Summary of Key Points
- We collect personal information you provide (account details, payment info) and some data automatically (device info, usage data, IP address).
- We process your information to provide and improve our services, process payments, communicate with you, and ensure security.
- We share data with select third-party service providers (Stripe, AWS, Google Analytics) only as needed to operate our platform.
- We implement industry-standard security measures to protect your data, though no system is 100% secure.
- You have rights under GDPR including access, correction, deletion, portability, and the right to lodge a complaint with your supervisory authority.
- You can contact us at [email protected] with any privacy questions or to exercise your rights.
1. What Information Do We Collect?
Personal Information You Provide
We collect personal information that you voluntarily provide when you register on the platform, make a purchase, or contact us. This includes:
- Account data: username, email address, password (hashed)
- Profile data: display name, country, university (optional)
- Payment data: processed securely by Stripe - we do not store your full card number
- Communications: messages you send us via email or support chat
Information Automatically Collected
When you access our platform, we automatically collect certain information, including:
- Device and browser information (browser type, operating system)
- IP address and approximate geolocation (via MaxMind GeoIP local database - no data sent to third parties)
- Usage data (pages visited, labs completed, time spent)
- Referral source (how you found our platform)
2. How Do We Process Your Information?
We process your personal information for the following purposes:
- To create and manage your account
- To process payments and manage subscriptions
- To provide our cybersecurity learning services (labs, courses, rankings)
- To send you service-related communications (email notifications, security alerts)
- To analyze platform usage and improve our services
- To detect and prevent fraud, abuse, and security incidents
- To comply with legal obligations
3. What Legal Bases Do We Rely On?
Under the General Data Protection Regulation (GDPR), we rely on the following legal bases to process your personal data:
Consent (Art. 6(1)(a))
For non-essential cookies (analytics), marketing emails, and push notifications. You can withdraw consent at any time.
Contract Performance (Art. 6(1)(b))
To provide our services - including account creation, lab access, course delivery, payment processing, and subscription management.
Legal Obligation (Art. 6(1)(c))
To comply with applicable laws, such as tax record-keeping for transactions.
Legitimate Interest (Art. 6(1)(f))
For platform security, fraud prevention, service improvement, and analytics. We balance our interests against your rights and only rely on this basis when the processing is proportionate and expected.
4. When and With Whom Do We Share Your Personal Information?
We share your information only with the following categories of third-party service providers, strictly as needed to operate our platform:
- Stripe - payment processing. Stripe processes your payment card data directly. Stripe Privacy Policy
- Amazon Web Services (AWS) - hosting (ECS), email delivery (SES), load balancing (ALB), and file storage (S3). AWS Privacy Notice
- LogRocket - conditional session replay, enabled only for specific debugging sessions to diagnose technical issues. LogRocket Privacy Policy
- Crisp - live chat support widget (total privacy mode enabled - no cookies set until you manually open the chatbox). Crisp Privacy Policy
We do not sell your personal information. We do not share your data with advertisers or data brokers.
5. Do We Use Cookies and Other Tracking Technologies?
Yes, we use essential cookies to operate our platform. We do not use any third-party analytics or tracking cookies. For detailed information about the cookies we use and how to control them, please see our Cookie Policy.
6. How Long Do We Keep Your Information?
We retain your personal information for as long as necessary to fulfill the purposes described in this policy:
- Account data: retained while your account is active. After account deletion, we delete your personal data within 30 days, except where retention is required by law.
- Payment records: retained for 10 years after the transaction, as required by French tax law (Code général des impôts).
- Server logs: retained for 12 months for security and debugging purposes.
- Analytics data: anonymized and aggregated data may be retained indefinitely.
- Email communication records: retained for 3 years after the last interaction.
7. How Do We Keep Your Information Safe?
We implement industry-standard technical and organizational security measures, including encrypted connections (TLS/HTTPS), hashed passwords, secure cloud infrastructure (AWS), and access controls. However, no electronic transmission or storage method is 100% secure, and we cannot guarantee absolute security.
8. What Are Your Privacy Rights?
Under the GDPR (and French data protection law, Loi Informatique et Libertés), you have the following rights regarding your personal data:
- Right of access - you can request a copy of the personal data we hold about you.
- Right to rectification - you can ask us to correct inaccurate or incomplete data.
- Right to erasure - you can request deletion of your personal data (subject to legal retention requirements).
- Right to restriction - you can ask us to limit how we process your data.
- Right to data portability - you can request your data in a structured, machine-readable format.
- Right to object - you can object to processing based on legitimate interest, including profiling.
- Right to withdraw consent - where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.
- Right to define post-mortem directives - under French law (Art. 85, Loi Informatique et Libertés), you have the right to define directives regarding the storage, erasure, and communication of your personal data after your death.
- Right to lodge a complaint - you may file a complaint with the Commission Nationale de l'Informatique et des Libertés (CNIL), the French data protection authority: www.cnil.fr.
To exercise any of these rights, contact us at [email protected]. We will respond within one month as required by GDPR.
Account Information
You can review and update your account information at any time from your account settings. You may also request account deletion from the settings page.
9. Controls for Do-Not-Track Features
Most web browsers and some mobile operating systems include a Do-Not-Track (DNT) feature. There is currently no uniform standard for recognizing DNT signals. If a standard is established that we must follow, we will update this policy accordingly.
10. International Data Transfers
Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States, where some of our service providers are based (AWS, Stripe, Google, LogRocket).
These transfers are protected by appropriate safeguards:
- EU-US Data Privacy Framework: some of our providers (Google, Stripe) are certified under the EU-US Data Privacy Framework.
- Standard Contractual Clauses (SCCs): where the Data Privacy Framework does not apply, our providers use EU-approved SCCs to ensure adequate data protection.
- AWS data processing: our primary infrastructure runs in the AWS EU (Ireland) region. Some AWS services may process data in other regions with appropriate safeguards in place.
11. Age Restrictions
Our services are not directed to individuals under the age of 16. We do not knowingly collect personal information from anyone under 16 years of age. If we become aware that we have collected data from someone under 16, we will take steps to delete that information promptly. If you believe we have collected information from a minor, please contact us at [email protected].
12. Do We Make Updates to This Notice?
We may update this privacy notice from time to time. The updated version will be indicated by an updated "last updated" date at the top of this page. We encourage you to review this notice periodically. If we make material changes, we may notify you via email or a notice on our platform.
14. How Can You Review, Update, or Delete Your Data?
You can review and update your personal information through your account settings. To request a complete copy of your data or to request deletion of your account and associated data, please contact us at [email protected].