Privacy Policy

Last updated: May 24, 2026 — Version 1.0

This is an informational English translation. The French version is the legally binding text in case of dispute.

This Privacy Policy describes how ConjuGrec (the "Service") collects, uses and protects users' personal data ("you").

It complies with the General Data Protection Regulation (GDPR, EU Regulation 2016/679) and the French Data Protection Act n° 78-17 of January 6, 1978 (as amended).

1. Data controller

The controller of data collected through ConjuGrec is:

Olivier Aillery — Sole proprietor
15 rue Manin, 75019 Paris, France
SIRET: 489 253 906 00056
Email: contact@conjugrec.eu

No Data Protection Officer (DPO) has been appointed, as the processing does not fall within the cases of mandatory appointment provided in article 37 of the GDPR.

2. Data collected

2.1 Data provided by the user upon account creation

Email address (login identifier)
Password — stored only as a secure hash (never in plain text)
Username — freely chosen by the user
Interface language (FR / EN)

2.2 Data generated automatically by use of the Service

Progression statistics: number of answers, success rate, streaks, olive branches/trees/goats collected
Game preferences: selected verbs and tenses, active visual theme, chosen challenge level
Spaced repetition history (SM-2): performance per verb × tense × subject
Last connection date (last_played_at)
Items inventory (jokers, purchased boosts)

2.3 Payment data (paying users only)

Payments are handled entirely by our provider Stripe. ConjuGrec never stores your credit card numbers. Only a Stripe customer identifier (stripe_customer_id) and your subscription status/expiry date are kept in our database.

2.4 Technical data

During browsing, technical data may be collected by our host OVH and by Supabase for security purposes (IP address in logs, browser type). These data are kept for limited periods and are not linked to your gaming profile for commercial profiling.

3. Purposes and legal bases

Purpose	Legal basis
Creating and managing the user account	Contract performance (GDPR art. 6.1.b)
Providing Service features (progression, challenges, statistics, spaced repetition)	Contract performance (GDPR art. 6.1.b)
Processing payments and managing subscriptions	Contract performance (art. 6.1.b) and legal obligation (accounting — art. 6.1.c)
Sending in-app notifications (milestones, challenges, streaks)	Contract performance (GDPR art. 6.1.b)
Inactivity notifications (reminder after > 7 days without playing)	Legitimate interest (GDPR art. 6.1.f) — user retention
Security, fraud prevention, logging	Legitimate interest (GDPR art. 6.1.f)
Compliance with legal obligations (accounting, judicial requests)	Legal obligation (GDPR art. 6.1.c)

4. Recipients and processors

Your data is never sold to third parties. It is accessible only to the publisher and its technical processors:

Processor	Role	Location
Supabase Inc.	Database, authentication, storage	EU servers (Frankfurt, Germany)
Stripe Payments Europe Ltd	Card payment processing	Ireland (EU)
OVH SAS	Website hosting (front-end)	France

Each of these processors is bound by a Data Processing Agreement guaranteeing a level of protection compliant with the GDPR.

5. Retention period

Account and progression data: retained as long as your account is active. Deleted within a maximum of 30 days after your account deletion request.
Billing data: retained for 10 years after the end of the relevant accounting year (French legal obligation — article L123-22 of the Commercial Code).
Technical logs (hosting): 1 year maximum.
Inactive account: an account without connection for 3 years may be deleted after prior email notification.

6. Your rights

In accordance with articles 15 to 22 of the GDPR, you have the following rights:

Right of access: obtain confirmation that data concerning you is being processed and receive a copy.
Right to rectification: correct any inaccurate or incomplete data.
Right to erasure ("right to be forgotten"): request the deletion of your data. This right is directly exercisable from your profile via the "Delete my account" button.
Right to restriction of processing in certain circumstances.
Right to portability: receive your data in a structured and commonly used format.
Right to object to processing, especially when based on legitimate interest.
Right to define directives regarding the handling of your data after your death.

To exercise these rights, contact us at contact@conjugrec.eu, attaching proof of identity if necessary. A reply will be provided within one month, extendable by two months in case of complexity.

Immediate account deletion: you can delete your account at any time from the Profile screen → Delete my account. This action is permanent and entails the deletion of your identifier, progression, inventory, statistics and notifications. Billing data is retained for the legal duration.

7. Complaint to the supervisory authority

If you believe that the processing of your data does not comply with the GDPR, you have the right to lodge a complaint with the CNIL (French National Commission on Informatics and Liberty):

3 place de Fontenoy — TSA 80715 — 75334 Paris Cedex 07, France
Phone: +33 1 53 73 22 22
www.cnil.fr/en/plaintes

8. Cookies and local storage

ConjuGrec uses only storage technologies strictly necessary for the operation of the Service:

Supabase authentication session (JWT token) — stored in the browser's localStorage, duration 1 hour renewable.
Service Worker (PWA) — caches static assets to enable offline operation.

ConjuGrec does not use advertising cookies, marketing trackers, or third-party analytics tools (Google Analytics, Meta Pixel…). No prior consent is therefore required for these processing operations (article 82 of the French Data Protection Act).

9. Security of processing

In accordance with articles 25 and 32 of the GDPR, we implement appropriate technical and organizational measures matched to the level of risk to guarantee the security, confidentiality and integrity of your data:

Encryption in transit: HTTPS / TLS 1.3 mandatory across the entire Service
Encryption at rest: Supabase database disks encrypted with AES-256
Password hashing: bcrypt algorithm — no password is ever stored in plain text
Row-Level Security: each user only accesses their own data through PostgreSQL rules enforced server-side
Minimization: only data strictly necessary to the purposes is collected ("privacy by default")
Encrypted backups: daily backups performed automatically and encrypted
Restricted administrator access: limited to the publisher, logged, protected by a strong password and two-factor authentication
Monitoring and audits: regular reviews of access, software dependencies and known vulnerabilities

10. Data breaches

In accordance with articles 33 and 34 of the GDPR, in the event of a personal data breach likely to pose a risk to your rights and freedoms, we undertake to:

notify the CNIL within a maximum of 72 hours after becoming aware of it;
inform you personally and as soon as possible, when this breach is likely to create a high risk for your rights and freedoms (e.g.: credential leak, unauthorized access to your progression or payment data);
document the incident, its effects and the corrective measures implemented.

11. No automated decision-making or profiling

In accordance with article 22 of the GDPR, ConjuGrec carries out no fully automated decision-making producing legal effects on you or significantly affecting you. No profiling for advertising, commercial or rating purposes is performed.

The algorithms used (SM-2 spaced repetition, question selection, progression calculations) serve exclusively to adapt the educational content to your learning pace and generate no decision impacting your rights.

12. Minors

The Service is intended for an audience aged 13 and over. Users under 15 must obtain the consent of their legal representatives to create an account, in accordance with article 7-1 of the French Data Protection Act.

13. Transfers outside the EU

User data is hosted within the European Union. No recurring transfer to a third country is made as part of the normal operation of the Service. The processor Stripe may, in marginal cases related to fraud prevention, transfer certain data to the United States; this transfer is governed by the standard contractual clauses adopted by the European Commission.

14. Modifications

This Policy may be modified to reflect legal or functional changes. The version in force is always the one published at conjugrec.eu/legal/privacy_en.html. Substantial modifications will be notified to you through the application.