Legal
What we collect, why, where it lives, and exactly what you can ask us to do about it. Drafted to meet the General Data Protection Regulation (GDPR / RGPD).
Last updated: 26 May 2026 · Version 1.1 (Supabase EU cutover)
The data controller for the win2linux course is [YOUR REGISTERED COMPANY NAME], registered at [REGISTERED ADDRESS], France, under SIRET [SIRET NUMBER]. For privacy questions, contact support@win2linux.org.
We have not appointed a formal Data Protection Officer (DPO) because we don't meet the legal threshold (we don't process large-scale special-category data, and we don't systematically monitor data subjects). Privacy queries go to the email above and are handled by the founder.
| Data | Source | Purpose |
|---|---|---|
| Name | You enter it during signup or on the certificate page | Issue your completion certificate; communicate with you |
| Email address | You enter it during signup, redeem, or recovery | Send receipts; deliver magic-link access recovery; (optional) progress updates |
| Country, language preference | You enter it / derived from browser headers | VAT calculation; choose the right course version (FR / EN) |
| Payment data (card number, expiry, CVV) | You enter during Stripe checkout | Payment processing — collected and stored by Stripe, not by us |
| Learner UUID | Generated client-side at first quiz attempt | Stable handle to track your progress across attempts and devices |
| Quiz scores, lab completions, final assessment results | Generated when you complete activities | Show your progress; gate the completion certificate; let your manager (if enterprise) see your progress |
| Course code (if enterprise) | Provided by your employer | Link your progress to the right customer |
| Organisation & procurement contact data — company / organisation name, SIRET, billing & postal address, contact name, phone number, job title, seat count, purchase-order reference, and any free-text requirements you write | You enter it on the quote form (/devis) or the enterprise inquiry form | Generate your quote / devis and invoice; respond to your enterprise inquiry; administer the B2B contract |
| Server access logs (IP, user agent, timestamps) | Automatic — Netlify's hosting layer | Operate the service, prevent abuse, security audit |
We collect a billing / postal address only from B2B buyers for invoicing. We do not collect: biometric data, browsing history outside our site, contacts, GPS-level / precise geolocation, advertising identifiers, or special-category data (health, religion, political opinions, etc.).
Under Article 6 of GDPR, we rely on:
All learner, manager, cohort, and quote data lives inside the EU. Specifically:
The complete, up-to-date list of every sub-processor we use, with data category, region, and DPA link, is published at admin/sub-processors.md. Enterprise customers receive at least 30 days' notice before any new sub-processor begins processing their data.
Four of our sub-processors (Supabase, Netlify, Resend, Anthropic) are headquartered in the United States, even though our data is stored in EU regions. Under the US CLOUD Act (2018), a US-headquartered provider could in theory be compelled by a US court to disclose data regardless of where it sits. We mitigate this by configuring EU-only storage, encryption at rest, EU Standard Contractual Clauses, and (where available) EU-US Data Privacy Framework certification. Customers with strict French national-security requirements — Defence, Interior, Justice ministries, OIV-classified entities — are routed to a Tier 2 deployment on OVH SecNumCloud (an ANSSI-qualified sovereign cloud, no US entity in the data path). Tier 2 is on the doctrine roadmap; quoted on request.
We do not transfer learner data to countries outside the EU/EEA without an appropriate safeguard (Standard Contractual Clauses or equivalent).
| Data category | Retention |
|---|---|
| Account + progress data (active learner) | For as long as your access is valid + 3 years after, to support certificate re-issuance and refresh-course access |
| Quiz / lab attempt history | Same as above; aggregated anonymously for product improvement after deletion |
| Invoice / payment records | 10 years (French commercial law) |
| Server access logs | 90 days, then deleted |
| Recovery-link tokens (Resend transactional) | 30 minutes (in transit), then deleted server-side |
We share data only with the sub-processors listed in section 4 (Supabase, Netlify, Stripe, Resend, and a small number of others detailed in admin/sub-processors.md) — each bound by a written Article-28 Data Processing Agreement. We do not sell your data. We do not run third-party advertising tracking on the site.
If your access is provided by an employer via a redeem code, your progress data (quiz scores, lab completions, certificate status, the email you registered with) is visible to your employer's authorised managers via the /enterprise-admin portal. This is the explicit purpose of the enterprise convention your employer signed with us. The portal is scoped per customer — manager A from Company X cannot see learners from Company Y.
The course site uses browser localStorage (not cookies) to remember your progress on your device between visits. localStorage is technical, first-party only, and does not require consent under the ePrivacy Directive.
We do use one cookie: the manager session cookie (w2l_mgr_session), set only when a manager logs into the enterprise portal. This is strictly necessary for the service to function and is also exempt from consent under the ePrivacy Directive.
We do not run analytics, advertising, fingerprinting, or social-media tracking cookies. If we ever add anything beyond strictly-necessary cookies, we'll surface a proper consent banner.
You can exercise any of these rights by emailing support@win2linux.org:
We respond to requests within 30 days, free of charge, after verifying your identity. If you're not satisfied with our response you can lodge a complaint with the CNIL (the French data-protection authority) or your local supervisory authority.
We use industry-standard measures to protect your data: TLS 1.2+ everywhere (HSTS preload), AES-256 encryption at rest on Supabase Postgres and Storage, bcrypt password hashing, optional TOTP MFA for learners (mandatory for managers), JWT-signed magic links with one-shot semantics, Postgres Row-Level Security as defence-in-depth, rate-limited login + sign-up + password-reset, and no plaintext payment data on our infrastructure. Full operational detail is available at admin/security-statement.md.
If we ever experience a personal-data breach that's likely to result in a risk to your rights, we will notify the CNIL within 72 hours and affected learners as soon as practicable, in line with Article 33 / 34 GDPR. Security researchers can report vulnerabilities via security@win2linux.org.
The course is not directed at children under 16. We don't knowingly collect data from minors. The Module 1–6 plain-language rewrites are deliberately accessible to younger readers conceptually, but the course is sold to adults. If a parent or guardian wants their child to use the course, they can purchase it for them — we treat the parent as the data subject in that case.
We may update this Privacy Policy from time to time. Material changes will be flagged on this page (the "Last updated" date above) and emailed to active learners. We won't quietly weaken your protections.
For any privacy question or to exercise any of your rights, email support@win2linux.org. We aim to respond within 5 business days, always within 30 calendar days.
Supporting internal documents that back this Privacy Policy:
This Privacy Policy was drafted as a starting point for a small EU-based training organisation. It is not legal advice. Before going live for Qualiopi or OPCO-funded enrolments, have a French data-privacy lawyer review it, particularly sections 4 (where data lives), 5 (retention), and 8 (rights).