Privacy Policy
Last updated: April 28, 2026
Monoid is built on a single principle: collect only what is necessary, anonymize immediately, and never identify individuals. This policy explains what data we process, why, and how.
1. Who we are
Monoid is operated by Izac Cavalheiro (monoid@monoid.website). For questions about this policy, contact us at that address.
2. Visitor data we collect on your behalf
When visitors load a page on a Monoid-instrumented site, our tracker sends a single request containing:
- The page URL and referrer URL
- A derived country code (from Cloudflare's edge metadata — not the IP address)
- A device type ("desktop", "mobile", or "tablet") derived from a User-Agent pattern match
- A one-way daily hash used only to count unique visitors
What we do not collect or store: IP addresses, full User-Agent strings, cookies, device fingerprints, precise location, or any information that could identify a natural person.
The unique visitor hash is computed as SHA-256(IP + User-Agent + SALT + YYYY-MM-DD). The date component means the hash changes every midnight UTC. The secret SALT makes brute-force reversal infeasible. The hash is a count signal — it cannot be used to re-identify or track a visitor.
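The hash scheme described above, as an added example that is not Monoid's own code. The plain string concatenation, UTF-8 encoding, hex output and the function names are assumptions; the salt, addresses and User-Agent strings are constructed sample values.

```python
import hashlib
from datetime import datetime, timedelta, timezone

def utc_day(when: datetime) -> str:
    """Return the YYYY-MM-DD date of an aware datetime, normalized to UTC."""
    return when.astimezone(timezone.utc).strftime("%Y-%m-%d")

def daily_visitor_hash(ip: str, user_agent: str, salt: str, when: datetime) -> str:
    # Assumption: fields are concatenated as plain UTF-8 strings in the
    # order the policy lists them; the real encoding is not on the page.
    material = ip + user_agent + salt + utc_day(when)
    return hashlib.sha256(material.encode("utf-8")).hexdigest()

def count_unique_visitors(requests, salt: str) -> dict:
    """Distinct hashes per UTC day. IP and User-Agent are used transiently;
    only the hash is kept in the per-day set."""
    per_day = {}
    for ip, user_agent, when in requests:
        digest = daily_visitor_hash(ip, user_agent, salt, when)
        per_day.setdefault(utc_day(when), set()).add(digest)
    return {day: len(hashes) for day, hashes in sorted(per_day.items())}

# Constructed sample data (documentation-range addresses, made-up salt).
SALT = "example-secret-salt"
UA_A = "Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0"
UA_B = "Mozilla/5.0 (iPhone) ExampleBrowser/1.0"
CEST = timezone(timedelta(hours=2))
REQUESTS = [
    ("192.0.2.10", UA_A, datetime(2026, 4, 28, 23, 59, tzinfo=timezone.utc)),
    # Local 01:30 on 04-29 at UTC+2 is 23:30 UTC on 04-28: same UTC day as above.
    ("192.0.2.10", UA_A, datetime(2026, 4, 29, 1, 30, tzinfo=CEST)),
    ("198.51.100.7", UA_B, datetime(2026, 4, 28, 12, 0, tzinfo=timezone.utc)),
    # Two minutes after the first request, but past midnight UTC: new hash.
    ("192.0.2.10", UA_A, datetime(2026, 4, 29, 0, 1, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    print(count_unique_visitors(REQUESTS, SALT))
```

The same visitor is counted once per UTC day, and the hash from one day does not match the hash from the next, so visits cannot be joined across the midnight boundary by hash alone.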
3. Account data we collect
When you create a Monoid account, we collect:
- Your email address (for login and transactional emails)
- A hashed password (PBKDF2, random salt, 10,000 iterations) if you register with email/password
- OAuth provider identifiers if you use social login (Google, GitHub, etc.) — we never receive your OAuth passwords
- Your registered domain names
- Billing information processed entirely by Stripe — we never see or store card numbers
4. Cookies and storage
The tracker script uses no cookies, no localStorage, and no sessionStorage.
The Monoid dashboard uses one httpOnly session cookie (user_token) to maintain your login. This cookie is strictly necessary for the dashboard to function and does not track you across other websites.
5. How we use your data
- Visitor data — to provide aggregated analytics in your dashboard.
- Account email — to send activation links, billing receipts, and service announcements.
- Billing data — to process payments via Stripe and comply with financial record-keeping requirements.
We do not use your data for advertising, profiling, or any purpose beyond operating the Service.
6. Data sharing
We share data with:
- Cloudflare — our infrastructure provider. Data is processed on their edge network. See Cloudflare's privacy policy.
- Stripe — for payment processing. See Stripe's privacy policy.
- Resend — for transactional email delivery. Email addresses are passed only when sending a specific email.
We do not sell data. We do not share data with advertisers, data brokers, or any other third party.
7. Data retention
- Pageview data — retained for 91 days, then automatically purged.
- Account data — retained as long as your account is active. Deleted within 30 days of account deletion.
- Billing records — retained as required by applicable financial regulations (typically 7 years).
8. Your rights
Depending on your jurisdiction, you may have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Delete your account and all associated data
- Export your analytics data
- Object to or restrict certain processing
You can delete your account directly from the account settings page. For other requests, email monoid@monoid.website. We respond within 30 days.
9. Security
All data is transmitted over HTTPS. Passwords are hashed with PBKDF2 and never stored in plain text. Session tokens use JWT with short expiry windows. We follow security best practices and review our architecture regularly.
10. Children's privacy
The Service is not directed at children under 16. We do not knowingly collect data from children. If you believe a child has created an account, contact us and we will delete it promptly.
11. Changes to this policy
Material changes will be communicated by email at least 14 days before taking effect. The "last updated" date above will always reflect the current version.
12. Contact
Privacy questions, data requests, or concerns: monoid@monoid.website