Privacy Policy

Last updated: April 17, 2026

1. Who we are

MonCron (the "Service") is operated by HwangLabs (registration number 475-13-01727) ("we", "us", "our"), the data controller for the personal data described in this policy. MonCron is a cron-job monitoring and alerting service for software teams: you register scheduled jobs, push run telemetry and log lines to our API, and we tell you when those jobs fail, run late, or never start.

2. Data we collect

Account data. Email address, full name, and a hashed password you set during sign-up. We never store your password in plain text — it is hashed with bcrypt before persistence.

Project and job configuration. Project names, slugs, cron expressions, job identifiers, grace periods, and any payload metadata you choose to attach.

Execution data. Each time one of your jobs reports to MonCron via our API, we record the run ID, status, started/finished timestamps, computed duration, and the log lines you send.

API keys. We store only a salted hash of each API key plus a non-secret prefix/suffix for display. We can never recover the raw key from our database — revoke and reissue if you lose it.

Billing data. Paid subscriptions are processed by Lemon Squeezy (LS GmbH, a Merchant of Record). Lemon Squeezy collects and stores your billing information (card details, billing address, tax identifiers where applicable) under its own privacy policy. We receive only the subscription metadata required to manage your plan: order ID, plan name, status, renewal date, and the last four digits of your card.

Technical data. IP address, user agent, and request metadata used for authentication, rate limiting, abuse prevention, and incident investigation. We log authentication events (sign-in, password reset, API-key creation, API-key revocation) for security purposes.

Cookies. See Section 7 below for the full list of cookies we set, their purpose, and lifetime.

3. How we use it

  • Provide the Service: run your monitors, evaluate schedules, record executions, ingest logs, and deliver alerts.
  • Bill you: manage subscription lifecycle via Lemon Squeezy.
  • Communicate with you: transactional email only (sign-up confirmation, password reset, renewal notices, incident notifications). We do not send marketing email.
  • Keep the Service safe: detect abuse, prevent fraud, enforce quotas, and comply with applicable law.
  • Operate and improve: anonymised, aggregate usage statistics. We do not profile individual users for advertising.

We do not sell or rent your personal data. We do not use your data to train AI or machine-learning models.

4. Legal bases (EU / UK / EEA visitors)

We rely on the following GDPR legal bases:

  • Contract (Art. 6(1)(b)) — to provide the Service you signed up for.
  • Legitimate interests (Art. 6(1)(f)) — security, abuse prevention, service operation.
  • Consent (Art. 6(1)(a)) — optional cookies or communications that require it (where applicable).
  • Legal obligation (Art. 6(1)(c)) — tax, accounting, and law-enforcement requests.

5. How we store and secure data

  • Application traffic is served exclusively over HTTPS.
  • Passwords are hashed with bcrypt before persistence.
  • API keys are stored as hashes only; the raw key is shown to you exactly once at creation and never recoverable thereafter.
  • Database access is restricted to the application service account; no other MonCron user can read your projects, jobs, executions, or logs.
  • Authentication events and admin actions are recorded in a separate audit trail.
  • Sensitive operations (plan changes, API-key revocation, password reset) trigger email notifications to the account holder.

No system is perfectly secure. If we become aware of a breach affecting your data, we will notify you and the appropriate authorities as required by law.

6. Sub-processors and third parties

We share personal data only with the following service providers, strictly to operate the Service. None of these providers receive your data for advertising.

  • Lemon Squeezy (LS GmbH) — payment processing, billing, tax, and Merchant of Record.
  • Resend — transactional email delivery.
  • Our hosting and infrastructure providers — to operate the application and database.

We do not share personal data with any other third party except where required by valid legal process.

7. Cookies

MonCron uses only strictly necessary cookies — those required to deliver the Service you asked for. We do not use cookies for advertising, marketing, retargeting, or third-party analytics. Because every cookie we set is strictly necessary, no consent banner is required under the ePrivacy Directive (Art. 5(3)) or GDPR.

The cookies we set:

| Name | Purpose | Lifetime | Type |
|---|---|---|---|
| access_token | JWT used to authenticate API requests after sign-in. | Until access token expires (short-lived). | Strictly necessary |
| refresh_token | Long-lived token used to refresh the access token without re-authenticating. | Until refresh token expires or sign-out. | Strictly necessary |
| logged_in | UI flag so the frontend can render the signed-in state. | Matches access-token expiry. | Strictly necessary |
| pref_lang | Your selected interface language (en, ru). | 1 year. | Strictly necessary (user preference) |
| pref_mkt | Your market region (world, ru) — drives pricing currency and locale defaults. | 1 year. | Strictly necessary (user preference) |

All cookies are first-party, set with SameSite=Lax, and scoped to the MonCron domain. You can delete them at any time from your browser settings. Deleting the authentication cookies will sign you out; deleting the preference cookies will reset language and market to the defaults inferred from your browser.

If we ever add analytics, marketing, or third-party tracking cookies, we will update this section and present a consent banner before such cookies are set.

8. Email communications

We send transactional email only — no marketing. Categories include:

  • Account & lifecycle — registration confirmation, password reset, account deletion.
  • Billing — subscription confirmations, renewal notices, payment failures.
  • Product — incident notifications, quota alerts.
  • Security — critical account-security notifications (cannot be disabled).

9. Data retention

  • Account data — kept while your account exists. Deleted within 30 days after you close your account.
  • Execution data and logs — retained according to your plan's retention window (7 days on Free, 30 days on Starter, 90 days on Pro, 365 days on Business). Older entries are purged automatically.
  • Billing records — retained for as long as required by tax and accounting law (typically 6–10 years).
  • Security and audit logs — retained for up to 12 months.

If your account is inactive for more than 24 months, we may delete it after prior email notification.

10. Your rights

Depending on your jurisdiction (including the EU/EEA, UK, California, and the Republic of Korea), you may have the right to:

  • access a copy of the personal data we hold about you,
  • correct inaccurate data,
  • request deletion (right to be forgotten),
  • export your data in a portable format,
  • restrict or object to certain processing,
  • withdraw consent at any time (where processing is based on consent),
  • lodge a complaint with your local data-protection authority.

California residents (CCPA / CPRA): you also have the right to know the categories of personal information we collect, the right to delete that information, and the right to opt out of any sale or sharing of personal information. We do not sell personal information.

To exercise any of these rights, email [email protected]. We aim to respond within 30 days.

11. How to delete your data

You can permanently delete your MonCron account at any time from Settings → Account → Delete Account. When you confirm deletion:

  • Deletion is immediate and irreversible: projects, jobs, executions, logs, API keys, preferences, and subscription history are removed in the same request, and you are signed out.
  • A confirmation email is sent to your registered email address.
  • An audit record (your email and the time of deletion) is retained to satisfy legal and abuse-prevention obligations. No project, job, execution, or log data is part of this record.
  • Anonymised, aggregate analytics may be retained indefinitely with no personally identifiable information.

Once processed, your data cannot be recovered. There is no grace period.

12. International transfers

Our service providers may process data in countries other than your own, including the European Union, the United States, and the Republic of Korea. Where required, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses.

13. Children

MonCron is not directed at children under 16, and we do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, contact us and we will delete it.

14. Governing law

This Privacy Policy and our processing of your personal data are governed by the laws of the Republic of Korea, without prejudice to any mandatory data-protection rights you may have under the laws of your country of residence (including the EU/EEA GDPR, the UK GDPR, the CCPA/CPRA, and Korea's PIPA).

15. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email or through an in-app notice. The "Last updated" date at the top of this policy reflects the most recent revision.

16. Contact

For privacy questions, data requests, or to exercise any of your rights, email [email protected].


MonCron is operated by HwangLabs (registration number 475-13-01727).