Privacy Policy

CAPIA.AI SASU attaches particular importance to the protection of personal data. This policy describes the processing operations carried out as part of the Wander Sensei service, in application of Regulation (EU) 2016/679 ("GDPR") and the amended French Data Protection Act.

Last updated · May 2, 2026
This page is provided for informational purposes only. Only the French version is authoritative in case of dispute.

1. Data controller

The data controller is:

  • Company: CAPIA.AI (SASU)
  • SIREN: 942 853 201
  • Registered office: 5e étage, 2 place de Barcelone, 75016 Paris, France
  • President: Wen Ching Ying

For any request relating to your personal data: privacy@wandersensei.com

2. Data collected

We collect the following categories of data:

  • Account: email address, hashed password, first name (optional), selected track, creation date.
  • Authentication: Google OAuth identifiers if you sign in with Google.
  • Payment: amount, date, transaction ID, last digits of the card (full bank details are never stored by CAPIA.AI; they are processed solely by Stripe).
  • Service usage: questions attempted, scores, progress, estimated level.
  • Technical data: truncated IP address, device type, browser, locale.
  • Communications: content of emails and messages you send us.

3. Purposes and legal bases

  • Provide the service (account, access to content, progress tracking)
    Performance of the contract (art. 6.1.b GDPR)
  • Manage orders and payments
    Performance of the contract
  • Send transactional emails (confirmation, invoices, access)
    Performance of the contract
  • Improve the service and fix bugs
    Legitimate interest (art. 6.1.f GDPR)
  • Comply with our legal and accounting obligations
    Legal obligation (art. 6.1.c GDPR)
  • Anonymised audience measurement
    Legitimate interest, without identifying cookies
  • Newsletter and marketing communications
    Consent (art. 6.1.a GDPR), revocable at any time

4. Retention periods

  • Active account: for the entire duration of use, then three (3) years from the last connection.
  • Billing data: ten (10) years from invoicing (accounting obligation).
  • Payment data: retained by Stripe according to its own rules (generally 13 months for transaction records).
  • Technical logs: twelve (12) months maximum.
  • Newsletter: until consent is withdrawn, then three (3) years for evidentiary purposes.

5. Recipients and processors

Your data may be communicated to our processors, strictly to the extent necessary for their tasks:

  • Vercel Inc.
    USA / EU edges
    Front-end hosting, edge network, analytics
    Standard Contractual Clauses (SCC), EU/USA
  • Google Cloud (Cloud Run, Cloud SQL, Cloud Storage)
    europe-west9 (Paris)
    Backend API, database, PDF storage
    Data stored in the EU
  • Stripe Payments Europe Ltd.
    Ireland (EU)
    Payment processing
    Data stored in the EU; PCI-DSS Level 1
  • Google Firebase Authentication
    USA / multi-region
    Authentication (email, Google OAuth)
    Standard Contractual Clauses (SCC)
  • Resend
    USA
    Transactional email delivery
    Standard Contractual Clauses (SCC)
  • Vercel Analytics
    USA / EU
    Anonymised audience measurement (without cookies)
    No directly identifying personal data

6. Transfers outside the EU

Some processors may process your data outside the European Economic Area (notably Vercel, Firebase, Resend). Such transfers are governed by the Standard Contractual Clauses adopted by the European Commission (Decision 2021/914) or by any other appropriate safeguard provided for by the GDPR.

7. Your rights

In accordance with Articles 15 to 22 of the GDPR, you have the following rights:

  • right of access to your data;
  • right of rectification;
  • right to erasure ("right to be forgotten");
  • right to restriction of processing;
  • right to data portability;
  • right to object to processing based on legitimate interest;
  • right to withdraw your consent at any time where processing is based on it;
  • right to set instructions regarding the fate of your data after your death.

To exercise these rights, write to us at privacy@wandersensei.com specifying your request. We will reply within thirty (30) days. You also have the right to lodge a complaint with the CNIL (www.cnil.fr).

8. Security

CAPIA.AI implements appropriate technical and organisational measures to protect your data against any loss, alteration or unauthorised access: encryption in transit (TLS), encryption at rest for the database, password hashing, strictly limited access to authorised personnel, regular backups.

9. Cookies and trackers

The site uses a limited number of cookies and trackers strictly necessary for the operation of the Service as well as, subject to your consent, audience measurement tools. For more details and to change your choices at any time, see our Cookies page.

10. Minors

The service is intended for natural persons of legal age. We do not knowingly collect data concerning minors under 15 years of age.

11. Updates

This policy may be updated. The date of last update appears at the top of the page. In the event of a substantial modification, you will be informed by email or by notification within the Service.

A legal question or a GDPR request?

Write to us; we reply within 30 days at the latest.