Privacy Policy

Last Updated: January 17, 2026

We, Monolith (“we”, “us”, “our”), welcome your use of our website and web application (“Services”). In the following provisions, we inform you about the type, scope, and purposes of the collection and use of your personal data when using our Services. Personal data refers to any information that relates to an identified or identifiable natural person.

1. Provider

The provider of the Services and the controller in the sense of the GDPR is:

Monolith

Email: hello@monolith.com

2. Data Processing to Enable Use

Whenever you access the content of our Services, connection data is transmitted to our web server. This connection data includes:

  • The IP address of the user
  • The date and time of the request
  • The referring URL
  • Device information (e.g., device type, browser type/version)
  • Unique device identifiers

This connection data is not used to infer the identity of the user or merged with data from other sources, but rather serves to provide the website. The legal basis for processing your data is Art. 6 para. 1 sentence 1 lit. f GDPR (legitimate interest in providing a functional service).

3. Data Processing upon Request

3.1 Registration and Login

For registration to use our web application, we collect the following personal data:

  • Email address: for authentication via Supabase Auth
  • Password: securely hashed and stored for account access

Legal basis: Art. 6 para. 1 sentence 1 lit. b GDPR (contract fulfillment) and Art. 6 para. 1 sentence 1 lit. f GDPR (legitimate interest in providing the app).

3.2 Authentication via Supabase

Authentication is performed through Supabase, a service that processes your email address and IP address to enable secure login. Data is stored in compliance with GDPR requirements.

3.3 Image Generation and Storage

When you use our image generation features:

  • Prompts and inputs: stored to enable generation and history
  • Generated images: stored on Cloudinary for delivery and gallery access
  • Reference images: uploaded images are processed to maintain character consistency

Legal basis: Art. 6 para. 1 sentence 1 lit. b GDPR (contract fulfillment).

4. Third-Party Services

Our Services use the following third-party providers:

4.1 Supabase (Authentication & Database)

We use Supabase for user authentication and data storage. Supabase processes your email address, login credentials, and application data. Data is stored in secure, GDPR-compliant data centers.

4.2 Cloudinary (Image Storage & Delivery)

Generated images and uploaded references are stored on Cloudinary, a cloud media platform. Cloudinary ensures fast global delivery and reliable backup of your images. You can download or delete your images at any time.

4.3 Google Gemini API (AI Captions)

We use Google's Gemini API to generate AI-powered captions and analyze images for caption generation. Image data sent to Gemini is processed according to Google's privacy policy and is not used to train their models.

4.4 Vercel (Hosting)

Our Services are hosted on Vercel. When you visit, your browser loads necessary data by connecting to Vercel servers. Vercel may record your IP address for security purposes.

5. Cookies and Similar Technologies

Our Services use cookies and similar technologies to ensure functionality and improve user experience.

5.1 Essential Cookies

These cookies are required to provide our Services and ensure secure operation:

  • Session cookies for login and authentication
  • Security cookies to protect against misuse

Legal basis: Art. 6 para. 1 sentence 1 lit. b GDPR (performance of contract) and Art. 6 para. 1 sentence 1 lit. f GDPR (legitimate interest in security).

5.2 Managing Cookies

You can configure your browser to reject cookies or delete stored cookies. Note that disabling essential cookies may limit the functionality of our Services.

6. Data Transfer

Your data may be transferred to recipients outside the EU, including the USA, where our third-party providers operate. We ensure appropriate safeguards through:

  • EU Standard Contractual Clauses
  • Adequacy decisions where applicable
  • Provider certifications under data protection frameworks

7. Storage Duration

We store your data only as long as necessary to fulfill the purposes for which it was processed:

  • Account data: retained while your account is active, deleted upon account deletion request
  • Generated images: retained until you delete them or close your account
  • Log data: typically retained for 30 days for security purposes

8. Your Rights

Under GDPR, you have the following rights regarding your personal data:

  • Right of access: obtain information about your stored data
  • Right to rectification: correct inaccurate personal data
  • Right to erasure: request deletion of your personal data
  • Right to restriction: limit processing of your data
  • Right to data portability: receive your data in a machine-readable format
  • Right to object: object to processing based on legitimate interests

To exercise these rights, contact us at hello@monolith.com.

9. Security Measures

We protect your data with technical and organizational measures against unauthorized access, loss, and misuse. This includes:

  • Encryption of data in transit (HTTPS/TLS)
  • Encryption of data at rest
  • Secure authentication mechanisms
  • Regular security reviews

10. Changes to This Privacy Policy

We may update this Privacy Policy as necessary to reflect changes in our practices or legal requirements. The current version is always available on our website. Material changes will be communicated to registered users via email.

11. Contact

For questions about this Privacy Policy or data protection, contact us at: