Privacy policy

Data controller

OrkestrAI — SARL Paye ta com !

3 chemin de Plisseau, 33710 Bayon-sur-Gironde, France

Email: contact@orkestrai.org

Data protection officer (DPO)

For any question regarding the protection of your personal data, contact our DPO at: contact@orkestrai.org

Data collected

We collect and process the following personal data:

  • Identity and account: full name, email address, hashed password
  • Exam data: answers, scores, certification level, verification code
  • Proctoring data: suspicious events (tab switches, fullscreen exits), screenshots captured during the exam
  • Payment data: payment status, dates (payment processing handled by Stripe — we do not store card details)
  • Assisted correction data: text voluntarily entered in the AI correction module

Legal basis for processing

Your data is processed on the following legal bases:

  • Contract execution: providing the certification service (exam, results, certificate)
  • Legitimate interest: anti-fraud measures and proctoring during exams
  • Consent: screen capture during the exam (explicit consent required before starting)

Data retention

Your data is kept for the following durations:

  • User account: for the duration of the account, plus 3 years after deletion
  • Exam sessions and results: 3 years after the exam date
  • Proctoring screenshots: 1 year after the exam date
  • Invoices: 10 years (legal obligation)
  • AI correction prompts: kept in our systems only for the time needed to process the request (no dedicated persistent storage on the platform side)

Data recipients

Your data is not sold or shared for commercial purposes. It is accessed only by:

  • Stripe: secure payment processing (PCI DSS certified)
  • IONOS: hosting provider (data stored on a European server)
  • Mistral AI: response-generation processor for the assisted correction feature

AI processing (Mistral AI)

Assisted correction is provided through the Mistral AI API. Text entered in this module is sent to this provider to generate feedback and then displayed in the interface.

Do not use this module to transmit sensitive personal data, application secrets, or confidential information not required for correction.

Your rights

In accordance with the GDPR, you have the following rights over your personal data:

  • Right of access: obtain a copy of all your personal data
  • Right of rectification: correct inaccurate data
  • Right of erasure: request deletion of your account and all associated data
  • Right of portability: export your data in a machine-readable format (JSON)
  • Right of restriction: limit the processing of your data
  • Right of objection: object to the processing of your data

You can exercise your rights of portability and erasure directly from your profile page. For other requests:

Submit a GDPR request

Right to lodge a complaint

If you believe that your rights are not being respected, you can lodge a complaint with the CNIL (Commission Nationale de l'Informatique et des Libertés) at www.cnil.fr.

Data security

We implement appropriate technical and organizational measures to protect your data: hashed passwords, screenshots encrypted at rest (AES-256), HTTPS, admin audit logging, and automatic purging of expired data.