Back to home

Legal

Privacy Policy

Last updated: 1 June 2026

Monkey Speaks (es.monkeybrain.pro)

1. Controller

The controller responsible for data processing in connection with the web application Monkey Speaks (the "Service") is:

Delphi Analytics GmbH
Rheinsberger Strasse 76
10115 Berlin
Germany
Email: ben@delphi-analytics.de

We have not appointed a data protection officer, as we are not legally required to do so.

2. Overview of Processing

We process personal data only to the extent necessary to provide the Service, to fulfil contracts, to comply with legal obligations, and to protect our legitimate interests. The following sections describe the categories of data, purposes, legal bases, recipients, and retention periods.

3. Account Data (Sign-in via Google)

3.1 When you register, sign-in is performed via Google (Google OAuth). We receive and store from Google: your name, email address, and a unique account identifier. We do not receive your Google password.

3.2 Purpose: creation and administration of your user account; authentication. Legal basis: Article 6(1)(b) GDPR (performance of a contract).

3.3 Google's own processing in connection with the sign-in is the responsibility of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Details: https://policies.google.com/privacy

4. Learning and Usage Data

4.1 When you use the Service, we process data about your learning activity: exercises completed, answers given (including free-text answers), correctness, difficulty ratings, spaced-repetition scheduling parameters, progress, levels, and streaks.

4.2 Purpose: providing the core functionality of the Service (adaptive exercise scheduling, progress tracking, feedback). Legal basis: Article 6(1)(b) GDPR.

5. AI-Based Answer Evaluation

5.1 For certain exercise types (free-text translation), the answer you submit, together with the exercise sentence, is transmitted to an AI service for automated evaluation. For this purpose we use OpenRouter, Inc. (USA) as an API gateway, which routes requests to the AI model provider Anthropic, PBC (USA).

5.2 Submitted content is limited to the exercise text and your answer; we do not transmit your name or email address with these requests. We have configured and contracted these services so that submitted content is not used to train AI models.

5.3 Purpose: automated evaluation of and feedback on your answers as a core feature of the Service. Legal basis: Article 6(1)(b) GDPR.

5.4 The automated evaluation of individual exercise answers serves learning feedback only and produces no legal effect concerning you or any similarly significant effect within the meaning of Article 22 GDPR.

5.5 For transfers to the USA, see Section 10.

6. Payment Data

6.1 If you purchase a paid subscription, payment is processed by Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland ("Stripe"). Stripe collects and processes your payment data (e.g., card details) directly; we do not store full payment card numbers. We receive from Stripe confirmation of payment, the payment method type, and billing-related data necessary for accounting.

6.2 Purpose: processing of payments, subscription management, invoicing, fraud prevention (by Stripe). Legal basis: Article 6(1)(b) GDPR; for the retention of accounting records, Article 6(1)(c) GDPR in conjunction with statutory retention obligations (Sections 147 AO, 257 HGB).

6.3 Stripe may transfer data to Stripe, Inc. in the USA; Stripe is certified under the EU–U.S. Data Privacy Framework. Details: https://stripe.com/privacy

7. Hosting and Technical Infrastructure

7.1 The Service is delivered via Vercel Inc., 440 N Barranca Ave #4133, Covina, CA 91723, USA ("Vercel"). When you access the Service, technically necessary data is processed by Vercel on our behalf: IP address, date and time of access, requested resource, browser type and version, operating system, and referrer URL. This data is processed in server log files for the purpose of delivering the Service, ensuring stability and security, and diagnosing faults.

7.2 Our application database is operated by Supabase, Inc. ("Supabase"); the database storing your account and learning data is hosted in the European Union.

7.3 Purpose: technical provision, security, and stability of the Service. Legal basis: Article 6(1)(f) GDPR; our legitimate interest lies in the secure and reliable operation of the Service. Log data is retained only as long as necessary for these purposes.

7.4 Both Vercel and Supabase act as processors under Article 28 GDPR on the basis of data processing agreements.

8. Cookies and Local Storage

8.1 The Service uses only technically necessary cookies and browser storage (e.g., session/authentication tokens and local application state). These are required to provide the Service you have requested. Legal basis: Section 25(2) No. 2 TDDDG and Article 6(1)(f) GDPR.

8.2 We do not use advertising, tracking, or third-party analytics cookies. Should this change, we will update this policy and, where required, obtain your consent in advance.

9. Email Communication

We use your email address to send transactional messages relating to your account and contract (e.g., registration confirmation, payment receipts, material changes to the Service or terms). Legal basis: Article 6(1)(b) GDPR. We do not send marketing emails without your consent (Article 6(1)(a) GDPR); any such consent can be withdrawn at any time.

10. Transfers to Third Countries

Where data is transferred to providers in the USA (Vercel, Stripe Inc., OpenRouter, Anthropic), the transfer is safeguarded by an adequacy decision of the European Commission pursuant to Article 45 GDPR (EU–U.S. Data Privacy Framework) where the provider is certified, and otherwise by the European Commission's Standard Contractual Clauses pursuant to Article 46(2)(c) GDPR, supplemented by additional safeguards where appropriate. You may request a copy of the relevant safeguards using the contact details in Section 1.

11. Retention

11.1 Account and learning data are stored for the duration of your contract. If you delete your account, this data is deleted without undue delay, unless statutory retention obligations require longer storage.

11.2 Accounting-relevant data (invoices, payment records) is retained for the statutory periods (currently up to ten years under German tax and commercial law) and is blocked from any other use during that time.

11.3 Server log data is retained for a short period appropriate to security and fault diagnosis and is then deleted or anonymized.

12. Your Rights

You have the following rights under the GDPR with respect to your personal data:

  • Right of access (Article 15 GDPR)
  • Right to rectification (Article 16 GDPR)
  • Right to erasure (Article 17 GDPR)
  • Right to restriction of processing (Article 18 GDPR)
  • Right to data portability (Article 20 GDPR)
  • Right to object to processing based on Article 6(1)(f) GDPR (Article 21 GDPR); where we process data on the basis of legitimate interests, you may object on grounds relating to your particular situation, and we will cease processing unless we demonstrate compelling legitimate grounds
  • Right to withdraw any consent at any time with effect for the future (Article 7(3) GDPR)

To exercise these rights, contact us at ben@delphi-analytics.de.

You also have the right to lodge a complaint with a data protection supervisory authority (Article 77 GDPR), in particular in the EU member state of your habitual residence, your place of work, or the place of the alleged infringement. The supervisory authority competent for us is the Berliner Beauftragte für Datenschutz und Informationsfreiheit, Alt-Moabit 59-61, 10555 Berlin (www.datenschutz-berlin.de).

13. Obligation to Provide Data

Provision of account data is necessary for the conclusion and performance of the usage contract; without it, the Service cannot be used. There is no statutory obligation to provide data.

14. Changes to This Privacy Policy

We will update this Privacy Policy where changes to the Service or the legal situation require it. The current version is always available within the Service.