ViralMonkey · viralmonkey.ai · Legal

GDPR Compliance & Your Data Rights

Effective: 2 June 2026 · Version 1.0 · UK GDPR + EU GDPR
ViralMonkey Ltd — registration notice: Issued on behalf of ViralMonkey Ltd, incorporating England and Wales (expected June 2026). Data controller obligations will be formally assumed by ViralMonkey Ltd upon registration with Companies House and the ICO.
Our data commitment: Collect only what we need. Use it only for what we said. Store it on EU infrastructure. Never sell it, advertise with it, or use it to train public AI models. You control it — download or delete anytime.
On this page
  1. 1. Data Controller
  2. 2. Processing Activities and Legal Basis
  3. 3. Data Minimisation
  4. 4. Infrastructure and Transfer Safeguards
  5. 5. Your Rights
  6. 6. Breach Response
  7. 7. Future Platforms

1. Data Controller

ViralMonkey Ltd (incorporating England and Wales, June 2026). Registered office: [PLACEHOLDER]. ICO registration: [to be inserted]. Contact: privacy@viralmonkey.ai

ICO registration required: UK companies processing personal data must register with the Information Commissioner’s Office (ico.org.uk). ViralMonkey Ltd will register upon incorporation. The ICO registration number will be added here and in the footer of viralmonkey.ai at that time. Annual fee: £40.

2. Processing Activities and Legal Basis

ActivityDataLegal basisOpt out?
Waitlist registrationEmail, plan preferenceConsent — Art. 6(1)(a)Yes — unsubscribe anytime
Account login / authEmail, hashed passwordContract — Art. 6(1)(b)No — core function
Platform OAuth tokensOAuth tokens, platform handleContract — Art. 6(1)(b)Yes — disconnect anytime
Voice FingerprintPost history → style profileContract — Art. 6(1)(b)Partial — delete in settings
AI generationTopic + style profile (no PII in prompts)Contract — Art. 6(1)(b)No — core function
Platform publishingApproved content + OAuth tokenContract — Art. 6(1)(b)Yes — per-action approval
Subscription billingEmail → Stripe (no card data)Contract + legal obligation — Art. 6(1)(b)(c)No
Usage analyticsAnonymised events (PostHog EU)Legitimate interest — Art. 6(1)(f)Yes — Settings → Privacy
Trial fraud preventionDevice hash (non-reversible)Legitimate interest — Art. 6(1)(f)No — trial integrity
Security loggingIP, metadata (90d auto-delete)Legitimate interest — Art. 6(1)(f)No
Legitimate Interest Assessments (LIAs) on file: For each legitimate interest processing activity, we have documented that: (1) the interest is genuine and specific; (2) the processing is necessary to achieve it; and (3) our interest is not overridden by your rights and freedoms. LIAs are available on request at privacy@viralmonkey.ai.

3. Data Minimisation

  • Post history: Fetched once for Voice Fingerprint, then discarded. Only the style profile is stored.
  • AI prompts: No PII ever included. Only topic + anonymous style profile.
  • Card data: Never processed or stored by ViralMonkey. Stripe only.
  • Device fingerprint: One-way hash only. Cannot be reversed. Deleted after 90 days.
  • Security logs: Auto-deleted after 90 days.

4. Infrastructure and Transfer Safeguards

SystemProviderLocationSafeguard
Core infrastructure (all AWS services)AWSEU-West Ireland / Frankfurt EUNo transfer outside EU
Product analyticsPostHogEU cloud EUNo transfer outside EU
CDN / DDoSCloudflareEU edge nodes EU edgeEU nodes used
PaymentStripeUS SCCsUK-US adequacy + SCCs
Platform APIX CorpUS SCCsX Developer Agreement + SCCs
Trend data (no PII)TweetAPI.ioUS No PIINo personal data transmitted
Fraud preventionFingerprintJS / AWSUS/EU SCCs/EUSCCs + EU infra where possible

SCCs approved by the UK ICO are used for all non-adequate-country transfers. Copies available on request.

5. Your Rights

📋 Right to access
Copy of all data held. Provided in structured machine-readable format within 30 days.
→ privacy@viralmonkey.ai — Subject: “Data Access Request”
🗑️ Right to erasure
Delete account + all data within 30 days. Billing records retained 7 years by law.
→ Settings → Account → Delete, or privacy@viralmonkey.ai
✏️ Right to rectification
Correct inaccurate personal data.
→ Settings → Account, or privacy@viralmonkey.ai
📦 Right to portability
Download your data (JSON) including posts, fingerprint profile, account data.
→ Settings → Privacy → Download my data
🚫 Right to object
Object to legitimate-interest processing (analytics, fraud prevention).
→ Settings → Privacy → Analytics opt-out, or privacy@viralmonkey.ai
⏸️ Right to restriction
Restrict processing during a dispute. Confirmed within 5 business days.
→ privacy@viralmonkey.ai
🍪 Cookie consent
Withdraw or change cookie consent at any time.
→ “Cookie Settings” link in footer
⚖️ Right to complain
Lodge a complaint with the UK ICO. We’d appreciate the chance to resolve it directly first.
→ ico.org.uk/make-a-complaint · 0303 123 1113

We acknowledge all requests within 5 business days and fulfil within 30 calendar days (up to 3 months for complex requests — we’ll notify you).

EU residents: you may exercise GDPR rights with your national supervisory authority. California residents: additional CCPA rights apply — we do not sell data. Contact privacy@viralmonkey.ai.

6. Breach Response

  • Risk assessment within 24 hours of becoming aware of a breach
  • ICO notification within 72 hours if risk to individuals is identified
  • Direct notification to affected users without undue delay if high risk to them specifically
  • Notification includes: what happened, data involved, steps taken, what you should do
  • Report a suspected breach: security@viralmonkey.ai

7. Future Platforms

When TikTok, Instagram, YouTube, and LinkedIn are added, this document will be updated before each integration goes live, with 14 days’ email notice of material changes.

ViralMonkey Ltd — Data Controller (incorporating June 2026)Privacy: privacy@viralmonkey.ai · Security: security@viralmonkey.ai
ICO: ico.org.uk · Reg: [to be inserted] · Registered office: [PLACEHOLDER]
UK ICO · Wycliffe House, Water Lane, Wilmslow SK9 5AF · 0303 123 1113
v1.0 · 2 June 2026 · Initial publication