Privacy policy

Last updated: 9 July 2026

Préparation Examen Civique (published by Clémence Charbonnier, sole trader, trading as KAIROS ENTREPRISES) processes personal data to let you practise for the French civic exam. This site is private and is neither operated by nor affiliated with the Ministry of the Interior or any public authority. This page describes what data we process, why, with whom, for how long, and how to exercise your rights.

Who we are

The data controller is Clémence Charbonnier, sole trader (EI), trading as KAIROS ENTREPRISES, RCS Clermont-Ferrand 106 451 115, 71 Rue de Vallières, 63000 Clermont-Ferrand, France. Contact: contact@preparationexamencivique2026.fr.

Data we collect and legal bases

We minimise collection: no sensitive data is ever requested, and we never collect residence-permit or identity-document numbers. Your chosen procedure (CSP/CR/naturalisation) is treated as an ordinary account preference.

DataPurposeLegal basis
Email, password (hashed)Create and secure your account, sign you inPerformance of a contract (Art. 6(1)(b) GDPR)
Procedure, language, chosen levelTailor content to your situationPerformance of a contract
Answers to questions, per-theme mastery profiles, progressPower adaptive practice and show your honest scorePerformance of a contract
Payment identifiers (Stripe)Process your one-time paymentPerformance of a contract
Privacy-friendly analytics (Vercel Analytics)Understand site usage in order to improve itConsent (Art. 6(1)(a) GDPR) — see "Manage cookies"
Technical error logs (Sentry)Diagnose and fix site bugsLegitimate interest (Art. 6(1)(f) GDPR)
Security logs, anti-abuse dataPrevent fraud and abuseLegitimate interest (Art. 6(1)(f) GDPR)

Sub-processors (recipients of your data)

Your data is hosted and processed by the following providers, each bound by a data processing agreement:

  • Supabase Inc.Database and authenticationEuropean Union — Frankfurt, Germany
  • Vercel Inc.Web application hosting and analytics (Vercel Analytics, enabled only with your consent)European Union
  • StripeOne-time payment processing (no card data ever touches our servers)Standard contractual clauses for any transfer outside the EU
  • ResendTransactional email delivery (sign-in links, receipts)Standard contractual clauses for any transfer outside the EU
  • SentryTechnical error tracking (error traces only — never your quiz-answer content)Standard contractual clauses for any transfer outside the EU
  • Infomaniak Network SADomain name and mailbox hostingSwitzerland — covered by a European Commission adequacy decision

Data retention

  • Account and learning dataWhile your account is active; purged 30 days after your deletion request
  • Billing and accounting recordsUp to 10 years, as required by French tax law
  • Security logs and anti-abuse data90 days maximum
  • Proof of your consent (cookies, terms)Duration of the relationship, plus a proof period

Your rights

Under the GDPR, you have the following rights over your data:

  • Access and portability — a full JSON export in one click from your account (/app/compte).
  • Rectification — update your information directly from your account.
  • Erasure — delete your account from /app/compte; a 30-day grace period precedes permanent deletion, giving you time to change your mind.
  • Restriction and objection — contact us at the address below; withdraw your consent to analytics at any time via "Manage cookies".
  • We respond to any request within 30 days at most.
  • You may also lodge a complaint with the CNIL, the French data protection authority (www.cnil.fr).

Cookies

We use strictly necessary cookies (login, preferences) and, with your consent, analytics and additional preference cookies. No non-essential script runs before you consent. You manage your choice at any time via the "Manage cookies" link in the footer.

Transfers outside the European Union

Your data is hosted within the European Union (Supabase in Frankfurt, Vercel in an EU region). Where a provider involves a transfer outside the EU, we rely on standard contractual clauses or an equivalent certification, documented for each sub-processor.

Security

Encryption in transit (TLS) and at rest, passwords hashed with argon2id, least-privilege access, revocable sessions, rate limiting, secrets kept out of the source code. In the event of a data breach, we notify the competent authority within 72 hours and affected individuals where the law requires it.

Contact and complaints

For any question or to exercise your rights: contact@preparationexamencivique2026.fr. You may also lodge a complaint with the Commission nationale de l'informatique et des libertés (CNIL), 3 Place de Fontenoy, 75007 Paris, France — www.cnil.fr.