Monk

Account & billing

How Monk keeps your data safe

What Monk stores, how it is encrypted, and what access it has to your Meta account.

Monk stores your brand setup, the keys it needs to do its job, and the ads it works with. Every key and token is encrypted before it is saved, and Monk's access to your Meta account is read-only. Here is exactly what that means.

What Monk stores

  • Your brand setup. Website, niche keywords, markets, competitors, funnel stages, ad copy language, and your Meta ad account IDs.
  • Your secrets. Your Meta System User token and your ad engine key, both encrypted. See below.
  • Your ads. Competitor ads pulled from Meta's public Ad Library, and the ads Monk generates for you.
  • Your account. Your email, your team, and your plan.

What access Monk has to your Meta account

Read-only, and nothing more.

  • The System User token you paste needs a single scope, ads_read. That scope allows reading ad data, and nothing else.
  • Monk uses it to read your ad performance. It never posts, never spends, and never changes anything in your account.
  • The token does not expire, so Monk keeps reading without you reconnecting.
  • You can revoke it inside Meta at any time. Monk loses access immediately.

Prefer not to share a token at all? Invite Monk to your Business Manager as an Analyst on the ad account instead. Analyst is a read-only role. See Create a Meta System User token.

How your keys are encrypted

Every secret you give Monk, your Meta token and your ad engine key, is encrypted with AES-256-GCM before it reaches the database. Nothing is stored in plain text.

  • Encrypted at rest. Your key is encrypted the moment you submit it, not later.
  • Never sent back to your browser. Settings shows a mask like AIz…4f2b, never the full value.
  • Decrypted only in the moment it is used. Monk decrypts a key on the server, at the point of calling Meta or your ad engine, and never anywhere else.

Your ad engine key is used for one thing, generating your ads on your own engine account. It is never shared.

Who can see your data

  • Sign-in is passwordless, with Google or a one-time email link. There is no password to leak. See Sign in and your account.
  • A brand can only be opened by members of the account that owns it. See Add your team.
  • Everyone you invite to your account can work on your brands, so only invite people you trust with them.

Remove or replace a key

  1. Open your brand and go to Settings.
  2. Find the key you want to change. It shows as a mask.
  3. Paste a new value to replace it, or clear the field to delete it.
  4. Save. Clearing the field removes the key from Monk entirely.

Revoking the token in Meta works too, and takes effect regardless of what Monk holds.

Related

Last updated 2026-07-13