Privacy Policy

Last updated: 2025-12-30

1. Introduction

Monasticx ("we", "us", or "our") operates the Scriptorium platform (https://scriptorium.monasticx.dev). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service in compliance with the General Data Protection Regulation (GDPR) and German data protection laws (BDSG).

By using Scriptorium, you agree to the collection and use of information in accordance with this policy.

2. Data Controller (Verantwortlicher)

Monasticx

Email: [email protected]

For data protection inquiries, please contact us at the email address above.

3. Data We Collect

3.1 Account Information

When you create an account, we collect:

  • Email address
  • Name
  • Password (encrypted)
  • Workspace information

3.2 Connected Advertising Platforms

When you connect advertising platforms, we access and store:

  • Google Ads: Campaign data, ad performance metrics, spend data, account information
  • Meta Ads: Campaign data, ad insights, spend data, account information
  • OAuth Tokens: Encrypted access tokens to maintain your connections

Note: We only access data necessary to provide analytics services. We do not access personal data of individuals who interact with your advertisements.

3.3 Usage Data

We automatically collect:

  • IP address
  • Browser type and version
  • Pages visited and features used
  • Date and time of access
  • Device information

3.4 Payment Information

Payment processing is handled by Stripe. We do not store complete credit card numbers. We only receive and store:

  • Last four digits of your card
  • Card type and expiration date
  • Billing address
  • Stripe customer ID

4. Legal Basis for Processing (GDPR Art. 6)

We process your personal data based on:

  • Contract Performance (Art. 6(1)(b)): Processing necessary to provide our services, including account management and analytics features.
  • Consent (Art. 6(1)(a)): For connecting third-party advertising platforms and optional marketing communications.
  • Legitimate Interests (Art. 6(1)(f)): For improving our services, security, and fraud prevention.
  • Legal Obligation (Art. 6(1)(c)): For tax records and legal compliance.

5. How We Use Your Data

We use the collected data to:

  • Provide and maintain our analytics services
  • Calculate ROI and attribution metrics
  • Generate reports and insights
  • Process payments and manage subscriptions
  • Send service-related notifications
  • Improve and optimize our platform
  • Provide customer support
  • Detect and prevent fraud or abuse

6. Data Sharing and Third Parties

6.1 Service Providers

We share data with trusted service providers who assist in operating our platform:

Provider   | Purpose              | Location
Hetzner    | Server hosting       | Germany/EU
Cloudflare | CDN, DDoS protection | Global (EU data centers available)
Stripe     | Payment processing   | EU/US (SCCs in place)
Neon       | Database hosting     | EU region available

6.2 Advertising Platform APIs

To provide our services, we connect to advertising platforms via their official APIs. This involves sending authenticated requests to retrieve your advertising data. We do not share your data with these platforms beyond what is necessary for authentication.

6.3 Legal Requirements

We may disclose your data if required by law, court order, or governmental authority, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

7. Data Retention

We retain your data for the following periods:

  • Account data: Until account deletion, plus 30 days for backup purposes
  • Analytics data: Up to 24 months of historical data
  • Payment records: 10 years (German tax law requirement)
  • Server logs: 90 days

After you delete your account, we will delete or anonymize your personal data within 30 days, except where retention is required by law.

8. Your Rights (GDPR)

Under the GDPR, you have the following rights:

Right of Access (Art. 15)

Request a copy of your personal data we hold.

Right to Rectification (Art. 16)

Request correction of inaccurate personal data.

Right to Erasure (Art. 17)

Request deletion of your personal data ("right to be forgotten").

Right to Restriction (Art. 18)

Request limitation of processing your data.

Right to Data Portability (Art. 20)

Receive your data in a machine-readable format.

Right to Object (Art. 21)

Object to processing based on legitimate interests.

To exercise any of these rights, please contact us at [email protected]. We will respond within 30 days.

Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority. In Germany, you can contact your state's data protection authority (Landesdatenschutzbeauftragter) or the Federal Commissioner for Data Protection (Bundesbeauftragter für den Datenschutz).

9. Cookies and Tracking

We use the following types of cookies:

Essential Cookies

Required for the platform to function. These cannot be disabled.

  • scriptorium_session - Authentication session
  • current_workspace - Selected workspace

Analytics Cookies

Help us understand how visitors interact with our platform. These are only set with your consent.

You can manage cookie preferences in your browser settings. Note that disabling essential cookies may affect platform functionality.

10. Data Security

We implement appropriate technical and organizational measures to protect your data:

  • Encryption in transit (TLS 1.3)
  • Encryption at rest (AES-256-GCM for sensitive data)
  • Secure password hashing (Argon2id)
  • Regular security audits
  • Access controls and authentication
  • DDoS protection via Cloudflare

11. International Data Transfers

Our primary infrastructure is hosted in the European Union (Germany). When data is transferred outside the EU/EEA, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) approved by the EU Commission
  • Adequacy decisions where applicable
  • Data processing agreements with all sub-processors

12. Children's Privacy

Scriptorium is not intended for individuals under 16 years of age. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any significant changes by email or through a notice on our platform. The "Last updated" date at the top indicates when this policy was last revised.

14. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

Monasticx

Email: [email protected]

We aim to respond to all inquiries within 5 business days.