Data Policy (GDPR)
Last updated: May 2026
1. Our Commitment
MonkiLabs — currently an unincorporated team based in the Czech Republic — is the controller of personal data processed through this service. We comply with the EU General Data Protection Regulation (GDPR) and other applicable data-protection laws. Our application and data are hosted in a German data centre, within the EEA; we apply EU-level safeguards by default, regardless of where you live.
This Data Policy summarises the GDPR-specific rights and procedures. For the full picture of what we collect, why, and where it goes, see our Privacy Policy — Section 5 of which is the canonical sub-processor list.
2. Lawful Basis for Processing
- Contract (Article 6(1)(b)): processing your account, child profile and story data to provide the service you signed up for.
- Legitimate interest (Article 6(1)(f)): operating, securing and debugging the service (server-side telemetry, abuse prevention) and producing aggregate, non-identifying service-quality metrics. You can object via the contact form.
- Consent (Article 6(1)(a)): parental consent under Article 8 GDPR for the limited child personal data we process (see Section 4); not used for cookies, since we run only strictly-necessary storage (see the Cookie Policy).
- Legal obligation (Article 6(1)(c)): retaining transaction records for accounting and tax purposes once paid plans launch.
3. Data We Process
- Name and email address (account registration).
- Child profile: first name, age, traits, story themes, avatar (no surname, no photo, no voice).
- Generated story content.
- Payment records (via Stripe — we do not hold card data; not yet active in waitlist mode).
- Session and usage activity logs, server-side telemetry (request paths, response codes, error stack traces — IP and raw user-agent are stripped before export to Axiom).
We do not use children's personal data, prompts or generated story content to train any AI model.
4. Children's Data — Parental Consent
TinyBear is designed for parents and legal guardians acting on behalf of their children under 13 (or under the applicable Article 8 GDPR threshold for EEA residents, which is 16 by default and may be lowered by member states to as low as 13). We process the limited child profile data listed above only with the parent's verifiable consent, given when the child profile is created.
The parent or guardian can review the child's personal information, refuse to permit further collection or use, and request deletion at any time from account settings or via our contact form. We do not profile children, do not serve them advertising, and do not share child data for marketing.
See Privacy Policy §4 for the full COPPA / GDPR-K framing.
5. Your Rights Under GDPR
- Right of access: request a copy of the data we hold about you.
- Right to rectification: correct inaccurate or incomplete data.
- Right to erasure ("right to be forgotten"): request deletion of your data, subject to legal-retention exceptions (see Section 6).
- Right to portability: receive your data in a structured, machine-readable format.
- Right to restrict processing: ask us to pause processing your data.
- Right to object: object to processing based on legitimate interest, including the aggregate analytics in Section 2.
- Right not to be subject to automated decision-making: TinyBear does not make automated decisions that produce legal or similarly significant effects about you.
To exercise any right, use our contact form. We respond without undue delay and in any event within one month of receiving your request; for complex or numerous requests this may be extended by two further months, and we will tell you within the first month if that is the case, in line with Article 12(3). If you are a US-state-privacy resident, see Privacy Policy §11 for the additional rights that apply to you.
6. Data Retention Periods
| Category | Retention |
|---|---|
| Account data (name, email, hashed password) | While the account is active; deleted within 30 days of account closure |
| Child profile and generated stories | Same as account; deleted within 30 days of profile or account deletion |
| Server-side telemetry (traces, logs) | Up to 90 days, then deleted automatically |
| Payment records (invoices, transaction metadata) | Retained for up to 10 years as required by Czech / EU accounting and tax law, even after account closure |
| Marketing-consent records | While consent is active and for 3 years after withdrawal, to evidence opt-out |
7. International Data Transfers
Our hosting, Resend (transactional email), and Axiom (observability) are all in the EEA. Some sub-processors — notably OpenAI, Anthropic, Stripe, and Cloudflare — process data in the United States. Where this occurs, the transfer is protected by the European Commission's Standard Contractual Clauses (2021/914), supplementary technical and organisational measures, and a transfer impact assessment.
The full sub-processor list — including data shared, region, and DPA status — is at Privacy Policy §5. That table is the canonical version; this Data Policy defers to it.
8. Data Breach Notification
If we suffer a personal-data breach, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to your rights and freedoms (Article 33 GDPR). Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay (Article 34 GDPR), describing the nature of the breach, its likely consequences, and the measures we have taken.
9. Data Protection Contact
For data-protection enquiries, please use our contact form. MonkiLabs has not appointed a Data Protection Officer — Article 37 GDPR does not require one at the scale of processing we do today — and the founder responds personally to data-protection enquiries.
10. Right to Complain
If you are unhappy with how we handle your data, you have the right to lodge a complaint with your local data-protection supervisory authority. EU residents can find their authority via the European Data Protection Board; UK residents can complain to the Information Commissioner's Office (ICO).