push endpoint, encryption keys, username, and subscription timestamp in Cloudflare KV solely to deliver notifications.
2.6 Behavioural Data (local only)
Topic preferences and reading history used for feed personalisation are stored exclusively in your browser's localStorage. This data never leaves your device.
3. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Until account deletion request |
| Sessions | 7 days (auto-expire) |
| Payment records | Duration of subscription + 7 years |
| Push subscriptions | 90 days from last renewal |
| Security event log | 7 days (rolling) |
| Rate limit counters | 60 seconds – 1 hour (auto-expire) |
4. Third-Party Processors
| Service | Purpose |
|---|---|
| Cloudflare | Infrastructure, CDN, KV storage, DNS |
| Paddle | Payment processing (Merchant of Record) |
| Groq | AI inference (free tier) |
| OpenRouter | AI model routing (Pro tier) |
| Anthropic | AI inference (Pro tier) |
| OpenAI | Voice synthesis (TTS) |
| ElevenLabs | Voice synthesis (TTS) |
| Resend | Transactional email |
5. Your Rights
5.1 Rights for EU / EEA Residents (GDPR)
Under the General Data Protection Regulation you have the following rights:
- Access (Art. 15) — request a copy of the personal data we hold about you
- Rectification (Art. 16) — correct inaccurate or incomplete data
- Erasure (Art. 17) — request deletion of your data ("right to be forgotten")
- Restriction (Art. 18) — ask us to pause processing while a dispute is resolved
- Portability (Art. 20) — receive your data in a structured, machine-readable format
- Objection (Art. 21) — object to processing based on legitimate interest
- Withdraw consent — where processing relies on consent, you may withdraw it at any time without affecting the lawfulness of prior processing
To exercise any of these rights, email [email protected]. We will respond within 30 days (extendable to 90 days for complex requests, with notice).
If you are unsatisfied with our response, you have the right to lodge a complaint with your local supervisory authority. A directory of EU data protection authorities is available at edpb.europa.eu.
5.2 Rights for UK Residents (UK GDPR)
UK residents have equivalent rights under the UK GDPR and Data Protection Act 2018. You may also complain to the Information Commissioner's Office (ICO).
5.3 Rights for California Residents (CCPA / CPRA)
California residents have the right to know what personal information is collected, to request deletion, to opt out of sale (we do not sell personal data), and to non-discrimination for exercising these rights. Submit requests to [email protected].
5.4 Account Deletion
To delete your account and all associated data, use the Account Settings page within the app or email us directly. Deletion requests are processed within 14 days.
6. International Data Transfers
MONOLITH is operated from the United States. Our infrastructure providers (Cloudflare, Groq, Resend, Anthropic, OpenAI, OpenRouter, ElevenLabs) process data on servers in the United States and other countries outside the EU/EEA.
Where personal data is transferred from the EU/EEA or UK to a third country, we rely on the following safeguards:
- Standard Contractual Clauses (SCCs) — our key processors (Cloudflare, Anthropic, OpenAI, Resend) have executed EU Standard Contractual Clauses approved by the European Commission under Decision 2021/914/EU
- Adequacy decisions — where the European Commission has recognised a third country as providing adequate protection
- Legitimate interest / necessity — for incidental transfers required to fulfil the contract (e.g. routing an AI query to an inference provider)
You may request a copy of the relevant SCCs by emailing [email protected].
7. Cookies
MONOLITH does not use tracking cookies. We use browser localStorage for session management and feed personalisation. No third-party advertising cookies are set.
8. Children's Privacy
The Service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, contact us immediately.
9. Changes to This Policy
We will notify registered users by email of material changes at least 14 days before they take effect. The current version is always available at monolith.news/privacy.
10. Contact
MONOLITH · Monolith News LLC
Email: [email protected]