Profstarter — Privacy Policy

Last updated: March 4, 2026

This privacy policy describes how Cours de ASBL (BCE 0649.780.234), operating the Profstarter platform on coursde.org, collects, uses, and protects personal data when you use our services, including the Facebook and Instagram integration.

1. Data Controller

Cours de ASBL
Representative: Vincent Laurent
Email: [email protected]
Website: https://coursde-de.antipolo.ai

2. What is Profstarter

Profstarter is a platform that helps independent teachers create and manage their professional teaching website. Each teacher gets a subsite on coursde.org where they can present their courses, manage enrollments, and publish content.

The Facebook/Instagram integration allows teachers to import photos from their Facebook Page and linked Instagram Business account directly into their Profstarter dashboard, to illustrate their teaching profile and course pages.

3. Data We Collect via Facebook/Instagram

3.1 Authentication Data

When a teacher connects their Facebook account, we receive and store:

  • User access token — A long-lived token (60 days) used to access the Facebook API on behalf of the user. Automatically refreshed before expiry.
  • Page access token — A non-expiring token for the selected Facebook Page.
  • Page ID and Page name — To identify the connected Facebook Page.
  • Instagram Business Account ID and username — If the Facebook Page has a linked Instagram Business or Creator account.

3.2 Photo Data

When a teacher browses their Facebook/Instagram photos through our interface, we temporarily fetch:

  • Photo thumbnails and URLs — Displayed in a photo browser for selection. These are fetched from Meta servers in real time and are not stored.
  • Photo metadata — Names, captions, and creation dates, displayed alongside thumbnails. Not stored.
  • Album information — Album names and cover photos for navigation. Not stored.

When a teacher chooses to import selected photos:

  • The selected photos are downloaded from the Meta CDN and saved as WordPress media attachments on our server.
  • The imported photos become regular files on the teacher’s subsite, completely independent from Facebook/Instagram.
  • We do not maintain any live connection or synchronization with Facebook/Instagram after import.

3.3 Facebook Permissions Requested

  • pages_show_list — To list the Facebook Pages managed by the user.
  • pages_read_engagement — To access Page content including photos and albums.
  • pages_read_user_content — To read photos uploaded to the Page.
  • instagram_manage_insights — To access the linked Instagram Business account media feed.

We do not request permissions to post, publish, or modify any content on your Facebook Page or Instagram account. Our access is strictly read-only for the purpose of photo browsing and import.

4. How We Use Your Data

  • Authentication tokens — Used exclusively to authenticate API requests to Facebook/Instagram on your behalf. Stored in the WordPress database, accessible only to the site administrator.
  • Imported photos — Used to illustrate the teacher’s profile, courses, and workshop pages on their Profstarter subsite.
  • Page/account identifiers — Used to display the connection status in the teacher’s dashboard and to make API calls to the correct Page/account.

We do not:

  • Sell, rent, or share your data with third parties
  • Use your data for advertising or profiling purposes
  • Access your personal Facebook profile, friends list, or private messages
  • Post or publish anything on your behalf
  • Store your Facebook password

5. Data Storage and Security

  • Hosting: All data is stored on a Hetzner server located in Nuremberg, Germany (EU).
  • Database: MariaDB with restricted access (localhost only, no remote connections).
  • Encryption: All communications are encrypted via TLS/SSL (Let’s Encrypt certificates). Access tokens are stored in the WordPress options table with standard WordPress database security.
  • Access control: Only the authenticated teacher (via their WordPress account) and the network administrator can access the stored tokens.
  • SSRF protection: The photo import endpoint only allows downloads from verified Meta CDN domains (fbcdn.net, cdninstagram.com).

6. Data Retention

  • Access tokens: Stored as long as the Facebook/Instagram connection is active. Immediately deleted when the teacher disconnects.
  • Imported photos: Retained as WordPress media attachments for as long as the teacher’s subsite exists. Teachers can delete imported photos at any time from their dashboard.
  • Cached page data: Temporary cache (1 hour) of the user’s Facebook Pages list, used during the connection flow only.

7. Disconnection and Data Deletion

Teachers can disconnect their Facebook/Instagram account at any time from the “Integrations” tab in their dashboard. Upon disconnection:

  • All stored access tokens (user token, page token) are permanently deleted
  • Page and Instagram account identifiers are permanently deleted
  • Previously imported photos remain in the media library (they are independent copies)
  • No further API calls are made to Facebook/Instagram

You can also revoke access from your Facebook account directly: Facebook Settings → Business Integrations.

8. International Data Transfers

Photo data is fetched from Meta CDN servers, which may be located outside the EU. These transfers are governed by Meta’s own data processing terms. Once imported, all data resides on our EU-based server.

No personal data is shared with or transferred to any other third party.

9. Your Rights (GDPR)

Under the General Data Protection Regulation (GDPR), you have the following rights:

  • Right of access — Obtain a copy of your personal data.
  • Right to rectification — Correct inaccurate data.
  • Right to erasure — Request deletion of your data (subject to legal obligations).
  • Right to data portability — Receive your data in a structured format.
  • Right to object — Object to the processing of your data.
  • Right to withdraw consent — At any time, without affecting the lawfulness of prior processing.

To exercise these rights, contact us at: [email protected]

10. Supervisory Authority

If you believe that the processing of your data infringes your rights, you may file a complaint with:

Belgian Data Protection Authority (APD/GBA)
Rue de la Presse 35, 1000 Brussels, Belgium
Website: www.autoriteprotectiondonnees.be
Email: [email protected]

11. Changes to This Policy

We reserve the right to modify this privacy policy at any time. Any changes will be published on this page with an updated date.