>_ Privacy Policy

1. Data controller

2. Hosting

3. Data collected

• Email - login identifier
• Password - bcrypt-hashed (never stored in plaintext)
• Display name - optional, chosen by user
• Progress - completed courses, solved exercises, XP score
• Consents - current state and dated history
• Activity log - logins, profile changes
• Payment data - handled by Stripe (we never store card numbers)

4. Legal basis and purpose

5. Third-party processors

• Stripe - payment processing (certification). Data shared: email, amount. Stripe Policy
• Resend - transactional emails. Data shared: email. Resend Policy
• Google - OAuth authentication (optional). Data received: email, name. Google Policy

6. Retention period

• Account data - retained while the account is active
• Account deletion - personal data erased, activity log anonymised (user_id set to NULL)
• Payment data - retained by Stripe per their legal obligations

7. Your rights (GDPR)

• Access - view your data in the "My data" tab
• Portability - download your data as JSON
• Rectification - update your display name from your profile
• Erasure - delete your account from the "Settings" tab
• Objection - withdraw marketing consents at any time
• Complaint - you may file a complaint with CNIL (French DPA)

8. Cookies

This site only uses a technical session cookie (iron-session) required for authentication. No advertising, analytics, or tracking cookies are used.

9. Security

• Passwords hashed with bcrypt (factor 12)
• Sessions encrypted with iron-session (AES-256)
• Login rate-limited to 10 attempts per 15 min per IP
• HTTPS enforced in production
• Security headers (CSP, HSTS, X-Frame-Options)

10. Contact

For any question about your personal data: contact@fpgapourtous.fr