Privacy Policy

Introduction

FrançaisFlow is operated by Klaudia Kromołowska ("we", "us", "our"). We are committed to protecting your privacy. This policy explains how we collect, use, and protect your personal data when you use our French learning platform, in accordance with the General Data Protection Regulation (GDPR).

Data Controller

The controller of your personal data is Klaudia Kromołowska, with correspondence address at ul. Warszawska 111, 42-200 Częstochowa, Poland. Tax ID (NIP): 6793269779. Contact: salut@francaisflow.com. As the controller, we determine the purposes and means of processing your personal data.

Data We Collect

We collect: your email address and display name when you create an account; your learning progress, exercise results, and spaced repetition state; your preferences (language, theme, learning goals); payment information processed by Stripe (we do not store card details); and aggregated, anonymised usage analytics to improve the platform.

Legal Basis for Processing

We process your data on the following bases under GDPR Article 6: (a) Contract performance (Art. 6(1)(b)) — account data, learning progress, and subscription management are necessary to deliver the service you signed up for; (b) Legal obligation (Art. 6(1)(c)) — billing and transaction records are retained to comply with Polish accounting law (5-year statutory requirement); (c) Consent (Art. 6(1)(a)) — if you opt in to marketing communications, your email is processed for that purpose; consent may be withdrawn at any time without affecting the lawfulness of prior processing.

How We Use Your Data

Your data is used to: provide personalised learning experiences through spaced repetition; track your progress and generate statistics; process subscription payments; improve our platform and content; and send account-related transactional notifications. Marketing communications are sent only with your explicit, separate consent.

Third-Party Processors

We share data with the following processors, each bound by a Data Processing Agreement: Supabase Inc. (USA) — database and authentication infrastructure; Stripe Inc. (USA) — payment processing and subscription management; Sentry / Functional Software Inc. (USA) — anonymised error tracking; Plausible Insights OÜ (Estonia, EU) — privacy-first analytics, no personal data collected. We do not sell your data to any third party.

International Data Transfers

Some processors are based outside the European Economic Area (EEA), specifically in the United States. These transfers are safeguarded by Standard Contractual Clauses (SCCs) approved by the European Commission under GDPR Article 46(2)(c), ensuring your data receives equivalent protection.

Data Storage & Security

Your data is stored on Supabase (PostgreSQL) with row-level security policies. All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Access is restricted to authorised personnel only.

Data Retention

We retain your data as follows: account and learning data — kept for the lifetime of your account and deleted within 30 days of an account deletion request; billing and transaction records — retained for 5 years as required by the Polish Accounting Act (Ustawa o rachunkowości); server and error logs — retained for 90 days; marketing consent records — retained until you withdraw consent or request deletion.

Cookies & Tracking

We use essential cookies required for authentication (session tokens) and user preferences (language, theme). We use Plausible Analytics, a privacy-first tool that collects no personal data and sets no tracking cookies — it is fully GDPR-compliant without a consent banner for analytics. You may disable non-essential cookies in your browser settings without affecting core platform functionality.

Your Rights

Under GDPR you have the right to: access your personal data (Art. 15); correct inaccurate data (Art. 16); request deletion of your data (Art. 17); restrict processing (Art. 18); receive your data in a portable format (Art. 20); object to processing based on legitimate interests (Art. 21); withdraw consent for marketing at any time. To exercise these rights, visit the Settings page or contact us at salut@francaisflow.com.

Right to Lodge a Complaint

If you believe we are processing your personal data in violation of GDPR, you have the right to lodge a complaint with the Polish supervisory authority: Urząd Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warsaw, Poland, www.uodo.gov.pl.

Contact

For privacy-related questions or to exercise your rights, contact us at: salut@francaisflow.com. We will respond within 30 days.