As of: May 2026
The legally binding version of this Privacy Policy is the German version available at /de/datenschutz. In case of conflict, the German version prevails.
§ 1 Controller
The controller within the meaning of the GDPR is:
21Solutions GmbH
Feldbergstraße 35, 60323 Frankfurt am Main, Germany
Email: info@ppl-monkey.com
A statutory data protection officer is not required. For data protection matters please contact the email address above.
§ 2 Purposes and legal bases
We process personal data only insofar as necessary to provide our learning platform, to perform a contract, to fulfil legal obligations or on the basis of your consent.
Purposes: providing the platform, account management, authentication, processing of paid premium features (once active), sending system emails, security and abuse prevention, server logs, privacy-friendly aggregated analytics, optional AI-supported features.
Legal bases: Art. 6 (1) b GDPR (contract), Art. 6 (1) c (legal obligations), Art. 6 (1) f (legitimate interests), Art. 6 (1) a (consent where applicable).
§ 3 Server logs
When accessing the platform, technically required connection data is processed (shortened IP address, user agent, date/time, requested URL, referrer, HTTP status). It is used for stability, security and abuse prevention and is anonymised or deleted within 30 days. Legal basis: Art. 6 (1) f GDPR.
§ 4 User accounts & authentication
For access to protected areas we create a user account. We process email address, hashed password, role, language preference and login timestamps. Authentication and session management are provided by Supabase Auth (see § 9). Legal basis: Art. 6 (1) b GDPR.
§ 5 Learning progress
If you are logged in, we store learning progress, bookmarks and similar data linked to your user ID. No transfer to third parties takes place. Legal basis: Art. 6 (1) b GDPR.
§ 6 Paid premium features (Stripe)
Once paid features are offered, payment is processed by Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Dublin, Ireland. We only receive the data necessary to perform the contract (payment status, amount, payment method, Stripe reference IDs). Full payment data (card or bank details) is processed exclusively by Stripe and is not transferred to us. Stripe may transfer data to the United States; transfers are safeguarded by EU Standard Contractual Clauses and the EU-US Data Privacy Framework. Legal basis: Art. 6 (1) b GDPR. Stripe privacy notice: https://stripe.com/privacy
§ 7 Email sending (Resend)
System emails (signup confirmation, password reset, invoices, notifications) are sent via Resend (Resend.com, Inc., Delaware/USA). Email address, content and sending metadata are transferred. Transfers are safeguarded by EU SCCs and the EU-US Data Privacy Framework. Legal basis: Art. 6 (1) b/f GDPR. Privacy notice: https://resend.com/legal/privacy-policy
§ 8 AI-supported features (Lovable AI Gateway)
Where AI-supported features are offered (e.g. explanatory text, glossary support), prompts are forwarded anonymously via the Lovable AI Gateway to underlying language models (e.g. OpenAI, Anthropic, Google). Only data necessary for the request is transmitted; use for model training by providers is contractually excluded. Do not enter personal or sensitive data in AI prompts. Transfers to third countries (e.g. USA) may occur and are safeguarded by EU SCCs and the EU-US Data Privacy Framework. Legal basis: Art. 6 (1) b/f GDPR.
§ 9 Hosting, backend and delivery
- Supabase Inc. (Singapore) — database, auth, storage, edge functions. Data is stored exclusively in the EU region (Frankfurt). DPA pursuant to Art. 28 GDPR concluded.
- Lovable GmbH (Munich, Germany) — build & deploy platform.
- Cloudflare, Inc. (San Francisco, USA) — global CDN and edge runtime for delivery of the website. Transfers to the USA are safeguarded by EU SCCs and the EU-US Data Privacy Framework. Privacy notice: https://www.cloudflare.com/privacypolicy/
§ 10 Analytics (Plausible)
We use Plausible Analytics by Plausible Insights OÜ, Tartu, Estonia, for privacy-friendly analytics. Plausible does not set cookies, does not create device fingerprints and does not transfer personal data to third countries outside the EU. Only anonymous aggregated statistics are collected. Legal basis: Art. 6 (1) f GDPR. No consent under § 25 TDDDG is required.
§ 11 Google Search Console (operator tool only)
To monitor the visibility of our pages in Google Search we use the Google Search Console (Google Ireland Ltd., Dublin). Only aggregated search and crawling data is processed, which Google collects anyway as a search-engine operator. No user identification by us takes place. Legal basis: Art. 6 (1) f GDPR.
§ 12 Cookies & local storage
This website uses only technically necessary cookies / local-storage entries (login session, language, bot protection, Stripe checkout where applicable). No marketing or tracking cookies are set. Details: see Cookie Notice. Legal basis: § 25 (2) no. 2 TDDDG.
§ 13 Recipients / processors (overview)
| Provider | Purpose | Location / region | Legal basis |
|---|---|---|---|
| Supabase Inc. | Database, auth, storage, edge | EU region (Frankfurt), DPA Art. 28 | Art. 6 (1) b |
| Lovable GmbH | Build & deploy platform | Germany | Art. 6 (1) b/f |
| Cloudflare, Inc. | Hosting/CDN, edge runtime | USA, SCC + DPF | Art. 6 (1) f |
| Resend | Transactional & auth emails | USA, SCC + DPF | Art. 6 (1) b/f |
| Stripe Payments Europe Ltd. | Payment processing (premium) | Ireland/USA, SCC + DPF | Art. 6 (1) b |
| Plausible Insights OÜ | Cookieless analytics | Estonia (EU) | Art. 6 (1) f |
| Lovable AI Gateway (incl. OpenAI/Anthropic/Google) | AI features | EU/USA, SCC + DPF | Art. 6 (1) b/f |
| Google Ireland Ltd. (Search Console) | SEO monitoring (operator) | Ireland/USA, DPF | Art. 6 (1) f |
DPAs pursuant to Art. 28 GDPR and — for third-country transfers — appropriate safeguards under Art. 46 GDPR are in place.
§ 14 Retention
- User accounts: until deletion by the user; in case of inactivity at the latest after 36 months following prior notice
- Server and security logs: ≤ 30 days
- Payment and invoice data: 10 years (§§ 147 AO, 257 HGB)
- Resend sending logs: ≤ 30 days
§ 15 Your rights
You have the rights under Art. 15–21 GDPR (access, rectification, erasure, restriction, portability, objection to processing based on legitimate interests) and the right to withdraw consent (Art. 7 (3) GDPR). To exercise your rights, an informal email to info@ppl-monkey.com is sufficient.
§ 16 Right to lodge a complaint
You have the right to lodge a complaint with a data-protection supervisory authority. Competent for us:
Der Hessische Beauftragte für Datenschutz und Informationsfreiheit
Postfach 31 63, 65021 Wiesbaden, Germany
https://datenschutz.hessen.de
You may also contact any other supervisory authority, in particular at your place of habitual residence.
§ 17 Minimum age
The platform is intended for persons aged 16 and older. Younger persons may only use the platform with the consent of a legal guardian (Art. 8 GDPR).
§ 18 SSL/TLS
This website uses SSL/TLS encryption for security reasons.
§ 19 Updates
We reserve the right to update this Privacy Policy to reflect changes in legislation or in our service. The current version is always available on this page.