Privacy Policy
Last updated: April 2026
1. Data Controller
The data controller for entrevia.dev is:
- Arnaud Lasserre — Sole proprietor (Entrepreneur individuel)
- SIREN: 100 137 959
- Address: 14 rue du 8 mai 1945, 32600 L'Isle Jourdain, France
Our servers are hosted in France (European Union).
For privacy-related inquiries, contact: privacy@entrevia.dev
2. Data We Collect
We collect only what is necessary to provide the Service:
Account data (if you sign in)
Email address, display name, and profile picture from your OAuth provider (GitHub or Google), or just your email address if you use a magic link. We do not receive or store OAuth passwords.
Session data
When you complete a practice session, we store which questions you answered, your self-assessed scores (0–10), time spent per question, timestamps, and — in simulation mode — the text responses you typed. If you request an AI analysis, the resulting scores and feedback are also stored alongside your answers. This data powers your progress tracking and spaced repetition.
Technical data
Standard server logs (IP address, browser type, pages visited) retained for up to 30 days for security and abuse prevention.
OAuth tokens
When you sign in via Google or GitHub, we temporarily store the access and refresh tokens provided by the OAuth provider. These tokens are deleted when you delete your account.
Question reports
If you report a question, we store the report reason and your optional comment, linked to your account.
Error data
When errors occur, Sentry may capture a stack trace, the URL, and limited browser context to help us fix bugs. We have configured Sentry to exclude simulation responses and payment data from error reports as much as possible. Limited technical data may be captured unintentionally when an error occurs.
Billing data (if you subscribe)
Your Stripe customer ID and subscription history. Card numbers never pass through our servers and are handled directly by Stripe (PCI-DSS certified).
Job postings
When you use the job posting analysis feature, uploaded documents (PDF or text) are processed transiently by our AI provider (Anthropic PBC) to extract the technologies mentioned. They are immediately discarded and never written to persistent storage.
3. Purposes and Legal Basis
Providing the Service
Account creation, authentication, and progress tracking are necessary to perform the contract with you (Art. 6.1.b GDPR).
Improving question quality and the platform
We analyse aggregate, anonymised usage patterns (e.g., which questions are most often answered incorrectly) to improve the Service. This is based on our legitimate interest (Art. 6.1.f GDPR). You may object to this processing at any time.
Security and abuse prevention
Server logs and error monitoring are processed under legitimate interest (Art. 6.1.f GDPR) to protect the integrity of the Service.
Transactional emails
Magic link sign-in emails (on your direct request), welcome emails upon account creation, purchase confirmations upon subscription, and deletion confirmations upon account closure are sent under Art. 6.1.b GDPR (performance of contract). We do not send marketing emails without your explicit consent.
4. Data Retention
- Account data (email, name, OAuth profile): retained for the duration of account activity. After 3 years of inactivity, a confirmation email is sent before automatic deletion.
- Session data: retained for a maximum of 12 months. A weekly automated cleanup removes data beyond this period.
- Verification tokens: expired tokens are automatically cleaned up during the weekly maintenance.
- Server logs: retained for up to 30 days.
- Error reports (Sentry): retained for 90 days.
5. Third-Party Processors
We share data with the following sub-processors, each bound by a Data Processing Agreement (DPA):
SCCs = Standard Contractual Clauses approved by the European Commission for international transfers.
6. International Data Transfers
Our servers are hosted in France (EU). Some third-party processors listed above operate in the United States. All such transfers are covered by Standard Contractual Clauses (SCCs) adopted under Art. 46.2.c GDPR, ensuring an adequate level of protection for your personal data.
7. Cookies and Local Storage
We use only the cookies and local storage required to operate the Service. No tracking or advertising cookies are used.
All three cookies are strictly necessary for the Service to function and do not require your consent under the ePrivacy Directive. You can delete them at any time via your browser settings.
Our progressive web app (PWA) also uses browser cache and local storage (Cache Storage, localStorage) to enable offline access and improve performance. This data remains on your device and is not transmitted to our servers.
8. Your Rights (GDPR)
If you are in the European Economic Area, you have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Ask us to correct inaccurate or incomplete data.
- Erasure: Delete your account from Account Settings (immediate and complete deletion of all personal and session data) or contact us at privacy@entrevia.dev.
- Restriction: Ask us to limit how we process your data in certain circumstances.
- Portability: Receive your data in a structured, machine-readable format. A JSON export is available from your account Settings.
- Objection: Object to processing based on legitimate interest (Art. 6.1.f), including analytics.
- Withdrawal of consent: Where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
- Lodge a complaint: File a complaint with the CNIL (Commission Nationale de l'Informatique et des Libertés) at cnil.fr.
To exercise any of these rights, contact us at privacy@entrevia.dev. We respond within 30 days. For complex requests, this period may be extended by two further months, in which case we will notify you within the first month (Art. 12.3 GDPR).
9. Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or disclosure. These include encrypted connections (HTTPS/TLS), access controls limited to what is necessary, and regular dependency updates.
No transmission over the internet is 100% secure. While we work to protect your data, we cannot guarantee absolute security.
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the CNIL within 72 hours and inform you without undue delay in accordance with Articles 33 and 34 of the GDPR.
10. Children
The Service is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe we have inadvertently collected such data, please contact us and we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will revise the “Last updated” date at the top. For material changes, we will notify you via email (if you have an account) or via a prominent notice on the Service.
12. Contact
For any privacy-related questions or to exercise your rights, contact us at privacy@entrevia.dev.