Effective date: 2026-04-22 Last updated: 2026-04-22
About this document
This Privacy Policy explains what personal data Awiser collects about you, why, how long it is kept, with whom it is shared, and what rights you have. It applies to everyone who uses Awiser, regardless of where you live.
Awiser tries to write this honestly. Where a practice is awkward — for example, what happens to messages when another user deletes their account — this policy describes it truthfully rather than in softened language. See §8. What happens when you delete your account and §6. Public information on Awiser for the notable disclosures.
If you have any question, email privacy@awiser.co.
1. Who is responsible for your data
The data controller for Awiser is:
Valentin LAFONT A French national currently residing in South Korea, acting as an individual. As of the effective date of this Privacy Policy, Awiser is not operated by an incorporated entity.
Contact: privacy@awiser.co Postal address for legal notices: Paris, France.
1.1. EU Representative
Because the controller resides outside the European Union, Article 27 of the GDPR would normally require appointment of a Representative in an EU Member State.
Awiser has not appointed an EU Representative under Article 27 of the GDPR. Users residing in the European Economic Area may exercise their data-subject rights directly by contacting privacy@awiser.co. Awiser will respond within the periods required by the GDPR.
Awiser intends to appoint an EU Representative when the EU user base or regulatory circumstances warrant it. Until then, direct contact is the designated channel.
1.2. Data Protection Officer
Awiser has not appointed a Data Protection Officer. The controller (Valentin LAFONT personally) handles privacy requests at privacy@awiser.co.
2. Scope
This Privacy Policy covers Awiser's processing of personal data in the operation of the service at awiser.co and related domains, applications, and APIs.
It does not cover:
- Third-party services you reach through links from Awiser. Their privacy practices are governed by their own policies.
- Data you share with other users outside Awiser (for example, on another platform or by email) after meeting them on Awiser.
- Personal data processed by sub-processors in their own capacity (for example, Google Analytics processing of your browsing on other sites).
3. Data we collect
3.1. Data you give us directly
When you sign up and use Awiser, we collect:
- Account credentials: username, email address, password (stored hashed using bcrypt)
- Profile data: first name, last name, full name, preferred language, profile picture or avatar
- Signup context: signup type (email, Google, GitHub, Discord, LinkedIn), your IP address at signup, whether you accepted the Terms of Service, whether you accepted marketing emails (default off)
- Content: posts and capsules, projects, comments, direct messages, media files, achievements descriptions, skills, interests, location information you provide, anything else you choose to submit
3.2. Data we receive from sign-in providers
If you sign in using a third-party provider, Awiser receives data from that provider to create or authenticate your account:
| Provider | Data received |
|---|---|
| Name, email address, Google account ID, avatar | |
| GitHub | Name, email address, GitHub user ID, avatar |
| Discord | Username, email address, Discord user ID, avatar |
| Name, email address, LinkedIn user ID, avatar |
Your relationship with each provider is governed by that provider's own privacy policy. Awiser has no control over what the provider sees about your use of Awiser.
3.3. Data collected automatically
When you use Awiser, the following is collected automatically:
- Technical data: IP address, browser type and version, operating system, referring URL, device type, time-zone
- Usage data: pages visited, features used, interactions with content (claps, comments, shares, views), session duration
- Engagement data: your activity feed (the platform logs the last 90 days of your activity for feature purposes — see §7. Retention)
- Cookies and similar technologies: see the Cookie Policy
3.4. Data we derive
Awiser derives limited data from the above, including achievement-eligibility counts (for example, number of claps received) and referral counts.
3.5. Data we do not collect
Awiser does not collect:
- Government-issued identifiers, including Korean resident registration numbers (주민등록번호), passport numbers, or Social Security numbers
- Payment card information (Awiser does not process payments as of this Privacy Policy's effective date)
- Sensitive-category data under GDPR Article 9 (health, political opinions, religious beliefs, sexual orientation, biometric data). If you choose to publish any such information voluntarily (for example in a bio or a post), you alone are responsible for that disclosure.
4. How we use your data and lawful bases
Awiser processes personal data for the following purposes. The lawful basis under GDPR Article 6 is listed for each.
| Purpose | Data involved | Lawful basis (GDPR) |
|---|---|---|
| Create and authenticate your account | Credentials, profile, signup context | Contract (Art. 6(1)(b)) |
| Provide the service and its features | Profile, content, technical, usage | Contract (Art. 6(1)(b)) |
| Show your profile and achievements publicly | Profile, achievements | Contract (Art. 6(1)(b)) |
| Enable messaging and collaboration | Messages, profile, notifications | Contract (Art. 6(1)(b)) |
| Moderate content and enforce the AUP | All content and conduct data | Legitimate interests (Art. 6(1)(f)) |
| Prevent fraud, abuse, and security incidents | Technical, usage, authentication logs | Legitimate interests (Art. 6(1)(f)) |
| Send transactional emails (reset, notifications) | Email, account ID | Contract (Art. 6(1)(b)) |
| Send marketing emails (newsletter) | Consent (Art. 6(1)(a)), opt-in only | |
| Perform analytics | Technical, usage | Consent (Art. 6(1)(a)) — cookie-gated |
| Comply with legal obligations | As needed | Legal obligation (Art. 6(1)(c)) |
| Defend legal claims | As needed | Legitimate interests (Art. 6(1)(f)) |
Awiser's legitimate interests are narrow: operating a safe service, preventing abuse, and defending legal claims. They are balanced against your rights. If you object to processing based on legitimate interests, see §10. How to exercise your rights.
5. Who sees your data
Personal data is shared with:
- Other users of Awiser — your public profile, posts, projects, achievements (if you have set them to public), comments and claps are visible to other users. Your direct messages are visible only to you and the other participant. See §6. Public information on Awiser.
- Sub-processors — third-party services Awiser uses to operate (hosting, email, analytics). The full list is in §12. Sub-processors.
- Authorities — where required by law, court order, or lawful request from a competent authority.
- Professional advisers — in the rare case legal or accounting advice is needed, data may be shared with advisers under confidentiality.
- Successors — if Awiser is transferred to a French entity as described in the Terms of Service §20, personal data will be transferred with the service. Users will be notified.
Awiser does not sell your personal data to anyone. Awiser does not share your personal data with advertisers at this time (see §20. Future changes).
6. Public information on Awiser
Some of what you put on Awiser is public. Please understand what that means before you share it.
6.1. Your profile
Your username, full name, avatar, bio, skills, interests, and location (if provided) are visible to other users of Awiser and may be visible to anyone who visits your profile page. Profile pages may be indexable by search engines unless you configure them otherwise.
6.2. Your posts, projects, and comments
Content you publish is visible to the audience you select for it. Public content is visible to anyone, including people without an Awiser account, and may be indexable by search engines.
6.3. Your achievements and verification pages
When you earn an achievement on Awiser, a public verification page is created at /verify/:code and /achievement/:code. These pages display your full name, username, and profile picture and are accessible to anyone with the link. They may be indexable by search engines unless you set the specific achievement to private.
If you share an achievement link with someone (for example to include on a CV or portfolio), that person and anyone they share it with can see your name and picture on the verification page.
6.4. Your activity
Some activity (projects published, achievements earned, posts shared) appears in other users' activity feeds. Your activity feed entries have a rolling 90-day retention (see §7).
7. How long we keep your data
Awiser retains personal data only as long as necessary for the purpose for which it was collected. The table below lists retention for the main data categories.
| Data category | Retention |
|---|---|
| Account data (profile, credentials) | Until you delete your account, then as described in §8 |
| Posts, projects, comments | Until you delete them, or until you delete your account |
| Direct messages | Until the conversation is deleted — see §8.3 |
| Achievements | Until revoked — see §8.4 |
| Activity feed entries | 90 days (rolling; automatically removed by database TTL) |
| Access and refresh tokens | Access token: 10 minutes. Refresh token: 14 days, rotated on use |
| Password-reset and email tokens | Until expiry (short-lived) or single use |
| Account-deletion feedback | Up to 12 months, then anonymized — see §8.2 |
| Authentication and security logs | Up to 12 months, to detect abuse |
| Moderation records | Duration of the investigation, then retained for legal defence up to 3 years |
| Deleted-comment bodies (soft-delete) | Retained with the visibility flag set to deleted; removed on request |
Specific provisions in §8 override the general table.
8. What happens when you delete your account
Awiser honours account deletion. However, some data is retained for legal, security, or third-party reasons. This section describes what actually happens when you use the account-deletion flow.
8.1. Data that is deleted
Awiser hard-deletes the following when you delete your account:
- Your user record (profile, credentials, preferences)
- Your posts, capsules, projects, adverts
- Your claps, shares, views, comments (comments are soft-deleted; see §8.5)
- Your user-to-user relations, skills, and interests
- Your direct messages you sent (see §8.3)
- Your access tokens and password-reset tokens
- Database records of your uploaded media (the files in storage are scheduled for removal separately)
8.2. Account-deletion feedback
When you delete your account, you are asked to provide feedback about your reason for leaving. This feedback is retained — together with your username and email address — for up to twelve (12) months to help Awiser understand why users leave. After twelve months, the feedback is anonymized so it can no longer be traced back to you. This retention is disclosed here because you reasonably expect "delete account" to erase everything.
8.3. Direct messages
Direct messages are stored as part of a shared conversation between you and the other participant. When you delete your account, shared conversations you participated in are removed from Awiser in full, including messages sent to you by other participants. This means the other participant loses access to their side of the conversation when you delete.
This behaviour is being changed so that your departure removes your identity from the thread while preserving the other participant's messages. Until that change ships, save important messages outside Awiser if you need to retain them.
8.4. Achievements after deletion
Achievement records themselves are not deleted when you delete your account. Verification pages at /verify/:code and /achievement/:code for achievements you earned may remain accessible. Awiser commits to anonymizing these pages on deletion — removing your full name and profile picture so that only the achievement type, the earned date, and a non-identifying verification code remain. The anonymization step is being developed; until it ships, verification pages may display your name and picture after deletion.
8.5. Soft-deleted content
Some content is flagged as deleted rather than hard-deleted, so that conversations and threads remain coherent for other participants. This currently applies to post comments and user-plugin records. The content is not displayed publicly but is retained in the database. If you wish soft-deleted content to be fully removed, email privacy@awiser.co.
8.6. Activity feed entries
Activity-feed entries expire automatically after 90 days via a time-to-live index on the database. You do not need to take action.
8.7. Retained for legal defence
Awiser may retain a narrow set of data (authentication logs, moderation records, account-deletion feedback subject to §8.2, IP addresses associated with abuse reports) for legal defence, abuse prevention, or regulatory compliance, typically for up to three (3) years.
9. Your rights
Depending on where you live, you have some or all of the rights below. The legal basis and the response period vary by jurisdiction.
| Right | EU/EEA and UK (GDPR) | California (CCPA/CPRA) | Republic of Korea (PIPA) |
|---|---|---|---|
| Access or know what is collected | Art. 15 — within 1 month | §1798.100 — within 45 days | Art. 35 — within 10 days (extendable) |
| Rectification | Art. 16 — within 1 month | §1798.106 — within 45 days | Art. 36 |
| Erasure or deletion | Art. 17 — within 1 month | §1798.105 — within 45 days | Art. 36 |
| Restriction of processing | Art. 18 | n/a (limit-use is narrower) | Art. 37 |
| Portability | Art. 20 — within 1 month | (covered by right to know) | Art. 35-2 |
| Object to processing | Art. 21 | §1798.120 — opt out of sale/share | Art. 37 |
| Rights about automated decision-making | Art. 22 | §1798.185 | Art. 37-2 |
| Non-discrimination for exercising | Art. 7(3), 21 | §1798.125 | implicit |
| File a complaint | Any EU supervisory authority | California Attorney General or CPPA | Personal Information Protection Commission (PIPC) |
Awiser does not currently make automated decisions with legal or similarly significant effects about you.
Awiser does not currently sell or share personal data for advertising purposes.
10. How to exercise your rights
Send a request to privacy@awiser.co with:
- Subject line "Data-subject request"
- A description of the right you want to exercise
- Enough information to identify you and your account (for example, the email address associated with your account)
Awiser may ask you to verify your identity before acting on a request (for example, by asking you to confirm the request from the email address on file). Awiser will respond within the period required by the law that applies to you, as listed in §9.
If you are not satisfied with Awiser's response, you have the right to complain to your national data-protection authority (for EU/UK users), the California Attorney General or CPPA (for California residents), or the Personal Information Protection Commission (for Korean residents).
11. International data transfers
Awiser is operated from South Korea and stores data across three locations. Your personal data is transferred between these locations and accessed by Awiser's sub-processors. The table below shows the flows and the legal basis for each.
| Data type | Recipient / location | Legal basis — transfers from the EEA | Legal basis — transfers from Korea |
|---|---|---|---|
| Core user data (DB) | OVH SAS — France | Intra-EU, no additional basis | PIPA Art. 28 consent obtained at signup |
| Media and avatars | Amazon Web Services — Sydney, Australia | AWS DPA, including EU Standard Contractual Clauses | PIPA Art. 28 consent obtained at signup |
| Transactional email | Namecheap, Inc. (PrivateEmail) — USA | Namecheap DPA with EU Standard Contractual Clauses | PIPA Art. 28 consent obtained at signup |
| Analytics | Google LLC — USA | EU-US Data Privacy Framework | PIPA Art. 28 consent obtained at signup |
| Session recordings | Hotjar Ltd — Malta and USA | EU Standard Contractual Clauses | PIPA Art. 28 consent obtained at signup |
| Sign-in providers | Google (USA), GitHub (USA), Discord (USA), LinkedIn (Ireland/USA) | DPF or SCCs as applicable per provider | PIPA Art. 28 consent obtained at signup |
Your consent to these overseas transfers is captured at signup when you accept this Privacy Policy. You can withdraw consent at any time by deleting your account; withdrawal does not affect processing that occurred before withdrawal.
12. Sub-processors
The organizations below process personal data on behalf of Awiser. Each has its own privacy and security obligations, agreed in a data-processing agreement or equivalent.
| Sub-processor | Role | Location | Link |
|---|---|---|---|
| OVH SAS | Database and server hosting | France | https://www.ovhcloud.com/en/personal-data-protection/ |
| Amazon Web Services | Media storage (S3) and CDN (CloudFront) | Australia (ap-southeast-2) | https://aws.amazon.com/privacy/ |
| Namecheap, Inc. | Transactional email (PrivateEmail) | United States | https://www.namecheap.com/legal/general/privacy-policy/ |
| Google LLC | Google Analytics, Google Tag Manager | United States | https://policies.google.com/privacy |
| Hotjar Ltd | Session recordings and heatmaps | Malta / United States | https://www.hotjar.com/legal/policies/privacy/ |
Sign-in providers (when used for authentication):
| Provider | Purpose | Privacy policy |
|---|---|---|
| Google LLC | Sign-in with Google | https://policies.google.com/privacy |
| GitHub, Inc. | Sign-in with GitHub | https://docs.github.com/site-policy/privacy-policies/github-general-privacy-statement |
| Discord, Inc. | Sign-in with Discord | https://discord.com/privacy |
| LinkedIn Ireland | Sign-in with LinkedIn | https://www.linkedin.com/legal/privacy-policy |
Awiser may add, change, or remove sub-processors from time to time. Material changes are reflected in updated versions of this Privacy Policy.
13. Cookies and similar technologies
Awiser uses cookies and similar technologies for authentication, functionality, analytics, and (in the future) advertising. The full list — what cookies are set, by whom, for how long — is in the Cookie Policy.
Strictly-necessary cookies are set by default because they are required to operate the service. Analytics and session-replay cookies are set only if you have given consent through the cookie banner. You can withdraw consent at any time via the banner or your browser settings.
14. Children
Awiser is not directed to children under 16 and does not knowingly collect personal data from children under 16. In the United States, Awiser does not knowingly collect personal information from children under 13 as defined by the Children's Online Privacy Protection Act (COPPA).
If you are a parent or guardian and believe your child has provided personal data to Awiser, please contact privacy@awiser.co and Awiser will delete the account and associated data promptly.
15. Security
Awiser uses reasonable administrative, technical, and physical measures to protect personal data, including:
- Passwords stored using bcrypt with a work factor of 12
- Authentication via short-lived JSON Web Tokens with rotation and reuse detection
- Tokens stored server-side as SHA-256 hashes
- HTTP-only, Secure, SameSite session cookies in production
- HTTP-security headers via
helmet - Rate limiting against brute-force and abuse
- MongoDB query sanitization against NoSQL injection
- XSS defences via DOMPurify on rendering
- Server-side request forgery (SSRF) protections on user-provided URLs
- OAuth state-cookie CSRF protection with a signed, validated redirect-URI whitelist
Awiser does not currently offer multi-factor authentication. Awiser does not represent that the service is invulnerable. No system is perfectly secure.
15.1. Breach notification
If Awiser becomes aware of a personal-data breach that creates a risk to your rights and freedoms, Awiser will notify the relevant supervisory authority within 72 hours where required by law, and will notify affected users where the risk is high, as required by GDPR Article 34 and equivalent rules.
16. Marketing communications
Awiser sends marketing emails — for example, newsletters or product updates — only to users who have explicitly opted in at signup by ticking the marketing-emails preference (the default is unticked). You can withdraw consent at any time by:
- Using the unsubscribe link in the email
- Updating your marketing preferences in account settings
- Emailing
privacy@awiser.co
Transactional emails (password reset, notifications directly related to your account) are not affected by your marketing preferences because they are necessary to perform the contract.
17. Automated decision-making
Awiser does not currently make decisions that have legal or similarly significant effects about you based solely on automated processing.
Achievement eligibility is calculated automatically from your activity on Awiser (for example, counting posts you have published). Achievements do not have legal or financial consequences for you; they are informational only. They do not qualify as automated decision-making in the sense of GDPR Article 22.
18. Regional notices
18.1. European Economic Area and United Kingdom
If you are in the EEA or the UK, the GDPR (and UK GDPR as applicable) applies to Awiser's processing of your personal data. You have the rights described in §9. You may lodge a complaint with your national supervisory authority. The controller identity is in §1. Awiser has not appointed an Article 27 Representative — see §1.1.
18.2. California (CCPA and CPRA)
If you are a California resident, you have the rights listed in §9. Awiser does not sell or share your personal information with third parties for monetary or other valuable consideration. Awiser does not use or disclose sensitive personal information for purposes that would trigger a right to limit under CPRA §1798.121.
To exercise your California-specific rights, contact privacy@awiser.co. Awiser will not discriminate against you for exercising any right under CCPA or CPRA.
California's "Shine the Light" law (Civil Code §1798.83): Awiser does not disclose personal information to third parties for their direct-marketing purposes.
18.3. Republic of Korea (PIPA)
Because the data controller (Valentin LAFONT) resides in the Republic of Korea, Korea's Personal Information Protection Act (PIPA) applies to Awiser's processing activities. You have the rights listed in §9. Awiser does not collect Korean resident registration numbers, passport numbers, or other unique government-issued identifiers. Overseas transfers of Korean users' data are listed in §11; your consent is obtained at signup when you accept this Privacy Policy.
You may file a complaint with the Personal Information Protection Commission (개인정보보호위원회) at https://www.pipc.go.kr/.
19. Changes to this Privacy Policy
Awiser may update this Privacy Policy as the service evolves or as legal requirements change. Material changes will be notified via the platform, email, or both, at least fourteen (14) days before they take effect. Non-material changes (for example, typographical corrections) may take effect immediately.
The current version and effective date are shown at the top of this document.
20. Future changes
For transparency, here are changes Awiser expects to make in the future. This section describes them so you can anticipate them; it is not a legal commitment to any particular timeline.
- Advertising. Awiser may introduce advertising on the platform. If and when advertising is enabled, this Privacy Policy and the Cookie Policy will be updated to disclose advertising partners, cookies set by those partners, and the legal basis for ad personalization.
- Payments. Awiser may introduce paid features. If and when payments are enabled, this Privacy Policy will be updated to disclose the payment processor, the data involved, and the legal basis for processing.
- Incorporation. When Awiser is transferred from Valentin LAFONT personally to a French legal entity, the controller identity in §1 will be updated and users will be notified.
- EU Representative. Awiser intends to appoint an EU Representative under Article 27 GDPR when the EU user base or regulatory circumstances warrant it. This Privacy Policy will be updated at that time.
21. Language
This Privacy Policy is published in English. The Service is currently provided in English only. If Awiser publishes translations in the future, the English version governs in the event of any conflict. This does not affect your right, under the GDPR and applicable national law, to receive essential information about the processing of your personal data in a language you understand — contact privacy@awiser.co if you need that.
22. Contact
For any privacy question, to exercise a data-subject right, or to send a legal notice:
- Email:
privacy@awiser.co - Postal address: Paris, France
End of Privacy Policy.
Questions about this document? Email privacy@awiser.co.