Privacy Policy

Effective 26 June 2026 · Last updated 26 June 2026

Your trust matters to us. Chat Sync for monday.com (the “App”) is a two-way integration between monday.com and Google Chat: it posts monday.com board activity into Google Chat as interactive cards, and lets you act on monday items — reply, assign, change status, create — directly from Chat, where the App appears as the mondayBot Chat app. It is provided by PluginPro (“PluginPro”, “we”, “us”, “our”). This Privacy Policy explains, in plain language, what data the App processes, why, the legal bases we rely on, who we share it with, where it is processed, how long we keep it, how we protect it, and the rights and choices you have. We collect only what we genuinely need to run the service, we host your data on monday.com's own infrastructure, the App integrates only monday.com and Google Chat, and we never sell your data or use it for advertising.

1. Scope & who this applies to

The App is a business-to-business tool installed by an administrator of a monday.com account and connected to one or more Google Chat spaces, where it appears as the mondayBot Chat app. This policy describes the data processed by the App itself in the course of providing its features. It does not cover monday.com's or Google Chat's own processing of your data, which is governed by their respective privacy policies and terms — we encourage you to review those as well, because your monday.com content, the cards delivered into Google Chat, and the messages you exchange with the App also live on, and are processed by, those platforms.

This policy applies to everyone whose data the App may process: the installing administrator, the monday.com users whose names appear on the boards you connect, and the Google Chat users who interact with the App in connected spaces or in direct messages with mondayBot.

2. Our privacy commitment & principles

We aim to earn and keep your confidence by following a few clear principles:

  • Data minimisation — we process only the data needed to deliver the features you switch on. Content that crosses the bridge — monday item data rendered into cards, and Chat thread replies posted to monday items as updates — is handled in the moment of delivery, without storing the content itself; we store only the configuration, credentials and message-to-item link mappings the App needs to function.
  • Purpose limitation — we use data to run the App and support you, never for advertising, and we do not sell it.
  • Security by design — we encrypt credentials, host on monday.com's Secure Storage, isolate each installation's data, and request the least access we need.
  • Transparency & control — you can see and change your configuration at any time, disconnect spaces, and remove all of your data by uninstalling the App.
  • No surprise third parties — the App integrates only monday.com and Google Chat (monday.com also hosts the App, on monday Code, which runs on Google Cloud Platform). The settings interface and this website load web fonts from Google Fonts (fonts.googleapis.com / fonts.gstatic.com) for typography only — this sets no cookies and is not used to track you. There are no analytics, advertising, tracking, profiling, or AI/large-language-model services involved.

3. Definitions

  • “App” — Chat Sync for monday.com, including its settings interface, the monday board webhooks it registers, and the mondayBot app in Google Chat, through which cards are delivered and messages, slash commands and card interactions are received via the Google Chat API.
  • “Customer” — the organisation whose monday.com account the App is installed on.
  • “Administrator” — a person authorised to install and configure the App for the Customer.
  • “Space” — a Google Chat space or direct-message conversation connected to the App, in which mondayBot posts cards and receives messages and interactions.
  • “Connected user” — a person who has connected their own monday.com account to the App via OAuth so that actions they take from Google Chat are attributed to them in monday.com.
  • “Personal data” / “personal information” — information relating to an identified or identifiable individual, as defined by applicable law.
  • “Processing” — any operation performed on data, such as collection, use, storage, disclosure or deletion.
  • “Controller” and “Processor” — have the meanings given under the GDPR (broadly, the party that decides the purposes of processing, and the party that processes on the controller's behalf).
  • “Sub-processor” — a third party we rely on to help deliver the App that may process data on our behalf.

4. Our role (controller & processor)

For most data flowing through the App — the content of your monday boards and items that the App renders into cards and delivers to Google Chat, and the Chat messages and actions it carries back into monday.com — the Customer is the data controller and PluginPro acts as a data processor, processing that data on the Customer's documented instructions (i.e. the configuration set by the Administrator in the App). For a limited set of data whose purposes we determine ourselves — such as the administrator contact details we use to provide support and operate the service — we act as a controller. Where we act as a processor, requests from individuals are generally directed to, and handled by, the Customer (the controller), and we will provide reasonable assistance.

5. Information we process

The table below lists the categories of data the App handles. Wherever possible we process content transiently — reading monday board and item data at the moment we need it to build and deliver a card, and passing Chat messages through to monday.com at the moment you send them — and we do not retain that content in our own storage. The items marked “stored” are the configuration, credential and linking data the App must keep to function.

CategoryExamplesSourceStored by the App?
monday account & install recordsmonday account id and slug; the install record that ties your configuration to your accountmonday.com API / OAuth / install lifecycleStored (install record)
monday board contentBoards, groups and columns you connect; item names, references, statuses, assignees, priority, due dates, column values and updates — read at delivery time to render cards, and written to (as updates, assignments, status changes or new items) on your instruction from Chatmonday.com API, on your instructionTransient (not stored)
Google Chat identifiers & space connectionsGoogle Chat user ids, space ids and thread ids for connected spaces and conversations; the message-to-monday-item link mappings that keep card threads and item updates in sync; space names and the default space for notificationsGoogle Chat APIStored
Bridged message contentThread replies you send in Chat that are posted to the linked monday item as updates; monday item data (names, statuses, assignees, column values, comments) rendered into Chat cards and thread messagesGoogle Chat API / monday.com APITransient (delivered to the other platform, not retained by the App)
Authentication credentialsmonday.com OAuth tokens: one admin token per installation (granted by the installing administrator), plus an optional per-user token for each user who connects their own monday.com accountmonday.com OAuthStored, encrypted at rest (AES-256-GCM)
Google account email addressesUsed to match your Google identity to your monday.com user, which enables “Assign to me” targeting and the personal DM feed; matching is for identity only and never authorises writesGoogle Chat APIProcessed to establish the match; the resulting user mapping is stored
Configuration & operational dataYour settings, notification rules, scheduled digests, deadline/SLA reminders, connected spaces, personal DM feed preferences, time zone, and your current subscription planCreated by you in the App / monday billing eventsStored
Support communicationsThe contact details and contents of messages you send us for supportYouRetained only as long as needed to handle your request
Technical logsOperational and error logs needed to run and secure the service; these do not contain credentials, board content or message contentGenerated by the AppStored briefly (typically up to 30 days)

Users may optionally connect their own monday.com account to the App via OAuth (a one-time step). Once connected, every action taken from Chat — assigning, changing status, creating items, commenting — is performed with that user's own token and attributed to them in monday.com's activity log. Without a connection, write actions are blocked (the user is prompted to connect); thread replies are still posted to the monday item, by the App, with the author's name as a prefix. We do not intentionally collect special categories of personal data (such as health, biometric, racial, political or similar data), and we ask that you do not use the App to transmit such data through it.

6. How data flows & what the App does not do

The App is a two-way integration. From monday.com to Google Chat, it posts interactive cards to your connected spaces when your notification rules match (item created, changed, moved, commented on or deleted, filtered by group, column, value or keyword), delivers scheduled daily/weekly digests and deadline/SLA reminders, unfurls pasted monday.com item links into live cards, and — if you enable it — sends a personal DM feed about items assigned to you. From Google Chat to monday.com, replying in a card's thread posts your reply to the monday item as an update (and new monday updates flow back into the same thread), card buttons and dialogs let you assign yourself, change status, comment or view the item, and slash commands (/monday_tasks, /monday_search, /monday_create_item, /monday_help) and plain DM keywords let you look up, create and act on your work.

The App receives from Google Chat only what Google delivers to it: messages in threads the App participates in, direct messages to mondayBot, @mentions, slash commands and card interactions. It does not read unrelated conversations in your spaces, and it uses message content solely to perform the sync or command you asked for — never for advertising, profiling or model training. Note one consequence of syncing: once a card or message has been delivered, it lives in your Google Chat space under Google Chat's own retention, and updates posted to a monday item live in monday.com under its retention — removing a space connection in the App, or uninstalling the App, does not delete content already delivered to either platform.

7. Why we process it & legal bases

  • To provide the features you configure — notification rules, scheduled digests, deadline/SLA reminders, link unfurling and the optional personal DM feed, delivered as cards to your connected Google Chat spaces. Legal basis: performance of a contract; and, where we act as processor, the controller's instructions.
  • To sync activity from Google Chat back into monday.com — posting your thread replies to the linked monday item as updates, and carrying out the actions you take through card buttons, dialogs, slash commands and direct messages. Legal basis: performance of a contract; and, where we act as processor, the controller's instructions.
  • To attribute your actions to you — when you connect your own monday.com account via OAuth, the App uses your token so that assignments, status changes, item creation and comments appear under your name in monday.com's activity log; without a connection, write actions are blocked. Legal basis: performance of a contract, at your request.
  • To recognise you across the two platforms — matching your Google account email address to a monday.com user, solely so that “Assign to me” targets the right person and the personal DM feed reaches you; the match is never used to authorise writes. Legal basis: legitimate interests.
  • To read your boards and register the webhooks that drive notifications, using the admin OAuth token granted at installation. Legal basis: performance of a contract / legitimate interests.
  • To operate, secure, troubleshoot and improve the service, including keeping minimal logs and preventing abuse. Legal basis: legitimate interests.
  • To manage subscriptions and provide support, including responding to your requests. Legal basis: performance of a contract / legitimate interests.
  • To comply with legal obligations where applicable. Legal basis: legal obligation.

Where we rely on legitimate interests, we have weighed those interests against your rights and freedoms. We do not use your data for advertising, and we do not sell or “share” it for cross-context behavioural advertising as those terms are defined under applicable law.

8. How we share it & sub-processors

We share data only with the platforms strictly needed to run the App, each under their own data-protection obligations. The App does not integrate any analytics, advertising, error-tracking, email-marketing, or AI/large-language-model services.

RecipientRoleWhat it processes
monday.com Ltd.The platform the App runs on, reads from and writes to on your instruction (the monday.com API); our host (the App runs on “monday code”, monday.com's app hosting, which uses Google Cloud infrastructure in the US); and, for paid plans, the marketplace and merchant of record that handles billingAccount id and slug, board/item content and bridged message content (in transit), the encrypted OAuth tokens, Google Chat identifiers and link mappings, your configuration (at rest), and billing/subscription events
Google LLCThe provider of the Google Chat API, through which the App posts cards to your connected spaces and receives the messages, slash commands and card interactions you address to itThe card content (rendered from your monday board/item data) sent to connected spaces, the messages and interactions you send to the App, and the associated Google Chat user, space and thread identifiers

Because the App is hosted on monday code, your stored configuration, Google Chat identifiers and message-to-item link mappings, and encrypted OAuth tokens reside within monday.com's infrastructure (which runs on Google Cloud); we do not operate separate servers or databases of our own for your data. We may also disclose data where reasonably necessary to comply with law or legal process, to enforce our terms, or to protect the rights, safety and security of our users, the public or the service. If we are ever involved in a merger, acquisition, financing or sale of assets, data may be transferred as part of that transaction, subject to this policy and applicable law.

9. International data transfers

The App is hosted on monday code (monday.com's app hosting, running on Google Cloud), with infrastructure located in the United States. If you are located elsewhere, the configuration, Google Chat identifiers and link mappings, and encrypted OAuth tokens described above are processed in the US, and the content the App bridges in the moment between monday.com and Google Chat is processed there too. For residents of the EEA, UK or Switzerland, this is an international transfer of personal data. Where required, we and our providers rely on appropriate safeguards — such as the European Commission's Standard Contractual Clauses and the UK International Data Transfer Addendum — to protect your data to a standard consistent with your home jurisdiction. You may contact us for more information about these safeguards.

10. How long we keep it

We keep stored data only for as long as we need it to provide the service. Your configuration, connected spaces, Google Chat identifiers and message-to-item link mappings, encrypted OAuth tokens (the admin token and any per-user tokens) and subscription record are retained while the App is installed. When the App is uninstalled from a monday.com account, its per-account data — settings, notification rules, digests, deadline reminders, connected spaces, identifiers and link mappings, the subscription record and the stored OAuth tokens — is deleted, and the App's webhooks on your monday boards are removed.

Board content, item updates and Chat messages the App bridges in the moment are not retained by the App. Technical logs are kept only as long as needed for operational and security purposes (typically up to 30 days) and are then deleted or aggregated. As noted in Section 6, cards and messages already delivered to a Google Chat space remain in Google Chat under Google Chat's retention, and updates posted to monday items remain in monday.com under its retention — removing a space connection here only deletes the App's record of that space. We may retain limited information for longer where required to comply with legal obligations or to resolve disputes.

11. How we protect it

We apply safeguards designed to protect your data against unauthorised access, alteration, disclosure or loss:

  • The monday.com OAuth tokens — the installation's admin token and any per-user tokens — are encrypted by the App using AES-256-GCM before they are written to storage, so credentials are never held in plain text.
  • All App data is held in monday.com's Secure Storage, which is access-controlled and logically isolated per installation; we do not keep your data on separate servers or databases of our own.
  • Access is limited to the running application, and we request the least-privilege set of monday.com OAuth scopes and Google Chat permissions the App needs.
  • Communication with monday.com and Google Chat uses encrypted (HTTPS/TLS) connections, and inbound monday webhooks are cryptographically verified so the App acts only on authentic events.
  • Actions that write to monday.com require the acting user's own OAuth connection — matching a Google account email to a monday user is used for identity only and never authorises writes.
  • Our diagnostic logs are written without credentials, board content or message content.

If we ever become aware of a personal-data breach affecting your information, we will act promptly to investigate and address it, and will notify affected parties and authorities where and as required by applicable law. No method of transmission or storage is completely secure, so while we work hard to protect your data, we cannot guarantee absolute security.

12. Your rights & choices

Depending on where you live, you may have rights to access, correct, delete, or obtain a portable copy of your personal data, to restrict or object to certain processing, to withdraw consent where processing is based on consent, and not to be subject to decisions based solely on automated processing. Because we often act as a processor on behalf of the Customer, we will, where appropriate, refer your request to that Customer (the controller) or assist them in responding. You can exercise applicable rights, or ask us to route a request, using the contact details in Section 20. We will not discriminate against you for exercising your rights, and we may need to verify your identity before responding. Note that, because much of the App's data is keyed to an installation, the most complete way to erase a Customer's data is to uninstall the App, which deletes the App's stored per-account data and removes its webhooks from your boards.

13. EEA & UK disclosures (GDPR)

If you are in the European Economic Area, the United Kingdom or Switzerland, the legal bases on which we process your personal data are set out in Section 7, and our international-transfer safeguards in Section 9. You have the right to lodge a complaint with your local data-protection supervisory authority if you believe our processing infringes applicable law, although we would appreciate the chance to address your concerns first. You can reach us using the contact details in Section 20.

14. California disclosures (CCPA/CPRA)

If you are a California resident, you have the right to know what personal information we collect and how we use and disclose it (the categories are described in Sections 5–8), to request access to or deletion of your personal information, to correct inaccurate information, and to not be discriminated against for exercising your rights. We do not sell your personal information and we do not “share” it for cross-context behavioural advertising as those terms are defined under the CCPA/CPRA. The personal information we process is used for the business purposes described in this policy; we retain it as described in Section 10, and the only categories of third parties to whom we disclose it are our service providers, monday.com Ltd. and Google LLC. You may submit a request, including through an authorised agent, using the contact details below; we may need to verify your identity before responding.

15. Your responsibilities as the customer

When you act as the controller of your workspace content, you are responsible for having a lawful basis to process the data you connect through the App, for configuring the App appropriately (including which boards and spaces are connected and which notifications are enabled), and for informing the people on your boards and in your connected spaces about how the App is used in your organisation as required by applicable law. You should not connect data you are not permitted to process, and you should ensure your use of monday.com and Google Chat complies with their terms.

16. Automated decisions & “Do Not Track”

The App does not make decisions producing legal or similarly significant effects about you based solely on automated processing, and it does not perform profiling for those purposes. Because there is no industry-standard response to browser “Do Not Track” signals, the App does not respond to them; it does not use advertising or cross-site tracking in any event.

17. Children

The App is a workplace tool and is not directed to children. It is not intended for use by anyone under the age of 16 (or the minimum age required in your jurisdiction), and we do not knowingly collect their personal data. If you believe a child has provided us data, please contact us and we will take appropriate steps to delete it.

18. Cookies & technical storage

The App's settings interface is loaded inside monday.com and uses only what is technically necessary to operate — for example, the session token monday.com provides to authenticate the embedded view. We do not use advertising cookies or cross-site tracking technologies. This website (pluginpro.io) similarly serves static pages without advertising trackers.

19. Changes to this policy

We may update this policy from time to time to reflect changes to the App, our practices, or legal requirements. Material changes will be reflected by the “Last updated” date above and, where appropriate, communicated through the App or the marketplace listing. Your continued use of the App after an update takes effect constitutes acceptance of the revised policy.

20. How to contact us

We are here to help. For any question about this policy or your data, to exercise a right, or to raise a concern, you can contact PluginPro by email at support@pluginpro.io. We will do our best to respond promptly and, in any event, within the timeframes required by applicable law. If you require PluginPro's full legal-entity details, or information about a representative for the EEA or UK, please contact us and we will provide them. See also our Support page and our Terms of Service.