Privacy Policy
Effective 2026-06-12 — the French version (« Politique de confidentialité ») prevails.
1. Who we are
Roadmaps is operated by BUREAU, a business registered in France (see the legal notice), the controller of your personal data under the GDPR. Contact for any data question: sideprojectmq@gmail.com.
2. Data we collect
- Account (via Google): email, Google identifier, name, profile picture, chosen learning language and tone.
- Learning content: your free-text goals; the steps, lessons, quizzes (and your answers), concepts and comics generated for you; your progress (XP, streaks).
- Payment (Premium subscribers only): Stripe customer ID and Stripe subscription ID. We never store your card details — those are handled directly and exclusively by Stripe (see section 4).
- Technical logs: IP address, pages visited, technical identifiers, and — for moderation — submitted goals and generation requests.
We collect no passwords (Google sign-in only), no card numbers, no location data.
3. Why (purposes and legal bases)
- Providing the service (contract): building your personalized roadmaps, lessons, quizzes and comics.
- Subscription management (contract): processing payment, activating Premium access, managing renewals and cancellations.
- Security and moderation (legitimate interest): technical logs, quotas, abuse prevention.
- Anonymous analytics (legitimate interest): usage statistics without identification — see section 8.
We never sell, rent, or use your data for advertising.
4. Processors and transfers outside the European Union
Your data is hosted by OVH on servers located in Canada — a country covered by a European Commission adequacy decision for the processing concerned. To generate your content and process payments, some data is sent to providers outside the EU. Your identifiers (email, name, account ID) are never sent to content-generation services — only the text needed for generation:
| Provider | Location | Data sent | Purpose |
|---|---|---|---|
| DeepSeek | China | Goal, step titles/descriptions | Generating roadmaps, lessons, quizzes (API data is not used for training per their policy) |
| Tavily | United States | Search queries derived from steps | Finding learning resources |
| Google (Gemini) | United States | Scene descriptions derived from steps | Comic image generation |
| Google (OAuth) | United States | Sign-in flow | Authentication |
| Stripe | United States | Email (to pre-fill payment form), customer/subscription ID | Premium payment processing — Stripe collects and stores your card data under its own policy (stripe.com/privacy) |
| PostHog | European Union | Anonymous usage events | Analytics (section 8) |
Depending on the provider, these transfers rely on an adequacy decision (Canada), certification under the EU–US Data Privacy Framework (Google, Stripe) or contractual safeguards, and are limited to what is strictly necessary (Art. 44 et seq. GDPR) — generation services only receive text not linked to your identity.
5. Shared public content
Submitted goals are generalized and anonymized into common learning subjects (e.g. "learn guitar" becomes the subject "Guitar"), shared between users. Your text is never published verbatim or linked to your identity. A subject only becomes publicly visible once it has been independently generated and completed by several distinct users — guaranteeing it reflects no identifiable person's goal.
6. Retention
| Data | Duration |
|---|---|
| Account and learning content | Lifetime of the account; immediate, permanent erasure upon deletion |
| Stripe payment identifiers (Premium subscribers) | Retained while the account is active, then erased upon account deletion. Billing records remain with Stripe per their policy. |
| Technical logs | Up to 90 days |
| Session cookie | 30 days |
| Failed generations | 7 days |
| Backups (where applicable) | 30 days |
| Anonymized shared subjects | Retained (not linked to any account) |
7. Your rights (GDPR)
- Deletion: "Delete my account" button in your settings — immediate, permanent erasure of your account and all your content. If you have an active Premium subscription, cancel it via the Stripe portal (accessible from your billing page) before deleting your account.
- Access and portability: on request at sideprojectmq@gmail.com, answered within 30 days.
- Rectification: language and tone editable in settings; anything else on request.
- Objection and restriction: on request at sideprojectmq@gmail.com, in particular for processing based on legitimate interest.
- Complaints: CNIL (cnil.fr) — or the data protection authority of your country of residence.
8. Cookies and analytics
We use only three strictly necessary cookies: sign-in session (30 days), one-shot messages, and Google sign-in security (10 minutes). Stripe may set its own cookies during checkout — those fall under Stripe's policy. We use no advertising or tracking cookies — which is why no consent banner is required for our own use.
Analytics (PostHog, hosted in the European Union) are anonymous and cookieless: no identifier is attached to events, nothing is stored on your device, and your goals or content are never transmitted. Embedded YouTube videos use the "youtube-nocookie" domain.
9. Security
Encrypted connections (HTTPS), signed and protected cookies, strict content security policy, authentication delegated to Google (no stored passwords), database access restricted to the application server. Card data is processed directly by Stripe (PCI-DSS certified) — we never see it.
10. Data breaches
We keep an incident register. In case of a breach presenting a risk to your rights and freedoms, we will notify the CNIL within 72 hours (Art. 33 GDPR) and, where the risk is high, affected individuals without undue delay.
11. Minors
The service is not directed at people under 15 (the French digital-consent age), and we do not knowingly collect their data. If you believe a child under 15 is using the service, contact us for deletion.
12. Changes
Substantial changes will be announced on this page with a new effective date. History: 2026-06-12 — initial version; Stripe and Premium subscription amendment; move to the France/GDPR framework (operating entity: BUREAU).