MonkeyGrade Privacy Policy

Effective date: 2026-06-16

Version: 1.0 — 2026-06-16
Applies to: MonkeyGrade web application and mobile app (iOS/Android)

1. Who we are — the data controller

MonkeyGrade by Figiel
Buckhauserstrasse 49
8048 Zürich
Switzerland

MonkeyGrade by Figiel (the sole proprietorship of Jean-Yves Figiel, trading as “MonkeyGrade”) is the sole data controller for the personal data described in this policy.

For the purposes of this policy, "we", "us", and "our" refer to the entity identified above (the data controller).

Our privacy contact / Data Protection Officer (DPO):

Jean-Yves Figiel
Email: dpo@monkeygrade.cloud
Buckhauserstrasse 49, 8048 Zürich, Switzerland

Jean-Yves Figiel is the appointed Data Protection Officer for MonkeyGrade.

We are subject to the revised Swiss Federal Act on Data Protection (revFADP) and, because we serve individuals located in the European Union, also to the EU General Data Protection Regulation (GDPR).

The supervisory authority in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC) — https://www.edoeb.admin.ch/.

EU representative (GDPR Art. 27): We have assessed whether an EU representative must be appointed in respect of our processing of EU residents' personal data. At this stage we have accepted the risk of not appointing a representative, and we will re-evaluate this decision as our processing activities and user base evolve.

2. What data we process and why (legal bases)

MonkeyGrade is a bouldering-gym application. We process personal data to provide the member-facing service — session tracking, climb logging, skill analytics, and optional social features — and to operate the platform.

2.1 Account and profile data

Data	Purpose	Legal basis
Email address	Account creation, authentication, transactional email	GDPR Art. 6(1)(b) (contract); revFADP Art. 31
Password (stored as Argon2id hash — never in plain text)	Authentication	GDPR Art. 6(1)(b)
Optional display name / profile fields	Personalisation, social features	GDPR Art. 6(1)(a) (consent, since it is voluntary) / Art. 6(1)(b)
Optional profile photo	Display in-app	GDPR Art. 6(1)(a) (consent)
TOTP 2FA secret (if enabled)	Account security	GDPR Art. 6(1)(b)
Gym membership linkage (which gym(s) a member belongs to)	Scoping the service to the correct gym	GDPR Art. 6(1)(b)

2.2 Climbing activity data

Data	Purpose	Legal basis
Boulder sends/attempts (grade, date, flash/attempt count, boulder ID)	Skill analytics, session planning, statistics	GDPR Art. 6(1)(b) (core service)
Favourited boulders	Personal bookmark list	GDPR Art. 6(1)(b)
Personal comments on boulders	Community grading feature	GDPR Art. 6(1)(b)
Session plan content (chosen duration, phase structure, boulder picks, tick state)	Session Planner feature	GDPR Art. 6(1)(b)

Climbing activity data is entered by the member voluntarily and constitutes the core of the service. We do not collect or infer any biometric data.

2.3 Video analysis data (optional feature)

The video-analysis / climbing-pose feature is currently in beta and not enabled in production. No member video is processed in production today. The description below explains how the feature works when a gym enables it; it will apply only once the feature is released to production.

Where the gym enables the video-analysis feature:

Members may upload short climbing video clips.
The clip is processed on-server by a pose-estimation model (MediaPipe) to extract numeric body-landmark metrics (positions, joint angles).
Numeric metrics (not video) may be forwarded to the Anthropic API for coaching suggestions. No video or image frames are transmitted to Anthropic.
Videos are stored on the file-storage backend (see §4 vendor list).

Legal basis: GDPR Art. 6(1)(a) (explicit member consent, obtained at upload time).

Biometric data and DPIA: Pose data may qualify as biometric data under GDPR Art. 9. Before this feature is enabled in production, we will complete a Data Protection Impact Assessment (DPIA) and obtain explicit consent under GDPR Art. 9(2)(a) for the processing.

2.4 Communication data

Data	Purpose	Legal basis
In-app private messages between members	Social feature	GDPR Art. 6(1)(b)
Transactional email logs (delivery, bounce)	Service delivery, spam prevention	GDPR Art. 6(1)(f) (legitimate interest — sending email the member requested)

We do not send marketing email. Transactional email only.

2.5 Support, abuse reports, and moderation data

Data	Purpose	Legal basis
Support tickets	Providing support	GDPR Art. 6(1)(b)
Abuse/content reports	Safety and platform integrity	GDPR Art. 6(1)(f) (legitimate interest)

2.6 Security and audit data

Data	Purpose	Legal basis
Audit log (account events, admin actions, significant security events)	Security, integrity, accountability	GDPR Art. 6(1)(f) (legitimate interest — protecting users and the platform)
Rate-limit counters, failed-login records	Brute-force protection, account lockout	GDPR Art. 6(1)(f)

We do not use cookies beyond strictly necessary session / authentication cookies and a consent-tracked preference cookie. A cookie consent banner is shown on first visit. See our Cookie Policy for details.

2.7 Location data — GPS gym-arrival feature

See §6 below for a full, dedicated description of location processing.

This is set out separately because location is the only sensitive permission the app requests, and we want the purpose and limitations to be fully transparent.

2.8 Health & fitness data — optional Health sync

See §7 below for a full, dedicated description of health-data handling.

This is set out separately because health and fitness data is sensitive, the feature integrates with the operating-system health store (Apple Health / Android Health Connect), and we want the purpose and limitations to be fully transparent. The feature is opt-in and off by default.

3. Data we do NOT collect

We do not sell personal data to third parties.
We do not build advertising profiles.
We do not use third-party analytics SDKs that track behaviour across apps or websites (e.g. Google Analytics, Meta Pixel, Firebase Analytics).
We do not collect precise GPS coordinates. The location feature described in §6 uses only approximate (coarse) device position, momentarily, on-device only.
We do not store or transmit the member's device location.
We do not access the device camera, microphone, or contacts (the mobile app requests camera/photo only for the video-upload feature if enabled).

4. Who we share data with — processors and sub-processors

We share data only with service providers acting as data processors under a Data Processing Agreement (DPA). They may not use member data for their own purposes.

Vendor	Role	Data accessed	Location	Transfer basis
OVH (VPS — Strasbourg, France)	Infrastructure / hosting	All app data (app runs on these servers)	EU 🇫🇷	EU — no transfer mechanism needed
PostgreSQL (self-hosted on OVH VPS)	Database	All member data stored in the DB	Same VPS	n/a
Redis (self-hosted on OVH VPS)	Cache / session store	Session tokens, short-lived cache	Same VPS	n/a
AWS S3, region eu-central-2 (Zurich)	File storage	Uploaded photos and videos (if MEDIA_BACKEND=s3)	Switzerland 🇨🇭	n/a (Swiss storage)
SMTP2GO (EU endpoint)	Transactional email delivery	Email address + email body	EU	DPA signed; EU endpoint in use.
Google reCAPTCHA v3 (optional)	CAPTCHA / bot detection	IP address, browser fingerprint	US 🇺🇸	EU-US DPF + SCCs
Sentry (optional)	Error monitoring	Stack traces — PII scrubbed before sending	US 🇺🇸	EU-US DPF + SCCs; PII scrubbing configured
Anthropic (conditional)	AI coaching suggestions in video-analysis feature	Numeric pose metrics only (no video, no images, no names) — only if ANTHROPIC_API_KEY is set	US 🇺🇸	DPA signed. Used only by the beta video-analysis feature (not enabled in production); no member data sent to Anthropic in the current production build.
Apple App Store / Google Play Store	App distribution	Store-collected data per their own terms; distributors, not processors of member data.	Global	Their own terms

The vendors listed above are the complete set of third parties that may process member personal data. We do not use any other third-party service that processes member personal data.

5. Data retention

Data category	Retention period
Active account data	Until the account is deleted
Account data after deletion	Deleted within 30 days of receiving a deletion request
Database backups	Retained for up to 90 days then overwritten/deleted
Transactional email delivery logs	30 days
Security / audit logs	90 days
Video files (if enabled)	Deleted on account deletion, or within 90 days of upload, whichever is earlier (applies when the video-analysis feature is enabled).

These retention periods are based on our operational needs and our obligation to be able to respond to legal requests. We do not retain personal data longer than necessary.

6. Location data — the GPS gym-arrival feature

This section describes the app's only sensitive device permission.

6.1 Purpose

The Session Planner feature can detect when you arrive at your gym and offer to start or resume your planned climbing session. This is purely a convenience feature — you can always start a session manually without granting location access.

6.2 What we access and how

We request approximate (coarse) device location only — not precise GPS coordinates. Coarse location is accurate to roughly 3 km (Android) or a city-block level (iOS), which is sufficient to detect that you are near your gym without pinpointing your exact position.
Location is accessed in the foreground only, when the app is open. The app does not access your location in the background, when the screen is locked, or when the app is closed.
The device computes a single haversine distance between your approximate position and your gym's stored coordinates (latitude/longitude kept in our database for each registered gym). This calculation runs entirely on your device.
Your device position is never stored. It is used for the distance check only and discarded immediately afterwards.
Your device position is never transmitted to our servers or to any third party.

6.3 What we store

We store the gym's coordinates (latitude/longitude) in our database so the on-device distance check can work. Gym coordinates are not personal data.

We do not store:

Your device's location (at any point in time)
A history of where you have been
Whether or how often the arrival check was triggered

6.4 Legal basis

GDPR Art. 6(1)(a) / revFADP Art. 31 — explicit consent, obtained through the OS permission prompt before location is accessed for the first time. You may decline at any time.

6.5 How to revoke

You can revoke location permission at any time in your device's Settings:

iOS: Settings → Privacy & Security → Location Services → MonkeyGrade → Never
Android: Settings → Apps → MonkeyGrade → Permissions → Location → Don't allow

Revoking location permission does not affect any other app functionality. Session planning and all other features remain fully available; you start sessions manually instead of via the arrival prompt.

6.6 Summary

What	Answer
Data accessed	Approximate (coarse) device location
When	Foreground / app-open only
Where the distance check runs	On your device — never on our servers
Is your position stored?	No
Is your position transmitted?	No
Can you opt out?	Yes — deny or revoke OS permission; no feature is blocked

7. Health & fitness data — the optional Health sync feature

This section describes the optional integration with the device's health store (Apple Health on iOS / Android Health Connect on Android).

The feature is opt-in and off by default. It is enabled only if you turn on the "Sync to Health" toggle in your Profile. In the current version the integration is write-only: MonkeyGrade writes workout entries to the health store and does not read any health data back from it.

7.1 Purpose

When you complete a planned training session, MonkeyGrade can record that session as a workout in your device's health store so it appears alongside your other fitness activity. This is purely a convenience feature — you can use the Session Planner and all other features without enabling it.

7.2 What we access and write

When the "Sync to Health" toggle is on, for each completed training session we write the following to the OS health store (Apple Health / Android Health Connect):

A "Rock climbing" workout and a short "Flexibility / Preparation & Recovery" workout, each with a start time, end time, and duration.
An estimated active energy (kcal) for the workout. This value is an estimate computed on your device from the session duration and your body weight. We do not use a heart-rate sensor and we do not measure your actual energy expenditure.
Optional height and weight samples, if you have entered them to enable the estimate.

To compute the active-energy estimate you may enter your sex, height, and weight. As with the location feature, these inputs are stored only on your device and are never transmitted to MonkeyGrade servers or to any third party. They are used solely to calculate the on-device estimate.

The workout and body-measurement entries are written into Apple Health / Android Health Connect, which are governed by Apple's and Google's own terms — not onto MonkeyGrade servers. In this version we do not read these entries (or any other health data) back from the health store.

7.3 What we store

MonkeyGrade does not store any of the following on our servers:

Your sex, height, or weight
The active-energy estimate
The workout entries written to the health store
Any other data read from Apple Health or Android Health Connect (we do not read any back in this version)

The sex/height/weight values you provide and the resulting estimate live only on your device and in the OS health store you write them to.

7.4 Legal basis

GDPR Art. 6(1)(a) / revFADP Art. 31 — explicit consent, given when you turn on the "Sync to Health" toggle and grant the corresponding OS Health / Health Connect permission. The feature is off until you opt in, and you may withdraw consent at any time (see §7.5).

7.5 How to revoke

You can stop the Health sync at any time:

Turn off the "Sync to Health" toggle in your Profile; and/or
Revoke the app's Health permission in your device's settings:
- iOS: Settings → Privacy & Security → Health → MonkeyGrade → turn off access
- Android: Settings → Security & privacy → Health Connect → App permissions → MonkeyGrade → remove access

Revoking stops MonkeyGrade from writing any further entries. Revoking does not delete entries already written to Apple Health / Android Health Connect; you can remove those directly in the Apple Health or Health Connect app.

Apple Health data is never used for advertising. Android Health Connect data is handled in accordance with Google's Health Connect data-use policy — it is not used for advertising and is not sold.

7.6 Summary

What	Answer
Data written	"Rock climbing" + "Flexibility / Preparation & Recovery" workouts (start/end, duration, estimated kcal); optional height & weight
Default state	Off — opt-in via the Profile "Sync to Health" toggle
Direction	Write-only — we do not read health data back in this version
Where it goes	Apple Health / Android Health Connect (Apple's / Google's terms) — never MonkeyGrade servers
Is the energy figure measured?	No — it is an on-device estimate from duration and body weight (no heart-rate sensor)
Are your sex/height/weight sent to us?	No — stored only on your device, never transmitted
Advertising / resale	None — never used for ads; Health Connect data handled per Google's Health Connect data-use policy (no ads, no resale)
Can you opt out?	Yes — turn off the toggle and/or revoke OS permission; no feature is blocked

Version note: This Health & fitness data section was added when the optional Health sync feature was introduced. The corresponding bump of the policy version (above) is tracked under issue #707.

8. International data transfers

Our primary hosting and database are located in the EU / EEA (France) and Switzerland (file storage). No personal data is transferred outside these jurisdictions in the standard configuration.

Where optional services process data in the United States (reCAPTCHA, Sentry, Anthropic), we rely on the following mechanisms:

EU-US Data Privacy Framework (DPF) for transfers from the EU to certified US companies.
Swiss-US DPF (effective 15 September 2024) for transfers from Switzerland.
Standard Contractual Clauses (SCCs) as a fallback where DPF is unavailable or does not cover the specific processing.

Each US vendor we use is covered either by certification under the EU-US and Swiss-US Data Privacy Framework or by Standard Contractual Clauses, and the corresponding DPAs and SCC documentation are retained in our legal records. Note that Anthropic is used only by the beta video-analysis feature, which is not enabled in production, so no member data is transferred to Anthropic in the current production build.

9. Your rights

Under the revFADP and GDPR you have the following rights regarding your personal data. To exercise any of them, contact us at dpo@monkeygrade.cloud.

Right	What it means
Access (Art. 15 GDPR / revFADP Art. 25)	Request a copy of the personal data we hold about you
Rectification (Art. 16 GDPR)	Ask us to correct inaccurate data
Erasure (Art. 17 GDPR / revFADP Art. 32)	Ask us to delete your account and personal data
Restriction (Art. 18 GDPR)	Ask us to pause processing in certain circumstances
Data portability (Art. 20 GDPR)	Request your data in a machine-readable format
Objection (Art. 21 GDPR)	Object to processing based on legitimate interests
Withdraw consent	Where processing is based on consent, withdraw it at any time (this does not affect processing that already occurred)

We will respond within 30 days (revFADP) / one month (GDPR). If your request is complex, we may extend this by a further two months with notice.

You also have the right to lodge a complaint with the FDPIC (https://www.edoeb.admin.ch/) or, if you are in the EU, with your national data protection authority.

Self-service in-app data export (Art. 15/20) and account deletion (Art. 17) are both available from your member profile (Download my data / Delete account). Requests made outside the app are still answered manually within the statutory deadline.

10. Security

We apply appropriate technical and organisational measures to protect personal data, including:

Passwords stored using Argon2id (strong hashing, never in plain text)
Optional TOTP two-factor authentication
CSRF protection on all state-changing requests
Rate-limiting and brute-force lockout
TLS/HTTPS for all connections
Encrypted file storage in transit and at rest (AWS S3 standard encryption)
Audit logging for security-relevant events
Non-root container execution
Regular dependency audits (automated pip-audit / npm-audit in CI)

11. Children's data

MonkeyGrade is not directed at children under 16. Where a gym's membership includes minors, the gym is responsible for obtaining any required parental or guardian consent, and a parent or guardian should consent to and supervise the minor's use of the app. We do not knowingly process the personal data of children under 16 without such consent. If you believe a child has provided us with personal data without the required consent, please contact us at dpo@monkeygrade.cloud and we will take appropriate steps. An age-appropriate flow is tracked under issue #187.

12. Changes to this policy

We will notify registered members by email of material changes to this policy before they take effect. The effective date will be updated at the top of this document.

Effective date: 2026-06-16

13. Contact

For any questions about this privacy policy or to exercise your rights, contact:

Jean-Yves Figiel (Data Protection Officer)
Email: dpo@monkeygrade.cloud
Buckhauserstrasse 49, 8048 Zürich, Switzerland

For complaints you may also contact the FDPIC:

Federal Data Protection and Information Commissioner (FDPIC)
Feldeggweg 1, 3003 Bern, Switzerland
https://www.edoeb.admin.ch/

Last reviewed and approved by the operator: 2026-06-16. Reviewed periodically and whenever processing activities change.