Privacy Policy
Polaris Marketplace — operated by Jean-Luc Oudart-Sintes (PolarisDEV). In accordance with the GDPR (EU 2016/679) and the French Data Protection Act (Loi Informatique et Libertés). Last updated: June 2026.
1. Data Controller
The controller of personal data collected on Polaris Marketplace is:
Jean-Luc Oudart-Sintes — PolarisDEV
13 rue des poiriers, 66200 Elne, France
Email: [email protected]
2. Data We Collect
We collect only what is necessary to operate the Marketplace and fulfil purchases:
- Account data — name, email address, and hashed password when you register with email/password.
- OAuth data — name, email address, and profile picture provided by GitHub or Google when you sign in via those services. We do not receive your OAuth passwords.
- Purchase data — templates purchased, Stripe session and payment intent IDs, amounts, and timestamps.
- Payment data — handled exclusively by Stripe, Inc. We never store card numbers or CVV.
- Download data — the date and time you first download a purchased template.
- Technical data — IP address and server access logs retained for 90 days.
- Support data — the content of emails you send to [email protected].
We use a self-hosted, cookieless analytics tool (Rybbit, hosted at analytics.polarisdev.fr on our own infrastructure) to measure traffic. It records anonymised data — page paths, referrers, browser and OS type, and approximate country derived from IP. IP addresses are not stored. No personal identification is possible from this data.
3. Purpose & Legal Basis
Each processing activity has a specific legal basis under Article 6 GDPR:
| Purpose | Data | Legal basis |
|---|---|---|
| Account management | Name, email, password hash | Contract (Art. 6.1.b) |
| OAuth sign-in | Name, email (from provider) | Contract (Art. 6.1.b) |
| Order fulfilment | Email, purchase record | Contract (Art. 6.1.b) |
| Payment processing | Delegated to Stripe | Contract (Art. 6.1.b) |
| Transactional emails | Name, email | Contract (Art. 6.1.b) |
| File delivery (R2) | Auth token for download | Contract (Art. 6.1.b) |
| Security & fraud | IP, access logs | Legitimate interest (Art. 6.1.f) |
| Legal compliance | Order records (10 yrs) | Legal obligation (Art. 6.1.c) |
| Customer support | Email content | Legitimate interest (Art. 6.1.f) |
| Traffic analytics | Anonymised page views, referrers, device/browser type, approx. country | Legitimate interest (Art. 6.1.f) |
4. Third-Party Processors
We share data only where necessary, under Data Processing Agreements (DPAs) or Standard Contractual Clauses (SCCs) for transfers outside the EEA:
- PolarisDEV (self-hosted analytics) — We operate a self-hosted instance of Rybbit at analytics.polarisdev.fr on our own infrastructure in France. No analytics data is sent to a third party. IP addresses are not stored; only an approximate country is derived.
- Stripe, Inc. — Payment processing and subscription billing. SCCs apply for US transfers. Stripe Privacy ↗
- Resend, Inc. — Transactional email delivery (verification, receipts, password reset). Receives recipient name and email address. SCCs apply. Resend Privacy ↗
- Cloudflare R2 — Object storage for downloadable template files. Download requests are authenticated server-side; your IP may be logged by Cloudflare. Cloudflare Privacy ↗
- GitHub, Inc. — OAuth sign-in provider (optional). When you choose "Sign in with GitHub", GitHub transmits your name, email, and avatar. SCCs apply. GitHub Privacy ↗
- Google LLC — OAuth sign-in provider (optional). When you choose "Sign in with Google", Google transmits your name, email, and avatar. SCCs apply. Google Privacy ↗
We do not sell your personal data to any third party.
5. Retention Periods
- Account data — for the lifetime of your account, plus 12 months after deletion.
- Purchase records — 10 years (French accounting law, Art. L.123-22 Code de commerce).
- Download logs — 10 years alongside purchase records.
- Server logs — 90 days.
- Support emails — 3 years from the last exchange.
- OAuth tokens — not stored; only the email and name derived from OAuth are retained.
6. Cookies & Session
Polaris Marketplace uses only strictly necessary cookies:
- Session cookie — keeps you signed in during your browser session. Expires on browser close.
- Auth token — persistent signed, httpOnly cookie when "Remember me" is checked. Expires after 30 days.
Our analytics tool does not use cookies or any browser storage. It cannot identify individual users across sessions. No consent banner is required under the CNIL audience measurement exemption.
7. Your Rights
Under the GDPR and the French Data Protection Act, you have the following rights. Contact us at [email protected]; we respond within 30 days.
- Access — Obtain a copy of all personal data we hold about you.
- Rectification — Correct inaccurate or incomplete data.
- Erasure — Request deletion of your data, subject to legal retention obligations.
- Portability — Receive your data in a structured, machine-readable format.
- Objection — Object to processing based on legitimate interest.
- Restriction — Request limitation of processing in certain circumstances.
You also have the right to lodge a complaint with the CNIL (Commission Nationale de l'Informatique et des Libertés).
8. Security
Passwords are hashed with scrypt (via Node.js native crypto). All traffic is encrypted with TLS 1.3. Payment data never transits our servers — it goes directly to Stripe. Downloadable files are served via short-lived presigned URLs; they are not publicly accessible.
9. Amendments
We may update this policy at any time. Material changes will be notified by email to registered users at least 14 days before taking effect. The current version is always available at polarisdev.fr/legal/privacy.