Privacy Policy

Security and data protection are very important to us. We therefore strictly adhere to the rules of data protection laws. Beyond the legal requirements, we respect and honor the privacy of our users.
With the following information we inform you according to Art. 13 DSGVO about the processing of your personal data and the rights you are entitled to according to data protection.

NO MONKEY Security GmbH
Management: Jochen Fischer, Marco Hammel
Kurfürsten-Anlage 61
69115 Heidelberg

If you would like to contact us directly, you can use the following contact options:
Phone: +49 6221 3216890


1. concept of personal data
Personal data is information with the help of which a person can be determined, i.e. information that can be traced back to a person. This includes, for example, your name, address, telephone number or e-mail address.

Personal data is only collected, stored, used and passed on by us for contractual purposes and only if this is legally permitted or you have consented to the collection of the data.

Special personal data in the sense of Art. 9 DSGVO are such data, from which the racial and ethnic origin, the political opinion, the religious or ideological conviction or the trade union membership, genetic or biometric data, health data and data on sexual life or sexual orientation.

2. when do we collect which data from you and for what purpose?

a) Academy
In order to use our Academy, you must create an account. To create an account, we request the following data from you at
First name, last name and e-mail address.
The data processing is based on the consent you have given and is necessary for the purposes stated below (3.) according to Art. 6 para. 1 p. 1 lit. a DSGVO.
Your personal data will be deleted again as soon as they are no longer required for the purposes stated below (3.) and no retention obligations exist. Otherwise, as soon as any retention periods to be observed have expired.

b) Website
When using the website, we only collect the personal data that your browser transmits to our server. If you wish to use our website or our Academy, we collect the following data, which is technically necessary for us to display our website to you and to ensure its stability and security (legal basis is Art. 6 para. 1 p. 1 lit. f DS-GVO):
IP address,
Date and time of the request
Time zone difference to Greenwich Mean Time (GMT)
Content of the request (specific page)
Access status/HTTP status code
amount of data transferred in each case
Website from which the request comes
Operating system and its interface
Language and version of the browser software.
This data is stored for a period of 1 year and then deleted.

c) Cookies

In addition to the previously mentioned data, cookies are stored on your computer when you use our website. Cookies are small text files that are stored on your hard drive associated with the browser you are using and through which certain information flows to the entity that sets the cookie. Cookies cannot execute programs or transfer viruses to your computer. They are used to make the website as a whole more user-friendly and effective.
Our website uses the following types of cookies, the scope and functionality of which are explained below:
aa) Transient cookies.
Transient cookies are automatically deleted when you close the browser. These include, in particular, session cookies. These store a so-called session ID, with which various requests of your browser can be assigned to the common session. This allows your computer to be recognized when you return to our website. The session cookies are deleted when you log out or close the browser.
The data processing is carried out on the basis of the usage contract concluded with you (the Academy) and is necessary according to Art. 6 para. 1 p. 1 lit. a and lit. b DSGVO for the aforementioned purposes for the appropriate processing of the contract and for the fulfillment of obligations arising from this contract.
bb) Persistent cookies

3. disclosure of your data to third parties
In principle, your personal data will only be collected, stored, processed and used for purposes related to the use of the Academy.

Within our company, only those employees receive information about your data who need it to fulfill our contractual obligations. All employees entrusted with data processing are obliged to maintain the confidentiality of your data and are subject to the agreed duty of confidentiality.

We use the following service providers to maintain and improve our services:
(aa) Learnworlds
We transfer to Learnworlds (service provider: LearnWorlds (CY) LtdRegistered address: Gladstonos 120, Foloune Building, 2nd Floor, B1, Limassol, 3032, Cyprus; Website:; Privacy Policy:
The following personal data of our users:
Name, address; email address; payment information, IP- address; web browser, operating system.
The transfer takes place for the application of the platform and the provision of our services such as the connection of our online courses.
The legal basis for data processing in the implementation of e-learning courses via Learnworlds is Art. 6 para. 1 lit. a) of the DSGVO.
Processing of personal data also takes place via Learnworlds in a third country. We have concluded an order processing agreement with Learnworlds that complies with the requirements of Art. 28 DSGVO. We only use Learnworlds with your prior express consent pursuant to Art. 49 (1) lit. a DSGVO.
bb) Zoom
We use the video conferencing system "Zoom" to conduct telephone conferences, online meetings, video conferences and/or webinars (hereinafter referred to as online conferences). Zoom is a service provided by Zoom Video Communications, Inc. which is based in the United States.
When using Zoom, different types of data are processed. The processing also depends on how much and what information the participants* of online conferences provide themselves.
Personal data:
Mandatory information about the user: first name and/or last name.
Optional information about the user: telephone, e-mail address, password, profile picture, department


Topic and (if available) description of the online conference, information about the device/hardware used, IP address(es) of the participants.

For telephone dial-in: Information on incoming and outgoing phone number, country name, start and end time. If applicable, further connection data, e.g. IP address of the device.

If an online conference is recorded (optional):
MP4 file of all video, audio and presentation recordings, M4A file of all audio recordings, text file of the chat.
Data from video transmission, audio transmission and text files (in chat):

Participants* can choose to transmit audio and/or video of themselves and, if approved by the host, use the chat, a question or poll function. These are processed in order to display them to the other participants in the online conference and to log them if necessary.

If the participants have opted for the transmission of audio and/or video signals, the data from the microphone and/or a video camera of the terminal device or connected microphones or video cameras are processed during the online conference. Participants* can turn off or mute the camera or microphone themselves at any time in the Zoom application.

We use Zoom to deliver our e-learning courses. If these are recorded, we make participants aware of this transparently. During a recording, the Zoom app also displays it for participants to see. All participants have the option to turn off their video signal during the recording or not to agree to the recording by leaving the online conference. We do not record chat content by default. In exceptional cases - for example, if this should be indispensable for logging results - we point this out to the participants before the start of the online conference.

You can participate in our online conferences without being registered as a Zoom user. However, if you create a (free) user account, statistics about your participation in Zoom meetings of all kinds can be stored by Zoom for up to one month. In particular, the following data will be stored: Metadata about the meetings you attend, if you dial in by phone: Telephone dial-in data, information they enter on Zoom's webinar platform.

The legal basis for data processing when conducting e-learning courses via Zoom is Art. 6 para. 1 lit. a) of the DSGVO.

Zoom is a service provided by a provider from the USA. Processing of personal data thus also takes place in a third country. We have concluded an order processing agreement with Zoom Video Communications, Inc. that complies with the requirements of Art. 28 DSGVO. We only use Zoom with your prior explicit consent pursuant to Art. 49 (1) lit. a DSGVO.

Further information on the data protection of Zoom Video Communications, Inc. is available at

c) Hubspot
We use Hubspot to analyze our website. This allows us to constantly optimize the website and make it more user-friendly. In addition, we use the analysis to optimize our advertising offer for you.
HubSpot is a software company from the USA with a branch in Ireland. Contact: HubSpot, 2nd Floor 30 North Wall Quay, Dublin 1, Ireland, Phone: +353 1 5187500.
Hubspot is an integrated software solution that we use to cover various aspects of our online marketing. These include:
Email Marketing, Social Media Publishing & Reporting, Reporting, Contact Management (e.g. user segmentation & CRM), Landing Pages and Contact Forms.
Our sign-up service allows visitors to our website to learn more about our company, download content, and provide their contact information and other demographic information. This information, as well as our website content, is stored on servers operated by our software partner HubSpot. It may be used by us to contact visitors to our website and to determine which of our company's services are of interest to them. All information we collect is subject to this privacy policy. We use all collected information exclusively to optimize our marketing measures.
More information on HubSpot's privacy policy is available at
As part of optimizing our marketing efforts, Hubspot may collect and process the following data:
  • Geographic location
  • Browser type
  • Navigation information
  • Referral URL
  • Performance data
  • Information about how often the application is used
  • Login information for the HubSpot subscription service
  • Files that are displayed on site
  • Domain names
  • Pages viewed
  • Aggregate usage
  • Operating system version
  • Internet service provider
  • IP address
  • Device identifier
  • Duration of visit
  • Where the application was downloaded from
  • Operating system
  • Events that occur within the application
  • Access times
  • Clickstream data
  • Device model and version

The legal basis of the processing is your consent pursuant to Art. 6 (1) lit. a DSGVO.
In the context of processing via HubSpot, data may be transmitted to the USA. We only use Hubspot with your prior express consent pursuant to Art. 49 (1) lit. a DSGVO.

d) Matomo
This website uses the web analytics service Matomo (formerly Piwik) to analyze and regularly improve the use of our website. The statistics obtained enable us to improve our offer and make it more interesting for you as a user. The legal basis for the use of Matomo is Art. 6 para. 1 p. 1 lit. a DS-GVO.

Cookies are stored on your computer for this evaluation. The information collected in this way is stored by the responsible party exclusively on its server in the EU. You can set the evaluation by deleting existing cookies and preventing the storage of cookies. If you prevent the storage of cookies, we point out that you may not be able to use this website in full. Preventing the storage of cookies is possible through the setting in your browser.

This website uses Matomo with the extension "AnonymizeIP". This means that IP addresses are processed in abbreviated form, which means that they cannot be directly linked to a specific person. The IP address transmitted by your browser via Matomo is not merged with other data collected by us.

The Matomo program is an open source project. Information from the third-party provider on data protection is available at

e) Stripe
We offer the option of processing the payment transaction via the payment service provider Stripe, 510,Townsend St., San Francisco, CA 94103 (Stripe). This is in line with our legitimate interest in offering an efficient and secure payment method (Art. 6 para. 1 lit. f DSGVO). In this context, we share the following data with Stripe to the extent necessary for the performance of the contract (Art. 6 para. 1 lit b. DSGVO):
  • Name of the cardholder
  • E-mail address
  • Customer number
  • Order number
  • Bank details
  • Credit card data
  • Credit card validity period
  • Credit card verification number (CVC)
  • Date and time of transaction
  • Transaction amount
  • Name of the provider
  • Place

Processing of the data provided under this section is not required by law or contract. We cannot process a payment through Stripe without the submission of your personal data.

Stripe has a dual role as a controller and processor in data processing activities. As a controller, Stripe uses your submitted data to comply with regulatory obligations. This is in accordance with Stripe's legitimate interest (pursuant to Art. 6 (1) lit. f DSGVO) and serves the performance of the contract (pursuant to Art. 6 (1) lit. b DSGVO). We have no influence on this process.

Stripe acts as an order processor in order to be able to complete transactions within the payment networks. Within the scope of the order processing relationship, Stripe acts exclusively according to our instructions and has been contractually obligated within the meaning of Art. 28 DSGVO to comply with the provisions of data protection law.

You can find more information on objection and removal options vis-à-vis Stripe at:

Your data will be stored by us until the payment processing is completed. This also includes the period required for processing refunds, receivables management and fraud prevention.

4. duration of data storage
We delete your personal data as soon as they are no longer required for the above-mentioned purposes and no retention obligations exist. Otherwise, as soon as any retention periods to be observed have expired. Corresponding retention obligations arise primarily from the German Commercial Code, as well as from the German Fiscal Code, but also from other laws. The retention period according to the German Commercial Code is 6 years, according to medical professional law 10 years, according to tax law also 10 years.

5. your rights according to the EU Basic Data Protection Regulation:
You have the right:
  • Pursuant to Art. 7 (3) DSGVO, to revoke your consent once given to us at any time. This has the consequence that we may no longer continue the data processing based on this consent for the future. However, your revocation will not affect the lawfulness of the processing carried out on the basis of the consent until the revocation;
  • to request information about your personal data processed by us in accordance with Art. 15 DSGVO. In particular, you can request information about the processing purposes, the category of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right of complaint, the origin of your data, if it was not collected from or by us, as well as the existence of automated decision-making including profiling and, if applicable, meaningful information about its details;
  • in accordance with Art. 16 DSGVO, to demand the correction of incorrect or the completion of your personal data stored by us without delay;
  • pursuant to Art. 17 DSGVO, to request the erasure of your personal data stored by us, unless the processing is necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or in the exercise of official authority or for reasons of public interest in the field of public health or for archiving purposes in the public interest, scientific or historical research purposes or for statistical purposes or for the establishment, exercise or defense of legal claims;
  • in accordance with Article 18 of the GDPR, to request the restriction of the processing of your personal data while the accuracy of your data, which you dispute, is being verified; if you object to the erasure of your data due to unlawful data processing and instead request the restriction of the processing of your data; if we no longer need your data for the purposes of processing, but you require your data for the assertion, exercise or defense of legal claims; if you have objected to the processing in accordance with Article 21 of the GDPR and it has not yet been determined whether the legitimate grounds of the controller override your grounds. If the processing of your personal data has been restricted, this data may - apart from being stored - only be processed with your consent or for the assertion, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or a Member State. If you have obtained a restriction of processing, you will also be informed by the controller before the restriction is lifted.
  • in accordance with Art. 20 DSGVO, to receive your personal data that you have provided to us in a structured, commonly used and machine-readable format or to request that it be transferred to another controller; and
  • complain to a supervisory authority in accordance with Art. 77 DSGVO. As a rule, you can contact the supervisory authority of your usual place of residence or workplace or the place of the alleged infringement or our company headquarters for this purpose.
  • If your personal data is processed on the basis of legitimate interests pursuant to Art. 6 (1) p. 1 lit. f DSGVO, you have the right to object to the processing of your personal data pursuant to Art. 21 DSGVO, provided that there are grounds for doing so that arise from your particular situation. If you wish to exercise your right to object, an e-mail to: is sufficient.