PRIVACY POLICY

Monkey Brain LLC, operator of the Monkey DESK (M:DESK) platform, is committed to protecting the privacy and security of the personal information of its Users, Clients, and visitors. This Privacy Policy describes how we collect, use, store, disclose, and protect your personal information in compliance with applicable laws, including Puerto Rico Act 81-2019 on the Protection of Privacy and Data, the Federal Trade Commission Act (FTC Act), the Children's Online Privacy Protection Act (COPPA), and other applicable regulations in Puerto Rico and the United States of America.

‍

1. INFORMATION WE COLLECT

1.1 Information You Provide Directly

When you create an account, subscribe to a plan, complete forms, or contact us, we may collect:

• Full name and business or trade name
• Email address
• Phone number (mobile and/or landline)
• Postal or business address
• Billing and payment information (processed by Stripe; M:DESK does not store card data)
• Username and password (stored in encrypted format)
• Tax information (EIN, SSN, or other identifier, where applicable)
• Content, data, files, images, and documents you upload to the Platform

1.2 Automatically Collected Information

When you access the Platform or visit our website, we may automatically collect:

• IP address
• Browser type and version
• Operating system and device used
• Pages visited and browsing time
• Referring URL (site from which you arrived)
• Cookie data, tracking pixels, and similar technologies (see our Cookie Policy)
• Platform feature usage data

1.3 Information from Third Parties

We may receive information about you from sources such as:

• Payment platforms (Stripe) regarding completed transactions
• Integrated service providers (Twilio for SMS/VOIP, Mailgun for email, Google for calendar integration)
• Social networks when you connect those accounts to the Platform
• Business partners and referral programs

1.4 User's Customer Data

When you, as an M:DESK subscriber, use the Platform to manage your own clients ('End Clients'), you control the data entered into the system. In relation to such data, Monkey Brain LLC acts as a data processor on behalf of the subscriber. You, as the subscriber, are the data controller and are responsible for: (a) obtaining necessary consents from your End Clients; (b) informing them about the processing of their data; and (c) responding to any data rights requests from End Clients.

‍

2. HOW WE USE YOUR INFORMATION

We use the information collected for the following legitimate purposes:

• To provide, maintain, improve, and personalize M:DESK Platform services
• To process transactions and manage your subscription account
• To send service-related communications (confirmations, notifications, updates)
• To provide technical support and customer service
• To send commercial and marketing communications (with your consent or as permitted by law)
• To analyze usage patterns to improve the User experience
• To detect, prevent, and investigate fraud, unauthorized activity, or violations of these Terms
• To comply with applicable legal, regulatory, and tax obligations
• To enforce our Terms and Conditions
• To operate artificial intelligence (AI) features available on the Platform

‍

3. LEGAL BASIS FOR PROCESSING

The processing of your personal data is based on one of the following legal bases:

• Performance of a contract: to provide the services you have requested.
• Consent: for marketing communications, use of non-essential cookies, and other optional processing.
• Legitimate interest: to improve the Platform, prevent fraud, and maintain security.
• Legal obligation: to comply with requirements from governmental or regulatory authorities.

‍

4. DISCLOSURE OF YOUR INFORMATION

4.1 Subprocessors and Service Providers

To operate the M:DESK Platform, we share information with service providers acting as subprocessors. These include, but are not limited to:

• Primary Infrastructure Provider — Enterprise platform services, CRM, and data management
• Stripe, Inc. — Secure payment processing
• Twilio, Inc. — SMS and VOIP communications
• Mailgun — Transactional email delivery
• Google LLC — Calendar integration, advertising, and web analytics
• Meta Platforms, Inc. — WhatsApp Business API and social media integration

‍

All technology partners and subprocessors are subject to contractual agreements obligating them to maintain the confidentiality and security of your data and to use it only for authorized purposes. The names of our strategic technology partners are not publicly disclosed for operational security and commercial strategy reasons.

4.2 Legal Disclosure

We may disclose your information when required by law, in response to valid legal processes, to comply with court or governmental orders, or when we reasonably believe disclosure is necessary to protect the rights, property, or safety of Monkey Brain LLC, its Users, or others.

4.3 Business Transfers

In the event of a merger, acquisition, asset sale, or corporate reorganization, your information may be transferred as part of the process. In such case, we will notify you before your data becomes subject to a different privacy policy.

4.4 We Do Not Sell Your Data

Monkey Brain LLC does NOT sell, rent, or exchange your personal information with third parties for commercial purposes unrelated to the provision of M:DESK services.

‍

5. DATA RETENTION

We retain your personal information for as long as your account is active or as necessary to provide you services, comply with our legal obligations, resolve disputes, and enforce our agreements. After account cancellation, we may retain certain information for up to thirty-six (36) months as required by applicable laws, after which we will delete or anonymize it.

‍

6. YOUR RIGHTS

Depending on your jurisdiction, you may have the following rights regarding your personal information:

• Right of access: request a copy of the personal data we hold about you.
• Right of rectification: request correction of inaccurate or incomplete data.
• Right of erasure: request deletion of your data in cases permitted by law.
• Right of portability: receive your data in a structured, machine-readable format.
• Right to object: object to the processing of your data for direct marketing purposes.
• Right to withdraw consent: withdraw your consent at any time for consent-based processing.

‍

To exercise any of these rights, send your request to: Hello@monkeydesk.io. We will respond within no more than thirty (30) calendar days. We may request identity verification before processing your request.

‍

7. INFORMATION SECURITY

We implement reasonable technical, administrative, and physical security measures to protect your information against unauthorized access, loss, alteration, or destruction. These measures include:

• Data encryption in transit using TLS/SSL protocol
• Password encryption using secure hashing algorithms
• Role-based access control within the Platform
• Continuous security monitoring
• Subprocessors certified under recognized security standards (SOC 2, ISO 27001, PCI DSS)

‍

However, no internet data transmission system or electronic storage is completely secure. In the event of a security breach affecting your personal data, we will notify you in accordance with applicable law in the shortest reasonable time possible.

‍

8. CHILDREN'S PRIVACY (COPPA)

The M:DESK Platform is directed exclusively to individuals 18 years of age or older and is not designed for use by minors. We do not intentionally collect personal information from children under 13 years of age. If we become aware that we have collected personal information from a child under 13 without the verifiable parental consent required by COPPA, we will promptly delete such information. If you believe we may have information from a minor, please contact us at Hello@monkeydesk.io.

‍

9. ARTIFICIAL INTELLIGENCE

Some M:DESK features use artificial intelligence (AI) tools to enhance the User experience. We do not use your personal information to train generalized or publicly available AI models. The use of AI is limited to providing the specific services you have contracted, through specialized subprocessors operating under restricted instructions.

‍

10. LINKS TO THIRD-PARTY SITES

The Platform may contain links to third-party websites. This Privacy Policy does not apply to those sites. We recommend reviewing the privacy policies of any external sites you visit. Monkey Brain LLC assumes no responsibility for the privacy practices of third parties.

‍

11. PROTECTED HEALTH INFORMATION (PHI) — HEALTHCARE SECTOR CLIENTS

The provisions of this section apply when M:DESK is used by healthcare providers or other Covered Entities under HIPAA.

11.1 Monkey Brain LLC's Role as Business Associate

When the M:DESK Platform is used by a HIPAA Covered Entity to manage patient-related information, Monkey Brain LLC acts as a Business Associate as defined in 45 C.F.R. § 160.103. In this role, Monkey Brain LLC may create, receive, maintain, or transmit Electronic Protected Health Information (ePHI) on behalf of the Covered Entity, exclusively for the purposes established in the Business Associate Agreement (BAA) in effect.

11.2 BAA Requirement

Monkey Brain LLC will not process PHI from any Covered Entity without a duly executed and effective Business Associate Agreement (BAA) between the Parties. The absence of a BAA constitutes a HIPAA violation that falls exclusively on the Covered Entity.

11.3 Permitted Uses of PHI

Under the BAA, Monkey Brain LLC will use patient PHI from the Covered Entity solely to:

• Provide the contracted business management services (CRM, communications, appointments, medical billing)
• Comply with applicable federal or state legal requirements
• Manage internal operations directly related to the services provided

‍

Monkey Brain LLC will NOT use PHI for: advertising, third-party marketing, data sales, or to train generalized artificial intelligence models.

11.4 ePHI Security

When the HIPAA Compliance Add-On is active, the M:DESK Platform implements additional security safeguards specific to ePHI, including: AES-256 encryption at rest, TLS encryption in transit, audit logs, enhanced access controls, and active BAA agreements with the underlying technology infrastructure provider.

11.5 Breach Notification

In the event of a security breach involving patient ePHI from the Covered Entity, Monkey Brain LLC will notify the Covered Entity without undue delay and in no case later than thirty (30) days after discovery of the breach. The Covered Entity is responsible for making HIPAA-required notifications to affected individuals and to HHS.

11.6 Patient Rights

Monkey Brain LLC will cooperate with the Covered Entity's requests related to patient rights under HIPAA, including requests for access, correction, restriction, and accounting of PHI disclosures, in accordance with the terms established in the BAA.

‍

12. CHANGES TO THIS POLICY

We reserve the right to update this Privacy Policy periodically. We will notify you of material changes through a notice on the Platform or by email at least fifteen (15) days before the changes take effect. Continued use of the Platform after notification will constitute your acceptance of the updated Policy.

‍

13. CONTACT — PRIVACY

If you have questions, concerns, or wish to exercise your privacy rights, please contact us:

‍

Monkey Brain LLC — Monkey DESK (M:DESK)

Privacy Officer: Hello@monkeydesk.io

Phone: (787) 558-5868

Support: Service@monkeydesk.io

Website: monkeydesk.io

Puerto Rico, United States of America

‍