Privacy Policy
Effective date: 5 May 2026 Last updated: 5 May 2026
This Privacy Policy explains how 3D Geodata Academy collects, uses, stores, secures and protects your personal data when you visit https://learngeodata.eu (the “Website”) or buy our online courses, programmes and software (“Services”). It is written to satisfy the EU General Data Protection Regulation (Regulation (EU) 2016/679, “RGPD” / “GDPR”) and the French Loi Informatique et Libertés (Loi n° 78-17, hereafter “LIL”).
This policy is part of our Terms of Use, Sale and Refund (https://learngeodata.eu/terms-of-use/).
1. Data controller
The data controller is:
3D GEODATA ACADEMY, SARL with share capital of €1,000 200 rue de la Croix Nivert, 75015 Paris, France RCS Paris 939 586 137, SIRET 939 586 137 00019 APE 85.59A (Formation continue d’adultes) VAT FR18939586137 Gérant: Florent Poux Email for any privacy or data-protection inquiry: howto@learngeodata.eu
We have not appointed a Data Protection Officer (DPO) because the conditions of article 37 RGPD are not met (we do not perform large-scale monitoring nor large-scale processing of special-category data). The contact above receives and handles every request directly.
2. Categories of personal data we collect
We collect only the data we need to deliver our Services and run our business. The categories below are exhaustive. We do not knowingly collect any special-category data within the meaning of article 9 RGPD (health, religion, political views, sexual orientation, biometrics, etc.).
| Category | Examples | Source |
|---|---|---|
| Account data | Name, email, password (stored hashed and salted), country, professional role (optional) | You, at signup or checkout |
| Course interaction data | Courses you enrolled in, lesson and quiz progress, completion timestamps, certificates issued | Your activity on the Website |
| Payment data | Billing name and address, last 4 digits and brand of the card, transaction id, invoice. We never see or store full card numbers, that is held by our payment processors | You and the payment processor |
| Communications data | Emails you send us, support tickets, replies you receive | You |
| Marketing data | Newsletter subscription status, opt-in timestamp, engagement (open / click) with our emails | You |
| Technical and log data | IP address, browser, operating system, referring URL, pages visited, error logs, security events, login telemetry | Your browser via standard server logs and cookies (see section 12) |
| User-generated content | Questions, comments, project submissions, profile photo if you upload one | You |
| Forensic markers | Watermarks and fingerprints embedded in delivered Content for anti-piracy purposes (see Terms section 20) | Generated by us at delivery |
| Proof-of-consent data | Timestamp, IP and user-agent string at the moment you accepted these terms or marketing opt-in | Your acceptance event |
3. Why we use your data and on what legal basis
We process each category for a specific purpose, on one of the legal bases listed in Article 6(1) RGPD.
| Purpose | Data used | Legal basis |
|---|---|---|
| Create and manage your account, give you access to the Services you bought | Account, course interaction | Performance of a contract — Art 6(1)(b) |
| Process payment, deliver invoice | Payment | Performance of a contract + legal obligation — Art 6(1)(b) + 6(1)(c) |
| Issue certificates of completion | Account, course interaction | Performance of a contract |
| Provide customer support and reply to your questions | Communications, account | Performance of a contract / our legitimate interest in answering you |
| Send you transactional emails (purchase receipt, password reset, course updates) | Account, course interaction | Performance of a contract |
| Send you our newsletter and educational marketing emails | Marketing, account | Your consent — Art 6(1)(a). Withdrawable at any time via the unsubscribe link in every email |
| Detect fraud, abuse, scraping, security incidents | Technical, account, forensic | Our legitimate interest in protecting our platform, our other learners and our IP — Art 6(1)(f) |
| Investigate Content leaks (anti-piracy) | Forensic, technical, account | Our legitimate interest in protecting our intellectual property — Art 6(1)(f) |
| Analyse anonymous usage to improve the Website | Technical | Our legitimate interest, balanced against your privacy |
| Comply with our legal, accounting and tax obligations | Account, payment | Legal obligation — Art 6(1)(c), e.g. art. L123-22 Code de commerce |
| Defend our rights in court or before a mediator | All categories | Our legitimate interest |
| Prove your acceptance of our Terms | Proof-of-consent | Performance of a contract + our legitimate interest in proof |
We do not engage in any automated decision-making that produces legal or similarly significant effects on you (Article 22 RGPD). We do not profile you for advertising purposes. We do not sell or rent your data to third parties.
4. Categories of recipients and processors
Inside the Academy, only Florent Poux and any contractor under written confidentiality has access, on a strict need-to-know basis.
We rely on a small number of external service providers acting as processors or sub-processors on our behalf. In line with article 13(1)(e) RGPD, which allows the disclosure of either named recipients or categories of recipients, we describe them by category below. Each is bound by a written contract that meets Article 28 RGPD requirements.
| Category of recipient | Role | Data processed | Where data is processed | Transfer mechanism |
|---|---|---|---|---|
| Web and database hosting provider | Hosts the Website, the database and the operational backups | All Account, course interaction, technical, communications | European Union | N/A, data stays in the EU |
| E-commerce and checkout platform | Manages the order flow and customer records | Account, payment metadata | EU and United States | EU-US Data Privacy Framework + Standard Contractual Clauses |
| Card payment processor | Captures and processes card payments. We never see or store card numbers | Payment data (full card details processed by the provider, not us) | EU and United States | EU-US Data Privacy Framework + Standard Contractual Clauses |
| Alternative payment processor (e-wallet) | Optional alternative to card payment | Payment data | EU and United States | EU-US Data Privacy Framework + Standard Contractual Clauses |
| Transactional email and newsletter delivery | Sends purchase receipts, password resets, and (with your consent) newsletters | Account email, marketing engagement | United States | EU-US Data Privacy Framework + Standard Contractual Clauses |
| Video streaming service | Hosts and streams course videos | IP address, viewing telemetry | United States | EU-US Data Privacy Framework + Standard Contractual Clauses |
| Web-fonts and anti-spam service | Serves typefaces and protects forms from automated abuse | IP address, user-agent | United States | EU-US Data Privacy Framework + Standard Contractual Clauses |
The names of our specific processors are available to any data subject on simple request to howto@learngeodata.eu, together with a copy of the relevant Standard Contractual Clauses.
We may also disclose data to French or EU authorities when required by law (judicial requisition, tax audit, CNIL request). We do not disclose data to non-EEA authorities outside of the safeguards mentioned above.
If 3D Geodata Academy is merged, acquired, or its assets transferred, your data may be transferred to the successor entity. You will be informed in advance, and the successor will be bound by this policy or an equivalent one.
5. International transfers
Some of our processors are located outside the European Economic Area, mainly in the United States. For each transfer, we rely on one of the safeguards listed in article 46 RGPD: certification under the EU-US Data Privacy Framework where available, or Standard Contractual Clauses (Implementing Decision (EU) 2021/914) adopted by the European Commission. We have assessed, where required, that no laws of the recipient country impair the level of protection of these safeguards.
6. How long we keep your data
We retain your data only for as long as necessary for the purposes set out in section 3, in accordance with the recommendations of the CNIL.
| Category | Retention |
|---|---|
| Active Account & course access | For the duration of your contract with us, plus 3 years from your last login (commercial prospection window per CNIL guidance) |
| Course progress & certificates | Same as Account, then anonymised |
| Invoices and accounting records | 10 years from issuance, per article L123-22 of the Code de commerce |
| Marketing consent and email engagement | 3 years from the last interaction with our emails |
| Communications (support tickets, email) | 3 years from the last exchange |
| Technical and server logs | 12 months for security purposes |
| Login telemetry and forensic markers | 3 years for anti-piracy investigation |
| Proof of consent (Terms acceptance, marketing opt-in) | 10 years, per article L213-1 Code de la consommation |
| Refund and dispute correspondence | 5 years from end of dispute |
| Backups | Rolling 30 days, then deleted |
After these periods we either delete the data or anonymise it so that you can no longer be identified.
7. Your rights
Under the RGPD and the LIL you have the following rights, exercisable free of charge:
- Right of access (Article 15 RGPD) — get confirmation that we process your data and a copy of it.
- Right of rectification (Article 16) — ask us to correct inaccurate or incomplete data.
- Right of erasure (Article 17), the “right to be forgotten” — ask us to delete your data when one of the legal grounds applies.
- Right to restriction of processing (Article 18).
- Right to data portability (Article 20) — receive your data in a structured, commonly used, machine-readable format, or have us transmit it to another controller where technically feasible.
- Right to object (Article 21) — object to processing based on legitimate interest, including any direct-marketing processing.
- Right to withdraw your consent (Article 7) — at any time, where processing is based on consent. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.
- Right to define directives on the fate of your data after death — article 85 LIL.
- Right to obtain proof of consent — we hold a record (timestamp, IP, user-agent, version accepted) and will produce it on request.
How to exercise these rights
Send an email to howto@learngeodata.eu from the address linked to your Account, with the subject “RGPD request — [type of request]”. To protect your data, we may ask you to confirm your identity by a means proportionate to the request (typically a confirmation reply from your account email).
We respond within one (1) month from receipt of the complete request (Article 12 RGPD). For complex or numerous requests, we may extend by up to two further months and will tell you why. We do not charge for these requests, except where they are manifestly unfounded or excessive (article 12(5) RGPD), in which case we may charge a reasonable fee or refuse to act.
Right to lodge a complaint with the CNIL
If you believe we are not complying with the RGPD, you have the right to lodge a complaint with the French data-protection authority:
Commission Nationale de l’Informatique et des Libertés (CNIL) 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07 https://www.cnil.fr
You can also contact the supervisory authority of your EU member state of residence.
8. Children
Our Services are intended for adult learners, typically working professionals. We do not knowingly collect data from anyone under the age of 16 (the threshold set by France under Article 8(1) RGPD). If you are under 16, please do not provide us any personal data. If we become aware that we have collected data from a child under 16 without verified parental consent, we will delete it as soon as possible.
9. Security
We apply technical and organisational measures appropriate to the risk, in line with article 32 RGPD:
- In transit: TLS encryption for every page and form (HSTS enabled).
- At rest: hashed and salted passwords (industry-standard algorithm); encrypted database backups.
- Access control: role-based access on the back end; least-privilege principle; multi-factor authentication on admin accounts.
- Software hygiene: regular patching; dependency updates; vulnerability monitoring.
- Backups: daily encrypted backups, retained 30 days; periodic restore tests.
- Logging: admin actions are logged for audit; logs retained 12 months.
- Monitoring: anomalous activity is flagged automatically (concurrent logins, geographic anomalies).
- Vendor diligence: only processors with documented security and adequacy are engaged (section 4).
- Staff: limited number of authorised persons, all bound by written confidentiality.
No method is perfect. We continue to improve our measures as the threat landscape evolves.
10. Personal-data breach response
In the event of a personal-data breach within the meaning of article 4(12) RGPD, we apply the following procedure:
- Detection and containment: as soon as we become aware, we contain the breach (revoke compromised credentials, isolate affected systems).
- Assessment: we evaluate the nature, scope, categories of data and number of individuals affected, and the likelihood and severity of risk to your rights and freedoms.
- Notification to the CNIL: where the breach is likely to result in a risk, we notify the CNIL within 72 hours of becoming aware (article 33 RGPD).
- Notification to you: where the breach is likely to result in a high risk to your rights and freedoms, we inform you directly without undue delay (article 34 RGPD), with a clear description of the breach, the likely consequences and the measures we have taken or recommend.
- Documentation: we keep an internal log of every breach, regardless of severity, including facts, effects, and remedial actions.
11. Hosting and where your data lives
Our Website and database are hosted by OVH SAS (2 rue Kellermann, 59100 Roubaix, France), in OVH data centres located in the European Union. Operational backups remain in OVH EU infrastructure.
12. Cookies and similar technologies
A cookie is a small text file that a website stores on your device. We use cookies to keep you logged in, remember your preferences, secure your session, and understand how the site is used.
We comply with article 82 of the LIL: only cookies that are strictly necessary to deliver a service you explicitly requested are set without your consent. Other cookies require your prior consent and can be refused without losing access to the core features of the Website.
12.1 Cookie categories
Essential cookies (no consent required, art. 82 LIL)
| Cookie | Vendor | Purpose | Duration |
|---|---|---|---|
wordpress_logged_in_* | WordPress (us) | Keep you logged in | Session |
wordpress_sec_* | WordPress (us) | Authentication security | Session |
wp-settings-* | WordPress (us) | Remember admin display preferences | 1 year |
surecart_* | SureCart | Cart, checkout state | Session |
| Cache cookies set by WP Rocket | WP Rocket (us) | Serve correct cached version of a page | Up to 10 hours |
Functional cookies
| Cookie | Vendor | Purpose | Duration |
|---|---|---|---|
learndash-* | LearnDash | Track lesson progress for the logged-in learner | Session |
| Elementor preview cookies | Elementor | Page-builder preview | Session |
Third-party cookies set by embedded content
| Cookie | Vendor | Purpose |
|---|---|---|
| Vimeo player cookies | Vimeo | Video playback, anti-fraud |
| reCAPTCHA cookies (when present) | Anti-spam on forms |
We do not currently run advertising trackers or third-party analytics that build a profile of you. We do not use cross-site tracking pixels.
12.2 How to control cookies
- In your browser: every modern browser lets you block or delete cookies (Chrome: “Cookies and site data”; Firefox: “Privacy & Security”; Safari: “Privacy”; Edge: “Cookies and site permissions”).
- Block third-party cookies: most browsers expose a toggle that disables Vimeo and reCAPTCHA cookies without breaking the rest of the site.
- Withdraw consent: clear your browser cookies for learngeodata.eu. The next visit will not set non-essential cookies until you opt in again.
For more information on cookies and your rights, see the CNIL guide: https://www.cnil.fr/fr/cookies-et-traceurs.
13. Anti-piracy and forensic processing (Terms section 20)
To protect the Content from unauthorised reproduction, we may embed forensic markers in delivered videos, datasets and code (per-user video stamping, fingerprints, watermarks). This processing is based on our legitimate interest in protecting our intellectual property (article 6(1)(f) RGPD), which is recognised as a legitimate interest under recital 47 RGPD. The markers identify the buyer and are used solely to investigate leaks. We retain the marker mapping for 3 years from delivery.
You may at any time exercise your right to object under section 7 (right to object); we will then assess whether your interest overrides ours under article 21 RGPD. If we cannot reconcile the two, we may decline to deliver the affected Content and refund it under section 11 of the Terms.
14. Changes to this policy
We may update this policy from time to time, for example when we add or change processors or when the law evolves. The “Effective date” at the top reflects the latest version. Material changes (new purposes, new categories of recipients, change of legal basis) are highlighted on the Website and, where required, asked for fresh consent.
15. Contact
For any privacy or data-protection question, request, complaint, breach notification or proof-of-consent request:
3D Geodata Academy howto@learngeodata.eu 200 rue de la Croix Nivert, 75015 Paris, France