Privacy Policy
Last updated: April 28, 2026 · Version 3.0🇨🇦 Your account data (email, encrypted password, licence) is hosted in Canada
🛡️ Student personal data never leaves your browser
💳 Payments are processed by Stripe — your card details never touch our servers
📧 Emails go through Resend (USA) — transit only, not stored
🚫 We never sell or share your data for commercial purposes
1. Data Controller
| Company | EDUsolutions |
| Product | GroupeSync — groupesync.ca |
| Contact | The personal data protection officer |
| info@groupesync.ca | |
| Country | Canada (Quebec) |
2. Personal Data Collected
2.1 Account data
- Email address
- Password (bcrypt hash, 10 rounds — never stored in plain text)
- First name, last name, and school name
- Unique licence key
- Licence expiry date
- Activation log (max 6 devices per licence)
2.2 Payment data
Processed exclusively by Stripe Inc. (PCI-DSS Level 1). GroupeSync never stores any card numbers. We only retain: Stripe session ID, payment confirmation, amount and date.
2.3 Contact form data
Email, name, and message transit through Resend to our inbox. Not stored in a database.
2.4 Student list data
🛡️ Core principle
- Imported Excel file: processed in memory — never transmitted to our servers
- Generated groups: stay in browser RAM only
- Local history: stored on the user's own computer (localStorage)
- Cloud save (optional): hosted in Canada, tied exclusively to your account
- PDF export: generated on-the-fly — never stored on our servers
3. Purposes of Processing
| Purpose | Legal basis |
|---|---|
| Account management and application access | Contract performance |
| Payment processing and receipt issuance | Contract performance |
| Notifications (renewal reminders, password reset) | Contract performance / Legitimate interest |
| Responding to contact or demo requests | Legitimate interest |
| Aggregated anonymous analytics (Plausible) | Legitimate interest |
| Legal compliance and security | Legal obligation |
4. Data Hosting and Location
| Data type | Provider | Country |
|---|---|---|
| Account data, licences | Upstash / Vercel KV | 🇨🇦 Canada |
| Cloud save (optional) | Upstash / Vercel KV | 🇨🇦 Canada |
| Application & landing | Vercel Inc. | Global CDN |
| Payments | Stripe Inc. | 🇺🇸 USA (PCI-DSS L1) |
| Transactional emails | Resend Inc. | 🇺🇸 USA |
| Analytics (optional) | Plausible | 🇪🇺 European Union |
Transfers to the United States (Stripe, Resend) are governed by contractual clauses compliant with PIPEDA. These providers are contractually required to protect your data.
5. Security Measures
| Measure | Description |
|---|---|
| Password encryption | bcrypt, 10 rounds — never stored in plain text |
| Communication encryption | TLS 1.3 mandatory (HTTPS) |
| Session cookies | HttpOnly + Secure + SameSite=Lax |
| Brute-force protection | Max 5 login attempts per 15 min per IP |
| Password reset | 64-character random token, expires in 1h, single use |
| Payment verification | Stripe cryptographic signature (constructEvent) |
| HTTP security headers | HSTS 2yr, X-Frame-Options, CSP, Permissions-Policy |
| Data isolation | Each account can only access its own data |
6. Data Retention
| Data | Retention |
|---|---|
| Active account data | Duration of licence + 30 days after expiry |
| Deleted account data | Deleted within 30 days of request |
| Session tokens | 30 days (auto-renewed on login) |
| Password reset tokens | 1 hour — deleted after use |
| Pre-payment temporary hash | 2 hours — deleted after payment confirmation |
| Stripe transactions | Per Stripe policy (typically 7 years, tax compliance) |
| Connection logs | 90 days maximum |
7. Your Rights
Under PIPEDA (Canada), Quebec Law 25, and GDPR (EU), you have the following rights. We guarantee a response within 30 days.
| Right | Description | How to exercise |
|---|---|---|
| Access | Obtain a copy of your personal data | info@groupesync.ca |
| Rectification | Correct inaccurate or incomplete data | Via your account or email |
| Erasure | Request deletion of your data | info@groupesync.ca |
| Portability | Receive your data in a structured format | info@groupesync.ca |
| Objection | Object to certain processing activities | info@groupesync.ca |
8. Cookies and Trackers
| Cookie | Purpose | Duration | Type |
|---|---|---|---|
| gs_session | User session authentication | 30 days | Strictly necessary |
| Plausible Analytics | Anonymous audience measurement (no cookie) | No cookie | Analytics — no individual tracking |
| Stripe.js | Fraud detection during payment | Session | Functional (payment only) |
No advertising cookies, no behavioural tracking, no fingerprinting.
9. Protection of Minor Students' Data
- GroupeSync is intended for education professionals — not students themselves
- Student data is processed within the user's legal professional capacity
- GroupeSync does not collect data directly from minor students
- Student data is never used for commercial or advertising purposes
- The user is responsible for obtaining required authorizations from their school board
10. Policy Updates
In case of substantial changes, you will be notified by email at least 30 days before the changes take effect. The current version is always available at groupesync.ca/privacy.
11. Contact and Complaints
EDUsolutions
📧 info@groupesync.ca
🌐 groupesync.ca
If you believe your rights have not been respected, you may contact:
- Office of the Privacy Commissioner of Canada — priv.gc.ca
- Commission d'accès à l'information du Québec (CAI) — cai.gouv.qc.ca
- Your national data protection authority (for EU residents)
Version in force: April 28, 2026