This Privacy Policy explains how Glassfull processes personal data when you use Grademe.
1. Data controller
The controller of the personal data processed through Grademe is GLASSFULL, a French SASU operating Grademe at grademe.fr and beta.grademe.fr. For privacy requests, rights requests, and data-protection questions, contact ask@glassfull.fr. Glassfull has not publicly designated a separate DPO; privacy matters are handled through that address.
2. Personal data we collect
Depending on how you use the Service, we may process the following categories of data:
- Account and authentication data: email address, auth-provider identifier, session information, and limited account metadata.
- Profile data: username, avatar URL, profile creation date, and related account settings.
- Exercise and challenge activity: submitted files, code, attempts, grading outputs, traces, scores, timestamps, progression markers, cooldowns, and result history.
- Technical and security data: request metadata, logs, IP address and user-agent, anti-abuse signals, and diagnostics.
- Usage and interaction analytics: pages viewed, features used, session activity, and how you interact with the interface, used to understand and improve the product.
- Client-side storage data: local drafts, temporary auth and challenge handoff data, and essential UI preferences in cookies, local storage, or session storage.
3. How we use personal data and legal bases
We process personal data for the following purposes:
- Providing the Service, including account authentication, profile creation, grading, persistence of attempts, and display of progress. Legal basis: performance of a contract or steps taken at your request.
- Service security and abuse prevention, including detecting misuse, preserving service integrity, and investigating incidents. Legal basis: Glassfull's legitimate interests and, where applicable, legal obligations.
- Operational maintenance and debugging, including logs, diagnostics, and reliability improvements. Legal basis: legitimate interests.
- Product analytics and improvement, including understanding which features are used and how the interface is used, in order to improve the Service. Legal basis: our legitimate interest in operating and improving the Service. You may object to this processing as described in Section 10.
- Compliance with legal obligations, for example responding to lawful requests or enforcing our rights. Legal basis: legal obligation and legitimate interests.
4. Cookies and client-side storage
Grademe relies on the technical or strictly necessary storage mechanisms listed below. We also use a limited set of non-essential analytics technologies, which are described in Section 5.
- Authentication and session cookies used by the authentication layer to keep you signed in and secure your session.
- Functional UI cookies for interface state preferences needed for the normal operation of the app.
- Local storage or session storage for exercise drafts, temporary handoff state during sign-in flows, and similar work-preservation functionality.
Because these technologies are used for core functionality, they may be exempt from consent under applicable French cookie rules. We still disclose them here for transparency. Non-essential analytics cookies (PostHog and Google Analytics) are covered separately in Section 5 below.
5. Analytics services we use
We use PostHog (hosted in the European Union) and Google Analytics to:
- understand which features of the platform are actually used,
- see what works well and what doesn't, so we can keep improving the product,
- spot recurring errors on exercises that are poorly designed and fix them,
- generally improve the learning experience.
We never sell your data to any third party, and we never use it for any purpose other than improving the platform. Each provider processes the data under its own data processing agreement.
6. Recipients and processors
Personal data is accessible on a need-to-know basis by authorized people acting for Glassfull. We also rely on carefully selected service providers acting on our behalf, including:
- authentication, database, and object-storage providers;
- infrastructure and hosting providers required to operate the web service and grading workloads;
- identity providers you choose to use when signing in, such as Google or GitHub;
- product analytics and observability providers, including PostHog (hosted in the European Union) and Google Analytics, used solely for understanding product usage and improving the platform — not for selling data or any other purpose.
We may also disclose data when required by law, to respond to lawful process, or to defend Glassfull's rights, users, or systems.
7. International data transfers
Some service providers may process data outside the European Economic Area. Where that happens, we rely on a valid transfer mechanism such as an adequacy decision or the European Commission's Standard Contractual Clauses (2021). Some identity or infrastructure vendors may be based in, or accessible from, the United States or other third countries; those transfers are expected to be governed by the provider's applicable transfer mechanism and contractual commitments.
8. Retention periods
We retain personal data only for as long as necessary for the purposes described above.
- Account and profile data: active account lifetime, then up to 12 months after closure or deletion unless law or dispute handling requires longer.
- Exercise and challenge submissions, attempts, and results: active account lifetime, then up to 24 months after closure or last relevant activity, unless longer retention is necessary for security, anti-abuse, or legal-defense purposes.
- Technical and security logs: up to 12 months, unless an incident requires a longer preservation period.
- Browser-side drafts and handoff state: cleared by the application lifecycle or your browser settings.
9. Security
We implement technical and organizational measures to protect personal data. No online service can guarantee absolute security, so you should avoid uploading secrets or highly sensitive information to Grademe. These measures may include authentication controls, access restrictions, isolated execution environments, logging, rate limiting, and other anti-abuse or operational safeguards appropriate to the service.
10. Your rights
Subject to applicable law, you may have the right to access, rectify, erase, restrict, or object to certain processing of your personal data, to withdraw your consent at any time where processing is based on consent, and to data portability where applicable. To exercise any of these rights — including account deletion, data access, or correction — contact ask@glassfull.fr. We may ask for reasonable proof of identity before processing a request.
You also have the right to lodge a complaint with a competent supervisory authority, including the French data-protection authority (CNIL), if you believe your rights have been violated.
11. Minors
Grademe is intended for users aged 15 or older, consistent with our Terms of Service. We do not knowingly collect personal data from children below the age of digital consent applicable in their country without the authorization required by law. If you believe a minor has provided personal data without the required authorization, contact ask@glassfull.fr and we will take appropriate steps to address the request.
12. Changes to this policy
We may update this Privacy Policy from time to time to reflect legal, technical, or product changes. The latest version will always be published on this page with an updated effective date.