Privacy Policy of OMLAB DIGITAL LTD (OnlyMonster)

Effective Date:

Previous Version:

1. Introduction

OMLAB DIGITAL LTD ("OnlyMonster", "we", "us", "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our software-as-a-service platform, including the website at onlymonster.ai, desktop applications, browser extensions, and all related services (collectively, the "Service").

It is important that you read this Privacy Policy together with our Terms and Conditions and any separate Data Processing Agreement (DPA) that may apply to you. This policy uses definitions from our Terms and Conditions. In case of any conflict between documents, the order of precedence defined in the Terms and Conditions shall apply.

2. Important Information and Who We Are

2.1. Controller vs. Processor - A Critical Distinction

  • For Personal Data of Our Direct Users (Organization Representatives, Creators): When you create an account, contact support, or pay for a subscription, OMLAB DIGITAL LTD is the Data Controller. This policy primarily addresses this relationship.
  • For Personal Data Processed Through Our Service on Behalf of Our Clients (e.g., Fan Data, Creator Data): When our client (Organization) uses the Service to process personal data (e.g., data of Fans, Creators), the legal roles change:
      • The Organization (Our Client) is the Data Controller. They determine the "why" and "how" of the processing.
      • OnlyMonster acts strictly as a Data Processor. We process such data only on the documented instructions of the Organization and in accordance with a Data Processing Agreement (DPA), which is incorporated into our Terms and Conditions.
  • If you are a Fan or a Creator whose data is being processed by an Organization via OnlyMonster, your primary point of contact for privacy rights is that Organization. We assist them in fulfilling such requests in accordance with our DPA obligations.

3. The Data We Collect About You

We collect, use, store, and transfer different kinds of personal data, which we have grouped together as follows:

Category | Examples
Identity & Contact Data | Name, username, email address, Telegram ID, profile picture.
Account & Profile Data | Login credentials, team roles, preferences, support query history.
Financial & Transaction Data | Billing address, payment method details (via tokenised payment processors), subscription history, invoice details.
Technical & Usage Data | IP address, login data, browser type/version, time zone, device identifiers, operating system, platform, and other technology on the devices you use to access the Service. Details of your use of the Service (pages visited, features used, clickstream data).
Marketing & Communications Data | Your preferences in receiving marketing from us and your communication preferences.
Analytics Data | Aggregated, anonymized, or pseudonymized insights, scores, and predictions generated by the Service through automated processing of User-Provided Data (e.g., fan spending propensity, churn risk, Chargeback Data).
Chargeback Data | Information processed by the Service regarding the history and patterns of payment reversals, which may be included in Analytics Data.
Content Data (as Controller) | Information you voluntarily provide in support requests, feedback, or content uploaded to public-facing website features.
Organization-Provided Data (as Processor) | Data uploaded or imported by our Agency clients into the Service, which may include, but is not limited to: Fan identifiers (usernames, aliases), Creator data, interaction data (messages, purchase history), and media files. We process this data strictly as a Processor under our clients' instructions. Organization-Provided Data includes revenue and earnings data, marketing performance, chat performance metrics, automation history, fan interaction data, custom fields, internal notes, sheet names, and operational metadata.

We do not intentionally collect any Special Categories of Personal Data (as defined in GDPR Article 9) about you directly. If an Organization uploads such data to the Service, they do so as the responsible Controller and must have a valid legal basis under Article 9(2).

4. How We Use Your Personal Data (Our Purposes as Controller)

We will only use your personal data (where we are the Controller) when the law allows us to. The table below describes our lawful bases for processing.

Purpose / Activity | Type of Data | Lawful Basis for Processing
To register you as a new user and manage your account. | Identity, Contact, Account | Performance of a contract with you.
To provide the core Service (analytics, Media Hub, automation tools), including generating Analytics Data. | All categories relevant to the Service features used, including Usage Data, Analytics Data, and Chargeback Data. | Performance of a contract with you. Legitimate Interests (to provide a stable, accurate, and improving service).
To process and manage payments, fees, and charges. | Identity, Contact, Financial, Transaction | Performance of a contract. Necessary for compliance with a legal obligation (e.g., tax).
To manage our relationship with you (notify of changes, ask for feedback). | Identity, Contact, Profile, Marketing | Performance of a contract. Necessary to comply with a legal obligation. Legitimate Interests (to keep records updated and study how customers use our services).
To administer and protect our business and the Service (troubleshooting, data security, system maintenance). | Identity, Contact, Technical | Legitimate Interests (for running our business, provision of IT services, network security, fraud prevention).
To deliver relevant website content and measure effectiveness. | Identity, Contact, Profile, Usage, Marketing, Technical | Legitimate Interests (to study how customers use our services, to develop them, to grow our business, and to inform our marketing strategy). Consent (for non-essential marketing cookies on our website).
To use data analytics to improve the Service, customer relationships, and experiences. | Technical, Usage, Analytics | Legitimate Interests (to define types of customers for our services, to keep our website updated and relevant, to develop our business).

5. Purposes of Processing as a Data Processor

When acting as a Processor for our clients, we process personal data solely for the purposes and in the manner specified in the DPA and the client's lawful instructions, which typically include:

  • To host, store, and secure data on our infrastructure.
  • To execute data analytics and generate Analytics Data (including Chargeback Data) as per the Service's functionality.
  • To provide technical support and maintenance for the Service.
  • To comply with applicable laws or valid legal requests, as instructed by the Controller or as required by law.

We collect the following types of data as a Data Processor:

  • Data about Creator account transactions (transaction size, type, who performed it, date, and chargebacks, i.e. whether the transaction was reverted)
  • Data about Creator messages (we store all sent and received messages: text, date, receiver)
  • Chatter data (workers’ performance on the creator page): we track when a chatter accesses the page, sends a message, or makes a sale, and track their activity and inactivity times
  • Data about fans who follow the Creator (username, start date of following, end date of subscription)
  • Fanbase online status for the creator (which fan is online within a given amount of time)
  • Transaction data about fans’ purchasing history (transaction size, date, transaction frequency)
  • Data about marketing link performance (fans clicked, subscribed, total amount of fans and total spend of fans)

The following is user-input data that users generate on our platform:

  • message templates
  • fan notes, location, preferences
  • automated messages and priority messages generated on the platform (message dates, recipient lists and purchase metrics)
  • dynamic lists (list of fans matching the criteria)
  • manual input about creator tone of voice / biography
  • media uploaded to mediahub
  • Members with organisations and their roles and permissions
  • Referrals earnings statistics

6. Disclosures of Your Personal Data

We may share your personal data with the parties set out below for the purposes described in this policy.

  • Internal Third Parties: Other companies within our corporate group acting as joint controllers or processors.
  • External Third Parties:
  • Service Providers: Acting as processors who provide IT, system administration, payment processing, and hosting services (e.g., AWS, Google Cloud, payment gateways). A list of key sub-processors is available in our DPA.
  • Professional Advisers: Acting as processors or joint controllers including lawyers, bankers, auditors, and insurers.
  • Regulators and Authorities, Courts and Tribunals: Where disclosure is required by law, by court order, or to exercise, establish, or defend our legal rights or to comply with a Legal Hold as defined in our Terms and Conditions and DPA.
  • Our Clients (Organizations, Creators): If you are a Creator or an employee/representative of an Organization, your account data and usage data may be visible to the administrators of that Organization account, as per the Service's functionality. The Organization is the Controller for this intra-account data sharing.
  • Third Parties in Corporate Events: To a buyer or successor in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process it for specified purposes and in accordance with our instructions.

7. International Transfers

We operate globally. Your personal data may be transferred to, and processed in, countries other than your country of residence (e.g., Cyprus, the UK, the US) where our servers or service providers are located.

We ensure an adequate level of protection is provided by using one of the following safeguards:

  • Transfers to countries with an adequacy decision.
  • Standard Contractual Clauses (SCCs) approved by the European Commission, together with the UK International Data Transfer Addendum where applicable.
  • EU-US Data Privacy Framework for certified US providers.

You can request details of these mechanisms by contacting our DPO.

8. Data Security

We have implemented appropriate technical and organizational measures to secure your personal data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

These measures are detailed in Annex II of our DPA and include encryption (at rest and in transit), strict access controls, regular security testing, and more. As a Processor, we provide these same security standards for our clients' data.

9. Data Retention

9.1. Retention as Controller.

We retain your personal data (where we act as Controller) only for as long as necessary to fulfil the purposes outlined in Section 4, including for the purposes of satisfying any legal, tax, accounting, or reporting requirements.

9.2. Retention as Processor.

We retain Organization-Provided Data strictly in accordance with the duration specified in our DPA with the relevant client, which is typically for the term of the Service agreement.

9.3. Legal Hold & Extended Retention.

Notwithstanding the above, we may retain encrypted copies of your personal data (whether we act as Controller or Processor) for an extended period when necessary: (i) to comply with a legal or regulatory obligation; (ii) to resolve a dispute; (iii) to enforce our agreements (including the Terms and Conditions and the DPA); or (iv) to establish, exercise, or defend our legal claims.

This right, known as Legal Hold, is detailed in our Terms and Conditions and our Data Processing Agreement.

9.4. Deletion.

Upon expiration of the applicable retention period, or upon your valid request (where applicable), we will securely delete or irreversibly anonymize your personal data in accordance with our standard data destruction procedures, except for data subject to a Legal Hold.

10. Your Legal Rights (as a Data Subject)

Under certain circumstances, you have rights under data protection laws in relation to your personal data where we act as Controller.

  • Request access to your personal data.
  • Request correction of your personal data.
  • Request erasure of your personal data.
  • Object to processing of your personal data.
  • Request restriction of processing your personal data.
  • Request transfer of your personal data (data portability).
  • Withdraw consent at any time where we rely on consent to process your personal data.

If you wish to exercise any of these rights, please contact us at [email protected].

10.1. Exercising Rights Regarding Data We Process as a Processor

If your personal data is being processed by an Organization using our Service, and you wish to exercise your rights, you should contact that Organization directly.

They are the Data Controller. We will assist our clients in fulfilling such requests in accordance with our DPA obligations.

11. Cookies and Similar Technologies

Our Service uses cookies and similar tracking technologies to distinguish you from other users. This helps us provide you with a good experience, improve our Service, and understand how it is used.

For detailed information on the cookies we use, the legal bases, and how to manage your preferences, please see our separate Cookies & Tracking Technologies Policy.

12. Changes to This Privacy Policy

We may update this policy periodically. The "Last Updated" date at the top will indicate when changes were made.

We will notify registered users of any material changes via email to the address associated with their Account or via an in-Service notice, in accordance with our Terms and Conditions.

Continued use of the Service after such notification constitutes acceptance of the revised policy.

13. Contact Details & Complaints

Our full company details:

OMLAB DIGITAL LTD
Ifigeneias, 14, 3036, Limassol, Cyprus

Data Protection Officer (DPO): [email protected]
General Inquiries: [email protected]

You have the right to lodge a complaint with a supervisory authority, in particular in the EU country of your habitual residence, place of work, or place of the alleged infringement. In Cyprus, this is the Office of the Commissioner for Personal Data Protection (www.dataprotection.gov.cy). In the UK, this is the Information Commissioner's Office (ICO) (www.ico.org.uk).

Strictly necessary cookies are placed automatically. Analytics and marketing cookies are deployed only where consent is obtained in accordance with GDPR and ePrivacy rules.

Data Protection Officer (DPO)

OnlyMonster has appointed a Data Protection Officer in accordance with the GDPR. The DPO has expert legal knowledge in data protection, information security, and digital law and oversees compliance with applicable data protection legislation.

You may contact our DPO regarding any questions about personal data processing or your rights at: [email protected]