Effective date: April 25, 2026

Last updated: April 25, 2026

Monolo Privacy Policy

1. Scope

This Policy applies to everyone who uses the Services. That includes attorneys, paralegals, and law firm staff who use Monolo to manage immigration cases. It also applies to the people whose information is entered into the Services by those users, such as immigration petitioners, beneficiaries, and their family members.

When a law firm uses Monolo to serve its clients, the law firm controls the client data and Monolo processes it on the firm's behalf. We handle that data only on written instructions from the firm and only under this Policy.

2. Information We Collect

We collect the following categories of information:

Account and contact information. Name, email address, phone number, job title, law firm or employer name, and login credentials.

Immigration case information. Data that users enter about petitioners, beneficiaries, employers, and family members to prepare and track immigration filings. This can include full legal name, date of birth, country of birth, country of citizenship, Alien Registration Number (A-Number), passport and travel document data, prior U.S. immigration history, work history, education, family ties, and any other data required by U.S. Citizenship and Immigration Services (USCIS) forms.

USCIS case status data. When a user asks us to check a case with USCIS, we send a request to USCIS's Case Status API using the receipt number the user supplies. We store the reply from USCIS (status text, last updated date, form type, and related case details) with the user's account so the user can view and track that case in Monolo.

Payment information. When users pay for the Services, our payment processor collects card or bank data directly. Monolo does not store full card numbers. We keep billing records such as the amount charged, the date, and a last-four reference for receipts and taxes.

Device, log, and usage information. IP address, browser type, device identifiers, pages visited, features used, and timestamps. We collect this through cookies, log files, and similar tools.

Support and communications. Messages you send to us (support tickets, emails, chat) and our responses.

We do not intentionally collect geolocation beyond city-level IP inference, nor do we collect biometric data, precise medical records, or any other category not listed above. We do not sell personal information.

3. How We Use Information

We use the information we collect to:

  • Provide, operate, and improve the Services, including preparing immigration forms and checking case status with USCIS on the user's behalf;

  • Create and secure user accounts, authenticate users, and prevent fraud or abuse;

  • Process payments and send invoices and receipts;

  • Respond to questions, requests, and support tickets;

  • Send service notifications, policy updates, and, where permitted, product announcements;

  • Comply with legal obligations, including responses to lawful requests from government authorities; and

  • Analyze aggregate, de-identified usage patterns to improve the product.

We do not use personal information for automated decision-making that produces legal or similarly significant effects without human review.

4. How We Share Information

We share personal information only in the limited cases below. Every third party that receives personal information from us is bound by contract to the terms of this Privacy Policy. They must meet privacy and security duties at least as strong as ours. They may use the data only for the purpose we approve and must delete or return it when our contract ends.

Within the law firm or account. Data entered by a law firm is visible to users that the firm has authorized.

With USCIS. When a user checks a case, we send the receipt number and related request data to USCIS through its official API. USCIS's handling of that data is covered by USCIS policy, not this Policy.

With service providers (subprocessors). We use vendors to host, secure, and run the Services. Our current named subprocessors are:

  • Amazon Web Services (AWS) — cloud hosting and encrypted data storage (United States regions);

  • Render — cloud hosting and application deployment;

  • Stripe — payment processing and billing data storage;

  • Resend — transactional and notification email delivery;

  • Sentry — application error monitoring.

We will update this list before we add or change a subprocessor that handles personal information. You can see the current list any time on this page, and account admins will be notified by email of material changes at least 30 days in advance.

With professional advisors. We may share data with our lawyers, auditors, and insurers under duties of confidentiality.

For legal reasons. We may share data when required by law, subpoena, court order, or other valid legal process. We may also share it to protect the rights, property, or safety of Monolo, our users, or others.

With your direction. We share data with any other party you tell us to share it with.

We do not sell personal information, and we do not share it with marketers or ad networks.

5. Data Retention

We keep personal information only as long as needed to provide the Services and to meet our legal, accounting, or reporting obligations.

Active accounts. We retain account and case information for as long as the account is active.

Dormant accounts. An account is considered dormant if there is no login and no API activity for two (2) years. We will send a reminder email before we act. If the account remains dormant for 30 days after that reminder, we will delete or de-identify the data associated with it, except for records we are legally required to keep (for example, billing records for tax purposes).

Deleted accounts and records. Monolo does not currently offer an in-app self-service option to delete an account or its records. By default, when a law firm or one of its clients (beneficiaries, petitioners, or family members) asks to remove data from the Services, we perform a soft delete: the account or record is deactivated and hidden from the Services, but remains stored in our systems. Soft-deleted data is retained so that it can be restored if the removal was accidental or if access is later reinstated. If a law firm, or a client whose data a law firm manages in Monolo, wants data permanently and fully erased from our platform, they must contact info@monolo.co to request a hard delete. Once verified, we will permanently delete the data within 30 days, except for records we are legally required to retain.

Backups. Residual copies of deleted information may persist in encrypted backups for up to 90 days before they are overwritten. During that period the data remains protected under this Policy and is not used for any purpose other than disaster recovery.

6. Your Right to Delete Your Data

You can request deletion of your personal information at any time. Monolo does not currently provide an in-app self-service deletion option, so all deletion requests are handled by our support team. Monolo offers two types of deletion:

Soft delete (default). When a law firm or one of its clients asks us to remove an account or record, we deactivate it and hide it from the Services. The underlying data remains stored in our systems so that it can be restored if the removal was accidental or access is later reinstated. Soft-deleted data is still protected under this Policy.

Hard delete (permanent erasure). If you want your data permanently and fully erased from our platform, you must contact our team. To make a request:

  1. Email info@monolo.co from the address associated with your account.

  2. Tell us the account or data you want permanently deleted and state that you are requesting a hard delete.

  3. We will confirm the request and, once verified, permanently delete the data within 30 days. You will receive a confirmation email when deletion is complete.

If a law firm controls the account that holds your data (for example, you are a beneficiary whose case is managed by a firm), please contact that firm first. If you cannot reach them, write to us at info@monolo.co and we will coordinate the request.

Some information may be retained after deletion only to the extent required by law (for example, tax and billing records), and encrypted backups may persist for up to 90 days as described in Section 5.

7. Your Privacy Rights

Depending on where you live, you may have additional rights, including:

  • The right to access the personal information we hold about you;

  • The right to correct inaccurate information;

  • The right to request deletion (see Section 6);

  • The right to restrict or object to certain processing;

  • The right to receive a copy of your data in a portable format; and

  • The right to withdraw consent where processing is based on consent.

To exercise any of these rights, email info@monolo.co. We will respond within 30 days. We will not discriminate against you for exercising any privacy right.

California residents (CCPA / CPRA). If you live in California, you have the rights listed above. You also have the right to know what personal information we collect, how we use it, whom we share it with, and (if it applied) whether we sell or share it. We do not sell personal information and we do not share it for cross-context behavioral advertising. Client data that law firms place in Monolo for case work is not "sold" or "shared" under CCPA/CPRA, because we handle it only as a service provider on the firm's written instructions. You may name an agent to act on your behalf. We will verify your identity before we act on any request. To send a CCPA request, email info@monolo.co with the subject line "California Privacy Request."

8. Data Security

We protect your data with a mix of people, process, and technology controls. These include:

  • Encryption in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent), including for backups;

  • Role-based access with a least-privilege rule;

  • Logging and alerts on access to production systems;

  • Secure coding practices and regular checks of third-party libraries;

  • Vendor security reviews before we add a subprocessor; and

  • Privacy and security training for our staff.

No system is perfect. If we learn of a data breach that affects your personal information, we will notify you without undue delay and within 72 hours of confirming the breach where feasible. Our notice will tell you:

  • What happened and when;

  • What types of data were affected;

  • What we are doing about it;

  • Steps you should take to protect yourself, such as resetting your password, turning on multi-factor login, and watching your accounts for unusual activity; and

  • How to reach us for more help.

We will also notify regulators where the law requires it.

9. Children's Privacy

Monolo is a professional tool used by law firms and is not directed to children. Law firms may enter information about children in an immigration case (for example, derivative family members) as part of their legal work. We treat that information with the same protections described in this Policy. We do not knowingly collect personal information directly from children under 13.

10. International Users

Monolo is operated from the United States. If you use the Services from outside the United States, your information will be transferred to and processed in the United States, where data protection laws may differ from those in your country. By using the Services, you consent to this transfer.

11. Cookies and Tracking

We use cookies and similar technologies to keep you logged in, remember preferences, and measure how the Services are used. You can control cookies through your browser settings. Disabling cookies may affect core features such as login.

We do not use cookies or similar technologies for cross-site advertising.

12. Changes to This Policy

We may update this Policy from time to time. When we make a material change, we will:

  1. Post the updated Policy on our website with a new "Last updated" date;

  2. Email account admins a plain-language summary of what changed at least 30 days before the change takes effect; and

  3. Ask for your active consent before the change applies to you. The next time you sign in, you will see a notice with the summary and two choices: click "I agree" to accept the new Policy, or use Section 6 to export or delete your data before the new Policy takes effect. If you do neither within the 30-day notice period, we will pause access to affected features until you make a choice, and your data will stay protected under the current Policy during that pause.

For non-material changes such as typo fixes or clarifications, we will update the "Last updated" date without asking for new consent.

13. Business Transfers, Mergers, and Closures

If Monolo is part of a merger, sale, financing, reorganization, bankruptcy, or other business change, your personal information may move to the new or buying company. Before any transfer happens:

  1. We will email you at least 30 days before the transfer takes effect;

  2. We will require the new owner to follow this Privacy Policy, or to offer privacy protections that are at least as strong; and

  3. You will have a clear choice: (a) stay with the new owner under equal or stronger protections, or (b) export or delete your data under Section 6 before the transfer closes.

If Monolo shuts down its business, we will give you the same 30-day email notice and the same choice to export or delete your data before any transfer or final shutdown.

14. Do Not Track

Some browsers send a "Do Not Track" (DNT) signal. Because there is no industry-standard interpretation of DNT, the Services currently do not respond to DNT signals. We will update this section if that changes.

15. Contact Us

Questions, concerns, or requests about this Policy can be sent to:

MONOLO
Email: info@monolo.co
Phone: (949) 500-7949
Mailing address: 41 Madison Ave, Floor 31, New York, NY 10010-2345, United States

We aim to respond to all privacy requests within 30 days.