Privacy Policy

Last updated on February 9, 2026

Section 1: Purpose of this Privacy Policy

The purpose of this Privacy Policy is to inform you of the purposes and methods of processing your personal data by LégiSchool, whose identity is set forth below, in accordance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, establishing the General Data Protection Regulation (GDPR), Law No. 78-17 of January 6, 1978, on Information Technology, Data Files, and Civil Liberties, as well as your related rights.

Article 2: Definitions

“Personal data”: Any information that allows for the direct or indirect identification of a natural person who is identified or identifiable, as defined in Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the General Data Protection Regulation (GDPR)

“Special categories of personal data”: Personal data falling within the categories referred to in Article 9 of the GDPR, that is, data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; genetic data; biometric data enabling the unique identification of a natural person; data concerning health; or data concerning a natural person’s sex life or sexual orientation.

“E-learning”: A learning method that provides access to interactive training courses on the Internet through the use of multimedia content, such as pre-recorded video or audio clips, self-correcting quizzes, and PDF-style handouts available online. This type of instruction is asynchronous, meaning it allows learners to study whenever they wish, at their own pace, and, if necessary, intermittently, by accessing various pre-recorded educational materials available 24/7. It differs from synchronous distance learning, in which the learner participates in real-time instruction with an instructor via a teleconferencing solution. E-learning involves the learner creating a user account on a platform known as an LMS (“learning management system”), which allows them to access modules combining the various multimedia content mentioned above, and tracks and records their progress within those modules, as well as their quiz results.

“Distance learning”: Training delivered remotely, in real time, by an instructor to one or more learners or trainees, via a video conferencing platform.

“Vocational training/Training activity/Training”: Continuing vocational training aimed at promoting the entry or re-entry of workers into the workforce, enabling them to remain employed, fostering the development of their skills, and facilitating access to various levels of professional qualifications, as defined in Article L. 6311-1 of the Labor Code.

“Data Protection Act”: Law No. 78-17 of January 6, 1978, on Information Technology, Data Files, and Civil Liberties.

“Training organization”: Any entity that provides vocational training, as defined in Article L. 6313-1 of the Labor Code, is registered with the relevant administrative authority, and holds a business registration number. The training organization LégiSchool is hereinafter referred to as “the training organization.”

“GDPR”: Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the General Data Protection Regulation (GDPR).

“Trainee/Learner”: Any individual who undertakes a training program with a training organization as defined in Article L. 6313-1 of the Labor Code. Any individual who undertakes a training program with LégiSchool is hereinafter referred to as “the trainee.”

The terms “Data Controller,” “Data Processor,” and “Processing” have the meanings assigned to them by the GDPR.

Our privacy commitments:

  • Our video conferencing and email service provider is based in Switzerland—a country with strong data protection standards—does not transfer data to any third parties, and provides a high level of security and confidentiality

  • The LégiSchool e-learning platform (https://formations.legischool.com), along with all the data it contains, is hosted in France: no data from this platform is transferred outside the European Economic Area or disclosed to third parties

  • LégiSchool’s internal databases are encrypted (AES-256) internally using encryption software and are backed up to the cloud on a very regular basis in encrypted form

Section 3: Situations in Which This Privacy Policy Applies

This Privacy Policy applies to all LégiSchool students and to individuals who have taken the free online practice tests and exams offered by LégiSchool on its website www.legischool.com or on the website www.deroudilleavocat.com. It applies in the following situations:

  1. You are a LégiSchool student who is currently participating in or has participated in a training course organized by LégiSchool, whether in-person, remote, or via e-learning, through the https://formations.legischool.com platform (FIG.1.)

  2. You are any person who has opened a user account on the platform https://formations.legischool.com or who has such an account (FIG.1.)

  3. You are the legal representative of the employer of a LégiSchool student (FIG. 2.)

  4. You have taken one of the practice tests or mock exams made available free of charge by LégiSchool on the websites www.deroudilleavocat.com or www.legischool.com (FIG.3.)

  5. You are a casual visitor to the website www.legischool.com (FIG. 4.)

Article 4: What Is Personal Data?

4.1. What is personal data?

Personal data refers to any information relating to an identified or identifiable natural person.

Personal data is information that can be used to identify you, either directly (e.g., your first and last name, your ID photo, etc.) or indirectly (your phone number or your health insurance membership number).

It is also possible to identify you and deduce information about you by cross-referencing data about you (e.g., age, nationality, height, weight, etc.). This is the case, for example, with biometric data or your precise measurements, which, when combined, can identify a specific individual or identify that individual when combined with other information (such as date of birth).

4.2. What is “special category” or “sensitive” personal data?

Certain types of personal data are subject to specific protections. These are personal data that reveal:

  • racial or ethnic origin,

  • political views,

  • religious or philosophical beliefs,

  • union membership,

  • genetic data,

  • biometric data that uniquely identifies a natural person,

  • health-related data (or data revealing the existence of a disability),

  • data regarding sexual activity.

It should be noted that “health-related data” refers to any data that provides information about your physical condition.

As a general rule, the processing of personal data falling within these categories is always prohibited, unless specific exceptions can be justified, such as, for example, the necessity for medical diagnosis (Article 9(2)(h) of the GDPR).

Tables showing the relationships between categories of personal data, purposes, legal bases, and retention periods

Section 5: Identity of the Data Controller

For all processing activities involving personal data referred to herein, the data controller is:

LégiSchool, Simplified Joint-Stock Company with a Single Shareholder (SASU); Registered with the Paris Trade and Companies Register under number 985 120 690; Represented by Mr. Alexis Deroudille, in his capacity as President; SIRET No. 985 120 690 00013 – VAT No. FR32985120690; located at 67, rue Saint-Jacques, 75005, Paris; contact[a]legischool.fr – www.legischool.com; Tel: +33 (0) 1 43 26 58 10 – Fax: +33 (0) 1 53 61 96 10;

(Hereinafter referred to as “the training organization”).

Section 6: Identity of the Data Protection Officer

LégiSchool’s Data Protection Officer is the person you can contact if you have any questions regarding the protection of your personal data, particularly if you wish to exercise any of the rights listed below.

The Data Protection Officer at LégiSchool can be contacted at the following address:

LégiSchool's Data Protection Officer

67, rue Saint-Jacques

75005 Paris,

Phone: 01 43 26 58 10

Email: privacy[at]legischool.fr

Article 7: Competent Supervisory Authority

The competent data protection authority is:

The National Commission for Information Technology and Civil Liberties (CNIL)

3 Place de Fontenoy

75007 Paris,

Phone: +33153732222

Website: www.cnil.fr

Section 8: Categories of personal data we collect directly from you

8.1. When you are a student

When you are a student at LégiSchool, we collect the following personal data directly from you when we sign the training agreement or training contract (FIG.1.):

  • Last Name

  • First name

  • Mailing address,

  • Email address

  • Phone number

  • Training date and time

  • Training location

  • Course fee

  • Employer's name

  • Signature

  • Qualiopi surveys (satisfaction levels, self-assessment, training evaluations, etc.)

  • If applicable, complaint forms: last name, first name, email address, date, nature of the complaint

  • If applicable, educational background, qualifications, and professional experience

  • If applicable, the existence of a disability, and accessibility measures implemented by LégiSchool

  • Statistical data derived from the preceding information

8.2. When you are the legal representative of a trainee’s employer

When you are the legal representative of a LégiSchool student, we collect the following personal data about you directly from you when we sign the agreement (FIG.2.):

  • Last Name

  • First name

  • Mailing address

  • Email address

  • Phone number

  • Signature

  • Qualiopi surveys (satisfaction levels, self-assessment, training evaluations, etc.)

  • If applicable, complaint forms: last name, first name, email address, date, nature of the complaint

  • Statistical data derived from the preceding information

8.3. If you are a user of the e-learning platform

When you have a user account on the LégiSchool e-learning platform (https://formations.legischool.com), we collect the following personal data about you directly from you (FIG.1.):

  • Last Name

  • First name

  • Email address

  • Phone number (optional)

  • Date of birth (optional)

  • If applicable, user photo (optional)

  • If applicable, information regarding consent to receive electronic solicitations

  • Education and Training

  • For each course: registration date, course start date, last access date, completion date, quiz and multiple-choice test results, course completion rate, total time spent on the course, and the learner’s progress through the course (lessons completed, lessons currently being studied).

  • If applicable, abandoned shopping carts (date and time of the abandoned transaction)

  • Log of recent logins to the platform (login date and time, IP address, login location, browser type, device type)

  • Statistical data derived from the preceding information

8.4. You can take free practice tests or mock exams online

When you take free practice tests or mock exams on the websites www.deroudilleavocat.com or www.legischool.com, we collect the following personal data about you directly from you (FIG.3.):

  • Email address

  • Last Name

  • First name

  • Test results

  • Answers to the quiz questions on the test

  • If applicable, complaint forms: last name, first name, email address, date, nature of the complaint

  • Statistical data based on the preceding information

8.5. You are simply a visitor to the website

When you are simply visiting the LégiSchool website (www.legischool.com), we collect, for security purposes, a log of your connection data to the site for the past six (6) days (IP address, location of connection, browser type, device type), and when you have consented to join our mailing list, we collect, directly from you and with your consent, your email address, your first and last name, and the date on which you consented to receive such “opt-in” communications (FIG.4.)

8.6. Irreversible anonymization and statistics

Finally, we retain irreversibly anonymized data for statistical purposes.

Article 9: Purposes and Legal Bases for the Processing of Personal Data

We process your personal data only when we have a relevant legal basis for doing so, referred to as a “legal basis.” Depending on the purposes of the processing, the processing activities we carry out as the Data Controller may be based on the legal bases set forth in the tables corresponding to the various processing situations (FIG.1, FIG.2, FIG.3, and FIG. 4).

The legal basis for our use of your personal data may include the following:

  • Your consent (Article 6.1(a) of the GDPR) – This applies when we send you marketing emails

  • Necessity for the performance of a contract to which you are a party, or for pre-contractual measures taken at your request (Article 6(1)(b) of the GDPR) – This is the case, in particular, when you are a student: the processing of personal data that we carry out is very often strictly necessary for the performance of our contractual or pre-contractual obligations

  • The necessity arising from a legal obligation that applies to us (Article 6.1(d) of the GDPR) – This applies in particular to our accounting activities as well as the processing operations we carry out to ensure the security of our electronic systems  

  • Our legitimate interests (Article 6(1)(f) of the GDPR) – This applies, in particular, to the statistics we compile using the data we have about you.

If you are a student with a disability, we may also need to collect information about the nature of your disability in order to ensure that our courses are accessible and to adapt them to your situation. This data falls under the category of “special categories” of data that are specifically protected (or “sensitive data”). Therefore, we rely on the following legal basis to process this data:    

  • The processing is necessary for the purposes of fulfilling the obligations and exercising the rights of the controller or the data subject in the field of labor law, social security, and social protection, to the extent that such processing is authorized by Union law, by the law of a Member State, or by a collective agreement concluded under the law of a Member State that provides for appropriate safeguards for the fundamental rights and interests of the data subject (Article 9(2)(b) of the GDPR)

Section 10: How long do we retain the personal data we have collected?

We retain the personal data we collect only for as long as is strictly necessary for the purposes of the processing or as required by applicable law (FIG.1, FIG.2, FIG.3, and FIG. 4).

10.1. If you are a trainee or the legal representative of a trainee’s employer

Therefore, if you are a trainee or the legal representative of a trainee’s employer (FIG. 1 and FIG. 2):

  • We retain training agreements or contracts and related information, including Qualiopi questionnaires, for a period of five (5) years following their signing (the statutory limitation period);

  • We retain data related to your user account on the LégiSchool e-learning platform for a period of three (3) years following the creation of the user account;

  • We retain the user’s account login information for a period of six (6) months following its collection;

  • We retain contact information (phone number, email address) for a period of three (3) years following the completion of the last training session;

  • We retain accounting data for a period of 10 years following the close of the fiscal year.

10.2. When you are a user of the e-learning platform or when you take practice exams or practice tests

If you are a user of the e-learning platform or have simply taken a practice test or mock exam on the websites www.legischool.com and www.deroudilleavocat.com (FIG. 1 and FIG. 3):

  • We retain data related to your user account on the LégiSchool e-learning platform for a period of three (3) years following the creation of the user account;

  • We retain the user’s account login information for a period of six (6) months following its collection;

  • We retain data from submitted practice tests or mock exams for three years from the date the test or exam was submitted.

10.3. When you are a visitor to the site

When you are simply visiting the website www.legischool.com (FIG. 4):   

  • We retain the email addresses you have provided to us—when you have consented to be added to a mailing list—for a period of 3 years from the date of collection

  • We retain the information from contact forms for a period of 3 years following collection

  • We retain access to website visitors' login data for a period of 6 days following their login

Once these retention periods have expired, personal data is permanently deleted or irreversibly anonymized—in particular for the purpose of generating fully anonymous statistics.

Banking information required for online payments is not stored.

Article 11: Data Security

Our video conferencing and email service provider is located in Switzerland, a country for which the European Commission has issued an adequacy decision regarding the transfer of personal data. Personal data related to these services is therefore hosted in Switzerland and is not transferred outside of that country or disclosed to third parties. This provider can demonstrate high security standards (backups, access restrictions, data encryption,

The LégiSchool e-learning platform (https://formations.legischool.com), along with all the data it contains, is hosted in France. No data from this platform is transferred outside the European Economic Area or disclosed to third parties.

LégiSchool’s internal databases are encrypted (AES-256) internally using dedicated encryption software and are backed up to the cloud on a very regular basis in encrypted form.

We implement security measures to protect your data, such as the HTTPS protocol. All the passwords we use are strong passwords generated by a password manager. We regularly monitor our systems to detect any vulnerabilities or attacks.

Article 12: Fully Automated Decision-Making

All decisions we make regarding you, based on the personal data you provide to us, are made by human beings; therefore, they are never the result of fully automated decisions.

Article 13: International Transfers

With the exception of our email and video conferencing service providers, as well as our e-learning platform (https://formations.legischool.com), some of our partners may use the services of providers located outside the European Union or the European Economic Area. However, these partners can demonstrate compliance with adequacy decisions or appropriate safeguards required when carrying out such transfers, including the signing of standard contractual clauses with their service providers located outside the European Union or the European Economic Area.  

Section 14: What are your rights regarding your personal data?

If you wish to exercise your rights regarding the protection of your personal data, please contact LégiSchool’s Data Protection Officer, whose contact information is provided above.

Your rights regarding the protection of personal data are outlined below.

14.1. Right of access to and disclosure of data

You have the right to access your personal data that is being processed.

To assist you in this process, the French Data Protection Authority (CNIL) has provided a sample letter.

14.2. Right to rectification

You have the right to have your personal data corrected and/or updated if it is inaccurate, incomplete, ambiguous, or out of date.

To assist you in this process, the French Data Protection Authority (CNIL) has provided a sample letter.

14.3. Right to erasure or right to be forgotten

You have the right to request that we delete your personal information. This applies, in particular, if you object to the processing of such data on grounds of legitimate interest, or if you have withdrawn your consent, where such consent is the basis for the processing.

To assist you in this process, the French Data Protection Authority (CNIL) has provided a sample letter.

In accordance with our legal obligations and ethical principles, we may be unable to comply with your requests regarding the exercise of your right to be forgotten, particularly when the personal data we hold about you is necessary for the establishment or exercise of legal claims (Article 17(3)(e) of the GDPR).

14.4. Right to restrict processing

You have the right to request that the processing of your personal data be restricted in the following situations:

  • you dispute the accuracy of your personal data for the period necessary for us to verify its accuracy; and/or

  • in the event of unlawful processing on our part and you request that we restrict the use of your data rather than erase it; and/or

  • we no longer need the personal data for the purposes of processing, but you still need it to establish, exercise, or defend legal claims; and/or

  • if you exercise your right to object during the period in which we are assessing whether our legitimate interests override yours.

When the processing of your personal data is subject to a restriction, the Data Controller may, with the exception of storage, process your personal data only with your consent, or for the purposes of establishing, exercising, or defending legal claims, or protecting the rights of another natural or legal person, or for important reasons of public interest of the Union or a Member State.

14.5. Right to object to processing

When the processing of your personal data by our services is based on our legitimate interest, you have the right to object to such processing on grounds of your own legitimate interests related to your particular situation, unless we can demonstrate compelling legitimate grounds for the processing that override your interests.

14.6. Right to data portability

You have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format, so that you can reuse it for your own purposes by transmitting it yourself to another data controller.

14.7. Right to withdraw your consent

When processing is based on your consent, you have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent prior to its withdrawal. To do so, simply contact us at the address provided above.

14.8. Right to provide instructions regarding personal data after death

You have the right to provide instructions regarding what you wish to happen to your personal data after your death: retention, deletion, or disclosure. We encourage you to submit such instructions to us. These instructions may specify a third party whom you designate to carry them out.

14.9. Right to file a complaint with the competent supervisory authority

You have the right to file a complaint regarding how we handle or process your data with the competent national supervisory authority (see above, 4. Competent supervisory authority).

14.10. Processing Times for Claims and Notification

We are committed to responding to your requests within a reasonable timeframe, which shall not exceed one month from the date we receive your request, and to notifying you of any actions taken by our department in accordance with your requests.