Legal
Privacy Policy
Last updated: July 4, 2026
This Privacy Policy explains how MondayFive, Inc. ("MondayFive", "we", "us") collects, uses, shares and protects personal data in connection with our AI appointment sales agent platform, our websites, and related services (together, the "Service").
MondayFive is used by service businesses ("merchants") to communicate with and book appointments for their own customers ("end customers"). We play two distinct roles: we are a data controller for the information merchants give us about themselves, and a data processorfor the information we handle about end customers on a merchant's behalf and under their instructions.
1. Data we collect
Account data (we are the controller)
When you create a MondayFive account we collect your name, email address, password credentials (stored hashed), and optional profile details. If you sign in through a third-party identity provider, we receive the profile information that provider shares with us.
Business data (we are the controller)
To operate your workspace we collect information about your business: business name, locations, staff members and their working hours, services, prices, deposit and cancellation policies, connected channel identifiers (for example your WhatsApp Business number or Instagram account), calendar connections, and knowledge-base content you upload such as PDFs, FAQs and website URLs.
End-customer and CRM data (we are a processor)
On behalf of merchants, the Service processes their end customers' contact details (name, phone number, email, channel handles), booking history, visit and spend records, tags, notes, segments, and communication preferences. Merchants — not MondayFive — decide what end-customer data to collect and how long to keep it. If you are an end customer of a business that uses MondayFive, that business is the controller of your data; please direct privacy requests to them first, and we will assist them in fulfilling those requests.
Conversation transcripts
The core of the Service is conversation. We process and store the messages exchanged between end customers and the AI agent (and any human participants) across WhatsApp, Instagram, Messenger, website chat, SMS and AI phone calls. Voice calls handled by the AI are transcribed; transcripts and, where enabled by the merchant, audio recordings are stored as part of the conversation record.
Payment metadata
Payments are processed by Stripe, PayPal and Dodo Payments. We never store card numbers or full payment credentials on our systems. We store payment metadata only — amounts, currency, timestamps, payment status, refund status and processor transaction identifiers — so that bookings, deposits and refunds can be tracked inside the Service.
Usage and device data
Like most online services we collect standard technical logs: IP address, browser and device information, pages viewed, and actions taken in the product. We use this to secure, debug and improve the Service.
2. How we use data
We use the data described above to:
- provide the Service: answering messages, booking appointments, collecting deposits, sending reminders, and maintaining the merchant's CRM;
- operate AI features, as described in Section 4;
- bill merchants for subscriptions and metered usage;
- provide support and respond to enquiries;
- secure the Service, prevent abuse and enforce our Terms of Service;
- improve the product using aggregated, de-identified usage information; and
- comply with legal obligations.
We do not sell personal data, and we do not use end-customer data to advertise to end customers.
3. Subprocessors and sharing
We share data with a limited set of service providers ("subprocessors") that help us run the Service. Each is bound by contractual obligations to protect the data and to process it only on our instructions:
| Subprocessor | Purpose |
|---|---|
| Vercel | Application hosting and content delivery |
| Neon | Managed database hosting (primary data store) |
| Anthropic | AI language model processing of conversations |
| OpenAI | AI language model processing of conversations |
| Google AI | AI language model processing of conversations |
| Meta Platforms | WhatsApp, Instagram and Messenger message delivery |
| Twilio | SMS delivery and telephony |
| Vapi | AI voice call infrastructure |
| Pusher | Real-time messaging infrastructure |
| Inngest | Background job processing (reminders, automations) |
| Resend | Transactional email delivery |
| Stripe | Payment processing |
| PayPal | Payment processing |
| Dodo Payments | Subscription billing for MondayFive plans |
We may also disclose data where required by law, to protect the rights and safety of MondayFive, our merchants or others, or as part of a merger, acquisition or asset sale (in which case this policy will continue to apply to previously collected data).
4. AI processing disclosure
MondayFive is an AI product. Conversations handled by the Service are processed by large language models operated by our AI subprocessors (Anthropic, OpenAI and Google AI) to generate replies, qualify enquiries, extract booking details and produce summaries. Voice calls are processed through Vapi for speech recognition and synthesis.
Message content is sent to these providers only to the extent necessary to generate a response, under agreements that prohibit them from using the data to train their models. AI-generated replies operate within guardrails configured by the merchant — for example, the agent only quotes prices from the merchant's own configuration, and industry safety lanes restrict what the agent may discuss for medical, dental, therapy and wellness businesses.
AI output can be imperfect. Merchants remain responsible for the commitments made in their name, and the Service is designed to hand conversations to a human when appropriate.
5. Data retention and deletion
We retain account and business data for as long as the merchant's account is active. Conversation transcripts, CRM records and booking history are retained while the merchant's workspace exists so the Service can function (for example, so a returning customer is recognised).
When a merchant deletes their account, we delete or irreversibly de-identify the workspace's data within 30 days, except where a longer period is required by law (for example, invoicing and tax records) or where data resides in encrypted backups, which roll off on a fixed schedule. Merchants can delete individual customers, conversations or knowledge-base items at any time from within the product, and can export their data before deletion.
6. Your rights
Depending on where you live (including under the GDPR and UK GDPR, and similar laws elsewhere), you may have the right to:
- access the personal data we hold about you and receive a copy in a portable format;
- correct inaccurate data;
- delete your data ("right to be forgotten");
- restrict or object to certain processing;
- withdraw consent where processing is based on consent; and
- lodge a complaint with your local supervisory authority.
To exercise these rights, email privacy@mondayfive.com. If you are an end customer of a MondayFive merchant, we will refer your request to the relevant merchant and assist them in responding, as required by our processor role.
7. Cookies
We use a small number of cookies and similar technologies: strictly necessary cookies for authentication and security (keeping you signed in, preventing cross-site request forgery), and preference cookies (such as your theme choice). Our marketing site uses privacy-respecting, aggregate analytics. We do not use third-party advertising cookies. You can control cookies through your browser settings; blocking strictly necessary cookies will prevent you from signing in.
8. Security
We protect data with encryption in transit and at rest, role-based access controls, audit logging and least-privilege access for our staff. No system is perfectly secure; if we learn of a breach affecting your personal data we will notify affected merchants and authorities as required by applicable law.
9. International transfers
Our subprocessors operate in the United States and elsewhere. Where data is transferred out of the EEA, UK or Switzerland, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses and equivalent mechanisms.
10. Children
The Service is a business tool and is not directed to children. We do not knowingly collect personal data from children under 16 as a controller. Merchants are responsible for ensuring their own use of the Service complies with laws applicable to their customers.
11. Changes to this policy
We may update this policy from time to time. If we make material changes we will notify merchants by email or an in-product notice before the changes take effect. The "Last updated" date at the top reflects the current version.
12. Contact
MondayFive, Inc.
Email: privacy@mondayfive.com (privacy) · hello@mondayfive.com (general)
See also our Terms of Service.