Name: Ramisa Besnard
Legal form: Entrepreneur individuel
SIREN: 106 375 124
Contact for data requests: contact@frequence.academy
No Data Protection Officer (DPO) is legally required at this scale. All data-related requests are handled directly by the controller.
| Data | How collected | Required? |
|---|---|---|
| Email address | Registration form or Google OAuth | Yes |
| Display name | Registration form or Google profile | Yes |
| Password (bcrypt hash) | Registration form (email signup only) | Yes* |
| Google account ID | Google OAuth flow (if used) | No |
* Only for email/password signups. Google OAuth users have no password stored.
| Data | Purpose |
|---|---|
| SRS progress per word (ease factor, interval, repetitions, next review date) | Spaced repetition algorithm |
| Lesson completion status per lesson | Course progress tracking |
| Daily study activity (date, review count) | Streak and dashboard display |
| Quiz scores | Level progression |
| Saved vocabulary (notebook) | Personal study list |
| Chat messages (AI tutor) | Conversation history within session |
We do not store your card details. Payment is processed directly by Stripe. We store only: Stripe customer ID, subscription plan name, subscription status, and subscription expiry date — necessary to activate your account access.
Server access logs (IP address, timestamp, HTTP method, URL, user-agent string) are retained for security and abuse prevention purposes. These are generated automatically by the hosting infrastructure.
If you accept cookies in the consent banner, Google Analytics (loaded via Google Tag Manager) collects: pages visited, approximate location (city level), device and browser type, and a pseudonymous identifier stored in cookies. It does not load before you accept. We also run a first-party, cookie-free visit counter that stores a daily-rotating hash and cannot follow you across days.
The free level test can be taken without any account. If you choose to leave your email to receive your result, we store: your email, your estimated level, and your score.
| Purpose | Data used | Legal basis (GDPR art. 6) |
|---|---|---|
| Provide and operate the service | Account, learning, payment data | Contract performance — art. 6.1(b) |
| Authentication (login / session) | Email, password hash, JWT cookie | Contract performance — art. 6.1(b) |
| Send transactional emails (verification, password reset) | Email address | Contract performance — art. 6.1(b) |
| Process payments and manage subscriptions | Email, Stripe customer ID | Contract performance — art. 6.1(b) |
| Security and fraud prevention | IP address, server logs | Legitimate interest — art. 6.1(f) |
| Legal obligation (invoice retention) | Payment records | Legal obligation — art. 6.1(c) |
| Audience measurement (Google Analytics) | Pages visited, device data, pseudonymous cookie ID | Consent, art. 6.1(a), via the cookie banner |
| Send your level test result by email | Email address, estimated level, score | Consent, art. 6.1(a), you provide the email for this purpose |
We do not use your data for advertising and do not sell your data to third parties. Google Analytics runs only with your consent and can be refused or withdrawn at any time with no effect on the service.
| Processor | Role | Location | DPA |
|---|---|---|---|
| Stripe, Inc. | Payment processing, subscription management | USA (EU Standard Contractual Clauses) | stripe.com/privacy |
| Brevo (Sendinblue) | Transactional email (verification, password reset) | France (EU) | brevo.com/legal/privacypolicy |
| Railway Corp | Cloud hosting (servers, database, file storage) | USA (EU Standard Contractual Clauses) | railway.app/legal/privacy |
| Google LLC | Optional OAuth login (Google Sign-In) | USA (EU Standard Contractual Clauses) | policies.google.com/privacy |
| Google LLC | Audience measurement (Google Analytics via Google Tag Manager), only after cookie consent | USA (EU Standard Contractual Clauses) | policies.google.com/privacy |
| Functional Software, Inc. (Sentry) | Error monitoring (technical error reports, may include IP address), when enabled in production | USA (EU Standard Contractual Clauses) | sentry.io/privacy |
Each processor is contractually bound to process your data only on our documented instructions and in accordance with GDPR requirements.
| Data category | Retention period |
|---|---|
| Account and learning data | Duration of account + 3 years after last activity, or until deletion request |
| Payment records (invoices) | 10 years (French legal obligation — art. L123-22 Code de commerce) |
| Withdrawal waiver logs | 5 years (consumer law compliance) |
| Server access logs | 12 months (CNIL standard recommendation) |
| Level test leads (email, level, score) | 3 years after collection, or until deletion request |
| Google Analytics data | 14 months (Google Analytics 4 retention setting) |
| Cookie consent choice | 6 months, then the banner asks again |
| Email verification tokens | 24 hours (auto-expired) |
| Password reset tokens | 1 hour (auto-expired) |
Some of our processors (Stripe, Railway, Google) are based in the United States. Data transfers to these processors are covered by Standard Contractual Clauses (SCCs) approved by the European Commission, ensuring an equivalent level of protection to that guaranteed within the EU.
Under GDPR Articles 15–22, you have the following rights regarding your personal data:
You also have the right to lodge a complaint with the French supervisory authority, the CNIL (Commission Nationale de l'Informatique et des Libertés), if you believe your rights have not been respected.
We implement the following technical and organisational measures to protect your data:
| Cookie / storage | Purpose | Duration | Consent required? |
|---|---|---|---|
token | Authentication session (JWT, httpOnly) | 30 days | No — strictly necessary |
_ga, _ga_* (Google Analytics) | Audience measurement: visits, pages, device data | Up to 13 months | Yes, set only after you accept the banner |
fq-cookie-consent (localStorage) | Remembers your consent choice | 6 months | No — stores the choice itself |
Google Analytics is loaded through Google Tag Manager and does not run before you accept. You can refuse, and you can change your mind at any time via the "Cookie settings" link in the site footer. Refusing has no effect on the service.
We also use a first-party, cookie-free visit counter. It stores a hash that changes every day, so it cannot track you across days and needs no consent.
No advertising cookies are used.
We may update this policy to reflect changes in our practices or applicable law. Material changes will be communicated by email to registered users at least 14 days before taking effect. The "last updated" date below indicates the current version.