Privacy Policy
What we collect, where it lives, and how you exercise your GDPR rights. No tracking, no marketing cookies, no third-party analytics.
Last updated · May 13, 2026Versuz is a solo project operated from France. We comply with the EU General Data Protection Regulation (GDPR) and the French Data Protection Act (Loi Informatique et Libertés). This policy explains what data we collect, why, and how you control it.
1. What we collect
Authentication data (when you sign in with GitHub via Supabase Auth) :
- GitHub username and numeric user ID
- Email associated with your GitHub account
- Avatar URL (public)
Purchase data (only if you buy a premium item) :
- Stripe Payment Intent ID, amount, currency, status, timestamp
- Buyer profile reference (your Versuz user ID)
- We never see or store your card details — Stripe handles those entirely on PCI-DSS-compliant infrastructure.
Seller data (only if you activate Stripe Connect to sell) :
- Stripe Connect account ID
- Charges-enabled status, payouts-enabled status (binary flags, not financial data)
CLI submission audit (only if you publish via npx versuz submit) :
- GitHub user ID
- Submitted URL, action (success / duplicate / rejected)
- Timestamp
Newsletter (only if you subscribe via the footer) :
- Email address
- Subscription date
- Unsubscribe token
2. Why we collect it
- Account / Auth : let you sign in, claim ownership of skills you authored, manage your profile. Legal basis : performance of contract.
- Purchases : process payments, deliver download links, generate receipts. Legal basis : performance of contract.
- CLI audit : prevent spam / abuse / impersonation. Legal basis : legitimate interest.
- Newsletter : send weekly digest. Legal basis : consent (opt-in via footer form, unsubscribe link in every email).
3. Where it lives
- Database : Supabase, EU region (Frankfurt, Germany). Data is encrypted at rest and in transit.
- Payment processing : Stripe Inc. (USA, with EU data processing addendum). See Stripe's privacy policy ↗.
- Email delivery : Resend (USA, with EU data processing addendum). See Resend's privacy policy ↗.
- Hosting : Vercel Inc. (USA, with EU edge network). See Vercel's privacy policy ↗.
Transfers to the US are covered by the EU-US Data Privacy Framework and Standard Contractual Clauses where applicable.
4. How long we keep it
- Account data : as long as your account exists, plus 1 year of inactivity, then purged.
- Purchase data : 10 years (French accounting / tax requirement).
- CLI audit logs : 30 days, then anonymised (GitHub ID nulled, keep aggregate stats).
- Newsletter : until you unsubscribe.
6. Your GDPR rights
You can exercise all the following rights by emailing contact@flukxstudio.fr :
- Right of access : we send you a JSON export of all data we hold about you, within 30 days.
- Right to rectification : we correct any inaccurate data.
- Right to erasure : we delete your account and all associated data within 30 days, except where retention is legally required (purchase records).
- Right to portability : your data is exported in machine-readable JSON.
- Right to object : you can opt out of newsletter, audit logging (within technical constraints), or any non-essential processing.
- Right to lodge a complaint : with the CNIL (cnil.fr ↗) if you believe we mishandle your data.
7. Data Protection Officer
Versuz is a solo project and is not required to appoint a formal DPO under GDPR Article 37. Privacy questions and rights requests are handled directly by the founder at contact@flukxstudio.fr.
8. Data breach notification
If we become aware of a data breach affecting your personal data, we will notify you and the CNIL within 72 hours, as required by GDPR Article 33-34.
9. Contact
contact@flukxstudio.fr for all privacy questions or requests. See the Imprint for legal entity details.