MONOKO — PRIVACY NOTICE
Last Updated: 2026-05-17 Effective Date: 1 June 2026
This Privacy Notice describes how AEDOWON SINGAPORE PTE. LTD. (UEN 202612161D), operating the Monoko AI Ads Studio service ("Monoko", "we", "us", "our"), collects, uses, discloses, retains, and protects Your personal data when You access or use the Service.
This Notice is provided in compliance with:
- The Personal Data Protection Act 2012 of the Republic of Singapore (Singapore PDPA)
- The Personal Data Protection Act B.E. 2562 (2019) of the Kingdom of Thailand (Thailand PDPA)
- The EU General Data Protection Regulation 2016/679 (GDPR) and UK GDPR
- The California Consumer Privacy Act / California Privacy Rights Act (CCPA / CPRA)
- Other applicable data protection laws
PLAIN-LANGUAGE SUMMARY
- We are Aedowon Singapore, a Singapore-registered company. We are the sole controller and processor of Your data.
- We collect what we need to provide the AI Ads Studio service: account info, payment info, content You generate, usage telemetry, support correspondence.
- We share data only with Sub-Processors (AI providers, payment processors, hosting) listed in our Sub-Processor List, and only where necessary.
- You have the right to access, correct, delete, port, object to processing, and withdraw consent — via Account → Privacy or dpo@monoko.ai.
- We retain Your data only as long as necessary, then delete or anonymize.
- We do not sell or share Your personal data for cross-context behavioral advertising except where You have affirmatively opted in.
1. WHO WE ARE
Data Controller and Processor: AEDOWON SINGAPORE PTE. LTD. UEN: 202612161D Registered Office: 8 Temasek Boulevard, #17-02A, Suntec Tower Three, Singapore 038988 Contact: support@monoko.ai Data Protection Officer (DPO): dpo@monoko.ai
Aedowon Singapore is the sole data controller and sole data processor of personal data collected through Monoko, including data of Users resident in Thailand. Aedowon Singapore engages personnel located in various jurisdictions (including Thailand) as authorized agents bound by confidentiality and the technical and organizational measures set out in our Data Processing Addendum.
2. WHAT PERSONAL DATA WE COLLECT
We collect the following categories of personal data:
2.1 Data You Provide Directly
| Category | Examples | When Collected |
|---|---|---|
| Account Identity | Name, email, password (hashed), date of birth, country | At signup |
| Contact | Mobile phone (KYC), business name, organization | At signup or upgrade |
| Billing | Payment method tokens, billing address, tax ID, withholding-tax docs | At first paid subscription |
| Profile / Brand | Brand assets (logos, colors), product info, brand voice | When You configure Brand Setting |
| User Input | Text prompts, images, audio, files, brand assets, target-audience data | When You use the Service |
| Generated Content (Output) | Ad creatives, copy, social posts, video, audio | When AI generates content for You |
| KOS Identity Verification | Thai NID image / international passport image, issuing authority, ID number, name, DOB, photo | If You apply to the KOS Program |
| Affiliate / KOS Tax Forms | W-9 / W-8BEN / W-8BEN-E, CRS/FATCA self-certification, TIN, bank details | If You enroll as non-SG/TH-resident Affiliate / KOS |
| Support Correspondence | Email, in-app chat, screenshots You share | When You contact support |
| Marketing Preferences | Opt-in to marketing, ad-network sharing, newsletter | At consent capture and updates |
2.2 Data Collected Automatically
| Category | Examples |
|---|---|
| Device / Technical | IP address, browser type, OS, device fingerprint, screen resolution, language |
| Usage Telemetry | Pages visited, features used, clicks, time spent, errors encountered |
| Cookies / Local Storage | Session ID, preferences, attribution cookies (see Cookie Notice) |
| Fraud-Detection Signals | Payment-method hash, email-domain match, IP/device patterns, conversion rates |
2.3 Data Collected from Third Parties
| Source | Data |
|---|---|
| Payment / payout processors (Polar.sh for customer checkout/MoR; Currenxie for banking and Affiliate / KOS payouts; Wise reserved but not active at launch) | Payment authorization status, 3DS or equivalent authentication result, chargeback notifications, payout status |
| Identity Verification Vendors | KOS NID/passport verification results |
| Anti-Fraud Services | Risk scores, sanctions-list match results |
| Advertising Platforms (with Your consent) | Audience-list matching results, ad-attribution data |
| Sanctions / Restricted-Parties Databases | Match results for compliance screening |
2.4 Sensitive Personal Data
We do not require sensitive personal data for ordinary Service use. Where the Service processes sensitive data, we obtain Your explicit consent:
(a) KOS NID / passport image (Thailand PDPA §26 sensitive category) — collected with verbatim consent at KOS application; used only for identity verification, anti-fraud, and tax-residency purposes.
(b) Sensitive data in Your Input. Where Your Input contains sensitive data of third parties (health, race or ethnicity, religion, sexual orientation, biometric, genetic, criminal-record, political-opinion data), You represent that You have obtained the required explicit consent from those data subjects under Thailand PDPA §26, Singapore PDPA Schedule 2, and/or GDPR Art 9. You indemnify Aedowon Singapore against any claim arising from Your failure to do so.
2.5 Children
Monoko is not directed to children under 13 and does not knowingly collect data from children under 13. The minimum age for the Service is 18 (or the higher local age of majority). Where mandatory parental consent permits use by minors (13–17) in specific jurisdictions, separate parental-consent collection applies.
3. WHY WE PROCESS YOUR DATA (PURPOSES AND LAWFUL BASES)
| Purpose | Lawful Basis (PDPA / GDPR) |
|---|---|
| Create and operate Your account | Contract performance (PDPA TH §24(3), SG §13, GDPR Art 6(1)(b)) |
| Bill You and process payments | Contract performance |
| Deliver AI Ads Studio features (generation, brand memory, auto-pilot) | Contract performance |
| Provide customer support | Contract performance |
| Detect fraud, prevent abuse, enforce Terms | Legitimate interests (GDPR Art 6(1)(f)) + legal obligation |
| Comply with tax, accounting, and regulatory obligations | Legal obligation (GDPR Art 6(1)(c)) |
| Train / improve AI models | Consent (GDPR Art 6(1)(a)) — opt-in only |
| Send marketing communications | Consent — opt-in only |
| Share data with advertising networks (Meta, Google, TikTok, LINE) | Consent — per-network opt-in only |
| Send Newsletter | Consent — opt-in only (double opt-in for EEA/UK) |
| Defend or pursue legal claims | Legitimate interests |
| Respond to data-subject rights requests | Legal obligation |
4. WHO WE SHARE YOUR DATA WITH
4.1 Sub-Processors
We engage third-party Sub-Processors to operate the Service. A current list is published in our Sub-Processor List and includes:
- AI model providers — Anthropic, OpenAI, Google (Gemini), Stability AI, Replicate, and successor providers
- Payment / payout processors — Polar.sh (customer checkout / Merchant of Record) + Currenxie (banking + Affiliate / KOS payouts); Wise reserved but not active at launch
- Hosting / infrastructure — Supabase, Vercel, Cloudflare
- Customer support — Dabby (an AI chatbot operated by Aedowon Singapore itself — internal tool, not a third-party Sub-Processor)
- Email transport — Resend (transactional email + delivery transport for in-house-composed marketing emails)
- Product analytics — first-party only (Supabase + Vercel under Aedowon Singapore's controllership); no third-party product-analytics Sub-Processor at launch
We provide at least 30 days' prior notice before engaging any new material Sub-Processor, with a right of objection on reasonable grounds.
4.2 Advertising Networks (Opt-In Only)
Where You have affirmatively opted in via §13B of our Terms, we share behavioral / inferred-preference data with selected advertising networks (per-network granularity):
- Meta (Facebook / Instagram)
- Google (Google Ads / YouTube)
- TikTok
- LINE Ads
- Others listed in our Sub-Processor List
You may withdraw any of these consents at any time via Account → Privacy → Ad-Network Sharing.
4.3 Legal / Regulatory Disclosures
We may disclose personal data:
- To comply with applicable law, court order, subpoena, or regulator request
- To protect rights, property, or safety of Aedowon Singapore, our Users, or others
- In connection with merger, acquisition, sale of assets, or insolvency, subject to notice and successor-assumption-of-obligations per our Terms §20.3
- To enforce or defend legal claims
4.4 What We Do NOT Do
- We do NOT sell personal data for monetary consideration.
- We do NOT share personal data for cross-context behavioral advertising as defined under CCPA/CPRA, VCDPA, CPA, CTDPA, or UCPA, except where You have affirmatively opted in (§4.2 above).
- We do NOT disclose Your Input or Output as identifiable to You without Your consent, except as required by law.
- We do NOT train AI models on Your Input or Output without Your separate opt-in consent.
5. WHERE YOUR DATA GOES (CROSS-BORDER TRANSFERS)
Your data may be transferred to and processed in jurisdictions outside Your country of residence, including Singapore, Thailand, the United States, the European Union, the United Kingdom, Hong Kong, and other locations where our Sub-Processors operate.
Lawful transfer mechanisms (in order of preference):
(a) Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914) or by the PDPC — primary basis for routine recurring transfers. (b) Adequacy decisions recognized by Thailand PDPC or European Commission. (c) Contract necessity for performance of Your contract with us (Thailand PDPA §28 ¶2(3); GDPR Art 49(1)(b)) — used where SCC / adequacy unavailable. (d) Your explicit consent after being informed of the absence of adequate safeguards — last-resort basis only. (e) Compliance with legal obligation, public interest, vital interests, or legal claims.
A current mapping of each Sub-Processor's jurisdiction and applicable safeguard is published in our Sub-Processor List.
6. HOW LONG WE KEEP YOUR DATA (RETENTION)
| Data Category | Retention Period |
|---|---|
| Account profile + billing identity | 24 months post-account-termination |
| Generated Content (Outputs) and Inputs | 24 months post-account-termination, or earlier on User deletion request (subject to legal hold) |
| Service usage logs / telemetry | 12 months |
| Fraud-detection signals (IP, device fingerprint, payment-method hash, email-domain match) | 24 months |
| Support tickets and correspondence | 36 months |
| Chargeback / dispute evidence | 7 years (regulatory minimum) |
| Marketing preferences and consent records | Duration of consent + 24 months post-withdrawal |
| KOS NID / passport verification records | 24 months after KOS termination (longer where required by tax / fraud / sanctions / legal hold) |
| Accounting and tax records (Thai Revenue Code §87/3, Thai Accounting Act B.E. 2543 §14, Singapore Companies Act §199, Singapore Income Tax Act §67) | Minimum 5 years |
After the applicable retention period, personal data is securely deleted or irreversibly anonymized, with an audit trail.
7. YOUR RIGHTS
You have the following rights regarding Your personal data:
7.1 Right Catalog
| Right | What It Means | Where It Lives in Law |
|---|---|---|
| Be informed | Know what data we collect and why | TH PDPA §23, GDPR Art 13–14, SG PDPA §20 |
| Access | Get a copy of Your data | TH PDPA §30, GDPR Art 15, SG PDPA §21 |
| Portability | Receive Your data in machine-readable format and transfer to another controller | TH PDPA §31, GDPR Art 20 |
| Rectification | Correct inaccurate or incomplete data | TH PDPA §35–36, GDPR Art 16 |
| Erasure | Request deletion ("right to be forgotten") | TH PDPA §33, GDPR Art 17 |
| Restriction | Limit processing in certain circumstances | TH PDPA §34, GDPR Art 18 |
| Object | Object to processing based on legitimate interests or direct marketing | TH PDPA §32, GDPR Art 21 |
| Withdraw consent | Withdraw consent any time (without affecting prior lawfulness) | TH PDPA §19 ¶5, SG PDPA §16, GDPR Art 7(3) |
| Complaint | Lodge complaint with supervisory authority | TH PDPC, SG PDPC, EU DPA, UK ICO |
| No automated decisions | Not be subject to solely automated decision-making with legal effect | GDPR Art 22 |
7.2 How to Exercise Your Rights
Easiest method: Account → Privacy → "Manage My Data" — one-click controls for most rights.
Alternative: Email dpo@monoko.ai with:
- Your full name and email associated with the account
- The right You wish to exercise
- Any relevant context (e.g., specific data to delete)
We may ask for additional verification to confirm Your identity.
7.3 Response Timeline
We respond to verified requests within 30 calendar days of receipt, extendable by a further 60 days for complex or high-volume requests (with prior notice and reasons given within the original 30-day period). This is in accordance with Thailand PDPA §32, Singapore PDPA §21(2), and GDPR Art 12(3).
7.4 No Charge
We respond to data-subject requests free of charge, except where requests are manifestly unfounded, excessive, or repetitive — in which case we may charge a reasonable administrative fee or refuse.
7.5 U.S. State Privacy Rights (CCPA / CPRA / VCDPA / CPA / CTDPA / UCPA)
If You are a U.S.-resident User, You additionally have:
- Right to know the categories and specific pieces of personal information we collect, sell, or share
- Right to delete personal information
- Right to correct inaccurate personal information
- Right to opt out of any future "sale" or "sharing" for cross-context behavioral advertising
- Right to limit use of sensitive personal information
- Right to non-discrimination for exercising privacy rights
To exercise these rights, contact privacy@monoko.ai or use the in-app "Do Not Sell or Share My Personal Information" control. We do not currently "sell" or "share" Your personal information for cross-context behavioral advertising except where You have opted in.
7.6 Withdrawal of Consent — One-Click
You may withdraw any consent at any time using one-click in-app controls (Account → Privacy → "Withdraw consent") or by emailing dpo@monoko.ai. Withdrawal mechanisms are at least as easy as the original consent action. We process valid withdrawal requests within 7 calendar days. Withdrawal does not affect lawfulness of prior processing.
8. SECURITY
We implement administrative, technical, and physical safeguards consistent with industry standards and PDPA / GDPR security requirements:
- Encryption of personal data at rest (AES-256 or equivalent) and in transit (TLS 1.2+, TLS 1.3 preferred)
- Role-based access control with least-privilege grants and quarterly access review
- Multi-factor authentication for all administrative, production, payment, and DPO tooling
- Logging of security-relevant events for at least 12 months
- Backup with tested restore (quarterly minimum)
- Vendor risk management for Sub-Processors
- Documented incident-response procedure
- Periodic security audits and penetration testing
Full technical and organizational measures (TOMs) are documented in our Data Processing Addendum Annex II.
9. BREACH NOTIFICATION
In the event of a personal-data breach, we notify regulators and affected individuals in accordance with the following statutory clocks:
| Jurisdiction | Clock |
|---|---|
| Thailand PDPC (TH PDPA §39) + EU/EEA Supervisory Authority (GDPR Arts 33–34) | 72 hours from awareness |
| Singapore PDPC (Notifiable Data Breaches Regulations 2021) | 3 calendar days from credible assessment |
| U.S. state authorities | Per applicable state breach-notification statutes |
Affected individuals are notified where the breach is likely to result in significant harm or high risk to rights and freedoms.
10. COOKIES AND TRACKING
The Service uses cookies, local storage, and similar technologies as described in our Cookie Notice. Non-essential cookies — including analytics, retargeting, and the 90-day Affiliate / KOS attribution cookie — are set only with Your affirmative consent via our cookie banner.
11. THIRD-PARTY LINKS
The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. We encourage You to read their privacy notices.
12. AUTOMATED DECISION-MAKING
We use automated processes for:
- Fraud detection (cohort fraud monitoring, IP/device matching, anomalous-pattern flagging)
- Tier promotion in the Affiliate Program (automated MRR threshold check)
- Credit allocation (signup-anchored drip)
- Auto-Pilot ad optimization (where You have enabled it)
These do not produce legal effects on You without human review where required by GDPR Art 22. Affiliate / KOS commission decisions involving forfeiture or termination are reviewed by Monoko staff before being finalized.
13. CHILDREN
The Service is not directed to and may not be used by children under 13 in any circumstance. The minimum age is 18 or the local age of majority. See Terms §8.1 for full age-eligibility rules.
14. CHANGES TO THIS NOTICE
We may update this Privacy Notice from time to time. Material changes will be notified by email and in-app banner at least 30 days before they take effect; non-material clarifications take effect immediately upon posting. The "Last Updated" date at the top of this Notice reflects the most recent change. Prior versions are available on request to dpo@monoko.ai.
15. CONTACT US
Data Protection Officer (DPO): dpo@monoko.ai General Privacy Inquiries: privacy@monoko.ai Address: AEDOWON SINGAPORE PTE. LTD., 8 Temasek Boulevard, #17-02A, Suntec Tower Three, Singapore 038988
Supervisory Authorities:
- Thailand: Personal Data Protection Committee (PDPC), Ministry of Digital Economy and Society — pdpc.or.th
- Singapore: Personal Data Protection Commission of Singapore — pdpc.gov.sg
- EU/EEA: Your local Data Protection Authority
- UK: Information Commissioner's Office (ICO) — ico.org.uk
You may also lodge a complaint with the supervisory authority of Your habitual residence or place of alleged infringement.
END OF MONOKO PRIVACY NOTICE — V1 Last Updated: 2026-05-17