For details on what data we collect and why, see our Privacy Policy.
Your rights at a glance
| Right | What it means | How to exercise |
|---|---|---|
| Access | Get a copy of all data we hold about you | Settings → Privacy → "Download my data" (JSON + CSV) |
| Rectification | Correct information that's wrong or out of date | Settings → Profile → Edit any field |
| Erasure | Delete your account and associated data | Settings → Privacy → "Delete my account" |
| Restriction | Limit how we process your data while a complaint is reviewed | Email our DPO via Contact |
| Portability | Receive your data in a machine-readable format | Same as Access — exports are open JSON |
| Object | Refuse certain processing (e.g. analytics, notifications) | Settings → Privacy → granular toggles |
| Withdraw consent | Revoke any consent you previously gave | Settings → Privacy — affects optional features only |
| Complaint | Lodge a complaint with a data protection authority | Your national DPA — see EDPB list |
Response time
We respond to all GDPR requests within 30 days. For deletion specifically, the data is purged from active systems within 30 days; encrypted backups expire on a rolling 90-day window. After 90 days no copy remains.
Legal bases we rely on
| Activity | Legal basis |
|---|---|
| Running your account | Performance of contract |
| Authentication, security, fraud prevention | Legitimate interest |
| Email/push notifications you opted into | Consent (revocable any time) |
| Service improvement (anonymized analytics) | Legitimate interest |
| Legal compliance (financial records, court orders) | Legal obligation |
Children and minors
For profiles representing a child, the parent or guardian on the account is the data subject and exercises GDPR rights on the child's behalf. We collect the minimum necessary for the educational features and never use child profile data for commercial purposes.
International transfers
Account data lives on EU servers. Static assets are cached globally via Cloudflare's CDN — but Cloudflare never sees your account data, only public assets like images and CSS.
Data Protection Officer
You can contact our DPO directly through the channels listed at Contact. All DPO requests are confidential.
Where to escalate
If we do not address your concern, you can contact a Data Protection Authority. Members in France can reach CNIL; members in other EU/EEA countries can use their national authority. The full list is maintained by the European Data Protection Board.