Légal / Legal

Privacy Policy — Politique de confidentialité

Conformément au RGPD (Règlement UE 2016/679) et à la loi Informatique et Libertés. In compliance with the GDPR (EU Regulation 2016/679).
Version française

Contents
  1. Data controller
  2. Data we collect
  3. Purposes and legal basis
  4. Third-party processors
  5. Retention periods
  6. International transfers
  7. Your rights
  8. Security
  9. Cookies
  10. Updates

1. Data controller

Name: Ramisa Besnard

Legal form: Entrepreneur individuel

SIREN: 106 375 124

Contact for data requests: contact@frequence.academy

No Data Protection Officer (DPO) is legally required at this scale. All data-related requests are handled directly by the controller.

2. Data we collect

Account data

DataHow collectedRequired?
Email addressRegistration form or Google OAuthYes
Display nameRegistration form or Google profileYes
Password (bcrypt hash)Registration form (email signup only)Yes*
Google account IDGoogle OAuth flow (if used)No

* Only for email/password signups. Google OAuth users have no password stored.

Learning data

DataPurpose
SRS progress per word (ease factor, interval, repetitions, next review date)Spaced repetition algorithm
Lesson completion status per lessonCourse progress tracking
Daily study activity (date, review count)Streak and dashboard display
Quiz scoresLevel progression
Saved vocabulary (notebook)Personal study list
Chat messages (AI tutor)Conversation history within session

Payment data

We do not store your card details. Payment is processed directly by Stripe. We store only: Stripe customer ID, subscription plan name, subscription status, and subscription expiry date — necessary to activate your account access.

Technical data

Server access logs (IP address, timestamp, HTTP method, URL, user-agent string) are retained for security and abuse prevention purposes. These are generated automatically by the hosting infrastructure.

Audience measurement data (with your consent)

If you accept cookies in the consent banner, Google Analytics (loaded via Google Tag Manager) collects: pages visited, approximate location (city level), device and browser type, and a pseudonymous identifier stored in cookies. It does not load before you accept. We also run a first-party, cookie-free visit counter that stores a daily-rotating hash and cannot follow you across days.

Level test data

The free level test can be taken without any account. If you choose to leave your email to receive your result, we store: your email, your estimated level, and your score.

3. Purposes and legal basis

PurposeData usedLegal basis (GDPR art. 6)
Provide and operate the serviceAccount, learning, payment dataContract performance — art. 6.1(b)
Authentication (login / session)Email, password hash, JWT cookieContract performance — art. 6.1(b)
Send transactional emails (verification, password reset)Email addressContract performance — art. 6.1(b)
Process payments and manage subscriptionsEmail, Stripe customer IDContract performance — art. 6.1(b)
Security and fraud preventionIP address, server logsLegitimate interest — art. 6.1(f)
Legal obligation (invoice retention)Payment recordsLegal obligation — art. 6.1(c)
Audience measurement (Google Analytics)Pages visited, device data, pseudonymous cookie IDConsent, art. 6.1(a), via the cookie banner
Send your level test result by emailEmail address, estimated level, scoreConsent, art. 6.1(a), you provide the email for this purpose

We do not use your data for advertising and do not sell your data to third parties. Google Analytics runs only with your consent and can be refused or withdrawn at any time with no effect on the service.

4. Third-party processors

ProcessorRoleLocationDPA
Stripe, Inc.Payment processing, subscription managementUSA (EU Standard Contractual Clauses)stripe.com/privacy
Brevo (Sendinblue)Transactional email (verification, password reset)France (EU)brevo.com/legal/privacypolicy
Railway CorpCloud hosting (servers, database, file storage)USA (EU Standard Contractual Clauses)railway.app/legal/privacy
Google LLCOptional OAuth login (Google Sign-In)USA (EU Standard Contractual Clauses)policies.google.com/privacy
Google LLCAudience measurement (Google Analytics via Google Tag Manager), only after cookie consentUSA (EU Standard Contractual Clauses)policies.google.com/privacy
Functional Software, Inc. (Sentry)Error monitoring (technical error reports, may include IP address), when enabled in productionUSA (EU Standard Contractual Clauses)sentry.io/privacy

Each processor is contractually bound to process your data only on our documented instructions and in accordance with GDPR requirements.

5. Retention periods

Data categoryRetention period
Account and learning dataDuration of account + 3 years after last activity, or until deletion request
Payment records (invoices)10 years (French legal obligation — art. L123-22 Code de commerce)
Withdrawal waiver logs5 years (consumer law compliance)
Server access logs12 months (CNIL standard recommendation)
Level test leads (email, level, score)3 years after collection, or until deletion request
Google Analytics data14 months (Google Analytics 4 retention setting)
Cookie consent choice6 months, then the banner asks again
Email verification tokens24 hours (auto-expired)
Password reset tokens1 hour (auto-expired)

6. International transfers

Some of our processors (Stripe, Railway, Google) are based in the United States. Data transfers to these processors are covered by Standard Contractual Clauses (SCCs) approved by the European Commission, ensuring an equivalent level of protection to that guaranteed within the EU.

7. Your rights

Under GDPR Articles 15–22, you have the following rights regarding your personal data:

  • Right of access (art. 15): obtain a copy of all data we hold about you.
  • Right to rectification (art. 16): correct inaccurate or incomplete data.
  • Right to erasure (art. 17): request deletion of your account and all associated data (subject to legal retention obligations for payment records).
  • Right to portability (art. 20): receive your learning data in a structured, machine-readable format.
  • Right to restriction (art. 18): request that we limit processing in certain circumstances.
  • Right to object (art. 21): object to processing based on legitimate interest.
How to exercise your rights: Send an email to contact@frequence.academy with the subject line "GDPR Request — [type of request]". We will respond within 30 days. We may ask you to verify your identity before processing the request.

You also have the right to lodge a complaint with the French supervisory authority, the CNIL (Commission Nationale de l'Informatique et des Libertés), if you believe your rights have not been respected.

8. Security

We implement the following technical and organisational measures to protect your data:

  • Passwords stored as bcrypt hashes (never in plaintext)
  • Authentication via signed, httpOnly JWT cookies (not accessible to JavaScript)
  • All data in transit encrypted via TLS/HTTPS
  • Database access restricted to application server only (no public endpoint)
  • Stripe payment processing — we never receive or store card numbers

9. Cookies

Cookie / storagePurposeDurationConsent required?
tokenAuthentication session (JWT, httpOnly)30 daysNo — strictly necessary
_ga, _ga_* (Google Analytics)Audience measurement: visits, pages, device dataUp to 13 monthsYes, set only after you accept the banner
fq-cookie-consent (localStorage)Remembers your consent choice6 monthsNo — stores the choice itself

Google Analytics is loaded through Google Tag Manager and does not run before you accept. You can refuse, and you can change your mind at any time via the "Cookie settings" link in the site footer. Refusing has no effect on the service.

We also use a first-party, cookie-free visit counter. It stores a hash that changes every day, so it cannot track you across days and needs no consent.

No advertising cookies are used.

10. Updates to this policy

We may update this policy to reflect changes in our practices or applicable law. Material changes will be communicated by email to registered users at least 14 days before taking effect. The "last updated" date below indicates the current version.

Last updated: June 2026 — Version 1.0