Privacy Policy
Last updated: 14 May 2026 Effective date: 14 May 2026
This Privacy Policy describes how InSkillBoost ("we", "us", or the "Service") collects, uses and protects your personal information. We are committed to compliance with:
- Quebec Law 25 (An Act to modernize legislative provisions as regards the protection of personal information),
- The Canadian PIPEDA (Personal Information Protection and Electronic Documents Act),
- The EU GDPR (General Data Protection Regulation 2016/679) and the UK Data Protection Act 2018,
- The California CCPA/CPRA (where applicable),
- The Brazilian LGPD (where applicable).
1. Who we are (data controller)
The data controller / responsible party is:
Haythem Rehouma — InSkillBoost Quebec, Canada Email (privacy / DPO): privacy@inskillboost.com
2. What data we collect
2.1 Data you provide directly
- Course-access password input when accessing protected courses (verified locally; we do not transmit it).
- Email address if you contact us.
- Feedback or messages sent through forms or email.
2.2 Data collected automatically
- Technical/log data: IP address (truncated), browser type and version, operating system, referring URL, pages visited, timestamps. These may be retained briefly by our hosting provider (Vercel) for security and performance.
- Cookies and similar technologies — see our Cookie Policy.
- Analytics (only after your consent): page views, anonymized device data via Google Analytics 4 with IP anonymization and Google Consent Mode v2.
2.3 Data we do NOT collect
- We do not collect payment data. The Service is free.
- We do not sell or rent your personal information to third parties.
3. Why we process your data (legal basis under GDPR)
| Purpose | Legal basis (GDPR Art. 6) | Retention |
|---|---|---|
| Operate and secure the Site | Legitimate interest (Art. 6(1)(f)) | Up to 12 months (logs) |
| Verify access to protected courses | Contract / legitimate interest | Session only |
| Reply to your messages | Consent + legitimate interest | Up to 24 months |
| Analytics (aggregated, anonymized) | Consent (Art. 6(1)(a)) | Up to 14 months |
| Comply with legal obligations | Legal obligation (Art. 6(1)(c)) | As required by law |
4. Cookies and consent
By default, no non-essential cookie or analytics script is loaded until you give explicit consent through our cookie banner.
- For users in the EU, EEA, UK and Quebec, we apply Google Consent Mode v2 in default-deny mode.
- You can change your preferences at any time via the "Manage cookies" link in the footer.
5. Data sharing and processors
We share your data only with the strict minimum of vetted processors:
- Vercel Inc. (hosting / CDN) — USA, with Standard Contractual Clauses for EU transfers.
- Google LLC (Analytics, optional, only after consent) — USA, with Standard Contractual Clauses.
- Cloudflare (CDN, partial) — global.
We do not sell, rent or trade your personal information.
6. International transfers
Some processors are located outside Quebec/Canada/EU. Where applicable, we rely on:
- Adequacy decisions of the European Commission, or
- Standard Contractual Clauses (SCCs) approved by the European Commission, or
- Privacy framework certifications (e.g. EU-US Data Privacy Framework).
For Quebec residents, transfers outside Quebec are subject to a privacy impact assessment as required by Law 25.
7. Your rights
Subject to your country's law, you have the following rights:
- Right of access — obtain a copy of your data.
- Right of rectification — correct inaccurate data.
- Right of erasure / "right to be forgotten" (GDPR / Law 25).
- Right to restrict or object to processing.
- Right to data portability.
- Right to withdraw consent at any time (without affecting prior lawful processing).
- Right not to be subject to a fully automated decision with legal effect.
- Right to lodge a complaint with your supervisory authority:
- Quebec: Commission d'accès à l'information du Québec
- Canada (federal): Office of the Privacy Commissioner
- EU/EEA: your national DPA (e.g. CNIL in France, AEPD in Spain, BfDI in Germany)
- UK: Information Commissioner's Office (ICO)
To exercise any right, email privacy@inskillboost.com. We respond within 30 days (extendable to 60 days for complex requests, with notice).
8. Data security
We apply reasonable technical and organizational measures, including:
- HTTPS/TLS for all traffic.
- Strict HTTP security headers (HSTS, X-Content-Type-Options, etc.).
- Password-hashing for protected courses.
- Principle of least privilege for administrative access.
- Periodic security reviews.
In the event of a personal data breach likely to result in a risk to your rights, we will notify the relevant supervisory authority within 72 hours (GDPR / Law 25) and inform affected users without undue delay.
9. Data retention
We keep personal data only as long as necessary for the purposes described. Default retention periods are listed in section 3. After that, data is deleted or irreversibly anonymized.
10. Children
The Service is not directed to children under 13. We do not knowingly collect personal information from children under that age (or 16 in the EU/EEA where stricter law applies). Parents may contact us to request deletion.
11. Changes to this policy
We may update this policy. The "Last updated" date reflects the latest revision. Material changes will be highlighted on the Site for 30 days.
12. Contact / DPO
For any privacy question, request or complaint:
InSkillBoost — Privacy / DPO Email: privacy@inskillboost.com Postal mail: Quebec, Canada (full address provided on request)
For users in the EU, you also have the right to contact our EU representative (where required by Article 27 GDPR — currently being designated; details will appear here when finalized).