MonoBill is a billing and checkout platform for SaaS and digital products. It manages plans, trials, dunning, invoices and VAT and connects to leading payment providers. Hosted in the EU or self hosted, it sets only strictly necessary cookies and therefore does not require prior consent under GDPR and ePrivacy.
MonoBill is a subscription billing and checkout platform aimed at SaaS vendors, digital product sellers and online services. It handles plans, trials, recurring charges, dunning, invoices, EU VAT and revenue reporting, and connects to leading payment service providers such as Stripe, Mollie, GoCardless or Adyen. Once embedded in a website, MonoBill creates and maintains the customer billing record, sends transactional emails and exposes a customer portal where end users can view invoices, update payment methods and cancel subscriptions.
In its default configuration MonoBill only writes strictly necessary first party cookies and a small amount of localStorage on the checkout and customer portal pages. These items keep the shopping cart, the currency selection, the CSRF token and the signed in customer session. They expire when the browsing session ends or after a short retention period. No advertising or analytics cookies are set by MonoBill itself: any tracking is the responsibility of the operator who embeds the widget.
The MonoBill SaaS is hosted in the European Union and can also be self hosted by the operator on its own infrastructure. In the default configuration no systematic transfer of personal data takes place outside the EEA. Operators who connect MonoBill to a non EU payment processor, tax engine or accounting tool must document those transfers, identify an Article 46 GDPR safeguard (typically EU Standard Contractual Clauses with a transfer impact assessment) and reflect the chain in the record of processing activities.
Because MonoBill is used to fulfil a paid contract, the primary lawful basis is Article 6(1)(b) GDPR (performance of the contract). Article 6(1)(c) GDPR applies to invoicing and tax retention obligations, and Article 6(1)(f) GDPR can support narrowly scoped fraud prevention. The strictly necessary cookies fall under the second limb of Article 5(3) of the ePrivacy Directive: they do not need prior consent but the operator still has to mention them in the cookie policy. Marketing channels added on top (Google Ads conversion, Meta Pixel, Klaviyo) keep their own consent regime.
List MonoBill in the record of processing activities as a processor, sign a Data Processing Agreement with MonoBill, and update the privacy notice with the EU hosting location, the categories of data processed (identity, billing address, VAT number, payment card token, order history), the legal accounting retention period and the payment processors used downstream. Document the strictly necessary cookies in the cookie table even though consent is not required. Restrict access to the MonoBill back office using single sign on and per role permissions, and enable two factor authentication for finance staff.
Customers retain the full set of GDPR rights against MonoBill processing: access, rectification, portability of their invoicing history, restriction and objection. The right to erasure is balanced against the legal obligation to retain accounting documents (typically 6 to 10 years in EU Member States). Plan a periodic purge of expired customer accounts, anonymise inactive records and document the retention schedule in the privacy notice.
DPIA considerations
A DPIA is generally not required for routine billing and accounting carried out under contract performance and legal obligations. A DPIA becomes relevant when MonoBill is connected to large scale automated decisions, customer profiling or anti fraud scoring that produces significant effects on customers, or when special category data is processed by mistake. Document retention periods (typically 6 to 10 years for accounting records under national tax law) and the access controls applied to the MonoBill back office.
Sample consent text
We use MonoBill to process your subscription, invoicing and payment information. This processing is based on the performance of your contract and on our legal accounting obligations and does not require your consent. You may exercise your data subject rights at any time by contacting our support team.
Third-party domains contacted
monobill.io
app.monobill.io
checkout.monobill.io
cdn.monobill.io
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| mb_session | http_cookie | session | Holds the signed in customer session in the MonoBill checkout and customer portal |
| mb_csrf | http_cookie | session | CSRF protection token issued on form submission to prevent cross site request forgery |
| mb_cart | http_cookie | 7 days | Stores the current shopping cart and selected plan to allow returning visitors to resume checkout |
| mb_currency | http_cookie | 30 days | Stores the visitor currency preference used to display localized prices |
| mb_consent | http_cookie | 180 days | Records the operator level cookie consent state used to gate optional marketing pixels around the checkout |
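As an added defender-side check (not MonoBill's own code), this Python script audits the Set-Cookie headers of a checkout response against the table above: it flags cookies outside the declared inventory, lifetimes longer than declared, and missing Secure or HttpOnly attributes. The sample headers are constructed, and the hardening expectations (Secure on every cookie, HttpOnly on mb_session) are this example's assumptions, not MonoBill documentation.

```python
from datetime import timedelta

# Declared inventory copied from the cookie table above: name -> maximum lifetime (None = session only).
DECLARED = {
    "mb_session": None,
    "mb_csrf": None,
    "mb_cart": timedelta(days=7),
    "mb_currency": timedelta(days=30),
    "mb_consent": timedelta(days=180),
}
HTTPONLY_REQUIRED = {"mb_session"}  # assumption: the signed-in session must not be readable by page scripts

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (cookie name, lower-cased attribute dict)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs

def audit_cookies(set_cookie_headers):
    """Compare observed Set-Cookie headers with the declared inventory; return a list of findings."""
    findings = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if name not in DECLARED:
            findings.append(f"{name}: not in the declared cookie inventory")
            continue
        limit = DECLARED[name]
        persistent = "max-age" in attrs or "expires" in attrs
        if persistent and limit is None:
            findings.append(f"{name}: declared as session cookie but is persistent")
        elif "max-age" in attrs and timedelta(seconds=int(attrs["max-age"])) > limit:
            findings.append(f"{name}: Max-Age exceeds the declared {limit.days} days")
        if "secure" not in attrs:
            findings.append(f"{name}: missing Secure attribute")
        if name in HTTPONLY_REQUIRED and "httponly" not in attrs:
            findings.append(f"{name}: missing HttpOnly attribute")
    return findings

# Constructed sample headers for a checkout response (not captured from MonoBill).
SAMPLE_HEADERS = [
    "mb_session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "mb_csrf=tok456; Path=/; Secure; SameSite=Strict",
    "mb_cart=plan%3Dpro; Path=/; Max-Age=604800; Secure",
    "mb_currency=EUR; Path=/; Max-Age=5184000; Secure",
    "_ga=GA1.2.1; Path=/; Max-Age=63072000",
]
```

Running `audit_cookies(SAMPLE_HEADERS)` reports the over-long mb_currency cookie and the undeclared `_ga` cookie, which is exactly the kind of drift a periodic scan of the checkout pages should surface before the cookie policy goes stale.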
MonoBill writes only strictly necessary first party cookies on the checkout and customer portal pages: a session cookie, a CSRF token, the cart contents, the currency choice and the signed in customer reference. No advertising or analytics cookies are set by the platform itself. localStorage is used for the cart and the currency selection. Anything beyond that, such as Google Ads conversion tags, Meta Pixel or Klaviyo events, comes from the operator and remains under its own consent regime.
No consent banner is needed for MonoBill itself. The cookies and storage entries set by MonoBill are strictly necessary to deliver a service explicitly requested by the user (the contractual transaction). They fall under the second limb of Article 5(3) of the ePrivacy Directive and the equivalent national rules and do not require opt in consent. They must still be described in the cookie policy. Marketing pixels added on top of MonoBill keep their normal consent obligation.
The primary lawful basis is Article 6(1)(b) GDPR, performance of the sale contract. Article 6(1)(c) GDPR covers invoicing and the legal obligation to retain accounting records (typically 6 to 10 years in EU Member States). Article 6(1)(f) GDPR can support strictly scoped anti fraud controls. Choose the basis that fits the operation rather than relying on consent, which is inappropriate for billing.
In the default SaaS configuration MonoBill is hosted in the European Union and does not transfer billing data outside the EEA. If the operator connects MonoBill to a non EU payment service provider, tax engine or accounting tool, those downstream transfers become the operator's responsibility. They must be backed by Article 46 GDPR safeguards (typically Standard Contractual Clauses plus a transfer impact assessment) and documented in the record of processing.
A DPIA is generally not required for routine billing performed under contract performance and legal obligation. Trigger a DPIA when MonoBill feeds large scale automated decisions, customer profiling or anti fraud scoring with significant effects, or when the platform is integrated with sensitive flows (health, children, vulnerable users). Document the assessment outcome even if you decide that no full DPIA is required.
Sign a Data Processing Agreement with MonoBill and list it in your record of processing as a processor. Update the privacy notice with the EU hosting location, the categories of data processed, the legal retention period and any downstream payment providers. Display the strictly necessary cookies in the cookie table. Restrict access to the MonoBill back office via SSO and per role permissions and enable two factor authentication for finance and admin users.
EU based alternatives include Paddle MoR, Lemon Squeezy EU entity, Chargebee EU residency, Recurly EU, Mollie Subscriptions and self hosted options such as Lago or Killbill on EU infrastructure. The choice depends on whether you want a Merchant of Record handling sales tax, whether you need pure subscription management or a full checkout, and the level of automation around accounting and dunning.
Add a section for MonoBill in the cookie policy listing each strictly necessary cookie (name, purpose, retention) even though no consent is required. Mention the lawful basis (contract performance and legal obligation), the EU hosting location and the downstream payment providers used. Update the record of processing activities and the privacy notice in parallel and notify any downstream tools that scan the site for tracker changes.