This privacy policy describes which personal data monsys.ai processes, why, how long we retain it, with whom we share it, and what rights you have under the General Data Protection Regulation (GDPR).
GoTrust BV, established in Belgium, operates monsys.ai and is the data controller within the meaning of GDPR.
Contact for privacy questions, access requests, rectification or deletion: info@gotrust.be.
GoTrust BV has not appointed a Data Protection Officer (DPO) because the scale of processing does not require one under GDPR. For formal complaints you may contact the Belgian Data Protection Authority (gba-apd.be).
**Account data** — work email address, hashed (bcrypt) password, first name (optional), tenant name, role, IP address and timestamp of last login, IP and timestamp of terms acceptance.
**Server telemetry** — hostname, OS, version, CPU/memory/disk aggregates, installed packages, running services, listening ports, SSH keys, sudo permissions, container info. We do NOT transmit raw log lines or file content.
**Inventory of users and groups** on your servers — for compliance reports. Passwords are NEVER read or stored.
**Billing data** (Pro tier only) — payment method metadata (card brand + last 4 digits, never the full number), invoices, payment status. Full card data is sent directly to Stripe or PayPal and never reaches our servers.
**Audit logs** — who performed which action and when in the hub (login, agent creation, console session, emergency action). Retained for security investigation.
**Performance of the contract** (Art. 6.1.b GDPR) for all account data, telemetry and billing — this is what you need to use the service.
**Legal obligation** (Art. 6.1.c GDPR) for billing data (Belgian accounting law — 7-year retention for outgoing invoices).
**Legitimate interest** (Art. 6.1.f GDPR) for security audit logs, fraud detection, debugging and service improvement. You may object at any time via info@gotrust.be.
We do NOT use profiling or automated decision-making that significantly affects your legal position.
We share data only with the following processors, all under a Data Processing Agreement (DPA):
• **Stripe Payments Europe Ltd** (Ireland) — for card and SEPA payments. GDPR-compliant.
• **PayPal (Europe) S.à r.l.** (Luxembourg) — for PayPal payments.
• **Our EU hosting provider** — to run the hub (servers in an EU data centre).
• **Email provider** — for transactional email (account confirmation, password reset, invoice notifications).
We NEVER sell data, do NOT use ad trackers, and do NOT send data outside the EU/EEA unless via a GDPR-compliant transfer mechanism.
**Telemetry** — Free tier: 7-day rolling window. Pro tier: 90-day rolling window. Automatically deleted thereafter.
**Account data** — for the lifetime of the account + 30 days after cancellation (to allow rollback after an accidental cancellation).
**Audit logs** — 1 year.
**Invoices and payment documents** — 7 years (Belgian accounting law).
**Backups** — our nightly backups contain copies of the above. Retained 30 days. Deletion requests are propagated to backups within 30 days via restore-on-write.
Under GDPR you have the right to:
• **Access** the data we hold about you (Art. 15);
• **Rectify** incorrect data (Art. 16);
• **Erasure** ("right to be forgotten", Art. 17) — your tenant and all associated data are removed within 30 days;
• **Restrict** processing (Art. 18);
• **Portability** — a machine-readable export of your data (Art. 20);
• **Object** to processing based on legitimate interest (Art. 21);
• Lodge a **complaint** with the Belgian Data Protection Authority (gba-apd.be).
Send your request to info@gotrust.be. We respond within 30 days.
All personal data, telemetry, and backups are stored on infrastructure located within the European Union. We do not transfer personal data to third countries unless they are covered by an appropriate GDPR mechanism (adequacy decision or standard contractual clauses).
We apply appropriate technical and organisational measures: TLS 1.3 on all connections, bcrypt for passwords, Ed25519 signatures for agent payloads, database Row-Level Security for tenant isolation, user roles (RBAC), TOTP two-factor for admin actions.
In the exceptional event of a data breach with high risk to your rights and freedoms, we will notify the Data Protection Authority within 72 hours and you directly by email.
Our public website (monsys.ai) uses only strictly necessary cookies (language preference, session). The Hub (app.monsys.ai) uses a session cookie for authentication. See our cookie policy for details and the cookie banner for your choice.
We may update this policy. Material changes are announced at least 30 days in advance by email. The most recent version is always available at /privacy.