ViralMonkey · viralmonkey.ai · Legal

Privacy Policy

Effective: 2 June 2026 · Version 1.0 · Governing law: England and Wales + UK GDPR
ViralMonkey Ltd — registration notice: This policy is issued on behalf of ViralMonkey Ltd, a company in the process of incorporation in England and Wales (expected June 2026). Company No. and registered office address are placeholders until registration completes. All obligations described here will be formally assumed by ViralMonkey Ltd upon registration. Until then, the service is operated by its founders acting on behalf of the company to be incorporated.
Plain English: We collect only what we need — your email, your encrypted platform connection, and anonymous usage data. We use it only to run ViralMonkey. We store it on EU infrastructure. We never sell it, advertise with it, or use it to train any AI model. You can download or delete all your data at any time.
On this page
  1. Who We Are
  2. Waitlist Data
  3. Account Data We Collect
  4. Legal Basis (UK GDPR)
  5. AI Generation — What Gets Sent Where
  6. Third-Party Processors
  7. International Transfers
  8. Your Rights
  9. Retention
  10. Security
  11. Children
  12. Policy Changes

1. Who We Are

ViralMonkey Ltd (Company No. [to be inserted]) — registered in England and Wales. Registered office: [PLACEHOLDER — to be updated upon registration]. ICO registration number: [to be inserted upon registration]. Data protection contact: privacy@viralmonkey.ai

2. Waitlist Data

Before launch, we collect your email address and plan preference when you join the waitlist at viralmonkey.ai. This data is used only to send you a single launch notification email and, if eligible, apply your waitlist discount. We will not send marketing communications to waitlist members without a separate explicit opt-in. You may withdraw from the waitlist at any time by emailing privacy@viralmonkey.ai or clicking the unsubscribe link in any email we send.

3. Account Data We Collect

3.1 Account credentials

  • Email address — account creation, login, transactional notifications, billing communications
  • Password — stored as a one-way bcrypt hash via AWS Cognito. Irrecoverable. We cannot read your password.

3.2 Connected platform tokens (OAuth)

When you connect a social media platform (currently X/Twitter; additional platforms added in future phases), we receive OAuth 2.0 tokens. These are:

  • Encrypted with AES-256 via AWS KMS before storage in DynamoDB
  • Decrypted only at the exact moment an authorised API call is made on your behalf
  • Never logged, never included in any analytics event, never transmitted to any third party
  • Rotated when you reconnect your account or when a suspected compromise is detected
  • Immediately invalidated when you disconnect your platform account
You can revoke access at any time from Settings → Connected Accounts → Disconnect, or directly from the platform’s own settings (e.g. X Settings → Security → Connected Apps). Revocation is immediate.

3.3 Voice Fingerprint (post analysis)

To build your Voice Fingerprint, we fetch your recent original posts (up to 100–200; reposts and replies excluded) via the platform API. This content is processed to extract writing style attributes. Only the resulting style profile is stored. The raw post history is discarded after processing and not retained.

3.4 Generated and published content

Posts, replies, and comments generated and published via ViralMonkey are stored in your account for history, viral score tracking, and engagement analytics.

3.5 Payment data

All payments processed by Stripe. ViralMonkey never receives, stores, or transmits card numbers, CVVs, or bank details. We receive only non-sensitive billing records (plan, status, subscription ID). Retained 7 years per UK law.

3.6 Usage analytics

Anonymised feature usage events via PostHog (EU cloud). No post content or PII included in events. Opt out via Settings → Privacy → Analytics. Retained 24 months.

3.7 Device fingerprint

At trial activation, a one-way device fingerprint hash is generated (AWS Fraud Detection / FingerprintJS). Non-reversible. Used only to prevent one device claiming multiple free trials. Deleted after 90 days.

3.8 Security logs

AWS CloudWatch and Cloudflare log IP addresses, request timestamps, and metadata for security monitoring. Auto-deleted after 90 days.

5. AI Generation — What Gets Sent Where

Content generation uses AWS Bedrock (Claude Haiku and other models). Prompts sent to AI models contain only your topic or idea and your anonymous style profile. No PII — no name, email, X handle, account ID, or OAuth tokens — is ever included in any AI prompt. We do not use your content to train any AI model.

Future platforms: When TikTok, Instagram, YouTube, and LinkedIn are added in future phases, the same OAuth handling and prompt hygiene standards apply. This policy will be updated before each platform goes live, with 14 days’ advance email notice of material changes.

6. Third-Party Processors

We share data only with the following processors, each bound by a Data Processing Agreement, processing data only on our instructions:

| Provider | Data received | Location | Purpose |
|---|---|---|---|
| AWS (Amplify, Cognito, Lambda, DynamoDB, SQS, EventBridge, SES, Bedrock, KMS, CloudWatch) | Account data, encrypted tokens, app processing | EU-West (Ireland/Frankfurt) | Full infrastructure, auth, AI, email, encryption |
| Stripe | Email, billing info (no card details) | US (SCCs) | Payment processing |
| PostHog | Anonymised usage events | EU | Product analytics |
| X Corp (X API) | OAuth tokens + approved content | US (SCCs) | Publishing / reading posts per your instruction |
| TweetAPI.io | No PII — topic/niche queries only | US (No PII) | Viral trend data for Viral Finder |
| FingerprintJS / AWS Fraud | Hashed device data (non-reversible) | US/EU (SCCs) | Trial fraud prevention |
| Cloudflare | IP, request metadata (edge) | EU edge | DDoS, DNS, CDN |

We do not sell your data. We do not share it with advertisers. We do not allow any processor to use your data for their own purposes.

7. International Transfers

Where data is transferred outside UK/EU (Stripe, X API, FingerprintJS), we use UK ICO-approved Standard Contractual Clauses (SCCs) as the transfer safeguard. Copies available on request at privacy@viralmonkey.ai.

8. Your Rights

  • Access — request a copy of all data we hold. Response within 30 days.
  • Erasure — delete account and all associated data. Billing records retained 7 years by law.
  • Rectification — correct inaccurate personal data.
  • Portability — download your data (JSON) via Settings → Download my data.
  • Object — object to legitimate-interest processing. Opt out via Settings → Privacy.
  • Restriction — restrict processing during a dispute about accuracy or legality.
  • Withdraw consent — withdraw waitlist or cookie consent at any time.
  • Complain — lodge a complaint with the UK ICO at ico.org.uk/make-a-complaint.

EU residents: you may also exercise rights with your national supervisory authority. California residents: you have additional CCPA rights including right to know, delete, and opt out of sale (we do not sell data). Contact privacy@viralmonkey.ai for any rights request.

9. Retention

| Data | Retention |
|---|---|
| Waitlist email + plan | Until launch notification + 90 days, or until removal requested |
| Account data (email) | Account lifetime + 30 days post-deletion |
| OAuth tokens | Until platform disconnected or account deleted |
| Voice Fingerprint profile | Account lifetime |
| Post / content history | Account lifetime |
| Billing records | 7 years (UK tax law) |
| Analytics events | 24 months, then anonymised |
| Device fingerprint hash | 90 days |
| Security logs | 90 days |

10. Security

  • All data in transit: TLS 1.2+ enforced
  • OAuth tokens: AES-256 at rest via AWS KMS; key never stored in database; rotated on reconnect or suspected compromise
  • Passwords: bcrypt via AWS Cognito — irrecoverable
  • AWS infrastructure: CloudWatch alarms, dead-letter queues, IAM least-privilege, VPC isolation
  • Row-level access controls: users cannot access other users’ data
  • Security reviews conducted prior to launch and periodically thereafter
  • Data breach: ICO notification within 72 hours; affected user notification without undue delay where high risk

To report a security concern: security@viralmonkey.ai. See also our Security & Responsible Disclosure page.

11. Children

Not directed at children under 13. We do not knowingly collect data from children. Contact privacy@viralmonkey.ai if you believe we have.

12. Policy Changes

Material changes notified by email and via viralmonkey.ai at least 14 days before taking effect. Continued use after effective date constitutes acceptance.

ViralMonkey Ltd — Data Controller (incorporating June 2026)
Privacy: privacy@viralmonkey.ai · Security: security@viralmonkey.ai
Website: viralmonkey.ai · Registered office: [PLACEHOLDER]
Company No: [to be inserted] · ICO Reg: [to be inserted]

Version history

| Version | Date | Changes |
|---|---|---|
| 1.0 | 2 June 2026 | Initial publication |