BETA PROGRAM NOTICE This document applies to the Kompunik Beta Program, a free, invitation-only research pilot operated by Joss Gillet (Founder of Kompunik). This is an experimental prototype with no service guarantee.

Privacy Policy

Effective Date: January 1, 2026

Last Updated: January 1, 2026

Joss Gillet (Founder of Kompunik) ("Kompunik," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use the Kompunik platform, including all courses, community features, and related services (the "Service").

This Policy is designed to comply with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable French data protection laws.

1. Data Controller

The data controller responsible for your personal data is:

Joss Gillet (Founder of Kompunik) Avignon, France

Privacy inquiries: compliance@kompunik.org
Data Protection Officer: compliance@kompunik.org

If you have any questions or concerns about how we handle your personal data, you may contact our Data Protection Officer at any time.

2. Data We Collect

We collect the following categories of personal data:

2.1 Personal Information

Information you provide directly when creating and using your account:

Account information: name, email address, password (hashed, never stored in plain text)
Profile information: display name, language preference, country, age range, gender, industry, experience level, education level, years of experience
Avatar configuration: your selected avatar style and customization choices
Community profile: handle (username), profile visibility settings, bio

2.2 Usage Data

Information generated through your use of the Service:

Learning progress: course progress, skill completion status, audio listening time, video watch time, quiz scores, questionnaire responses, self-assessment answers
Streak and achievement data: daily activity streaks, badges earned, certificates issued
Community activity: posts created, comments, reactions, votes, circle memberships, challenge participation, practice room responses, ambassador program activity
Planner data: scheduled learning sessions, configuration preferences
Favorites and playlists: tactic favorites, personal playlists, shared playlist assignments

2.3 Device and Technical Data

Information collected automatically when you access the Service:

Browser information: browser type, version, and language
Device information: device type (desktop, mobile, tablet), operating system
Network information: IP address, approximate geographic location (country/region level)
Access patterns: pages visited, features used, timestamps, session duration
Referral information: how you arrived at the Service (e.g., referral links)

2.4 Community Data

Information you voluntarily share in community features:

Posts and comments: text content you write and share in the community feed, circles, challenges, and practice rooms
Reactions and votes: your interactions with other users' content
Shared playlists: playlist names and tactic selections shared by managers

2.5 Payment Data

Information related to your purchases:

Payment processing: payments are processed by Stripe, our PCI-DSS Level 1 compliant payment processor. We do not store your credit card number, CVV, or full payment card details on our servers.
Transaction records: we retain transaction identifiers, amounts, dates, invoice numbers, and subscription status for billing and accounting purposes
Billing contact: name and email associated with the payment

3. How We Use Your Data

We use your personal data for the following purposes:

3.1 Service Delivery

Creating and managing your account
Providing access to courses, content, and learning materials
Tracking your learning progress and generating progress reports
Issuing certificates of completion
Delivering community features (posts, circles, challenges, practice rooms)
Processing your payments and managing your subscription

3.2 Progress Tracking and Personalization

Calculating and displaying your constellation map (soft skills profile)
Computing and displaying your learning streaks and badges
Generating your planner schedule and sending session reminders
Providing personalized learning recommendations (future feature)

3.3 Analytics and Improvement

Analyzing aggregated, anonymized usage patterns to improve the Service
Understanding feature adoption and engagement
Identifying and resolving technical issues
Measuring the effectiveness of our educational content

3.4 Communication

Sending essential service communications (account verification, password resets, security alerts)
Sending in-app notifications about community activity, feedback, and achievements
Sending planner reminders and session invitations (when you opt in)
Responding to your support requests

3.5 Security and Moderation

Protecting against fraud, abuse, and security threats
Enforcing our Terms of Use and Acceptable Use Policy
Moderating community content through our automated and human review systems
Rate limiting and preventing unauthorized access

3.6 Legal Compliance

Complying with applicable laws, regulations, and legal processes
Responding to lawful requests from public authorities
Maintaining records as required by French commercial and tax law

4. Legal Basis for Processing

We process your personal data under the following legal bases as defined by the GDPR:

4.1 Contract Performance (Article 6(1)(b))

Processing necessary for the performance of our contract with you, including:

Account creation and management
Providing access to courses and content
Processing payments and managing subscriptions
Tracking progress and issuing certificates

4.2 Legitimate Interest (Article 6(1)(f))

Processing necessary for our legitimate interests, provided these interests are not overridden by your rights and freedoms:

Improving and optimizing the Service
Analyzing aggregated usage data for product development
Ensuring the security and integrity of the Service
Preventing fraud and enforcing our policies

4.3 Consent (Article 6(1)(a))

Processing based on your explicit consent, which you may withdraw at any time:

Participating in community features and sharing your content publicly
Enabling your public profile and share cards
Receiving planner email reminders and calendar invitations
Enabling peer comparison features

4.4 Legal Obligation (Article 6(1)(c))

Processing necessary to comply with legal obligations:

Retaining financial and transaction records as required by French law
Responding to lawful requests from authorities

5. Third-Party Data Sharing

We share your personal data with the following third-party service providers, solely to the extent necessary for them to perform services on our behalf:

5.1 Stripe (Payment Processing)

Purpose: Secure payment processing for subscriptions
Data shared: name, email, payment details (processed directly by Stripe)
Compliance: Stripe is PCI-DSS Level 1 certified
Privacy policy: https://stripe.com/privacy

5.2 Resend (Email Delivery)

Purpose: Transactional email delivery (verification, password reset, MFA codes, planner reminders)
Data shared: email address, email content
Privacy policy: https://resend.com/legal/privacy-policy

5.3 OpenAI (AI-Assisted Features)

Purpose: AI writing assistance in community features (Magic Wand) and content moderation classification
Data shared: text content submitted for AI assistance (no personally identifiable information is sent; only the text being processed)
Note: We do not send your name, email, profile information, or learning progress to OpenAI
Privacy policy: https://openai.com/policies/privacy-policy

5.4 DigitalOcean (Infrastructure and Storage)

Purpose: Storage of media content (audio tracks, videos, images, certificates) and hosting infrastructure
Data shared: uploaded content, certificates, avatar images
Privacy policy: https://www.digitalocean.com/legal/privacy-policy

5.5 MongoDB Atlas (Database)

Purpose: Primary database for all application data
Data shared: all account, progress, and community data (encrypted at rest)
Compliance: SOC 2 Type II certified
Privacy policy: https://www.mongodb.com/legal/privacy-policy

5.6 We Never Sell Your Data

Kompunik does not sell, rent, trade, or otherwise commercially transfer your personal data to third parties. We do not share your data with advertisers or data brokers.

6. Cookies and Local Storage

6.1 Essential Cookies

We use a single strictly necessary cookie:

Authentication session cookie (authjs.session-token): A secure, HttpOnly, SameSite cookie managed by Auth.js that maintains your signed-in session. This cookie is required for authentication and cannot be disabled.

6.2 Local Storage (Browser)

We store the following values in your browser's localStorage for UI preferences. These are strictly necessary for the Service to function correctly and are never transmitted to our servers:

kompunik_theme — your light/dark/system theme preference
kompunik_accent — your accent color theme (indigo, rose, amber, sky)
kompunik_active_course — your currently selected course identifier
kompunik_avatar_banner_dismissed — whether you have dismissed the avatar setup prompt

We also store the following values related to the free diagnostic feature. These are used to remember your access state and are never transmitted to our servers:

kompunik_diagnostic_unlocked — whether you have unlocked the diagnostic results by providing your email address
kompunik_diagnostic_email — the email address you entered to unlock the diagnostic results
kompunik_diagnostic_timestamp — the date and time when you first viewed the diagnostic results (used for the limited-time access countdown)

6.3 Analytics

We use anonymized, aggregated analytics to understand how the Service is used. All analytics are processed internally using our own database — we do not use third-party analytics services such as Google Analytics, Mixpanel, or similar tools.

6.4 No Third-Party Tracking Cookies

We do not use third-party tracking cookies, advertising cookies, or cross-site tracking technologies. We do not participate in ad networks or retargeting programs.

Note: When payments are enabled via Stripe Checkout, Stripe may set its own cookies (e.g., __stripe_mid, __stripe_sid) during the checkout process for fraud prevention. These are third-party cookies set by Stripe and subject to Stripe's Privacy Policy.

7. Data Retention

We retain your personal data for the following periods:

7.1 Account Data

During active account: Your account information, profile data, and preferences are retained for the duration of your active account
After account deletion: Account data is deleted within thirty (30) days of account deletion, except where retention is required by law

7.2 Learning Progress Data

During active account: Your progress data (completion status, quiz scores, listening time, etc.) is retained for the duration of your active account
After account deletion: Progress data is deleted within thirty (30) days of account deletion

7.3 Community Content

Posts and comments: Retained until you delete them or until your account is deleted
Reported content: Content that has been reported and actioned may be retained for up to ninety (90) days after deletion for moderation audit purposes
After account deletion: Community content is deleted within thirty (30) days of account deletion

7.4 Payment Records

Transaction records: Retained for seven (7) years from the date of the transaction, as required by French commercial law (Article L123-22 of the Code de commerce)
This includes: Transaction identifiers, amounts, dates, and invoice data
This does not include: Payment card details (held only by Stripe)

7.5 Notifications

In-app notifications: Automatically deleted after thirty (30) days via database TTL (time-to-live) index

7.6 Security Logs

Rate limiting data: Retained in memory only and cleared on server restart
Moderation records: Retained for up to one (1) year for policy enforcement purposes

8. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

8.1 Right of Access

You have the right to request a copy of the personal data we hold about you. We will provide this information in a commonly used, machine-readable format.

8.2 Right to Rectification

You have the right to request correction of inaccurate or incomplete personal data. You can update most of your information directly through your profile settings.

8.3 Right to Erasure (Right to Be Forgotten)

You have the right to request deletion of your personal data, subject to certain exceptions (such as legal retention requirements for financial records).

8.4 Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.

8.5 Right to Restriction of Processing

You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data.

8.6 Right to Object

You have the right to object to the processing of your personal data based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds.

8.7 Right to Withdraw Consent

Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

8.8 How to Exercise Your Rights

To exercise any of these rights, you may:

Use the in-app contact form at kompunik.org/help (requires sign-in)
Email us directly at compliance@kompunik.org
Data Protection Officer: compliance@kompunik.org

For GDPR erasure (right to be forgotten) and data portability requests, you can also use the self-service tools in your Profile Settings > Privacy & Data section, which allow you to export your data or delete your account directly.

We will respond to your request within thirty (30) days. If the request is complex or if we receive a large number of requests, this period may be extended by an additional sixty (60) days, in which case we will inform you of the extension and the reasons for it.

8.9 Right to Lodge a Complaint

If you are not satisfied with how we handle your request, you have the right to lodge a complaint with the French data protection authority:

Commission Nationale de l'Informatique et des Libertes (CNIL) 3 Place de Fontenoy, TSA 80715 75334 Paris Cedex 07, France Website: https://www.cnil.fr

9. Children's Privacy

The Service is not intended for children under sixteen (16) years of age. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete that information promptly.

If you are a parent or guardian and believe your child under 16 has provided personal data to us, please contact us at compliance@kompunik.org.

10. International Data Transfers

10.1 Primary Data Storage

Your data is primarily stored within the European Union through MongoDB Atlas, which provides EU-based cluster options.

10.2 DigitalOcean Spaces

Media content (audio tracks, videos, images, certificates) is stored in DigitalOcean Spaces, which may utilize data centers located in the United States or other regions outside the EU.

10.3 Transfer Safeguards

When personal data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including:

Standard Contractual Clauses (SCCs) approved by the European Commission
Adequacy decisions by the European Commission where applicable
Appropriate technical and organizational measures to protect the data

10.4 Other Processors

Our third-party processors (Stripe, Resend, OpenAI) may process data in the United States. Each operates under appropriate transfer mechanisms, including the EU-U.S. Data Privacy Framework where applicable.

11. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher
Encryption at rest: Database data is encrypted at rest using AES-256 encryption
Authentication security: Passwords are hashed using bcrypt; multi-factor authentication (MFA) is available for all users and enabled by default for personal accounts (email OTP)
Access controls: Role-based access control limits data access to authorized personnel and functions
Signed URLs: Media content is delivered through time-limited signed URLs (1-hour expiry)
Security headers: Content Security Policy (CSP), HTTP Strict Transport Security (HSTS), and other security headers are enforced
Input validation: All user inputs are validated and sanitized to prevent injection attacks

For more details about our security practices, please visit our Security page.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors.

12.1 Notification of Changes

When we make material changes to this Policy, we will:

Notify you by email at the address associated with your account
Display a prominent notice within the Service
Update the "Last Updated" date at the top of this Policy

12.2 Review

We encourage you to review this Policy periodically. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Policy.

13. Contact Us

If you have questions about this Privacy Policy, want to exercise your data rights, or have concerns about how we handle your data, please contact us at:

Joss Gillet (Founder of Kompunik) Avignon, France

Privacy inquiries: compliance@kompunik.org
Data Protection Officer: compliance@kompunik.org
General support: contact@kompunik.org

This Privacy Policy is effective as of January 1, 2026.

Beta-Specific Terms

Experimental Nature

This platform is an experimental prototype. Features may change, be removed, or malfunction without notice.

Data Handling

Data collected during the beta may be deleted at the end of the beta period.

Limitation of Liability

Joss Gillet (Founder of Kompunik) shall not be liable for any damages arising from your use of this beta platform. Use is entirely at your own risk.

No Commercial Relationship

This beta does not constitute a commercial service, contract, or subscription.