Privacy Policy
Last updated: March 2, 2026
1. Introduction
This privacy policy describes how FoldOrNot (hereinafter "we", "our" or "the Site") collects, uses and protects your personal data when you use our website foldornot.com and related services.
We are committed to protecting your privacy in accordance with the General Data Protection Regulation (GDPR — EU Regulation 2016/679) and applicable data protection laws.
2. Data Controller
- Name: [TO BE COMPLETED — First Last Name]
- Status: Sole Proprietor (Auto-entrepreneur, France)
- Email: contact@foldornot.com
3. Data We Collect
3.1 Data You Provide
- Account data: email address, name/username, profile picture (if signing in via Google OAuth)
- Training preferences: chosen difficulty, selected categories, table format
3.2 Automatically Collected Data
- Progress data: scenario results, training statistics, scores, correct answer streaks
- Usage data: pages visited, features used, session duration, actions taken
- Technical data: IP address, browser type, operating system, device type, browser language
- Cookies and trackers: see our Cookie Policy
3.3 Data from Third Parties
- Google OAuth: if you sign in via Google, we receive your email address, name and profile picture as configured in your Google account
4. Purposes and Legal Bases
| Purpose | Legal Basis |
|---|---|
| Providing the service (training, simulation, statistics) | Performance of contract (Art. 6.1.b GDPR) |
| User account management | Performance of contract (Art. 6.1.b GDPR) |
| Saving and syncing progress | Performance of contract (Art. 6.1.b GDPR) |
| Audience analytics and service improvement | Legitimate interest (Art. 6.1.f GDPR) |
| Performance monitoring and bug detection | Legitimate interest (Art. 6.1.f GDPR) |
| Subscription and payment management | Performance of contract (Art. 6.1.b GDPR) |
| Marketing communications (if opted in) | Consent (Art. 6.1.a GDPR) |
| Legal compliance | Legal obligation (Art. 6.1.c GDPR) |
5. Data Recipients
Your data may be shared with the following technical service providers acting as data processors:
| Provider | Service | Location |
|---|---|---|
| Supabase Inc. | Authentication, database, storage | USA (Standard Contractual Clauses) |
| Vercel Inc. | Hosting, CDN | USA (Standard Contractual Clauses) |
| PostHog Inc. | Analytics, audience measurement | EU (European hosting available) |
| Stripe Inc. | Payments (coming soon) | USA (Standard Contractual Clauses) |
| Google LLC | OAuth authentication | USA (Standard Contractual Clauses) |
We never sell your personal data to third parties. Your training statistics and results are confidential and are never shared with other users without your explicit consent.
6. International Transfers
Some of our providers are located outside the European Economic Area (EEA), particularly in the United States. These transfers are governed by Standard Contractual Clauses (SCCs) approved by the European Commission, in accordance with Article 46 of the GDPR.
7. Data Retention
| Category | Duration |
|---|---|
| Account data | Account duration + 3 years after deletion |
| Progress / statistics data | Account duration + 1 year |
| Usage data (analytics) | 26 months (anonymized thereafter) |
| Payment data | Legal retention period (10 years) |
| Analytical cookies | 13 months maximum |
| localStorage data (non-registered visitors) | Stored locally on your device only |
8. Your Rights
Under the GDPR, you have the following rights:
- Right of access (Art. 15): obtain a copy of your personal data
- Right to rectification (Art. 16): correct inaccurate or incomplete data
- Right to erasure (Art. 17): request deletion of your data
- Right to restriction (Art. 18): restrict the processing of your data
- Right to data portability (Art. 20): receive your data in a structured format
- Right to object (Art. 21): object to processing based on legitimate interest
- Right to withdraw consent at any time, without affecting the lawfulness of prior processing
To exercise your rights, email us at contact@foldornot.com. We will respond within one month.
You may also file a complaint with the CNIL (French Data Protection Authority): cnil.fr.
9. Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, alteration or disclosure, including:
- Data encryption in transit (HTTPS/TLS)
- Secure authentication via Supabase (JWT tokens, OAuth 2.0)
- Restricted database access with Row Level Security (RLS)
- Hosting on SOC 2-compliant platforms
10. Children
The Site is not intended for children under 16. We do not knowingly collect personal data from minors. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at contact@foldornot.com.
11. Changes
We reserve the right to modify this policy at any time. In case of substantial changes, we will notify you by email or through a notification on the Site. The last update date is indicated at the top of this page.
12. Contact
For any questions about this privacy policy or the processing of your data, contact us at: contact@foldornot.com
