External Approval Links icon External Approval Links
Privacy

Privacy Policy

This policy describes how External Approval Links handles data in the course of providing the app.

Who operates the app

External Approval Links is operated by WebSprites, by Rodney Earl Zanoria, based in the Philippines.

What data the app uses

  • monday item identifiers, board identifiers, status-mapping metadata, item title, and optional item description needed to generate approval links and sync results back to monday
  • approval link tokens, approval status, timestamps, and optional reviewer comments needed to operate the approval workflow and audit trail
  • per-user monday OAuth installation records, including encrypted monday OAuth access tokens, so each monday user can authorize once and the backend can make monday API calls for that user
  • recipient email addresses only when reminder functionality is enabled and configured

How data is used

  • to generate secure approval links
  • to show the external reviewer enough item context to review the request
  • to store approval records and audit events
  • to write approval status back to monday when configured
  • to send reminder emails when reminder support is enabled and configured

Data the app does not store

  • monday user names or monday user email addresses in the product database
  • unencrypted monday access tokens or other end-user third-party login tokens in the product database
  • webhook payloads in the product database

Data security

The app stores operational records in Supabase-hosted Postgres and accesses that database only over HTTPS/TLS. Stored monday OAuth access tokens are encrypted before database insert using server-side key material from the Cloudflare Worker runtime. Supabase also documents encryption at rest by default for project data, including the optional recipient email address when reminders are enabled.

Third-party services and domains

The app currently uses a small set of operational third-party services. These are not analytics, advertising, or tracking partners.

  • monday.com (auth.monday.com and api.monday.com) for installation, authorization, embedded app context, and writing approval results back to monday when configured
  • jsDelivr (cdn.jsdelivr.net) to load the official monday-sdk-js script used by the embedded monday item-menu frontend
  • Supabase (*.supabase.co) for hosted Postgres data storage and REST access used to store approval records and audit events
  • Resend (api.resend.com) for reminder email delivery when reminders are enabled and configured

Analytics and tracking

The current MVP does not use third-party analytics, ad platforms, advertising pixels, or tracking SDKs.

Data sharing

Data is only shared with the service providers needed to operate the app. Data is not sold.

Retention

Approval records and related audit data are retained only as long as needed for operational and support purposes. If monday.com or an end user de-authorizes, deactivates, uninstalls, or otherwise terminates the app, the related End User Data and metadata are deleted within 10 days unless explicit written consent exists to retain them longer.

Separate operational app logs are retained for at least 60 days for incident review and support. These logs include request timestamps, route names, outcome status, IP address, user agent, and the monday account, board, and item references needed to investigate access or workflow activity.

Contact

For privacy-related questions, contact support@websprites.com.