Privacy policy
How Vertical Monkey collects, processes, and protects personal data under Regulation (EU) 2016/679 (GDPR)
1. Controller
The controller responsible for processing your personal data in the context of our website and marketing activities is:
Modmatrix Innovations Sàrl-S
5 Am For · L-5351 Oetrange · Grand Duchy of Luxembourg
RCS Luxembourg B285027
Contact: contact form
When a climbing club uses Vertical Monkey to process personal data of its members, the club is the controller and Vertical Monkey acts as processor under a separate Data Processing Agreement (DPA). This policy covers the data we process as controller (visitors, prospects, club administrators signing up).
2. Data protection officer and authority
We have not appointed a statutory Data Protection Officer under GDPR Art. 37; the conditions requiring mandatory DPO designation do not currently apply. For any privacy-related question contact us via the contact form with the subject "Privacy".
Lead supervisory authority: Commission nationale pour la protection des données (CNPD), 15 Boulevard du Jazz, L-4370 Belvaux, Luxembourg — cnpd.public.lu. You have the right to lodge a complaint with the CNPD at any time.
3. Categories of personal data processed
Depending on your interaction with Vertical Monkey we process the following categories of data:
| Purpose | Data categories | Legal basis (Art. 6 GDPR) | Retention |
|---|---|---|---|
| Visiting the website | IP address, HTTP request metadata, referrer | Legitimate interest (Art. 6(1)(f)) — operating and securing the site | 30 days in rotating access logs |
| Creating an account (owner / admin) | Username, email, password hash, preferred language, IP at signup, club metadata | Contract performance (Art. 6(1)(b)) | Until account closure + 90 days soft-delete buffer, then hard-delete |
| Processing subscription payments | Billing email, VAT number, company address, Stripe customer ID | Contract performance (Art. 6(1)(b)) + legal obligation (Art. 6(1)(c), accounting law) | 10 years per Luxembourg commercial code (Code de commerce art. 16) |
| Responding to support requests | Email content, contact form submissions | Legitimate interest (Art. 6(1)(f)) — responding to inquiries | 24 months after last correspondence |
| Security monitoring (rate-limit, fail2ban, Turnstile) | IP address, request fingerprint, user-agent | Legitimate interest (Art. 6(1)(f)) — protecting the service from abuse | 90 days for security logs, 30 days for rate-limit state |
| Essential cookies (session, CSRF) | HttpOnly session token, CSRF token, language preference | Strict necessity (ePrivacy Directive Art. 5(3), PSD exception) | Session: until logout or 1h inactivity. Language: 12 months in localStorage |
4. Sub-processors and data transfers
We use the following sub-processors, all located within the European Economic Area (EEA) or covered by appropriate safeguards under Art. 44 et seq. GDPR:
| Provider | Service | Location | Transfer safeguard |
|---|---|---|---|
| Hetzner Online GmbH | Infrastructure (servers, storage) | Germany · Finland | EEA, GDPR Art. 28 DPA |
| Cloudflare, Inc. | CDN, DDoS protection, Turnstile (CAPTCHA) | EU edge, US parent | Standard Contractual Clauses (2021 modules) |
| Stripe Payments Europe, Ltd. | Subscription billing, invoicing, tax | Ireland | EEA, GDPR Art. 28 DPA |
| Functional Software Inc. (Sentry) | Error monitoring | EU region — sentry.io hosted in Germany | EEA, GDPR Art. 28 DPA. PII scrubbing enabled before event send |
A current list of sub-processors is available on request via the contact form. We notify existing customers at least 30 days in advance of any new sub-processor affecting their data.
5. Your rights as a data subject
Under Articles 15 through 22 of the GDPR you have the following rights. To exercise any of them, send us a request via the contact form describing the right you wish to exercise. We respond within one month; in complex cases this period may be extended by two further months, in which case we notify you of the extension.
- Right of access (Art. 15): request confirmation whether we process personal data about you, and a copy of that data in a structured format.
- Right to rectification (Art. 16): request correction of inaccurate data or completion of incomplete data.
- Right to erasure / "right to be forgotten" (Art. 17): request deletion of your data. We honour requests unless we have a legal obligation to retain (e.g. accounting law for invoices, 10 years).
- Right to restriction (Art. 18): request we limit processing in specific circumstances.
- Right to data portability (Art. 20): receive your data in a machine-readable format (JSON) and, where technically feasible, have it transmitted to another controller.
- Right to object (Art. 21): object to processing based on legitimate interest or direct marketing at any time.
- Rights in automated decision-making (Art. 22): we do not currently make decisions that produce legal or similarly significant effects based solely on automated processing.
- Right to lodge a complaint: you may complain directly to the CNPD at any time, without contacting us first.
6. Security measures
We apply appropriate technical and organisational measures under Art. 32 GDPR, including:
- TLS 1.2/1.3 encryption for all traffic
- Per-club Fernet envelope encryption for sensitive fields (medical notes, IBAN, chat)
- Bcrypt password hashing (never plaintext storage)
- Optional two-factor authentication (TOTP)
- Per-account lockout after 5 failed attempts in 15 minutes
- Cloudflare Turnstile CAPTCHA on login, register, and password-reset forms
- Immutable audit logs with append-only filesystem flag
- Daily encrypted backups with 7-day rotation, off-site sync planned
- Role-based access control with per-tenant isolation (multi-tenant database design)
7. Processing of data of minors
The creation of a Vertical Monkey account (as club owner or admin) requires users to be of legal age in their jurisdiction. Personal data of club members who are minors is processed exclusively by the club acting as controller, subject to the safeguards in the DPA and the UK AADC defaults where applicable (GB clubs).
7.1 Verifiable parental consent (GDPR Art. 8 + COPPA)
Members under 16 (GDPR Art. 8 default; some EU Member States set a lower threshold, down to 13) can never self-register an account on the public Apply form: the form rejects any submission whose date of birth indicates an age under 18. Login accounts for minors are created exclusively by a club administrator through the admin gateway, and the administrator collects the parent's or legal guardian's email address. The platform then sends a verifiable consent email to that guardian containing a single-use token valid for 14 days; the guardian must click the link, create their own parent account, and explicitly affirm consent to the minor's data processing before any access is granted. The minor's login is not enabled until the guardian has also set the initial password. This satisfies the verifiable-parental-consent requirements of both GDPR Art. 8 and COPPA.
7.2 Rights exercised by the guardian
For members under 18, all data-subject rights under GDPR Art. 15–22 (access, rectification, erasure, restriction, portability, objection) are exercised on the minor's behalf by the verified parent or legal guardian via the parent dashboard at verticalmonkey.eu/guardian. The guardian can review the minor's full profile, request correction, or trigger the "Unregister from app" flow, which immediately deactivates the minor's login and soft-deletes all personal data. Soft-deleted data is retained for 90 days to allow an accidental removal to be undone, after which it is permanently purged from production. Audit-log entries (immutable per GoBD / Art. 30 record-keeping) are retained per the standard retention table above.
7.3 No public minor self-signup
The public Apply form on every club subdomain (e.g. club-name.verticalmonkey.eu/apply) and the mobile-app Apply screen both enforce an 18-or-older date-of-birth check at the form level; server-side validation rejects submissions that fail this check with HTTP 400 and the error code AGE_RESTRICTED_SELF_SIGNUP. Minors are intentionally kept outside the self-signup flow so that parental consent is captured every time; this is also why Vertical Monkey is registered under the Google Play "Target Audience: 13+" category and never opts into the Designed-for-Families program.
8. Changes to this policy
We may update this privacy policy to reflect changes in the service, applicable law, or supervisory authority guidance. Material changes will be notified via email to account holders at least 30 days before taking effect. The "Last revised" date below always reflects the current version.