Privacy Policy

Last updated: September, 2025

INTRODUCTION

This Privacy Policy describes how Cephalgo SAS (“we,” “us,” or “our”), a Société par actions simplifiée (SAS) with share capital of 45 168 euros, registered in the Strasbourg Trade and Companies Register under number 904 447 323, with its registered office at 8 rue des Veaux, 67000 Strasbourg, France, processes your personal information when you use Listen, our emotional well‑being app with intelligent chat assistance (the “App” or the “Service”).

We are committed to protecting your privacy in accordance with the General Data Protection Regulation (GDPR) Articles 13-15. This application analyzes your emotional data (such as voice tone, text input, and interaction patterns) to provide personalized wellbeing recommendations through AI-driven profiling (Article 22). Under Articles 15-21, you have the right to access, correct, delete, or transfer your data, object to processing, withdraw consent at any time, and lodge complaints with your data protection authority. We process your data based on your explicit consent under Article 6(1)(a) for regular personal data and Article 9(2)(a) for special category data (emotional and health-related information), store it securely for 6 months, and delete it on user request. For detailed information about data processing, retention periods, security measures, and how to exercise your rights, please review our complete Privacy Policy or contact our Data Protection Officer at dpo@cephalgo.com.

This Privacy Policy is an integral part of the Application’s Terms and Conditions of Use. Capitalized terms have the meanings given to them in the Terms and Conditions of Use.

1. KEY POINTS

  • Listen is an emotional well‑being tool that uses artificial intelligence.
  • Your data is processed and stored exclusively in Europe.
  • Your conversations are encrypted in transit and at rest. We process them on secure servers to provide the Service. For details, see “Data Security.”
  • You retain full control over your data.
  • Your data is never sold to third parties.
  • You can request the deletion of your data at any time.
  • No audio recordings are stored. Voice/audio is processed only in real time to produce a text conversation transcript; audio is not retained.
  • We store conversation transcripts only (for accurate emotion journaling and service functionality) and retain them for up to 6 months unless you delete them earlier.
  • Your data may be transferred in business transactions (mergers, acquisitions, or sale of assets) with continued privacy protections.

2. CATEGORIES OF INFORMATION COLLECTED

2.1 Personal Information

Basic identification data

  • Email address (required to create an account)
  • First name (optional)
  • Age or date of birth (optional, to tailor the service)
  • Gender (optional, to tailor the service)

Account data

  • Login credentials (encrypted)
  • Subscription type
  • Payment history
  • User preferences and settings

Audio and voice

  • No voice recordings are stored. If you use voice features, your device’s microphone streams audio ephemerally to enable real‑time responses; the audio is processed to generate text and then immediately discarded. We may record microphone access permissions and settings (e.g., whether you enabled voice), but not the audio itself.
  • We do not use audio data for biometric identification.

We do not collect the following information without your explicit consent:

  • Full contact details (postal address, telephone number)
  • Identity documents
  • Detailed medical or health information

2.2 Conversation Data

  • Full conversation transcripts from exchanges with our chatbot (including transcripts created from voice input). These are stored for up to 6 months for accurate emotion journaling and core Service functionality.
  • Conversations may incidentally contain personal data about third parties. We do not seek or encourage you to share such information and you should avoid doing so. If included, we process it only as strictly necessary to host, transmit, and display your conversations and provide the Service (GDPR Art. 6(1)(f)). We do not use third‑party data for analysis, profiling, model training, or disclosure. Providing individual notices would involve disproportionate effort (GDPR Art. 14(5)(b)). We apply data minimisation, purpose limitation, and restricted access.
  • Support style preferences
  • Selected wellness exercises
  • Progress data and emotional indicators
  • Usage patterns (frequency, duration, times of day)

2.3 Technical Data

  • Device information (device type, operating system, version)
  • Connection data (IP address, approximate location based on IP)
  • Technical identifiers (cookies, application identifiers)
  • Language settings
  • Anonymized usage statistics
  • Performance data and technical errors
  • Audio device information (e.g., microphone presence), but not audio content
  • Voice session metadata (e.g., feature enabled/disabled, duration), without storing audio

2.4 Feedback and Survey Data

  • Feedback content and suggestions about the App
  • Email addresses voluntarily provided for feedback follow‑up (optional)
  • User satisfaction ratings and survey responses
  • Feature requests and improvement suggestions

3. USE OF AI TECHNOLOGIES

3.1 Our AI Technology

Our application uses artificial intelligence to:

  • Provide personalized conversational support
  • Generate CBT‑based and psychotherapy‑inspired exercises tailored to your needs
  • Analyze conversations to identify emotional trends and patterns
  • Gradually improve the quality of service
  • Offer support tailored to your preferences

Voice and Audio Processing

  • Voice input is processed in real time to enable voice‑based conversations with our chatbot.
  • Audio is converted to text; only the text transcript is stored (for up to 6 months). Audio is not stored.
  • Analysis focuses on text and interaction patterns; any prosodic or tonal assessment is performed in real time and not retained as raw audio.

3.2 Technology Security

Our technological infrastructure is:

  • Based and hosted exclusively in the European Union
  • Subject to strict data processing agreements in accordance with the GDPR
  • Selected for high standards of security and confidentiality
  • Regularly audited and updated to ensure data protection and cybersecurity best practices

3.3 Data Processing by AI

  • No complete audio recordings are stored. Audio is processed transiently for conversation generation and discarded immediately after processing.
  • Conversation transcripts (including those derived from voice) are stored for up to 6 months to provide emotion journaling and context continuity.
  • User feedback and ratings may be used to refine system performance, but conversation data is not used for model retraining.
  • You can request human intervention for any automated decision and challenge any automated suggestion.
  • You retain control over whether your non‑essential feedback data is used for system improvement.

3.4 Use of Artificial Intelligence API Services

Listen uses third‑party AI API services to power certain features. In this regard:

  • Conversation content (text) and ephemeral audio streams may pass through AI API providers solely for real‑time generation.
  • Audio is not stored by us and providers are contractually bound not to retain or use it for training without explicit consent.
  • Transmissions are secure and encrypted; we limit data to the minimum necessary.
  • We maintain strict contractual and security controls and conduct periodic reviews of provider compliance.
  • We do not allow your conversation transcripts to be used for training AI models by API providers or for our internal model training.

4. LEGAL BASIS FOR PROCESSING

4.1 Performance of the Contract

Processing necessary to:

  • Provide the Listen service
  • Manage your account and subscription
  • Ensure the chat interface provides responsive, contextually relevant feedback

4.2 Consent

You choose how your information is used. We will only do the following with your explicit consent:

  • Use your conversation data for non‑essential service‑improvement purposes
  • Send you marketing communications
  • Process special‑category data (e.g., health‑related information)
  • Share reports with third parties you designate

You can change your preferences at any time in your settings.

4.3 Legitimate Interests

We may process certain data based on our legitimate interests, in particular to:

  • Ensure application security
  • Prevent fraud
  • Improve and develop our services
  • Analyze use of our services in an anonymized manner
  • Collect and process user feedback to improve our services

4.4 Legal Obligation

We may process your data to comply with legal obligations, including:

  • Responding to requests from competent authorities
  • Complying with tax and accounting obligations
  • Complying with consumer protection regulations

4.5 Special‑Category Data

For any special‑category data (e.g., health‑related information in conversations), processing is based on your explicit consent (GDPR Art. 9(2)(a)). You can withdraw consent at any time in Settings; core features that require such processing will then be unavailable.

5. THIRD‑PARTY SERVICES AND DATA PROCESSING

5.1 Categories of Sub‑processors

We share data only with:

  • Cloud services (EU‑based hosting)
  • Analytics and technical tools (EU‑based)
  • Authentication services (EU‑based)
  • Secure payment services

List of main processors:

  • AWS (EU): data hosting
  • Stripe (EU): payment processing

5.2 Protection Guarantees

Our sub‑processors are primarily based in the EU. Where processing or access occurs outside the EEA, we implement the European Commission’s Standard Contractual Clauses, rely on any applicable adequacy decisions, and apply supplementary measures. All sub‑processors are:

  • Bound by GDPR‑compliant data‑processing agreements
  • Subject to strict security standards and regular audits
  • Required to apply appropriate technical and organisational measures

5.3 Data Collected by Third‑Party Services

Third‑party services may collect:

  • Technical usage data
  • Device information
  • Performance data
  • Connection logs
  • Payment information (for payment services only)

5.4 International Data Transfers

We prefer EU‑based partners. In rare cases where data transfer outside the EU is necessary, we ensure that:

  • Appropriate safeguards are in place
  • Data subject rights are preserved
  • Additional technical measures protect your data
  • You are informed of such transfers

Where we transfer data outside the EEA, we use Standard Contractual Clauses, any applicable adequacy decisions, and supplementary measures.

5.5 Data Sharing and Third Parties

Service Providers: With trusted third parties who assist with App operation, including:

  • Cloud hosting and data storage platforms (AWS EU)
  • AI/chatbot service providers
  • Audio processing and speech‑to‑text services (ephemeral processing only; no audio storage)
  • Analytics and performance monitoring platforms
  • Authentication and security services
  • Payment processing services (Stripe EU)

These providers are obligated to protect your information and use it only for specified purposes.

Legal Compliance: If required by law or to protect our rights, we may disclose your information in response to: subpoenas, court orders, other legal processes, requests from competent authorities, tax/accounting obligations, consumer protection regulations, or to prevent fraud/illegal activities.

Business Transfers: We may share or transfer your information in connection with or during negotiations of any merger, sale of company assets, financing, or acquisition. Your information will remain subject to the applicable privacy policy.

Audio Data Specific Sharing:

  • No voice recordings are stored or shared.
  • When you use voice features, audio may be streamed to EU‑based service providers only for real‑time processing and is not retained.
  • Providers are contractually bound not to use audio for their own purposes and not to retain it.

6. COOKIES AND SIMILAR TECHNOLOGIES

We use cookies, device identifiers, and mobile SDKs. You can manage preferences via our in‑app consent tool and device settings.

6.1 Types of Cookies Used

  • Essential cookies: necessary for the application to function
  • Performance cookies: to analyze performance and use
  • Functionality cookies: to personalize your experience
  • Targeting cookies: only with your consent

6.2 Cookie Management

You can manage your cookie preferences:

  • Via the cookie preferences panel in the app
  • Through your browser or device settings
  • By contacting us directly

Some essential cookies cannot be disabled.

7. DATA SECURITY

7.1 Technical Measures

  • Encryption in transit and at rest for conversation transcripts
  • Secure transmission protocols for voice streams
  • Strict access controls and least‑privilege access
  • Secure servers in Europe
  • Continuous automated security monitoring
  • Advanced security protocols (HTTPS, TLS)
  • Intrusion detection systems
  • Regular security updates

7.2 Organisational Measures

  • Regular staff training
  • Security audits
  • Incident management procedures
  • Regular updates
  • Limited access to data by staff
  • Strict internal privacy policies
  • Rigorous verification process

7.3 Data Protection

  • Systematic anonymization where appropriate
  • Data minimization
  • Secure deletion protocols
  • Encrypted backups
  • Data partitioning (chat data and user‑identifiable information stored separately)
  • Periodic security checks

7.4 Personal Data Breach Notifications

In the event of a personal data breach, we will notify the CNIL and affected users where required (GDPR Arts. 33–34).

8. DATA RETENTION

8.1 Retention Periods

Active User Accounts

  • Conversation Transcripts: retained for up to 6 months on a rolling basis to provide accurate emotion journaling and core functionality. You can delete them at any time through the App.
  • Audio and Voice Data: not stored; audio is processed in real time and discarded immediately after processing.
  • Account and Profile Data: retained for the duration of your active account.
  • Payment History: retained for active accounts plus 10 years as required by law.
  • Technical and Usage Data: retained up to 6 months (anonymized statistics may be kept longer as they do not allow identification).
  • Error Logs and Performance Data: retained up to 6 months.

Inactive Accounts

  • If your account is inactive for 6 months, we will contact you to confirm continued retention.
  • If you do not respond within 30 days, we will begin the data deletion process.

Deleted Accounts

  • Immediate deletion is available upon request.
  • Standard deletion occurs within 30 days after account deletion.
  • Legal retention: billing data retained for 10 years as required by law.

8.2 Archiving and Deletion

User Controls

  • Delete specific conversations, date ranges, or all conversation history
  • Export your data before deletion
  • Set automatic deletion schedules within the 6‑month retention window
  • Request immediate full account and data deletion

Our Obligations

  • Periodic retention reviews
  • User notification of material retention policy changes
  • Secure deletion from active systems immediately and from backups within 30 days
  • Retention logs maintained for compliance

8.3 Retention Justification

  • Contract performance: necessary for ongoing service provision
  • Legitimate interests: limited historical context supports journaling while respecting data minimization
  • Consent: you control retention through account settings within the 6‑month window

9. YOUR GDPR RIGHTS

You have the following rights regarding your personal data:

9.1 Access Rights

  • Access your account information and settings
  • Access generated reports and summaries of your conversations
  • View usage statistics and progress data
  • Access raw conversation transcripts via the App or by request to dpo@cephalgo.com

9.2 Correction Rights

  • Correct account information (name, email, preferences)
  • Update profile settings and preferences
  • Conversation data cannot be modified to preserve integrity, but can be deleted if inaccurate

9.3 Deletion Rights

  • Delete specific conversations, date ranges, or all conversation history
  • Delete your entire account and all associated data
  • Request immediate deletion without waiting periods

9.4 Data Portability Rights

  • Export your generated reports and summaries in a structured format
  • Export your account information and preferences
  • Export conversation summaries and transcripts where feasible under GDPR Art. 20

9.5 Consent Withdrawal

  • Withdraw consent for marketing communications
  • Withdraw consent for non‑essential service‑improvement data use
  • Withdraw consent for optional data processing features
  • Note: Withdrawing consent for core service functionality may prevent app usage

9.6 Objection and Restriction Rights

  • Object to processing for marketing purposes (service access continues)
  • Object to non‑essential improvement processing (service access continues)
  • Object to core service processing (prevents continued app usage)
  • Restrict processing for specific purposes (may limit functionality)

9.7 Automated Decision‑Making Rights

  • Our automated features (e.g., conversation generation and emotional analysis) do not produce legal or similarly significant effects within the meaning of GDPR Art. 22.
  • You may request human review of any AI‑generated response or suggestion.
  • You may challenge automated recommendations or assessments.
  • You may opt out of non‑essential automated emotional analysis; however, the core functionality of Listen relies on automated processing.

10. EXERCISING YOUR RIGHTS

10.1 How to Exercise Your Rights

  • Email: dpo@cephalgo.com
  • Post: Cephalgo SAS, 8 rue des Veaux, 67000 Strasbourg, France
  • Via the App: in your account settings

10.2 Processing Process

  • Confirmation within 48 hours
  • Processing within 30 days (may be extended by 60 days for complex requests)
  • Identity verification required
  • Free assistance
  • Detailed response provided
  • Possibility of appeal to the CNIL in case of dissatisfaction

11. CHANGES TO THE POLICY

We will inform you of any changes by:

  • Email
  • In‑app notification
  • Message on our website

Changes take effect 30 days after notification.

Reasons for changes may include:

  • Legal or regulatory developments
  • Changes in our data processing practices
  • Introduction of new features
  • Changes to our technical infrastructure
  • Recommendations from data protection authorities

12. PROTECTION OF MINORS

12.1 Minimum Age

Listen is not intended for persons under the age of 18.

12.2 Protective Measures

If we learn that a user is under 18, we will:

  • Immediately delete their account
  • Erase all personal data collected
  • Take measures to prevent re‑registration

13. AUDIO DATA AND MICROPHONE ACCESS

13.1 Microphone Permissions

Listen may request access to your device’s microphone to enable voice‑based features. You can:

  • Grant or deny microphone access at any time in device settings
  • Use the Service without voice features if microphone access is denied
  • Modify audio permissions without affecting other functionality

13.2 Voice Data Processing

  • No audio recordings are stored.
  • Audio is processed only in real time to enable conversational AI, converted to text, and discarded immediately.
  • We do not use voice data for biometric identification or authentication.
  • Processing occurs primarily on secure servers within the EU.

13.4 Third‑Party Audio Processing

  • When using voice features, audio may be processed by EU‑based speech/AI providers ephemerally for real‑time generation.
  • All providers are subject to GDPR‑compliant agreements and are not permitted to retain audio.

13.5 Assignment and Business Transfers

Cephalgo reserves the right to assign or transfer rights and obligations under the Terms of Use to a third party. We may share or transfer your information in connection with any merger, sale of assets, financing, or acquisition. In such cases:

  • Users will be notified of any change in data handling
  • The acquiring entity will be bound by the same privacy protections
  • Users retain all rights regarding their personal data (including transcripts)
  • Users may request data deletion before transfer completion
  • The applicable privacy policy will continue to govern data use

The user may not assign or transfer their rights and obligations under the Terms of Use without Cephalgo’s prior written consent. For contractual assignment terms, see the “Assignment” clause in our General Terms and Conditions of Use.

14. CONTACT

14.1 Contact

14.2 Data Protection Officer

Our Data Protection Officer (DPO) can be contacted at dpo@cephalgo.com.

14.3 Supervisory Authority

Commission Nationale de l’Informatique et des Libertés (CNIL)

  • Website: www.cnil.fr
  • Telephone: 01 53 73 22 22
  • Address: 3 Place de Fontenoy, 75007 Paris, France

IMPORTANT

Listen is a wellness and support tool. It is not a medical device and does not replace a healthcare professional. In case of emergency, call 15, 3114, or 112.

About ListenPlansFAQContact UsBlog
Data protection in accordance with GDPR
In any critical situation, please contact the local emergency services on 15, 112, or 3114 as in France.
Privacy PolicyTerms and Conditions