Summary of Key Points
- We collect personal information you provide (account details, payment info) and some data automatically (device info, usage data, IP address).
- We process your information to provide and improve our services, process payments, communicate with you, and ensure security.
- We share data with select third-party service providers (such as our payment processor and cloud-hosting provider) only as needed to operate our platform.
- We implement industry-standard security measures to protect your data, though no system is 100% secure.
- You have rights under GDPR including access, correction, deletion, portability, and the right to lodge a complaint with your supervisory authority.
- You can contact us at [email protected] with any privacy questions or to exercise your rights.
1. What Information Do We Collect?
Personal Information You Provide
We collect personal information that you voluntarily provide when you register on the platform, make a purchase, or contact us. This includes:
- Account data: username, email address, password (hashed)
- Profile data: display name, country, university (optional)
- Payment data: processed securely by our payment processor - we do not store your full card number
- Communications: messages you send us via email or support chat
Information Automatically Collected
When you access our platform, we automatically collect certain information, including:
- Device and browser information (browser type, operating system)
- IP address and approximate geolocation, also used to detect and prevent abuse (via a local geolocation database - no data sent to third parties)
- Usage data (pages visited, labs completed, time spent)
- Referral source (how you found our platform)
- Interaction data: to understand how the platform is used and improve it, we collect information about how you interact with our pages, such as pages viewed, clicks, and scrolling. You can manage this in your account settings.
2. How Do We Process Your Information?
We process your personal information for the following purposes:
- To create and manage your account
- To process payments and manage subscriptions
- To provide our cybersecurity learning services (labs, courses, rankings)
- To send you service-related communications (email notifications, security alerts)
- To analyze platform usage and improve our services
- To detect and prevent fraud, abuse, and security incidents
- To comply with legal obligations
3. What Legal Bases Do We Rely On?
Under the General Data Protection Regulation (GDPR), we rely on the following legal bases to process your personal data:
Consent (Art. 6(1)(a))
For non-essential cookies (analytics), marketing emails, and push notifications. You can withdraw consent at any time.
Contract Performance (Art. 6(1)(b))
To provide our services - including account creation, lab access, course delivery, payment processing, and subscription management.
Legal Obligation (Art. 6(1)(c))
To comply with applicable laws, such as tax record-keeping for transactions.
Legitimate Interest (Art. 6(1)(f))
For platform security, fraud prevention, service improvement, and analytics. We balance our interests against your rights and only rely on this basis when the processing is proportionate and expected.
4. When and With Whom Do We Share Your Personal Information?
We share your information only with the following categories of third-party service providers, strictly as needed to operate our platform:
- Payment processor - processes your payment and billing details to handle subscriptions and transactions.
- Cloud hosting and email provider - operates the servers, storage, and email delivery that run the platform.
- AI processing provider - powers our in-product AI features (the assistant, the in-lab coach, and AI-assisted profile and content generation). It receives the content you submit to those features along with limited profile attributes such as your username and public stats. This provider is based outside the EU, with transfers protected by appropriate safeguards.
- Avatar service - to display profile pictures, a hashed (irreversible) version of your email address may be sent to an external avatar provider based outside the EU, with appropriate safeguards.
- Audience-measurement provider - a privacy-friendly, cookieless tool that measures overall traffic and usage without tracking you across other websites.
- Affiliate-referral provider - when you sign up through a partner link, it credits the partner who referred you.
5. Do We Use Cookies and Other Tracking Technologies?
Yes. We use first-party essential cookies to operate our platform, together with a small number of third-party technologies that are part of the service - a cookieless audience-measurement tool and affiliate-referral attribution. For detailed information about these technologies and how to manage them, please see our Cookie Policy.
6. How Long Do We Keep Your Information?
We retain your personal information for as long as necessary to fulfill the purposes described in this policy:
- Account data: retained while your account is active. After account deletion, we delete or anonymize your personal data without undue delay, except where retention is required by law.
- Payment records: retained for the period required by applicable French tax and accounting law (Code général des impôts).
- Server logs: retained for a limited period as necessary for security and debugging purposes.
- Analytics data: anonymized and aggregated data may be retained indefinitely.
- Interaction data: retained only for a limited period, then automatically deleted.
- Security data (such as the IP address used to detect and prevent abuse): retained only as long as necessary for security, then deleted.
7. How Do We Keep Your Information Safe?
We implement industry-standard technical and organizational security measures, including encrypted connections (TLS/HTTPS), hashed passwords, secure cloud infrastructure, and access controls. However, no electronic transmission or storage method is 100% secure, and we cannot guarantee absolute security.
8. What Are Your Privacy Rights?
Under the GDPR (and French data protection law, Loi Informatique et Libertés), you have the following rights regarding your personal data:
- Right of access - you can request a copy of the personal data we hold about you.
- Right to rectification - you can ask us to correct inaccurate or incomplete data.
- Right to erasure - you can request deletion of your personal data (subject to legal retention requirements).
- Right to restriction - you can ask us to limit how we process your data.
- Right to data portability - you can request your data in a structured, machine-readable format.
- Right to object - you can object to processing based on legitimate interest, including profiling.
- Right to withdraw consent - where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.
- Right to define post-mortem directives - under French law (Art. 85, Loi Informatique et Libertés), you have the right to define directives regarding the storage, erasure, and communication of your personal data after your death.
- Right to lodge a complaint - you may file a complaint with the Commission Nationale de l'Informatique et des Libertés (CNIL), the French data protection authority: www.cnil.fr.
To exercise any of these rights, contact us at [email protected]. We will respond within one month as required by GDPR.
Account Information
You can review and update your account information at any time from your account settings. You may also request account deletion from the settings page.
9. International Data Transfers
Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States, where some of our service providers are based (including our cloud-hosting, payment, AI-processing, audience-measurement, affiliate-referral, and avatar providers).
These transfers are protected by appropriate safeguards:
- EU-US Data Privacy Framework: several of our US-based providers are certified under the EU-US Data Privacy Framework.
- Standard Contractual Clauses (SCCs): where the Data Privacy Framework does not apply, our providers use EU-approved SCCs to ensure adequate data protection.
- Cloud infrastructure: our primary infrastructure runs in our cloud provider's EU region. Some services may process data in other regions with appropriate safeguards in place.
10. Age Restrictions
Our services are not directed to individuals under the age of 15, in accordance with Article 45 of the French Data Protection Act (Loi Informatique et Libertés). We do not knowingly collect personal information from anyone under 15 years of age. If we become aware that we have collected data from someone under 15, we will take steps to delete that information promptly. If you believe we have collected information from a minor, please contact us at [email protected].
11. Do We Make Updates to This Notice?
We may update this privacy notice from time to time. The updated version will be indicated by an updated "last updated" date at the top of this page. We encourage you to review this notice periodically. If we make material changes, we may notify you via email or a notice on our platform.
13. How Can You Review, Update, or Delete Your Data?
You can review and update your personal information through your account settings. To request a complete copy of your data or to request deletion of your account and associated data, please contact us at [email protected].