Privacy Policy

Last updated: March 24, 2026

1. Introduction

Monfri ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our platform at monfri.net ("Service").

We comply with the General Data Protection Regulation (GDPR) and applicable data protection laws of the Republic of Bulgaria.

2. Data We Collect

2.1 Account Data

When you register, we collect:

  • Name, email address, and password (hashed)
  • Organization name
  • Optional: phone number, avatar, timezone, language preference

2.2 Usage Data

We automatically collect:

  • IP address and approximate location (for security and analytics)
  • Browser type and device information
  • Pages visited and features used within the Service
  • Login timestamps

2.3 Customer Data

Data you upload or create through our services (contacts, campaigns, events, workflows) is processed on your behalf. You are the data controller for this data; we are the data processor.

2.4 Social Login Data

If you sign in with Google, we receive your name, email address, and profile picture from Google. We do not access your Google contacts, calendar, or other data.

3. How We Use Your Data

We use your data to:

  • Provide, maintain, and improve the Service
  • Authenticate your identity and manage your account
  • Process billing and subscriptions (via Paddle, our payment processor)
  • Send transactional emails (verification, password reset, billing notifications)
  • Monitor and prevent abuse or security threats
  • Generate aggregated, anonymized analytics to improve the platform

We do not sell your personal data to third parties. We do not use your data for advertising purposes.

4. Third-Party Services

We use the following third-party services that may process your data:

  • Paddle (paddle.com) — Payment processing, invoicing, and tax compliance. Paddle acts as the merchant of record.
  • Cloudflare (cloudflare.com) — CDN, DDoS protection, and DNS. Cloudflare processes request metadata (IP, headers) for security.
  • Google OAuth (accounts.google.com) — Optional social login authentication.
  • MaxMind GeoLite2 — IP-based geolocation for analytics (country, city). No personal data is shared with MaxMind.

5. Data Storage and Security

Your data is stored on servers located in the European Union. We implement industry-standard security measures including:

  • Encryption in transit (TLS 1.2+) and at rest
  • Database access restricted to application services only
  • Regular security audits and updates
  • Role-based access control within the platform
  • Automated backups with offsite storage

6. Data Retention

We retain your account data for as long as your account is active. After account deletion:

  • Personal data is deleted within 30 days
  • Anonymized analytics data may be retained indefinitely
  • Backups containing your data are rotated within 30 days
  • Legal obligations may require longer retention of billing records

7. Your Rights (GDPR)

Under the GDPR, you have the right to:

  • Access — Request a copy of your personal data
  • Rectification — Correct inaccurate personal data
  • Erasure — Request deletion of your personal data ("right to be forgotten")
  • Portability — Receive your data in a structured, machine-readable format
  • Restriction — Request limitation of processing of your data
  • Objection — Object to processing of your data
  • Withdraw Consent — Withdraw consent at any time where processing is based on consent

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

8. Cookies

We use essential cookies for:

  • Session management (keeping you logged in)
  • CSRF protection (security)
  • Language and timezone preferences

We do not use third-party tracking cookies or advertising cookies. Cloudflare may set security-related cookies (__cf_bm) to identify bots.

9. Children's Privacy

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

10. International Data Transfers

Your data is primarily stored and processed within the European Union. If data is transferred outside the EU (e.g., through Cloudflare's global network), it is protected by Standard Contractual Clauses or equivalent safeguards as required by the GDPR.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Service. The "Last updated" date at the top indicates when the latest changes were made.

12. Contact

For privacy-related inquiries: