Privacy Policy
Last updated: January 2026
In accordance with the General Data Protection Regulation (GDPR — EU 2016/679), this page informs you about the collection and processing of your personal data on the Worldseas platform.
1. Data Controller
Worldseas (Sole trader)
200 rue de la Croix Nivert, 75015 Paris, France
SIRET: 101 454 577 00012
GDPR contact: privacy@worldseas.com
2. Data Collected
Upon registration and use of Worldseas:
| Data | Purpose | Legal basis |
|---|---|---|
| Email, password (bcrypt hashed) | Authentication | Contract performance |
| Username | User profile | Contract performance |
| Avatar (profile picture) | Profile customisation | Consent |
| Messages, posts, comments | Social network operation | Contract performance |
| Points, badges, level, progression | Gamification | Contract performance |
| IP address (login) | Security (rate limiting, anti-abuse) | Legitimate interest |
| Activity logs (login, logout) | Security, moderation | Legitimate interest |
| Preferred language | Interface localisation | Consent |
3. Cookies Used
Worldseas uses only strictly necessary cookies for the service to function. No advertising or third-party tracking cookies are placed.
| Cookie | Purpose | Duration |
|---|---|---|
| next-auth.session-token | Authentication session (JWT) | 14 days |
| next-auth.csrf-token | Protection against CSRF attacks | Session |
| next-auth.callback-url | Redirect after login | Session |
These cookies are exempt from prior consent (ePrivacy Directive, Art. 5§3).
4. Retention Period
- Active account data: lifetime of the account
- Activity logs (login/logout): 12 rolling months
- IP addresses collected at login: 6 months
- Post-account deletion: 30 days, then permanently deleted
5. Sub-processors & Transfers
Worldseas uses the following sub-processors, all contractually committed to GDPR compliance:
- Hostinger International Ltd. (Cyprus, EU) — website and database hosting
- Cloudinary Inc. (United States) — media storage and delivery (transfer governed by SCCs)
6. Your Rights
Under the GDPR, you have the following rights:
- Access — obtain a copy of your data
- Rectification — correct your information
- Erasure — delete your account and data
- Portability — receive your data in a readable format
- Objection — object to certain processing
- Restriction — temporarily restrict processing
To exercise your rights: privacy@worldseas.com — Response within 30 days maximum.
7. Data Security
Worldseas implements the following measures: password hashing (bcrypt), signed JWT tokens, CSRF protection, rate limiting on login attempts, and role-based access control (RBAC).
8. Minors
Worldseas is intended for users aged 16 and over. Below 16 years of age, the consent of a legal guardian is required (GDPR Art. 8).
9. Changes
In the event of a material change, users will be notified by email or via a platform notification.