Legal
What we collect, why, where it lives, and exactly what you can ask us to do about it. Drafted to meet the General Data Protection Regulation (GDPR / RGPD).
Last updated: 10 May 2026 · Version 1.0
The data controller for the win2linux course is [YOUR REGISTERED COMPANY NAME], registered at [REGISTERED ADDRESS], France, under SIRET [SIRET NUMBER]. For privacy questions, contact privacy@win2linux.org.
We have not appointed a formal Data Protection Officer (DPO) because we don't meet the legal threshold (we don't process large-scale special-category data, and we don't systematically monitor data subjects). Privacy queries go to the email above and are handled by the founder.
| Data | Source | Purpose |
|---|---|---|
| Name | You enter it during signup or on the certificate page | Issue your completion certificate; communicate with you |
| Email | You enter it during signup, redeem, or recovery | Send receipts; deliver magic-link access recovery; (optional) progress updates |
| Country, language preference | You enter / browser headers | VAT calculation; choose the right course version (FR / EN) |
| Payment data (card number, expiry, CVV) | You enter during Stripe checkout | Payment processing — collected and stored by Stripe, not by us |
| Learner UUID | Generated client-side at first quiz attempt | Stable handle to track your progress across attempts and devices |
| Quiz scores, lab completions, final assessment results | Generated when you complete activities | Show your progress; gate the completion certificate; let your manager (if enterprise) see your progress |
| Course code (if enterprise) | Provided by your employer | Link your progress to the right customer |
| Server access logs (IP, user agent, timestamps) | Automatic — Netlify's hosting layer | Operate the service, prevent abuse, security audit |
We do not collect: biometric data, browsing history outside our site, contacts, GPS-precise location, advertising identifiers, or special-category data (health, religion, political opinions, etc.).
Under Article 6 of GDPR, we rely on:
All learner data lives inside the EU. Specifically:
We do not transfer learner data to countries outside the EU/EEA without an appropriate safeguard (Standard Contractual Clauses or equivalent).
| Data category | Retention |
|---|---|
| Account + progress data (active learner) | For as long as your access is valid + 3 years after, to support certificate re-issuance and refresh-course access |
| Quiz / lab attempt history | Same as above; aggregated anonymously for product improvement after deletion |
| Invoice / payment records | 10 years (French commercial law) |
| Server access logs | 90 days, then deleted |
| Recovery-link tokens (Resend transactional) | 30 minutes (in transit), then deleted server-side |
We share data only with the processors listed in section 4 (Airtable, Netlify, Stripe, Resend) — each bound by a written data-processing agreement. We do not sell your data. We do not run third-party advertising tracking on the site.
If your access is provided by an employer via a redeem code, your progress data (quiz scores, lab completions, certificate status, the email you registered with) is visible to your employer's authorised managers via the /enterprise-admin portal. This is the explicit purpose of the enterprise convention your employer signed with us. The portal is scoped per customer — manager A from Company X cannot see learners from Company Y.
The course site uses browser localStorage (not cookies) to remember your progress on your device between visits. localStorage is technical, first-party only, and does not require consent under the ePrivacy Directive.
We do use one cookie: the manager session cookie (w2l_mgr_session), set only when a manager logs into the enterprise portal. This is strictly necessary for the service to function and is also exempt from consent under the ePrivacy Directive.
We do not run analytics, advertising, fingerprinting, or social-media tracking cookies. If we ever add anything beyond strictly-necessary cookies, we'll surface a proper consent banner.
You can exercise any of these rights by emailing privacy@win2linux.org:
We respond to requests within 30 days, free of charge, after verifying your identity. If you're not satisfied with our response you can lodge a complaint with the CNIL (the French data-protection authority) or your local supervisory authority.
We use industry-standard measures to protect your data: HTTPS everywhere, hashed password tokens for the manager portal, JWT-signed magic links with 30-minute expiry, scoped Airtable Personal Access Tokens, no plaintext payment data on our infrastructure.
If we ever experience a personal-data breach that's likely to result in a risk to your rights, we will notify the CNIL within 72 hours and affected learners as soon as practicable, in line with Article 33 / 34 GDPR.
The course is not directed at children under 16. We don't knowingly collect data from minors. The Module 1–6 plain-language rewrites are deliberately accessible to younger readers conceptually, but the course is sold to adults. If a parent or guardian wants their child to use the course, they can purchase it for them — we treat the parent as the data subject in that case.
We may update this Privacy Policy from time to time. Material changes will be flagged on this page (the "Last updated" date above) and emailed to active learners. We won't quietly weaken your protections.
For any privacy question or to exercise any of your rights, email privacy@win2linux.org. We aim to respond within 5 business days, always within 30 calendar days.
This Privacy Policy was drafted as a starting point for a small EU-based training organisation. It is not legal advice. Before going live for Qualiopi or OPCO-funded enrolments, have a French data-privacy lawyer review it, particularly sections 4 (where data lives), 5 (retention), and 8 (rights).