Last Updated: 22nd April 2026 (V4.0.0)
---
1. Scope
This Privacy Policy explains how Monorail AI Ltd collects, uses, stores, and discloses personal data in connection with the Platform and Services.
This Policy applies to all users of the Platform, including website visitors, account holders, and API users.
---
2. Data Controller
Monorail AI Ltd is the data controller for the purposes of applicable data protection laws, including the UK GDPR and EU GDPR where applicable.
If you are located in a jurisdiction with additional requirements, you acknowledge that your data may be processed in accordance with this Policy.
---
3. Categories of Data We Collect
We may collect and process the following categories of personal data:
Identity data, including name, username, and contact details such as email address.
Account data, including login credentials, account preferences, subscription details, and communication history.
Usage data, including prompts, inputs, outputs, interaction logs, feature usage, and activity timestamps.
Technical data, including IP address, device identifiers, browser type, operating system, and network information.
Payment data, including billing address and transaction details, noting that full payment card information is processed by third-party payment processors.
Communication data, including messages sent to support or feedback submissions.
We do not intentionally collect special categories of personal data unless explicitly provided by you.
---
4. How We Collect Data
We collect data:
Directly from you when you create an account, use the Services, or contact us.
Automatically through your use of the Platform, including logs, cookies, and tracking technologies.
From third parties, including payment processors, authentication providers, and analytics services.
---
5. Purposes of Processing
We process personal data for the following purposes:
To provide, operate, and maintain the Platform and Services.
To process user inputs and generate AI outputs via Third-Party Providers.
To manage accounts, billing, subscriptions, and transactions.
To monitor usage and detect fraud, abuse, or security incidents.
To improve, develop, and optimise the Platform and Services.
To communicate with you regarding updates, support, or administrative matters.
To comply with legal and regulatory obligations.
---
6. Legal Basis for Processing
Where applicable under GDPR, we rely on the following legal bases:
Performance of a contract, where processing is necessary to provide the Services.
Legitimate interests, including maintaining security, improving services, and preventing abuse, provided such interests are not overridden by your rights.
Legal obligations, where processing is required to comply with applicable laws.
Consent, where required for specific processing activities such as certain cookies or marketing communications.
---
7. AI Processing and Third-Party Providers
Your Content, including prompts and inputs, may be transmitted to Third-Party Providers for processing.
These providers may:
Process and temporarily store data to generate outputs.
Operate infrastructure in multiple jurisdictions.
Apply their own retention and processing policies.
We do not control the independent data practices of Third-Party Providers.
You are responsible for ensuring that you have the right to submit any data for processing.
---
8. International Data Transfers
Personal data may be transferred to and processed in countries outside the United Kingdom or European Economic Area.
Where such transfers occur, we rely on appropriate safeguards, including:
Standard Contractual Clauses or equivalent mechanisms.
Transfers to jurisdictions deemed to provide adequate protection where applicable.
You acknowledge that data transferred to Third-Party Providers may be subject to different legal regimes.
---
9. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes described in this Policy, including:
Providing the Services.
Maintaining security and preventing abuse.
Complying with legal, regulatory, and accounting obligations.
Resolving disputes and enforcing agreements.
Retention periods may vary depending on the type of data and legal requirements.
We may delete or anonymise data when it is no longer required.
---
10. Data Security
We implement appropriate technical and organisational measures designed to protect personal data, including safeguards against unauthorised access, loss, misuse, or alteration.
Such measures may include encryption, access controls, monitoring, and secure infrastructure.
However, no method of transmission or storage is completely secure, and we cannot guarantee absolute security.
---
11. Your Rights
Subject to applicable law, you may have the following rights:
The right to access personal data we hold about you.
The right to request correction of inaccurate or incomplete data.
The right to request deletion of your data in certain circumstances.
The right to restrict or object to certain processing activities.
The right to data portability where applicable.
The right to withdraw consent where processing is based on consent.
To exercise your rights, contact [support@mnrl.app](mailto:support@mnrl.app).
We may require verification of your identity before fulfilling requests.
---
12. Automated Processing
The Services involve automated processing of inputs to generate outputs.
You acknowledge that:
Outputs are generated algorithmically without human review.
Such processing does not constitute automated decision-making with legal or similarly significant effects unless explicitly stated.
---
13. Cookies and Tracking Technologies
We use cookies and similar technologies to:
Enable core functionality of the Platform.
Analyse usage and performance.
Improve user experience.
You can control or disable cookies through your browser settings.
Disabling cookies may affect functionality of the Platform.
---
14. Third-Party Services and Links
The Platform may contain links to or integrations with third-party services.
We are not responsible for the privacy practices or content of such services.
Your use of third-party services is governed by their own policies.
---
15. Data Minimisation and User Responsibility
You should avoid submitting personal data unless necessary.
You are responsible for ensuring that any personal data you provide is lawful and appropriate for processing.
You must not submit data that you do not have the right to use.
---
16. Children’s Data
The Platform is not intended for individuals under the age of 18.
We do not knowingly collect personal data from children.
If we become aware of such data, we may delete it.
---
17. Changes to this Policy
We may update this Privacy Policy at any time.
Updated versions will be posted on the Platform.
Where required, we will provide notice of material changes.
Continued use of the Services constitutes acceptance of the updated Policy.
---
18. Contact
[support@mnrl.app](mailto:support@mnrl.app)
---
END