Depending on where you live, you may have the right to access, correct, delete, or port your personal data held by monday.com, and you can exercise these rights by emailing privacy@monday.com.
This analysis describes what Monday.com's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
These rights give users meaningful control over their personal data, but the policy qualifies them as dependent on location and applicable law, meaning not all users have the same rights.
EU and UK users have GDPR-based rights to access, correct, delete, restrict, and port their personal data; California residents have equivalent CCPA/CPRA rights; all users can contact privacy@monday.com to submit a request, though the scope of rights honored depends on your jurisdiction.
How other platforms handle this
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
Depending on where you are located, you may have certain rights regarding your personal information, including the right to access, correct, delete, or restrict processing of your personal information, the right to data portability, and the right to object to or withdraw consent for certain processi...
For individuals in the United States, please also refer to our Notice For Individuals Residing In Certain US States below and the Consumer Health Data Policy.
Monitoring
Monday.com has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"Depending on your location and subject to applicable law, you may have the following rights with regard to your personal data: the right to access personal data we hold about you; the right to rectify inaccurate personal data; the right to request the deletion of your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and the right to withdraw consent at any time where processing is based on consent. To exercise any of these rights, please contact us at privacy@monday.com.— Excerpt from Monday.com's Monday.com Privacy Policy
(1) REGULATORY LANDSCAPE: This provision directly implements GDPR Articles 15 through 22 (data subject rights) for EEA and UK users, and CCPA/CPRA Sections 1798.100 through 1798.125 for California residents. The GDPR requires responses to data subject access requests within one month (extendable to three months in complex cases). CCPA/CPRA requires responses within 45 days (extendable to 90 days). Enforcement is by EU/UK supervisory authorities and the California Privacy Protection Agency respectively. (2) GOVERNANCE EXPOSURE: Medium. The single point of contact (privacy@monday.com) must be operationally capable of verifying identity, locating data across systems, and responding within statutory timeframes. For enterprise customers, the processor relationship means monday.com is obligated under Article 28 to assist the controller customer in responding to DSARs from employees or end users, which requires operational coordination. (3) JURISDICTION FLAGS: GDPR-regulated users have the broadest rights, including the right to object to processing based on legitimate interests. California residents under CPRA have additional rights including the right to correct inaccurate personal information and the right to limit use of sensitive personal information. Users in other US states with comprehensive privacy laws (Virginia, Colorado, Connecticut) may have analogous but narrower rights. Users outside these jurisdictions may have limited or no enforceable rights under this policy. (4) CONTRACT AND VENDOR IMPLICATIONS: Enterprise DPAs should include specific provisions obligating monday.com to assist with DSARs within timeframes that allow the controller to meet its own statutory deadlines. The DPA should address what happens to data upon contract termination, including return or deletion obligations. (5) COMPLIANCE CONSIDERATIONS: Organizations using monday.com as a processor should establish internal DSAR workflows that include a step for requesting responsive data from monday.com. Identity verification procedures for DSAR submissions to privacy@monday.com should be tested to confirm they are not so burdensome as to be de facto barriers to right exercise. Records of DSAR responses should be maintained for regulatory audit purposes.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
These rights give users meaningful control over their personal data, but the policy qualifies them as dependent on location and applicable law, meaning not all users have the same rights.
EU and UK users have GDPR-based rights to access, correct, delete, restrict, and port their personal data; California residents have equivalent CCPA/CPRA rights; all users can contact privacy@monday.com to submit a request, though the scope of rights honored depends on your jurisdiction.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Monday.com.