Privacy Policy
Last updated: March 1, 2026
1. Data controller
The data controller for your personal information is NextFlutter SAS. For any questions related to this policy, you may contact us at: privacy@nextflutter.com.
2. Data we collect
We collect two types of data. Data you provide directly: username, email address, avatar, and profile information you voluntarily enter. Data generated by your use of the platform: course progress, submitted exercises and scores, AI Coach analysis history, login sessions (date, time, IP address), and platform preferences. If you sign in via Discord, we only receive the information Discord shares according to your permissions (ID, username, email address).
3. Purposes and legal bases
Your data is processed for the following purposes: contract performance (account management, access to courses and features, progress tracking); legitimate interests (platform improvement, fraud prevention, security); consent (marketing communications, analytics cookies); legal obligation (retention of billing data). You may withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.
4. Cookies and trackers
NextFlutter uses essential cookies to maintain your authenticated session. Your JWT access tokens are stored in secure httpOnly cookies (with Secure and SameSite=Strict attributes), inaccessible to JavaScript, to prevent XSS attacks. We also use Google Analytics (via Google Tag Manager) to measure platform audience and analyze navigation behaviors in aggregate. Analytics cookies are only placed with your consent, collected via our cookie banner. You may withdraw consent at any time through the banner or by clearing your browser cookies.
5. Data sharing
We never sell your personal data. It may be shared only with technical sub-processors strictly necessary for service delivery: cloud hosting provider, payment processor, audience analytics service (Google Analytics), and third-party authentication service (Discord). Each sub-processor is bound by a GDPR-compliant data processing agreement. In the event of a sale or merger of NextFlutter, you will be informed in advance and your rights will remain unchanged.
6. Data retention
Account data is retained for the duration of your registration, then deleted within 30 days of your deletion request, unless longer retention is legally required. Billing data is retained for 10 years in accordance with French accounting and tax obligations. Analytics data collected via Google Analytics is retained for 26 months, in line with CNIL-recommended settings.
7. Your rights (GDPR)
Under the General Data Protection Regulation (GDPR — EU 2016/679), you have the following rights: right of access, right to rectification, right to erasure ("right to be forgotten"), right to restriction of processing, right to data portability, right to object. To exercise these rights, send a request to privacy@nextflutter.com with proof of identity. We will respond within 30 days. If your request is not resolved, you may lodge a complaint with your national data protection authority (in France: the CNIL at www.cnil.fr).
8. Security
We apply technical and organizational security measures proportionate to the risks involved: encrypted communications (HTTPS/TLS), robust password hashing (bcrypt), JWT tokens stored in httpOnly cookies inaccessible to JavaScript, strict access control to production data, and regular security audits. In the event of a data breach posing a risk to your rights and freedoms, you will be notified within 72 hours, in accordance with Article 34 of the GDPR.
9. Changes to this policy
NextFlutter may update this Privacy Policy to reflect changes in our practices or legal requirements. For material changes, you will be notified by email or through a prominent notice on the platform. The date of the latest update is always shown at the top of this page.