Last updated June 2026
This page is maintained by Medstack Limited to answer common security and privacy questions about Monj. It describes the controls we currently have enabled in the app and the shared responsibilities between us, our infrastructure provider and you. It is editable product content, not an independent audit or certification.
Monj runs on managed cloud infrastructure provided by Supabase. Supabase is responsible for the security of the underlying platform (physical data centres, managed Postgres, network protection). Medstack Limited is responsible for how Monj is built and configured on top of it — access rules, what data we collect, how we store it, and how long we keep it. You are responsible for keeping your account credentials private and choosing what information to share with the app.
All traffic between your device and Monj is encrypted in transit using HTTPS/TLS. Data at rest is stored on Supabase's managed Postgres infrastructure, which provides encryption at the storage layer. We do not currently offer customer-managed keys or end-to-end encryption of your records.
We collect the minimum information needed to run the service: account details (email), profile details (name), and the health information you choose to log (medication, dose, height, weight, goals, safety answers). Full details — including our lawful basis under UK GDPR — are in our Privacy Policy.
We do not sell your personal information, and we do not use your health data for advertising.
If we add a new subprocessor that processes personal data, we will update this page and our Privacy Policy.
You can delete your account from within the app. When you do, your account is soft-deleted immediately and scheduled for permanent erasure after a 30-day recovery window. A scheduled job (authenticated with a server-only secret) hard-deletes accounts whose recovery window has elapsed, removing your records from the authentication system and the linked application tables.
You can access, correct or delete your data from within the app, withdraw consent at any time, and contact us to exercise any other rights you have under UK GDPR. See the Privacy Policy for the full list and how to contact the ICO if you have a concern.
If you believe you've found a security vulnerability in Monj, please email security@monj.app with details so we can investigate. Please do not test against other people's accounts or data.
Monj is a UK-based consumer companion app and is not currently certified to SOC 2, ISO 27001, HIPAA or PCI DSS. We design the product to be consistent with UK GDPR obligations as a data controller and review our practices as the product evolves. We will update this page if our certification status changes.