How we handle your data.
The honest version. What we collect, where it lives, who can touch it, what we're certified on today, and what we're not.
Updated: June 2026
Authentication & access
Customer accounts use email + password or Google SSO via our managed auth provider. Sessions are JWT-backed and expire on a rolling window. Production database access is limited to a small set of engineers, gated behind SSO with hardware key MFA, and fully audit-logged.
Hosting
The application runs on a serverless edge runtime in front of a managed Postgres database. Data is stored in US regions. All traffic uses TLS 1.2 or higher. Backups are encrypted at rest and tested on a rotating schedule.
What we collect
The minimum required to run scans and produce opportunities:
- Account profile — email, name, organization, role.
- Site crawl metadata — public-page content, schema, and links, used to build your prompt set and source ledger.
- Prompts you confirm and scans you run — including the provider responses and extracted citations.
- Product usage — which features you open, used for billing and improving the product. We don't sell or share this.
We don't ask for or store source-of-truth analytics, CRM, or revenue data. Monroya doesn't need it to do its job.
What we share with AI providers
During scans we query public AI providers (OpenAI, Anthropic, Google, Perplexity) with the prompts you've confirmed. Those queries look identical to any other API call — the providers do not see your account identity, your scan history, or any other customer's data. We don't send private content to them and we don't train any models on customer data.
Subprocessors
The third-party services that process customer data on our behalf:
- Email delivery — Resend, for transactional emails (trial, payment, alerts).
- Payment processing — Stripe. Card data never touches our infrastructure.
- AI providers (scan-time only) — OpenAI, Anthropic, Google, Perplexity. See above.
- Error monitoring — used for crash/error telemetry only; scrubbed of PII.
We notify customers at least 30 days before adding or replacing a subprocessor that processes customer data.
Retention & deletion
Active accounts retain scans and drafts indefinitely so you can see historical movement. On account deletion we hard-delete records within 30 days; encrypted backup snapshots are purged on the next rotation (≤30 days). Trial accounts that are never converted are purged 90 days after the trial ends.
Compliance posture
Honest snapshot — no marketing-spun badges:
- GDPR — DPA available on request for paying customers.
- SOC 2 Type II — controls implemented, audit not yet completed. If your procurement needs status today, email us.
- HIPAA / FedRAMP / ISO 27001 — not in scope.
We will publish certifications on this page only after the underlying audit is complete. We don't list "compliant" badges we haven't earned.
Reporting a security issue
Email support@monroya.ai. We acknowledge within one business day. Responsible disclosure is welcome.
Frequently asked questions
- Do you train AI models on my data?
- No. We query third-party AI providers (OpenAI, Anthropic, Google, Perplexity) to measure how they respond to public, category-level prompts. We do not send your private data, account contents, or scan history to those providers, and we do not train any models on customer data.
- Where is my data hosted?
- On US-region cloud infrastructure managed by our hosting provider, with database backups encrypted at rest. All access to production data is gated behind SSO and role-based access controls and is logged.
- Are you SOC 2 certified?
- Not yet. We have implemented controls aligned with SOC 2 Type II (access control, change management, encryption, logging) but have not completed an external audit. We will publish the report here when the audit is complete. If your procurement requires an in-flight audit letter today, email us.
- Can I delete my account and data?
- Yes. Account deletion is self-serve from the settings page. We hard-delete account records, scans, drafts, source ledgers, and crawl metadata within 30 days of the deletion request. Backups are purged on the next backup rotation cycle (≤30 days).
- Who do I contact about a security issue?
- Email support@monroya.ai with details. We acknowledge within one business day and aim to resolve critical issues within 7 days. Responsible disclosure is welcome.