Introduction
Welcome to Monstera AI! Monstera AI LLC ("Monstera AI," "we," "us," or "our") operates the monstera.club platform. Your trust is of the utmost importance to us. We are committed to protecting your personal privacy and data security. This Privacy Policy is intended to explain in a clear and transparent manner how we collect, use, store, share, and protect your information when you use our services (including the monstera.club website and all related services). Please read and understand this policy carefully before using our services.
1. Information We Collect
To provide and optimize our services, we collect the following types of information:
1.1. Information You Provide Directly
1.1.1. Account Information
When you register for a Monstera AI account, we collect your username (or nickname) and email address. Your password is one-way hashed and stored, as detailed in Section 7.
1.1.2. Bot Configuration Information
When you create or configure an AI Bot instance (which we refer to as a "role"), you will provide the role's name, the target live-streaming platform, the channel/room ID, and, optionally, an AI nickname and Custom Prompts.
1.1.3. Platform Account Credentials
To enable your AI Bot to log in and operate on third-party platforms on your behalf, we collect and store platform access credentials through one of two methods:
- OAuth Authorization (Preferred): For platforms that support it, we use industry-standard OAuth 2.0 to securely obtain authorization tokens. You explicitly authorize our service to access your account through the platform's official authorization flow, and we store the resulting access tokens and refresh tokens.
- Cookie-Based Authentication: For platforms that do not yet support OAuth, we store the platform account cookies that you provide and authorize.
We understand the extreme sensitivity of this information. Therefore, all credentials (both OAuth tokens and cookies) are encrypted at the application layer before being stored in our database. For details, please see Section 7, "Data Security."
1.1.4. Payment and Transaction Information
When you purchase a subscription, acquire virtual currency, redeem a code, or conduct any other transaction on our platform, we record your transaction history and account balance changes. Please note that your payment information, such as credit card details, is processed directly by third-party payment service providers. We do not store your full payment card information on our servers.
1.1.5. Contact Information
When you communicate with us via a contact form or email, we collect the information you provide.
1.2. Information We Automatically Collect When You Use Our Services
1.2.1. Device and Log Information
When you visit our website, we automatically record technical information including your IP address, browser type, operating system, access time, and your activity logs on our website. This information is mainly collected through Vercel (our hosting provider) and Cloudflare Turnstile (our human verification service) to ensure service security, conduct traffic analysis, and implement rate limiting.
1.2.2. Website Analytics and Performance Monitoring
To continuously improve the performance and content of our website, and to ensure you enjoy a fast, smooth, and useful browsing experience, we need to analyze anonymous, aggregated statistical data. We promise that all data collected in this category cannot be traced to an individual.
Purpose of Analysis
This statistical data is mainly used for the following purposes:
- Service Optimization: Analyzing overall user traffic and sources (e.g., which country visitors are from) to optimize our infrastructure and service performance.
- Content Improvement: Understanding which pages and features are most popular so we can focus our resources on the content that is most valuable to you.
- Technical Compatibility: Tallying the types of browsers and devices used by visitors to ensure our website's compatibility and display effectiveness across different platforms.
Tools Used
The main tools we use are:
- Vercel Analytics & Speed Insights: Used to collect anonymous, aggregated website traffic data and front-end performance metrics.
- Google Analytics: Used for website traffic analysis only, with all advertising tracking features (such as ad personalization) disabled.
1.2.3. User Experience Improvement Program
To genuinely improve every detail of your experience with our service, we have established a 'User Experience Improvement Program,' powered by trusted technology partners.
Program Goals
The program aims to achieve two core goals: first, to help us visually understand how users interact with pages, thereby discovering and improving potential inconveniences in the design; and second, when technical problems occur, to assist our engineers in reproducing and locating hard-to-track program errors (bugs), in order to enhance the stability and reliability of the service.
Privacy Safeguards
We treat your privacy as our highest priority. All potentially sensitive information (such as text you type in forms, passwords, etc.) is automatically removed or obscured on your device before it is ever recorded, ensuring it is never sent.
Data Association Explained
To provide more effective support and personalized experiences, for logged-in users, we associate this 'desensitized' interaction data with an internal account identifier. For anonymous visitors, we use a random identifier within the browser to understand overall trends.
Our Promise
We solemnly promise that all data collected by this program is used solely for improving our products and services. It will never be used for advertising, nor will it ever be shared with third parties for marketing purposes.
Your Control
Your participation is completely voluntary. You can opt out of this program at any time through your account settings, and your choice will not affect your access to our services in any way.
1.3. Information Processed by Your AI Bot on Your Behalf
Core Principles
The AI Bot is an automated agent that works for you. The ownership and control of all live-stream data it processes (chat, audio, and video) remain with you. We only perform the necessary, real-time, automated technical processing required to deliver the service functions you have configured.
Purpose of Data Processing
The Bot processes live-stream data (including chat, audio, and video) in real-time solely to generate appropriate AI interactions based on your configuration.
Data Storage
Live audio and video streams from your live-streaming sessions are processed in real-time and are not permanently stored in their original form. To enable AI continuity across sessions, we maintain two types of derived data: a short-term context window (recent conversation history, automatically cleared) and a long-term compressed memory (key information the AI retains for personalization, encrypted at rest). Both are fully deletable by you at any time through your account settings. Operational logs that may contain service interaction metadata are maintained for system reliability and security purposes, and are subject to automatic rotation and periodic cleanup.
Sharing with Third Parties
To enable AI functionality, your Custom Prompts and processed, anonymized summaries of live-stream content may be sent to the third-party Large Language Model (LLM) service providers we partner with. We select our partners based on strict criteria, ensuring they meet high standards in both technical capability and data security.
AI Memory and Personalization
To provide a more personalized and contextually relevant experience, our AI may develop and retain a contextual understanding of your live-streaming sessions, including interaction preferences, conversation patterns, and user-specified configurations. This information may be stored in our databases to maintain continuity of service across sessions. You may request deletion of this data at any time through your account settings or by contacting us.
2. How We Use Your Information
We use your information mainly for the following purposes:
- Provide and maintain services: Create and manage your account, run the AI Bots you configure.
- Process transactions: Process your plan purchases and top-up code redemption requests.
- Personalize experience: Optimize and improve our services based on your usage and feedback.
- Security protection: Prevent fraud, abuse, and protect the security of our services and other users, for example through rate limiting and human verification.
- Communicate with you: Send you emails related to account verification, password reset, service updates, and customer support.
4. International Data Transfers
Our services are based on a global cloud infrastructure. Consequently, your personal information may be transferred to, stored, and processed on servers located outside of your country or region, where data protection laws may differ from those in your jurisdiction. Regardless of where your information is processed, we will handle it in accordance with this Privacy Policy. Our infrastructure providers maintain Data Processing Agreements (DPAs) incorporating EU Standard Contractual Clauses (SCCs) for international data transfers where applicable, and we take necessary technical measures to ensure your data is adequately protected.
6. Your Rights and Choices
You have control over your personal information:
Access and Correction: You can log into your profile page at any time to access and modify your information, such as your name.
Data Deletion: You can delete your account at any time through the self-service option in your account settings. Your account will be deactivated immediately, and all personal information and configuration data associated with your account will be permanently purged within 30 days (unless otherwise required by law).
Unsubscribing from Emails: You can opt out of receiving our marketing emails at any time by using the unsubscribe link included in them.
Legal Requests: If we receive a government or legal data request concerning your account, we will notify you to the extent permitted by law before disclosing any information.
7. Data Security
Your trust is paramount. We take data security seriously and have designed a multi-layered, Defense-in-Depth system to protect your information, ensuring that your core sensitive data remains secure even if some components are compromised.
7.1. Password Security
We store your login password only as a salted, one-way hash (bcrypt). This means your original password is never stored in plain text in our database. Not even our internal engineers can see or recover your original password. In a worst-case scenario, if the database were accessed, an attacker would only obtain irreversible hash values.
7.2. Platform Account Credential Security
This is the core of our security design. All platform access credentials (both OAuth tokens and cookies) are encrypted using the AES-256-GCM algorithm with a high-strength application-layer key, which is stored independently from the database. This means that even if our database server were to be fully compromised, an attacker would only obtain meaningless encrypted gibberish and would be unable to access your original credentials. Decryption operations are performed only in a strictly authenticated in-memory environment, thereby providing the maximum possible protection for your accounts on third-party platforms. For OAuth-based platforms, we additionally benefit from the platform's built-in security features, including token expiration and the ability to revoke access at any time through the platform's account settings.
7.3. Security in Transit
We use industry-standard TLS/SSL to encrypt all network data transmissions between your browser and our servers, as well as between our services and third-party services, to prevent data from being intercepted or tampered with during transit.
7.4. Inter-Service Communication Security
All internal API calls between the microservices distributed across different servers in our system are protected using keyed-hash message authentication codes (HMAC-SHA256). Each request includes a time-sensitive signature, effectively preventing request forgery, replay attacks, and unauthorized internal service access.
7.5. Regular Reviews
We regularly review our data collection, storage, and processing practices to ensure they align with the latest security standards and best practices.
8. Data Retention
We retain your personal information only for as long as reasonably necessary to fulfill the purposes described in this policy, or as required or permitted by applicable law. The specific retention period may vary depending on the nature of the data and the purpose for which it was collected.
- As long as your account is active, we will keep your account information and configuration data.
- When you request deletion of your account, we will securely delete your personal identity information within a reasonable time (e.g., 30 days), unless there are special circumstances.
- To comply with financial and legal obligations (e.g., tax, accounting, or anti-fraud requirements), some transaction records may be retained for several years after your account is closed.
- Please note that your data may be retained in our backup systems for a limited time until the backup cycle ends and the backup data is securely overwritten.
- AI-generated contextual data and contextual memory may be retained for as long as your account remains active, and will be deleted upon account deletion unless otherwise required by law.
9. Children's Privacy
Our services are not directed to children under the age of 13.
We do not knowingly collect personally identifiable information from children under 13. If you are a parent or guardian and discover that your child has provided us with personal information without your consent, please contact us immediately.
If we become aware that we have collected personal information from a child without parental or guardian consent, we will take steps to remove that information from our servers immediately.
10. Changes to This Privacy Policy
We reserve the right to modify this Privacy Policy at any time to reflect changes in our services or updates to legal requirements, so please review it frequently.
For non-material changes (such as correcting typos or formatting adjustments), we will only update the "Last Updated" date at the top of this page.
If we make material changes to this policy, we will provide you with a clear notice before the changes take effect, through one or more of the following methods:
- Posting a prominent notice on our website;
- Sending a notification email to your registered email address;
- Displaying an update prompt the next time you log in to our service.
Your continued use of our services after the changes take effect signifies your full acceptance of and agreement to the revised Privacy Policy.
11. Contact Us
If you have any questions, comments, or concerns about this Privacy Policy, please contact us via:
Email: [email protected]