>_ Privacy Policy

1. Data controller

2. Hosting

3. Data collected

• Email - login identifier
• Password - bcrypt-hashed (never stored in plaintext)
• Display name - optional, chosen by user
• Progress - completed courses, exercises, quizzes, XP, badges, quests and streaks
• Consents - current state and dated history
• Activity logs - logins, completions, recent activity and security events
• Security and abuse prevention - signup IP, login attempts, aggregated editor telemetry (keystrokes, paste, focus loss, DevTools opening) used to detect abuse, notify the administrator and send limited learning reminders
• Public profile - nickname, level, badges, streak and activity only if you enable it
• Payment data - handled by Stripe for Premium and certification; we keep a minimal payment and session log (reference, product, amount, status), never card numbers

4. Legal basis and purpose

5. Third-party processors

• Stripe - Premium and certification payment processing. Data shared: email, purchased product, amount, session reference. Stripe Policy
• Resend - transactional emails. Data shared: email. Resend Policy
• Google - OAuth authentication (optional). Data received: email, name. Google Policy
• Plausible Analytics - cookie-free web analytics, aggregated and anonymous data (no browser fingerprinting). Plausible Policy
• Sentry - application error capture (stack traces, URL). No personal data intentionally sent. Sentry Policy
• Transfers outside the EU - some providers may process data outside the European Union. In that case, transfers rely on GDPR safeguards, including standard contractual clauses where required.

6. Retention period

• Account data - retained while the account is active
• Security logs - login attempts retained for 15 minutes; anti-cheat telemetry retained while the account exists
• Transactional email logs - retained while the account exists
• Account deletion - personal data erased; internal audit log anonymised (user_id set to NULL)
• Payment data - retained by Stripe per their legal obligations; the local minimal log is retained while the account exists, and references required for disputes or refunds are handled through Stripe

7. Your rights (GDPR)

• Access - view your data in the "My data" tab
• Portability - download a complete JSON export from your account
• Rectification - update your display name from your profile
• Erasure - delete your account from the "Settings" tab
• Restriction - request restriction of processing where GDPR allows it
• Objection / withdrawal - withdraw marketing consent, disable the public profile and object to processing based on legitimate interest where GDPR allows it
• Complaint - you may file a complaint with CNIL (French DPA)

8. Cookies

This site only uses necessary technical cookies: iron-session and temporary Google OAuth state. The browser may also store offline progress, code drafts and interface preferences locally. No advertising cookies are used. Any web analytics uses cookie-free Plausible Analytics, subject to a configuration compatible with the CNIL consent exemption.

9. Security

• Passwords hashed with bcrypt (factor 12)
• Sessions encrypted with iron-session (AES-256)
• Login rate-limited to 10 attempts per 15 min per IP
• HTTPS enforced in production
• Security headers (CSP, HSTS, X-Frame-Options)

10. Contact

For any question about your personal data: dangremontjayson.pro@gmail.com