👾 AlienMonster

Last updated: February 26, 2026

Privacy Policy

1. What data we collect

  • Account data: email address, display name (from magic link signup or Google OAuth profile)
  • Session data: canvas items (sticky note text, positions on board), stakeholder names/identifiers, lane assignments, session metadata (goal, key questions, participant roles, energy/confidence ratings)
  • AI analysis data: all generated analysis results — classifications, assumptions detected, tensions identified, themes clustered, facilitator notes, session reports
  • Artifacts: generated documents and exports
  • Technical data: IP address, browser type, error logs (via Sentry if configured)

2. How we use the data

  • Provide the service: run collaborative canvas sessions, generate AI analysis, create artifacts
  • Improve the service: anonymized, aggregated usage patterns only — never individual session content
  • Transactional emails: magic links, session invites, report notifications (via Resend)
  • Error tracking and debugging: via Sentry if configured

See also our Terms of Service.

3. Third-party data processors

Anthropic (Claude API) — AI analysis

  • Purpose: Session canvas data is sent to Anthropic's Claude API for AI analysis (classification, assumption detection, tension mapping, theme clustering, report generation)
  • Training: API data is never used to train or improve Anthropic's AI models. This is explicitly guaranteed in Anthropic's commercial terms.
  • Retention: Anthropic retains API data for up to 7 days for safety monitoring, then automatically deletes it. Content flagged for potential policy violations may be retained longer for trust-and-safety compliance.
  • Processing location: AI inference may occur in EU data centres. However, Anthropic's infrastructure and subprocessors are primarily based in the United States.
  • Data transfer: For European customers, transfers are covered by EU Standard Contractual Clauses (SCCs). Anthropic's EU contracting entity is Anthropic Ireland, Limited.
  • Security: SOC 2 Type II, ISO 27001:2022, ISO/IEC 42001:2023 certified.
  • DPA: A Data Processing Agreement is automatically included in Anthropic's commercial terms. Details. Full subprocessor list: anthropic.com/subprocessors

Resend (resend.com) — Email

  • Purpose: transactional emails (magic link login, session invites, report notifications)
  • Data sent: email addresses only
  • Location: United States. resend.com

Sentry (sentry.io) — Error tracking (if configured)

  • Purpose: error tracking and debugging
  • Data sent: error context, IP address, browser information
  • Location: United States. sentry.io

Hetzner (hetzner.com) — Hosting

  • Purpose: server hosting and data storage
  • Location: Falkenstein, Germany (EU). All primary data stored here. hetzner.com

4. Data storage and location

Primary data storage: PostgreSQL database on Hetzner VPS in Germany (EU). Your session data, analysis results, and artifacts are stored on European servers.

If you provide a third-party API key (e.g., Anthropic), we store it encrypted at rest and use it solely to process AI analysis on your behalf. Your key is retained until you delete it or close your account.

When AI analysis runs, canvas data is temporarily processed by Anthropic's Claude API. Inference may occur in EU data centres, but Anthropic's infrastructure includes US-based components. Transactional emails are processed by Resend (US-based). Error tracking data may be processed by Sentry (US-based) if configured.

We are building a Bring Your Own Key (BYOK) feature that will allow organizations to use their own AI provider — including EU-based or self-hosted models — for full data sovereignty.

5. Data retention

  • Account data: retained while your account is active
  • Session and project data: retained while the project exists in the platform
  • AI analysis results: retained alongside session data
  • Anthropic API: retains a copy of API data for up to 7 days, then deletes automatically
  • Deleted data: removed from active database on request. May persist in encrypted backups for up to 30 days.
  • You can request deletion of your data at any time by contacting us (automated self-service coming later).

6. Your rights under GDPR

If you are in the European Economic Area or UK, you have:

  • Right of access: request a copy of all data we hold about you
  • Right to rectification: request correction of inaccurate data
  • Right to erasure: request deletion of your data ("right to be forgotten")
  • Right to data portability: receive your data in a standard format (automated export coming later — available on manual request now)
  • Right to object: object to the processing of your data
  • Right to lodge a complaint: with your local data protection authority (in the Netherlands: Autoriteit Persoonsgegevens)

To exercise any of these rights, contact us at hello@alienmonster.ai.

7. Cookies

We use session cookies for authentication only. No tracking cookies, no advertising cookies, no third-party cookies. No cookie consent banner is needed because we don't use optional cookies.

8. Children

AlienMonster.ai is not intended for use by anyone under 16 years of age. We do not knowingly collect data from children.

9. Changes to this policy

We may update this policy as our service evolves. Registered users will be notified of material changes via email. The "Last updated" date at the top of this page will reflect the most recent revision.

10. Contact

For any privacy questions or data requests: hello@alienmonster.ai. We are based in Amsterdam, Netherlands.