Privacy Policy.

What we collect, why we collect it, what we do with it, and the rights you have to control it.

Monarch Consulting (“Monarch,” “we,” “us”) builds AI agents and custom software for small businesses. This policy explains the limited information we collect when you visit monarchlegacy.tech, submit a project intake, book a call, or receive text messages from us.

Plain-English version: we collect what you give us through forms, basic site analytics, and the phone numbers of people who opt in to our text messages. We don’t sell your personal information. We don’t share your mobile number or text-message opt-in data with third parties or affiliates for their marketing. We use a small set of vendors (listed below) to operate the site and send messages, and they’re bound by contract to use the data only for those purposes.

Monarch Consulting is a Maryland-based software development and AI consulting firm. For purposes of state privacy laws that use the term, Monarch is the “controller” of personal data collected through this site. Our business address and contact information are at the bottom of this policy.

Information you give us

When you fill out a form on this site (project intake, contact, or newsletter), we collect the information you provide. That typically includes:

• Name and business name.
• Email address.
• Phone number (only if you provide one).
• Information about your business — industry, size, current tools, the problem you’re trying to solve, and any details you choose to share in free-text fields.
• Scheduling information when you book a call (handled through Cal.com).

Information collected automatically

When you visit the site, we (or our hosting and analytics providers) automatically receive:

• Device and browser information (browser type, operating system, screen size, language).
• IP address and approximate location derived from it (city/region level).
• Pages viewed, referring URL, and basic interaction events (clicks, scroll depth).
• Cookies and similar identifiers — see § 07 below.

Information from third parties

If you reach us through a referral platform, an embedded scheduler, or an integration you authorize (for example, a calendar service), we may receive identifiers and contact details from that platform. We only use that information for the purpose you authorized.

Sensitive personal information

We do not solicit, and we ask that you do not submit, sensitive personal information through our forms — that includes Social Security numbers, government IDs, financial account numbers, precise geolocation, biometric data, health information, immigration status, and similar categories. If you send sensitive information anyway, we’ll delete it on receipt unless it’s strictly necessary to respond to your request.

We limit collection and use of personal data to what is reasonably necessary and proportionate to provide the product or service you requested. Specifically, we use information to:

• Respond to your inquiry or project intake.
• Schedule and conduct calls, send appointment reminders and booking confirmations.
• Provide the services you engage us for and communicate about ongoing work.
• Send transactional messages (account, scheduling, billing) and, only if you opt in separately, our occasional newsletter.
• Operate, secure, and improve the site — including diagnosing errors and analyzing aggregate traffic.
• Comply with legal obligations and enforce our Terms & Conditions.

We do not use personal information for profiling that produces legal or similarly significant effects, and we do not sell personal information.

If you give us your mobile number and opt in to receive text messages, we use your number to send the messages described in our SMS Program Terms (booking confirmations, appointment reminders, and replies to messages you send us).

No mobile information will be shared with third parties or affiliates for marketing or promotional purposes. All the categories of information described in this policy specifically exclude text-messaging originator opt-in data and consent; that information will not be shared with any third parties.

We use Twilio Inc. as our messaging gateway to deliver SMS on our behalf. Twilio processes phone numbers and message content solely to transmit messages and is contractually prohibited from using the information for its own marketing. We do not sell, rent, or transfer SMS opt-in lists, and we do not buy them.

You can opt out at any time by replying STOP to any message from us, or by emailing info@monarchlegacy.tech. Full SMS terms, including frequency and message-and-data-rates disclosures, are in our SMS Program Terms.

What we don’t do

• We do not sell personal information for money or other valuable consideration.
• We do not share mobile numbers or SMS opt-in data with third parties or affiliates for their marketing or promotional purposes.
• We do not engage in cross-context behavioral advertising or targeted advertising based on data collected on this site.
• We do not run automated profiling that produces legal or similarly significant effects on you.

Categories of recipients

We share personal information only with a small set of vendors (“processors” or “service providers”) under written contracts that limit their use to providing services to us. These categories include:

• Hosting and infrastructure — our website host and content delivery network.
• Analytics — privacy- respecting analytics that produce aggregate metrics.
• Email — our transactional email provider.
• Messaging — Twilio, for SMS delivery.
• Scheduling — Cal.com, for booking calls.
• Payment processing — only if and when you become a paying client; processors handle card data and we never store it.

We may also disclose information when required by law (subpoena, court order, legitimate government request), to protect the safety or rights of any person, or in connection with a corporate transaction (merger, acquisition, sale of assets) — in which case this policy will continue to govern the data, or you will be notified of any change.

We use a minimal set of cookies and similar technologies — strictly necessary cookies that make the site work (for example, your dark- mode preference) and analytics that help us understand aggregate usage. We do not use third-party advertising cookies, and we do not permit third parties to track you across other sites through this site.

Most browsers let you block or delete cookies in your settings. Blocking strictly necessary cookies may break parts of the site.

• Form submissions— kept while we’re communicating with you about the request and for up to 24 months after the last contact, unless you ask us to delete them sooner.
• Client engagement records — kept for the life of the engagement and for the period required by tax, accounting, and contractual record-keeping rules (typically 7 years).
• SMS opt-in records — retained as long as you remain opted in, plus a record of your consent (timestamp, the exact opt-in language shown to you, and the channel) for as long as legally required to demonstrate compliance.
• Analytics — kept in aggregated, non-identifying form.
• Backups — retained for a short rolling window for disaster recovery; deletion requests are applied to backups on the next rotation.

We use reasonable administrative, technical, and physical safeguards designed to protect personal information from unauthorized access, use, disclosure, alteration, or destruction. These include encrypted transport (HTTPS), access controls, vendor due diligence, and incident-response procedures. No method of transmission or storage is perfectly secure, and we cannot guarantee absolute security.

If a security breach affects your personal information, we will notify affected individuals and applicable regulators (including the District of Columbia Office of the Attorney General where required by D.C. Code § 28-3851 et seq.) in the time frames required by law.

This site is for businesses and is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has submitted information to us, email info@monarchlegacy.tech and we will delete it. We do not knowingly process the data of consumers known to be 13 to 17 for targeted advertising or sell it.

We give every visitor — regardless of where they live — the rights described below. State-specific rights are then layered on top.

• Know and access — request a copy of the personal information we hold about you and how we use it.
• Correct — ask us to fix inaccurate information.
• Delete — ask us to delete personal information we hold about you.
• Portability — receive a portable copy of personal information you provided.
• Opt out of sale and targeted advertising— though we don’t do either.
• Withdraw consent — when we relied on consent (for example, SMS or marketing emails).
• Non-discrimination— we won’t treat you worse for exercising these rights.

Maryland residents

Effective October 1, 2025, the Maryland Online Data Privacy Act (Md. Code Ann., Com. Law § 14-4601 et seq.) gives Maryland residents specific rights, including the rights listed above. In addition:

• We commit to data minimization: we limit collection of personal information to what is “reasonably necessary and proportionate” to provide the specific product or service you have requested, and we apply this rule regardless of any consent you give.
• We treat sensitive data (including racial or ethnic origin, religious beliefs, mental or physical health, sex life, sexual orientation, transgender or nonbinary status, citizenship or immigration status, genetic or biometric data, precise geolocation within 1,750 feet, and data of a known child) as collected and processed only when strictly necessary to provide a service you requested. We do not sell sensitive data — period.
• We do not sell personal data of consumers known to be 13 to 17 and do not process such data for targeted advertising.
• You have the right to appeal a denial of your privacy request (see § 12). If we deny your appeal, you may submit a complaint to the Maryland Attorney General at marylandattorneygeneral.gov.

Virginia residents

The Virginia Consumer Data Protection Act (Va. Code § 59.1-575 et seq.) gives Virginia residents the rights listed above, exercised through the same process described in § 12. Sensitive personal data (as defined by the Act) is processed only with your opt-in consent. If we deny a request, you may appeal, and if we deny the appeal you may submit a complaint to the Virginia Attorney General at oag.state.va.us.

Washington, D.C. residents

The District of Columbia does not currently have a comprehensive consumer privacy law, but D.C. residents are protected under the D.C. Security Breach Notification Act (D.C. Code § 28-3851 et seq.) and the D.C. Consumer Protection Procedures Act (D.C. Code § 28-3901 et seq.). We honor every commitment in this policy as a binding statement to D.C. residents and extend the access, correction, deletion, and opt-out rights described above to D.C. consumers as a matter of practice. You may contact the D.C. Office of the Attorney General at oag.dc.gov/consumer-protection.

Other state residents

Residents of other U.S. states with comprehensive privacy laws (Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah) and California consumers may also exercise the rights listed above. Where the laws of your home state require additional disclosures or processes, we will follow them on request.

To exercise any right, email info@monarchlegacy.tech with the subject line “Privacy Request” and tell us which right you are exercising and the email or phone number you want us to look up. We may need to verify your identity using information already associated with your account or request — we will only use that information to verify and then delete it.

We respond within 45 days of receipt and may extend by an additional 45 days when reasonably necessary, with notice to you. Your first request in any 12-month period is free; we may charge a reasonable fee or decline manifestly unfounded or excessive requests, but we’ll explain why if we do.

Right to appeal. If we deny your request, you may appeal by replying to our denial email within 60 days. We will respond in writing within 60 days of receiving the appeal with our decision and the reasons for it. If we deny the appeal, we will tell you how to contact your state Attorney General.

Authorized agents. You may use an authorized agent to submit a request on your behalf. We will require written, signed permission from you and may contact you to confirm.

We honor the Global Privacy Control (GPC) browser signal as a valid opt-out of sale and targeted advertising for visitors from every U.S. state, regardless of residency. Because we don’t sell personal information or run targeted advertising, the practical effect of GPC on this site is to confirm what we already do.

We’ll update this policy when our practices change or when law requires it. Material changes will be announced on the site before they take effect, and the “Effective” date at the top will be updated. Continuing to use the site after the effective date means you accept the updated policy.

Questions about this policy, or about our handling of your information, should go to:

This policy is provided for informational purposes and is not legal advice. Specific situations may require advice from a licensed attorney.