Legal

Privacy Policy

Last updated: July 4, 2026

This Privacy Policy explains how MondayFive, Inc. ("MondayFive", "we", "us") collects, uses, shares and protects personal data in connection with our AI appointment sales agent platform, our websites, and related services (together, the "Service").

MondayFive is used by service businesses ("merchants") to communicate with and book appointments for their own customers ("end customers"). We play two distinct roles: we are a data controller for the information merchants give us about themselves, and a data processorfor the information we handle about end customers on a merchant's behalf and under their instructions.

1. Data we collect

Account data (we are the controller)

When you create a MondayFive account we collect your name, email address, password credentials (stored hashed), and optional profile details. If you sign in through a third-party identity provider, we receive the profile information that provider shares with us.

Business data (we are the controller)

To operate your workspace we collect information about your business: business name, locations, staff members and their working hours, services, prices, deposit and cancellation policies, connected channel identifiers (for example your WhatsApp Business number or Instagram account), calendar connections, and knowledge-base content you upload such as PDFs, FAQs and website URLs.

End-customer and CRM data (we are a processor)

On behalf of merchants, the Service processes their end customers' contact details (name, phone number, email, channel handles), booking history, visit and spend records, tags, notes, segments, and communication preferences. Merchants — not MondayFive — decide what end-customer data to collect and how long to keep it. If you are an end customer of a business that uses MondayFive, that business is the controller of your data; please direct privacy requests to them first, and we will assist them in fulfilling those requests.

Conversation transcripts

The core of the Service is conversation. We process and store the messages exchanged between end customers and the AI agent (and any human participants) across WhatsApp, Instagram, Messenger, website chat, SMS and AI phone calls. Voice calls handled by the AI are transcribed; transcripts and, where enabled by the merchant, audio recordings are stored as part of the conversation record.

Payment metadata

Payments are processed by Stripe, PayPal and Dodo Payments. We never store card numbers or full payment credentials on our systems. We store payment metadata only — amounts, currency, timestamps, payment status, refund status and processor transaction identifiers — so that bookings, deposits and refunds can be tracked inside the Service.

Usage and device data

Like most online services we collect standard technical logs: IP address, browser and device information, pages viewed, and actions taken in the product. We use this to secure, debug and improve the Service.

2. How we use data

We use the data described above to:

  • provide the Service: answering messages, booking appointments, collecting deposits, sending reminders, and maintaining the merchant's CRM;
  • operate AI features, as described in Section 4;
  • bill merchants for subscriptions and metered usage;
  • provide support and respond to enquiries;
  • secure the Service, prevent abuse and enforce our Terms of Service;
  • improve the product using aggregated, de-identified usage information; and
  • comply with legal obligations.

We do not sell personal data, and we do not use end-customer data to advertise to end customers.

3. Subprocessors and sharing

We share data with a limited set of service providers ("subprocessors") that help us run the Service. Each is bound by contractual obligations to protect the data and to process it only on our instructions:

SubprocessorPurpose
VercelApplication hosting and content delivery
NeonManaged database hosting (primary data store)
AnthropicAI language model processing of conversations
OpenAIAI language model processing of conversations
Google AIAI language model processing of conversations
Meta PlatformsWhatsApp, Instagram and Messenger message delivery
TwilioSMS delivery and telephony
VapiAI voice call infrastructure
PusherReal-time messaging infrastructure
InngestBackground job processing (reminders, automations)
ResendTransactional email delivery
StripePayment processing
PayPalPayment processing
Dodo PaymentsSubscription billing for MondayFive plans

We may also disclose data where required by law, to protect the rights and safety of MondayFive, our merchants or others, or as part of a merger, acquisition or asset sale (in which case this policy will continue to apply to previously collected data).

4. AI processing disclosure

MondayFive is an AI product. Conversations handled by the Service are processed by large language models operated by our AI subprocessors (Anthropic, OpenAI and Google AI) to generate replies, qualify enquiries, extract booking details and produce summaries. Voice calls are processed through Vapi for speech recognition and synthesis.

Message content is sent to these providers only to the extent necessary to generate a response, under agreements that prohibit them from using the data to train their models. AI-generated replies operate within guardrails configured by the merchant — for example, the agent only quotes prices from the merchant's own configuration, and industry safety lanes restrict what the agent may discuss for medical, dental, therapy and wellness businesses.

AI output can be imperfect. Merchants remain responsible for the commitments made in their name, and the Service is designed to hand conversations to a human when appropriate.

5. Data retention and deletion

We retain account and business data for as long as the merchant's account is active. Conversation transcripts, CRM records and booking history are retained while the merchant's workspace exists so the Service can function (for example, so a returning customer is recognised).

When a merchant deletes their account, we delete or irreversibly de-identify the workspace's data within 30 days, except where a longer period is required by law (for example, invoicing and tax records) or where data resides in encrypted backups, which roll off on a fixed schedule. Merchants can delete individual customers, conversations or knowledge-base items at any time from within the product, and can export their data before deletion.

6. Your rights

Depending on where you live (including under the GDPR and UK GDPR, and similar laws elsewhere), you may have the right to:

  • access the personal data we hold about you and receive a copy in a portable format;
  • correct inaccurate data;
  • delete your data ("right to be forgotten");
  • restrict or object to certain processing;
  • withdraw consent where processing is based on consent; and
  • lodge a complaint with your local supervisory authority.

To exercise these rights, email privacy@mondayfive.com. If you are an end customer of a MondayFive merchant, we will refer your request to the relevant merchant and assist them in responding, as required by our processor role.

7. Cookies

We use a small number of cookies and similar technologies: strictly necessary cookies for authentication and security (keeping you signed in, preventing cross-site request forgery), and preference cookies (such as your theme choice). Our marketing site uses privacy-respecting, aggregate analytics. We do not use third-party advertising cookies. You can control cookies through your browser settings; blocking strictly necessary cookies will prevent you from signing in.

8. Security

We protect data with encryption in transit and at rest, role-based access controls, audit logging and least-privilege access for our staff. No system is perfectly secure; if we learn of a breach affecting your personal data we will notify affected merchants and authorities as required by applicable law.

9. International transfers

Our subprocessors operate in the United States and elsewhere. Where data is transferred out of the EEA, UK or Switzerland, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses and equivalent mechanisms.

10. Children

The Service is a business tool and is not directed to children. We do not knowingly collect personal data from children under 16 as a controller. Merchants are responsible for ensuring their own use of the Service complies with laws applicable to their customers.

11. Changes to this policy

We may update this policy from time to time. If we make material changes we will notify merchants by email or an in-product notice before the changes take effect. The "Last updated" date at the top reflects the current version.

12. Contact

MondayFive, Inc.
Email: privacy@mondayfive.com (privacy) · hello@mondayfive.com (general)

See also our Terms of Service.