Our Commitment
Civytech takes the protection of your personal data very seriously. This policy describes how we collect, use and protect your data in accordance with the General Data Protection Regulation (GDPR) and French Data Protection Law (Loi Informatique et Libertés).
Data Collected and Purposes
PassCitoyen collects the following categories of data, as required by Apple App Store and Google Play Store disclosure requirements:
| Category | Data | Purposes | Attributes |
|---|---|---|---|
| Contact Info | Name | App Functionality · Analytics · Product Personalization | Linked to Identity Tracking |
| Contact Info | Email Address | Analytics · Product Personalization · App Functionality | Linked to Identity Tracking |
| User Content | Gameplay Content | Product Personalization · Analytics · App Functionality | Linked to Identity Tracking |
| User Content | Customer Support | Analytics · App Functionality · Product Personalization | Linked to Identity Tracking |
| Identifiers | User ID | Analytics · App Functionality · Product Personalization | Linked to Identity Tracking |
| Usage Data | Product Interaction | Product Personalization · App Functionality · Analytics | Linked to Identity Tracking |
| Diagnostics | Crash Data | Analytics · Product Personalization · Developer Advertising · App Functionality | Linked to Identity Tracking |
| Diagnostics | Performance Data | Developer Advertising · App Functionality · Product Personalization · Analytics | Linked to Identity Tracking |
1.1 Data Provided Directly by the User
| Data | Purpose | Legal Basis |
|---|---|---|
| Email address | Account creation, communication | Contract performance |
| Username / first name | Personalization | Contract performance |
| Password (hashed) | Secure authentication | Contract performance |
| Profile picture (optional) | Visual identification | Consent |
1.2 Payment Data
Payment data is processed directly by PCI-DSS-certified payment partners. Civytech does not store any banking data. Only a payment customer ID and subscription status are retained.
Legal Basis for Processing
| Processing | Legal Basis |
|---|---|
| Account creation and management | Contract performance |
| Content personalization | Contract performance / Legitimate interest |
| Usage analytics and statistics | Legitimate interest |
| Push notifications | Consent |
| Payment processing | Contract performance |
| Developer advertising and marketing | Consent |
Data Retention
| Category | Retention Period |
|---|---|
| Active account data | Duration of the account |
| Data after account deletion | 3 years (legal obligations) |
| Connection logs | 12 months |
| Diagnostic and performance data | 12 months |
| Payment data | Per our payment partners' policy (5–7 years) |
| Educational progress data | Duration of the account |
Data Sharing
Civytech never sells your personal data. Data may be shared only with:
- Certified payment partners — payment processing (United States, EU Standard Contractual Clauses)
- Expo / Firebase — push notification delivery (optional)
- OVH VPS hosting — server infrastructure in France
These providers are bound by GDPR-compliant data processing agreements.
Your Rights
Under the GDPR, you have the following rights:
- Right of Access — obtain a copy of your data
- Right of Rectification — correct inaccurate data
- Right to Erasure — "right to be forgotten"
- Right to Data Portability — receive your data in a structured format
- Right to Object — object to certain processing activities
- Right to Restriction — temporarily limit processing
To exercise your rights, contact privacy@passcitoyen.fr. We respond within 30 days. You may also lodge a complaint with the CNIL (French Data Protection Authority) at cnil.fr.
Cookies and Trackers
The PassCitoyen mobile app does not use cookies. The website passcitoyen.fr uses only essential cookies required for proper operation (authentication session). No advertising or third-party tracking cookies are used.
Security
Civytech implements appropriate security measures:
- HTTPS encryption (TLS 1.2/1.3) for all communications
- Passwords hashed using a secure algorithm (bcrypt/argon2)
- JWT authentication with short expiry and refresh token
- Restricted and logged server access
- Regular encrypted backups
Data Protection Officer
For any questions about the protection of your data:
Civytech — 35131 Pont-Péan, France
SIREN 104 052 709
