Legal

Privacy Policy

Effective date: June 21, 2026 · Last updated: June 21, 2026 · Cullum Studio LLC · Santa Fe, NM · hello@heymonalista.com

This Privacy Policy describes how Mona Lista ("we," "us," or "our"), operated by Cullum Studio LLC, collects, uses, and shares information when you use the Mona Lista mobile application and website (collectively, the "Service"). By using the Service, you agree to the practices described in this policy.

This policy is published at a stable, public address and is accessible without registration or geographic restriction. We retain all versions of this Privacy Policy; prior versions are available upon request at hello@heymonalista.com.

1. Information We Collect

Account information. When you create an account, we collect your name, email address, and password (stored in encrypted form).

Shop and marketplace data. When you connect a marketplace account (such as Etsy, Shopify, or Amazon Handmade) via OAuth, we access only the data you explicitly authorize. This may include your shop listings, product information, and shop settings. We access and use this data solely to provide the features you use within Mona Lista, and we collect only the minimum data necessary for those features. We process Etsy member personal information only as a service provider to you (the seller), and only to fulfill the services you have authorized.

eBay. Mona Lista does not connect to eBay through the eBay API. Listings prepared for eBay are exported by you as a file and uploaded to eBay yourself; we do not access, store, or process eBay account data through any API.

Social media account data. When you connect a social media account (such as Instagram, Facebook, Pinterest, or TikTok) via OAuth, we access only the permissions you grant. This may include the ability to publish content on your behalf. We use this data solely to provide the publishing features you request and for no other purpose. We do not combine your social media account data with data from other users' accounts.

Product images. When you upload product photos, we store them to provide the image creation features of the Service. You retain full ownership of all images you upload.

Usage data. We collect information about how you use the Service, including which features you use, which outputs you keep or discard, and how long you spend in each studio. This data is used to improve the Service.

Device information. We may collect device type, operating system, and app version for troubleshooting and performance purposes.

2. How We Use Your Information

3. Models, Training, and Connected-Platform Data

We do not use your data, or data accessed through any connected platform API, to train artificial-intelligence or machine-learning models without your explicit written consent. This applies to data accessed through Etsy, Shopify, Amazon, Meta, Pinterest, and TikTok, and to any other platform you connect.

As a matter of design, data drawn from a connected shop or social account is segregated by default and excluded from any model-training data set. It enters a trainable data set only where you have given specific, informed consent to that use. We do not build or augment a profile of you from connected-platform data without a valid legal basis and, where required, your consent.

Content you generate within the Service is produced using third-party model and infrastructure providers, listed in the section below, which process your inputs solely to return the output you requested.

4. How We Share Your Information

We do not sell your personal information, and we do not share your information with third parties for their own marketing purposes.

We share information only in the following circumstances:

5. Connected Platform API Data — Specific Platform Terms

Mona Lista connects to third-party platforms on your behalf. The following describes how we handle data accessed through each platform's API.

Etsy. We access your Etsy shop data solely to provide listing services to you. We act as a service provider to you (the Etsy seller) and process Etsy member data only as authorized by your Application Terms with us and in accordance with all applicable privacy laws. We do not process Etsy member personal information for any purpose beyond providing our services to you.

Shopify. We access merchant and store data solely to provide our services to you, collecting only the minimum data necessary. We do not sell, share, or use Shopify merchant or customer data for any purpose other than providing our services, and we do not use it to train AI or machine-learning models without your explicit consent. Sensitive data is encrypted in transit and at rest, access is restricted on a need-to-know basis, and we maintain records of our processing activities. Where we handle protected customer data (such as a customer's name, address, email, or phone number), we apply Shopify's protected-customer-data requirements and minimize what we access and retain. We comply with Shopify's mandatory data-deletion requirements and implement the required compliance webhooks: when you disconnect your Shopify store or delete your account, we delete your Shopify data promptly.

Amazon. We access Amazon seller data solely to provide our services to you, in accordance with Amazon's Selling Partner API Data Protection Policy and Acceptable Use Policy, and we handle that data in compliance with Amazon's Solution Provider Agreement.

Meta (Instagram and Facebook). We access Instagram and Facebook account data only with your authorization via OAuth, and we use it solely to publish content you have explicitly directed us to post. We do not use Meta data for any other purpose and do not build or augment any user profile from it without your valid consent. This Privacy Policy remains publicly available, crawler-accessible, and free of geographic restriction, and we retain all prior versions as required by Meta's Platform Terms.

Pinterest. We access your Pinterest account data only with your authorization, and use it solely to publish Pins and content you have explicitly directed us to post. We do not store Pinterest data beyond what is necessary to provide the service and do not retain it as a cache, except for limited campaign-analytics data where applicable. We do not combine your Pinterest account information with information from other users' accounts or other services, and we do not share or sell Pinterest API information to any third party. Any generated content posted to Pinterest is handled in line with Pinterest's content and generative-content guidelines.

TikTok. We access your TikTok account data only with your authorization, and use it solely to help you post content to your TikTok account at your explicit direction. You are shown a consent confirmation before any content is posted and have full awareness and control of what is posted to your TikTok account through Mona Lista. We comply with TikTok's Developer Terms of Service and all applicable content-posting guidelines.

6. OAuth and Connected Accounts

When you connect a marketplace or social media account, you authorize Mona Lista to access specific data through that platform's OAuth system. We request only the permissions necessary to provide the features you use.

You can disconnect any connected account at any time from within the app or from your settings on the connected platform. Disconnecting revokes our access to that platform's data going forward.

We do not store your passwords for any connected platform. OAuth tokens are stored securely and used only to perform actions you explicitly request.

7. Data Retention and Deletion

We retain your account information for as long as your account is active. You may request deletion of your account and all associated data at any time by contacting us at hello@heymonalista.com. We will process deletion requests promptly.

When you disconnect a connected platform account or delete your Mona Lista account, we delete the associated platform data promptly, in accordance with our data-retention policies and each platform's requirements.

Product images you upload are retained to provide the Service and are deleted when you delete the associated content or your account.

8. Data Security

Our Service is delivered over HTTPS. We use industry-standard security measures to protect your information, including encrypted connections, encryption of sensitive data in transit and at rest, secure token storage, and role-based access controls. No method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.

9. Your Rights

Depending on where you live, you may have rights regarding your personal information, including the right to access, correct, delete, or obtain a portable copy of your data, the right to opt out of the sale or sharing of personal information and of targeted advertising, and the right to appeal a decision about a privacy request. We do not sell personal information. To exercise any of these rights, contact us at hello@heymonalista.com. We honor recognized universal opt-out signals, including Global Privacy Control (GPC), where required by law.

California residents have rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), including the rights to know, access, correct, delete, and limit the use of sensitive personal information, and to opt out of sale/sharing.

European Economic Area and United Kingdom residents have rights under the EU and UK General Data Protection Regulation (GDPR), including the rights to access, rectify, erase, restrict, and port personal data, and to object to certain processing.

United States — other states. Residents of states with comprehensive privacy laws have rights under those laws, including Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Texas, Montana, Oregon, Delaware, New Hampshire, New Jersey, Nebraska, Kentucky, Maryland, Minnesota, Rhode Island, and Florida, and — effective July 1, 2026 — Arkansas. We extend the rights described above to residents of these states as their laws require, and will honor additional rights as further state laws take effect.

Users in other jurisdictions may have additional privacy rights under applicable local laws. We are committed to complying with all applicable privacy laws in the jurisdictions where we operate.

10. Children's Privacy

The Service is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, contact us at hello@heymonalista.com and we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we update the effective and last-updated dates above, retain the prior version, and notify you of material changes by email or through the app. Your continued use of the Service after changes become effective constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy, please contact us:

Cullum Studio LLC
Santa Fe, NM
hello@heymonalista.com