Transaction Services Training

Privacy Policy

Last updated: 2026-05-21

This policy describes the personal data Transaction Services Training ("we") collects, how it is used and stored, and your rights regarding it. It applies to transactionservicestraining.com and the associated training platform.

1. Data controller

Transaction Services Training — contact: contact@transactionservicestraining.com. Privacy questions, GDPR requests or incident reports can be sent to this address.

2. Data we collect

2.1 When you sign up

  • Name and email address (entered manually or fetched via Google Sign-In)
  • Password (bcrypt-hashed with cost=12 — we never store plaintext passwords)
  • Locale detected at signup (FR/EN/DE/ES/IT/PT)
  • Acquisition source (UTM source/medium/campaign, external referrer, landing path) captured via sessionStorage to measure our marketing channels

2.2 While using the platform

  • Learning progress: completed lessons, quiz attempts, submissions, scores
  • Gamification: XP, streak, badges
  • Public community activity: posts, replies, likes (only if you interact)
  • Last seen timestamp (for the "online" indicator)
  • Profile picture (only if you upload one)
  • LinkedIn URL (only if you provide one)

2.3 At purchase

  • Payment data: handled exclusively by Stripe. We never see your card number. We only receive: transaction status, amount, currency, Stripe ID, date.
  • Invoice: URL hosted by Stripe, kept for legal accounting requirements (10 years, French Commerce Code art. L123-22).

3. Use of Google user data (Google API Services)

This section details how the application uses Google data, in compliance with the Google API Services User Data Policy and the Google APIs Terms of Service.

3.1 Google Sign-In (end user)

When you choose to sign in with Google rather than with an email + password, the application requests access to the following scopes:

  • openid
  • https://www.googleapis.com/auth/userinfo.email
  • https://www.googleapis.com/auth/userinfo.profile

Data accessed: your email address, display name, and public Google profile picture URL.

Use: create your platform account, authenticate you on subsequent sign-ins, send you transactional emails (signup confirmation, submission feedback notifications, etc.) and — unless you have unsubscribed — the onboarding email sequence.

Storage: your email, name, and Google profile picture URL are stored in our PostgreSQL database hosted by Neon (EU region), encrypted at rest. We do not retain Google OAuth tokens for end users beyond what is strictly necessary for authentication (NextAuth.js JWT, 30-day session).

Third-party sharing: this data is not shared with other third parties, except our email delivery provider (Resend) which receives your email address to deliver transactional emails.

3.2 Administrative access to Google Ads, Search Console and Analytics (GA4) APIs

The application also accesses the Google Ads, Search Console and GA4 APIs, exclusively using the personal Google account of the Transaction Services Training founder (never with end users' accounts). Scopes:

  • https://www.googleapis.com/auth/adwords — Google Ads API
  • https://www.googleapis.com/auth/webmasters.readonly — Search Console (read-only)
  • https://www.googleapis.com/auth/analytics.readonly — GA4 Data API (read-only)

Data accessed: advertising performance metrics (spend, impressions, clicks, conversions, keywords) of our own Google Ads account; Search Console statistics (queries, positions, CTR) for the domain we own; sessions and events from our own GA4 property.

Use: generate internal weekly analytics reports to inform marketing and product decisions. This data is only visible to the admin team via the /admin/reports console.

Storage: the OAuth refresh token is stored encrypted at rest in Vercel Environment Variables. Pulled data snapshots are stored in our PostgreSQL database (Neon, EU), accessible only to admin accounts.

Third-party sharing: none of this data is shared with third parties.

Limited Use compliance: in accordance with the Limited Use clause, Transaction Services Training commits to never using data obtained via these APIs to train AI / ML models, never reselling it, and never granting third-party access except as required by law.

4. Sub-processors and third-party services

We use the following services to operate the platform. Each has access to a strictly necessary subset of your data:

  • Stripe (Ireland, US transfers under SCCs) — payment processing
  • Neon (EU) — PostgreSQL database
  • Vercel (USA, under SCCs) — application hosting
  • Resend (USA, under SCCs) — transactional and marketing email delivery
  • Crisp (France) — customer chat (only if you accept analytics cookies)
  • Microsoft Clarity (USA, under SCCs) — anonymised heatmaps (only if you accept analytics cookies)
  • Google Analytics 4 (USA, under SCCs) — audience analytics (only if you accept cookies)
  • Google Ads (USA, under SCCs) — ad conversion tracking (only if you accept cookies)

5. Legal basis (GDPR)

  • Contract (Art. 6.1.b): account creation, course access, payment, support
  • Legitimate interest (Art. 6.1.f): security, fraud prevention, internal analytics
  • Consent (Art. 6.1.a): analytics cookies, marketing email sequences (one-click unsubscribe available)
  • Legal obligation (Art. 6.1.c): invoicing retention

6. Retention

  • Active account: as long as you use the platform
  • Inactive 24 months: automatic deletion (except Stripe history — 10-year accounting requirement)
  • Deletion request (GDPR Art. 17): executed within 30 days via the "Delete my account" button in /profile or by email
  • Payment data: 10 years (French Commerce Code)
  • Analytics logs: 14 months maximum (CNIL recommendation)

7. Your rights (GDPR Art. 15-22)

You can exercise the following rights at any time by emailing contact@transactionservicestraining.com or via the in-app controls in /profile:

  • Right of access (Art. 15)
  • Right of rectification (Art. 16)
  • Right to erasure / "right to be forgotten" (Art. 17)
  • Right to restriction of processing (Art. 18)
  • Right to data portability (Art. 20)
  • Right to object (Art. 21)
  • Right to unsubscribe from emails (one click via the link in every marketing email)
  • Right to lodge a complaint with a supervisory authority (in France: cnil.fr)

8. Cookies

See our dedicated cookie policy. In short: no analytics cookies are set without your explicit consent (CNIL-compliant banner). Technical cookies (session, CSRF) are strictly necessary and do not require consent.

9. Security

  • TLS 1.3 encryption for all communications
  • Passwords stored as bcrypt hashes (cost=12)
  • HSTS, CSP, X-Frame-Options in place (OWASP security headers)
  • Databases encrypted at rest (Neon, Vercel)
  • Rate-limiting on sensitive routes (sign-in, sign-up, password reset)

10. Changes to this policy

In case of a significant change, we will notify you by email at least 30 days before it takes effect. The last update date is shown at the top of this page.

11. Contact

For any question, GDPR request or incident report: contact@transactionservicestraining.com.