GDPR & Data Trust Center

Last updated: July 14, 2026

BETA PROGRAM NOTICE This document applies to the Kompunik Beta Program, a free, invitation-only research pilot operated by Joss Gillet (Founder of Kompunik). This is an experimental prototype with no service guarantee.

GDPR & Data Trust Center

Effective Date: January 1, 2026

Last Updated: January 1, 2026

This Trust & Data Sheet is a plain-language companion to our Privacy Policy and Security Overview. It summarises, in one place, how Kompunik complies with the EU General Data Protection Regulation (GDPR): the legal bases we rely on, the data we process, the sub-processors we use, how long we keep your data, and how you can exercise your rights.

If anything here conflicts with the Privacy Policy, the Privacy Policy prevails as the legally binding document.


1. Data Controller

Joss Gillet (Founder of Kompunik) Avignon, France

Joss Gillet (Founder of Kompunik) is the data controller for personal data processed through the Kompunik learning platform. We determine the purposes and means of processing your personal data and are responsible for protecting it in accordance with the GDPR.

For organizations (companies, universities) that enroll their members, Kompunik acts as a data processor on the organization's behalf for the learning data generated within their space, and as a controller for account and billing data.


2. Legal Bases for Processing

Every category of personal data we process is grounded in one of the following GDPR legal bases (Article 6):

Processing activity Legal basis
Creating and maintaining your account Performance of a contract (Art. 6(1)(b))
Delivering courses, tracking progress, issuing certificates Performance of a contract (Art. 6(1)(b))
Processing payments and issuing invoices Performance of a contract + legal obligation (Art. 6(1)(b), (c))
Retaining financial records Legal obligation under French law (Art. 6(1)(c))
Sending service and security emails (verification, MFA, receipts) Performance of a contract (Art. 6(1)(b))
Product analytics computed from your own activity Legitimate interest (Art. 6(1)(f))
Optional community, public profile, and peer-comparison features Consent (Art. 6(1)(a))
AI-assisted insights (manager Pulse, translations) Legitimate interest, with opt-out (Art. 6(1)(f))
Marketing emails, where applicable Consent (Art. 6(1)(a))

You can withdraw consent at any time where consent is the basis, without affecting processing that already took place.


3. Personal Data We Process

  • Identity & account: name, email address, hashed password, preferred language, role, and organization membership.
  • Authentication: login timestamps, MFA settings, and SSO identifiers from Google Workspace or Microsoft Entra ID (if used).
  • Learning data: course progress, quiz and self-assessment answers, diagnostic results, tactics, playlists, and certificates.
  • Community data (opt-in): posts, comments, reactions, and public profile details you choose to share.
  • Payment data: billing name, transaction records, and subscription status. We never receive or store full card numbers or CVVs — these go directly to Stripe.
  • Technical data: anonymous session identifier, coarse device/browser information, and first-party page analytics used to improve the product.

We do not sell personal data, we do not use third-party advertising cookies, and we do not run third-party trackers such as Google Analytics.


4. Your GDPR Rights

Under the GDPR you have the right to:

  • Access — obtain a copy of the personal data we hold about you.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure ("right to be forgotten") — request deletion of your account and data.
  • Restriction — ask us to limit processing in certain circumstances.
  • Portability — receive your data in a structured, machine-readable format.
  • Objection — object to processing based on legitimate interest.
  • Withdraw consent — for any processing based on consent.

How to exercise them:

  • Self-service: From your account settings you can export your personal data at any time, and delete your account directly.
  • By email: Write to compliance@kompunik.org. We respond to all requests within 30 days as required by the GDPR.

You also have the right to lodge a complaint with your local supervisory authority. In France, this is the CNIL (Commission Nationale de l'Informatique et des Libertés — cnil.fr).


5. Data Retention

Data category Retention period
Account and learning data For the life of your account
Deleted account data Purged within 30 days of the deletion request
Financial and invoicing records 7 years (legal obligation under French law)
Diagnostic results 90 days (automatic expiry)
AI-generated insight history 90 days (automatic expiry)
Anonymous page analytics Aggregated; no long-term personal identifiers
Audit logs Retained for security and compliance, then rotated

When a retention period ends, data is deleted or irreversibly anonymized.


6. Sub-Processors

We rely on a small number of carefully selected sub-processors to operate the platform. Each is bound by a Data Processing Agreement (DPA) and appropriate safeguards. Data is hosted in the EU (Frankfurt, Germany) wherever the provider offers regional hosting.

Sub-processor Purpose Data location
MongoDB Atlas Primary database (accounts, learning data) EU — Frankfurt
DigitalOcean Spaces Media, certificates, and file storage EU region, encrypted at rest
Vercel Application hosting and delivery EU function region (Frankfurt)
Upstash Redis Rate limiting EU — Frankfurt
Stripe Payment processing (PCI-DSS Level 1) EU/US with SCCs
Resend Transactional email delivery EU/US with SCCs
Google & Microsoft Optional SSO sign-in (OAuth) EU/US with SCCs
OpenAI AI-assisted manager insights (opt-out available) US with SCCs
DeepL Content translation EU (Germany)
Sentry Error monitoring EU/US with SCCs

We maintain an up-to-date list of sub-processors. If we add or replace a sub-processor that materially affects the processing of your data, we will update this page.


7. International Data Transfers

Our infrastructure is designed to keep personal data within the European Union wherever possible. Where a sub-processor processes data outside the EU (for example, in the United States), the transfer is protected by Standard Contractual Clauses (SCCs) approved by the European Commission, together with supplementary technical safeguards such as encryption in transit and at rest.


8. Security Measures (Summary)

A full description is available in our Security Overview. In brief:

  • Encryption everywhere: TLS 1.2+ in transit; AES-256 at rest.
  • Access control: role-based permissions, MFA, and least-privilege service accounts.
  • Signed URLs: media is delivered through time-limited signed links (1-hour expiry).
  • Privacy by default: profiles are private unless you opt in.
  • Tenant isolation: every organization's data is strictly segregated.
  • Hardened application: server-side validation, content sanitization, parameterized queries, CSP, and rate limiting.

9. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of it, and inform affected users without undue delay, as required by GDPR Articles 33 and 34. Our internal target is to begin investigation and remediation within 48 hours of detection.


10. Cookies and Tracking

Kompunik uses only the cookies and local storage strictly necessary to run the service (authentication session, security, language preference) plus first-party, privacy-preserving analytics. We do not use advertising cookies or cross-site tracking. A cookie banner is shown to new visitors, and details are available in our Privacy Policy.


11. Children's Data

Kompunik is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact compliance@kompunik.org and we will delete it.


12. Contact

For any question about your data, this Trust & Data Sheet, or to exercise your GDPR rights:

Joss Gillet (Founder of Kompunik) Avignon, France


This GDPR & Data Trust Center is effective as of January 1, 2026, and is provided for transparency alongside our legally binding Privacy Policy.


Beta-Specific Terms

Experimental Nature

This platform is an experimental prototype. Features may change, be removed, or malfunction without notice. No guarantee of availability, uptime, or performance is provided.

Data Handling

Data collected during the beta may be deleted at the end of the beta period. While we take reasonable care to protect your data, no guarantees are made regarding data persistence or backup.

Feedback Usage

Any feedback, suggestions, or ideas you provide during the beta may be used to improve the product without compensation or attribution.

No Financial Compensation

Participation in the beta is voluntary and unpaid. No financial compensation, credits, or refunds are applicable.

Limitation of Liability

Joss Gillet (Founder of Kompunik) shall not be liable for any direct, indirect, incidental, or consequential damages arising from your use of this beta platform. Use is entirely at your own risk.

Confidentiality (Optional)

You may encounter features or content that are not yet publicly available. While not legally binding, we kindly ask that you treat unreleased features with discretion.

No Commercial Relationship

This beta does not constitute a commercial service, contract, or subscription. No invoices will be issued, and no service-level agreements apply.