Privacy Policy
Last updated: June 2026
Introduction
FrançaisFlow is operated by Klaudia Kromołowska ("we", "us", "our"). We are committed to protecting your privacy. This policy explains how we collect, use, and protect your personal data when you use our French learning platform, in accordance with the General Data Protection Regulation (GDPR).
Data Controller
The controller of your personal data is Klaudia Kromołowska, with correspondence address at ul. Warszawska 111, 42-200 Częstochowa, Poland. Tax ID (NIP): 6793269779. Contact: salut@francaisflow.com. As the controller, we determine the purposes and means of processing your personal data.
Data We Collect
We collect: your email address and display name when you create an account; your learning progress, exercise results, and spaced repetition state; your preferences (language, theme, learning goals); payment information processed by Lemon Squeezy, our merchant of record (we do not store card details); and aggregated, anonymised usage analytics to improve the platform.
Legal Basis for Processing
We process your data on the following bases under GDPR Article 6: (a) Contract performance (Art. 6(1)(b)) — account data, learning progress, and subscription management are necessary to deliver the service you signed up for; (b) Legal obligation (Art. 6(1)(c)) — billing and transaction records are retained to comply with Polish accounting law (5-year statutory requirement); (c) Consent (Art. 6(1)(a)) — if you opt in to marketing communications, your email is processed for that purpose; consent may be withdrawn at any time without affecting the lawfulness of prior processing.
How We Use Your Data
Your data is used to: provide personalised learning experiences through spaced repetition; track your progress and generate statistics; process subscription payments; improve our platform and content; and send account-related transactional notifications. Marketing communications are sent only with your explicit, separate consent.
Third-Party Processors
We share data with the following processors, each bound by a Data Processing Agreement: Supabase Inc. (USA) — database and authentication infrastructure; Lemon Squeezy, LLC (USA) — our merchant of record for payments, invoicing, and subscription management (acts as an independent controller for transaction data); Sentry / Functional Software Inc. (USA) — anonymised error tracking; PostHog, Inc. (USA; data hosted in the EU) — product analytics and conversion funnels, loaded only after you accept analytics cookies. We do not sell your data to any third party.
International Data Transfers
Some processors are based outside the European Economic Area (EEA), specifically in the United States. These transfers are safeguarded by Standard Contractual Clauses (SCCs) approved by the European Commission under GDPR Article 46(2)(c), ensuring your data receives equivalent protection.
Data Storage & Security
Your data is stored on Supabase (PostgreSQL) with row-level security policies. All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Access is restricted to authorised personnel only.
Data Retention
We retain your data as follows: account and learning data — kept for the lifetime of your account and deleted within 30 days of an account deletion request; billing and transaction records — retained for 5 years as required by the Polish Accounting Act (Ustawa o rachunkowości); server and error logs — retained for 90 days; marketing consent records — retained until you withdraw consent or request deletion.
Cookies & Tracking
We use only essential cookies (authentication session, invite gate, demo mode) and functional cookies that you control (interface language, theme). We also use PostHog for product analytics and conversion funnels — it sets cookies and collects usage data, so under our strict consent settings it loads only after you accept analytics cookies. If you choose ‘Essential only’, all non-essential scripts (analytics and browser error monitoring) stay switched off. You can change or withdraw your choice at any time via Cookie settings (below or in the footer), or through your browser.
| Name | Category | Purpose |
|---|---|---|
| sb-*-auth-token | Essential | Login session (Supabase authentication) |
| ff-invite | Essential | Invite-token gate during pre-launch |
| ff_demo_mode | Essential | ‘Try demo’ mode flag |
| NEXT_LOCALE | Essential | Selected interface language (en/pl) |
| francaisflow-theme | Functional | Remembers your dark/light theme |
| ff-onboarded | Functional | Skips onboarding once you have completed it |
| ff-cookie-consent | Essential | Stores your cookie choice (browser local storage) |
Analytics and error monitoring load only after you accept. To review, change, or withdraw your choice:
Your Rights
Under GDPR you have the right to: access your personal data (Art. 15); correct inaccurate data (Art. 16); request deletion of your data (Art. 17); restrict processing (Art. 18); receive your data in a portable format (Art. 20); object to processing based on legitimate interests (Art. 21); withdraw consent for marketing at any time. To exercise these rights, visit the Settings page or contact us at salut@francaisflow.com.
Right to Lodge a Complaint
If you believe we are processing your personal data in violation of GDPR, you have the right to lodge a complaint with the Polish supervisory authority: Urząd Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warsaw, Poland, www.uodo.gov.pl.
Contact
For privacy-related questions or to exercise your rights, contact us at: salut@francaisflow.com. We will respond within 30 days.