Privacy Policy
EduGame Platform — edugame.cc
Last updated: April 2, 2026
This privacy policy describes how the EduGame platform (hereinafter "the Platform") collects, uses, protects, and shares its users' data. EduGame is an educational SaaS platform designed for French-speaking schools worldwide, enabling AI-powered exam generation, progress tracking, and educational gamification.
1. Data collected
1.1 User account data
- Identification — last name, first name, email address, username (optional)
- Role — teacher, student, parent, or administrator
- Authentication — password (hashed, never stored in plain text), session tokens
1.2 Educational data
- Exams — generated exams, questions, student answers
- Results — grades, scores, automatic and manual corrections
- Progress — acquired skills, learning statistics
- Gamification — experience points (XP), badges, connection streaks, levels and rankings
- Courses — course content created by teachers, flashcards
1.3 Technical data
- Connection — IP address, browser type, device
- Cookies — session cookies and preferences (see our Cookie Policy)
2. Legal bases for processing
- Contract performance (Art. 6.1.b GDPR) — processing necessary to provide the service (exam generation, grading, progress tracking, gamification)
- Consent (Art. 6.1.a GDPR) — for analytical cookies and parental consent for minors under 16
- Legitimate interest (Art. 6.1.f GDPR) — platform security, abuse prevention, service improvement
- Legal obligation (Art. 6.1.c GDPR) — retention of billing data in accordance with French tax law
3. Data sharing and sub-processors
EduGame never sells its users' data. Data is shared only with the technical sub-processors necessary for the service to function:
| Sub-processor | Purpose | Location |
|---|---|---|
| Neon (PostgreSQL) | Database hosting | EU (AWS eu-central-1) |
| Google Cloud (Gemini) | AI generation | EU (eu-west) |
| Hostinger | Web application hosting | EU (Lithuania) |
| Resend | Transactional emails | US (DPF certified) |
| Lemon Squeezy | Payments (Merchant of Record) | US (DPF certified) |
| Sentry | Error monitoring | US (DPF certified) |
For more details on each sub-processor's guarantees, see our Data Processing Agreement (DPA).
For users located outside the European Union, we apply data protection standards equivalent to the GDPR. Data transfers outside the EU are governed by Standard Contractual Clauses (SCCs) approved by the European Commission.
4. Protection of minors' data
EduGame processes data of minor students as part of its educational mission. Enhanced protection measures are applied:
- Parental consent — required for students under 16, in accordance with GDPR Article 8 and French data protection law
- Minimization — only data strictly necessary for the educational journey is collected
- Pseudonymization — students can use a username instead of their real name
- Family access — parents can track their children's progress and manage consents from the family portal
- Enhanced protection — AES-256-GCM encryption of PII, RBAC access control, PII redaction in logs
5. Data retention period
- Account data — retained while the account is active, then deleted within 30 days of account deletion
- Inactive accounts — accounts without login for 24 months are automatically deleted after prior email notification
- Academic data — retained for the duration of the current school year unless early deletion is requested
- Billing data — retained for 10 years in accordance with French tax law
- Technical logs — retained for a maximum of 12 months
6. Data subject rights
In accordance with the GDPR, you have the following rights:
- Right of access (Art. 15) — obtain a copy of your personal data
- Right of rectification (Art. 16) — correct inaccurate data
- Right to erasure (Art. 17) — request deletion of your data
- Right to portability (Art. 20) — receive your data in a structured format
- Right to object (Art. 21) — object to processing based on legitimate interest
- Right to restriction (Art. 18) — restrict processing of your data in certain circumstances
To exercise your rights, contact our DPO at [email protected]. We will respond within 30 days.
You also have the right to lodge a complaint with the CNIL (French Data Protection Authority).
7. Data security
EduGame implements technical and organizational measures in accordance with GDPR Article 32:
- AES-256-GCM encryption of personal data at rest
- HTTPS/TLS 1.3 for all communications
- 4-level RBAC access control
- HttpOnly/Secure signed sessions
- Automatic PII redaction in logs
- Automated security analyses (SAST, secret scanning, dependency audits)
- Automatic backups with PITR restoration
8. Cookies
The Platform uses cookies strictly necessary for the service to function (authentication, language preferences). Analytical cookies are only set after your explicit consent. For more information, see our Cookie Policy.
9. Contact
For any questions regarding this policy or to exercise your rights: