← Back

Privacy Policy

Last updated: 2026-04-19

Who runs this service

This service is operated by Mathieu Magnin (the "data controller"), an individual based in France. For any privacy-related request, contact TODO@example.com.

What we collect

When you sign in with GitHub, we store only the fields GitHub returns about your public profile:

  • provider & uid — to identify your account across sign-ins.
  • username — your GitHub handle, displayed in the header.
  • name — your public name, if set on GitHub.
  • avatar_url — a link to your public GitHub avatar.

We also store your spaced-repetition progress (which cards you have seen, which box they are in, when they are next due).

A single session cookie is set when you sign in, so we know it is still you on the next request. This cookie is strictly necessary to operate the service and is not used for tracking.

Why we collect it (legal basis)

Processing is based on the performance of the free service you signed up for (GDPR Art. 6(1)(b)) and on our legitimate interest in recognising returning users so your progress is preserved (GDPR Art. 6(1)(f)).

What we do not collect

  • No email address. GitHub does not give us one, and we do not ask.
  • No tracking or advertising cookies.
  • No third-party analytics (no Google Analytics, no Plausible, nothing).
  • No payment information. The service is free.

How long we keep it

Your data is kept for as long as your account exists. If you ask us to delete your account, we delete the row and all associated progress within 30 days.

Where your data is processed

The application and its database run on a single server hosted in TODO: hosting region. Data does not leave that server except when you sign in via GitHub (see below).

Third parties

  • GitHub — handles the OAuth sign-in flow. See their privacy statement.
  • The hosting provider runs the server that stores the database. No other third-party processor is involved.

Your rights (GDPR)

Under the GDPR, you have the right to:

  • Access the data we hold about you.
  • Have it rectified if it is wrong.
  • Have it deleted ("right to be forgotten").
  • Object to our processing of it.
  • Receive a copy of it in a portable format.
  • Lodge a complaint with your national data-protection authority (in France, the CNIL).

To exercise any of these, email the contact address above. We reply within 30 days.

Changes to this policy

We will update this page and bump the "Last updated" date when anything changes. Material changes will also be flagged on the landing page.

Last updated: 2026-04-19