Privacy Policy
Last updated: April 2026
1. Data Controller
The data controller for entrevia.dev is:
- Arnaud Lasserre — Sole proprietor (Entrepreneur individuel)
- SIREN: 100 137 959
- Address: 14 rue du 8 mai 1945, 32600 L'Isle Jourdain, France
Our servers are hosted in France (European Union).
For privacy-related inquiries, contact: privacy@entrevia.dev
2. Data We Collect
We collect only what is necessary to provide the Service:
Account data (if you sign in)
Email address, display name, and profile picture from your OAuth provider (GitHub or Google), or just your email address if you use a magic link. We do not receive or store OAuth passwords.
Session data
When you complete a practice session, we store which questions you answered, your self-assessed scores (0–3), time spent per question, timestamps, and — in simulation mode — the text responses you typed. This data powers your progress tracking and spaced repetition.
Technical data
Standard server logs (IP address, browser type, pages visited) retained for up to 30 days for security and abuse prevention.
OAuth tokens
When you sign in via Google or GitHub, we temporarily store the access and refresh tokens provided by the OAuth provider. These tokens are deleted when you delete your account.
Question reports
If you report a question, we store the report reason and your optional comment, linked to your account.
Error data
When errors occur, Sentry may capture a stack trace, the URL, and limited browser context to help us fix bugs. No passwords, simulation responses, or payment data are included in these reports.
Billing data (if you subscribe)
Your Stripe customer ID and subscription history. Card numbers never pass through our servers and are handled directly by Stripe (PCI-DSS certified).
Job postings
When you use the job posting analysis feature, uploaded documents (PDF or text) are processed transiently by our AI provider (Anthropic PBC) to extract the technologies mentioned. They are immediately discarded and never written to persistent storage.
3. Purposes and Legal Basis
Providing the Service
Account creation, authentication, and progress tracking are necessary to perform the contract with you (Art. 6.1.b GDPR).
Improving question quality and the platform
We analyse aggregate, anonymised usage patterns (e.g., which questions are most often answered incorrectly) to improve the Service. This is based on our legitimate interest (Art. 6.1.f GDPR). You may object to this processing at any time.
Security and abuse prevention
Server logs and error monitoring are processed under legitimate interest (Art. 6.1.f GDPR) to protect the integrity of the Service.
Transactional emails
Magic link sign-in emails are sent based on your direct request (Art. 6.1.b GDPR). We do not send marketing emails without your explicit consent.
4. Data Retention
- Account data (email, name, OAuth profile): retained until you request deletion.
- Session data: retained for a maximum of 12 months. A weekly automated cleanup removes data beyond this period.
- Verification tokens: expired tokens are automatically cleaned up during the weekly maintenance.
- Server logs: retained for up to 30 days.
- Error reports (Sentry): retained for 90 days.
5. Third-Party Processors
We share data with the following sub-processors, each bound by a Data Processing Agreement (DPA):
| Processor | Purpose | Location |
|---|---|---|
| GitHub OAuth | Authentication | US (SCCs) |
| Google OAuth | Authentication | EU / US (SCCs) |
| Resend | Transactional email (magic links) | US (SCCs) |
| Sentry | Error monitoring | US (SCCs) |
| Stripe | Payment processing | US (SCCs) |
| Anthropic PBC | Job posting AI analysis | US (SCCs) — no training on user data |
SCCs = Standard Contractual Clauses approved by the European Commission for international transfers.
6. International Data Transfers
Our servers are hosted in France (EU). Some third-party processors listed above operate in the United States. All such transfers are covered by Standard Contractual Clauses (SCCs) adopted under Art. 46.2.c GDPR, ensuring an adequate level of protection for your personal data.
7. Cookies and Local Storage
We use only the cookies and local storage required to operate the Service. No tracking or advertising cookies are used.
| Cookie | Purpose | Duration |
|---|---|---|
| authjs.session-token | Authentication session | 7 days |
| authjs.callback-url | Redirect URL after sign-in | Session |
| authjs.csrf-token | CSRF protection | Session |
All three cookies are strictly necessary for the Service to function and do not require your consent under the ePrivacy Directive. You can delete them at any time via your browser settings.
Our progressive web app (PWA) also uses browser cache and local storage (Cache Storage, localStorage) to enable offline access and improve performance. This data remains on your device and is not transmitted to our servers.
8. Your Rights (GDPR)
If you are in the European Economic Area, you have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Ask us to correct inaccurate or incomplete data.
- Erasure: Delete your account from Account Settings (immediate deletion of personal data, anonymization of session data) or contact us at privacy@entrevia.dev.
- Restriction: Ask us to limit how we process your data in certain circumstances.
- Portability: Receive your data in a structured, machine-readable format. A JSON export is available from your account Settings.
- Objection: Object to processing based on legitimate interest (Art. 6.1.f), including analytics.
- Lodge a complaint: File a complaint with the CNIL (Commission Nationale de l'Informatique et des Libertés) at cnil.fr.
To exercise any of these rights, contact us at privacy@entrevia.dev. We will respond within 30 days.
9. Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or disclosure. These include encrypted connections (HTTPS/TLS), access controls limited to what is necessary, and regular dependency updates.
No transmission over the internet is 100% secure. While we work to protect your data, we cannot guarantee absolute security.
10. Children
The Service is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe we have inadvertently collected such data, please contact us and we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will revise the “Last updated” date at the top. For material changes, we will notify you via email (if you have an account) or via a prominent notice on the Service.
12. Contact
For any privacy-related questions or to exercise your rights, contact us at privacy@entrevia.dev.