Privacy Policy

Last updated: September, 2025

INTRODUCTION

This Privacy Policy describes how Cephalgo SAS (‘we,’ ‘us,’ or ‘our’), a Société par actions simplifiée (SAS) with share capital of 45 168 euros, registered in the Strasbourg Trade and Companies Register under number 904447323, with its registered office at 8 rue des Veaux, 67000 Strasbourg, France, processes your personal information when you use Listen, our emotional well-being app with intelligent chat assistance (hereinafter referred to as the ‘App’ or the ‘Service’).
We are committed to protecting your privacy in accordance with the General Data Protection Regulation (GDPR) and the French Data Protection Act.
This Privacy Policy is an integral part of the Application's Terms and Conditions of Use. Capitalized terms have the meanings given to them in the Terms and Conditions of Use.

1. KEY POINTS

  • Listen is an emotional well-being tool that uses artificial intelligence
  • Your data is processed and stored exclusively in Europe
  • Your conversations are encrypted in transit and at rest. We process them on secure servers to provide the Service. For details, see ‘Data Security.’”
  • You retain full control over your data
  • Your data is never sold to third parties
  • You can request the deletion of your data at any time
  • Your data may be transferred in business transactions (mergers, acquisitions, or sale of assets) with continued privacy protections

2. CATEGORIES OF INFORMATION COLLECTED

2.1 Personal Information

Basic identification data:

  • Email address (required to create an account)
  • First name (optional)
  • Age or date of birth (optional, to tailor the service)
  • Gender (optional, to tailor the service)

Account data:

  • Login credentials (encrypted)
  • Subscription type
  • Payment history
  • User preferences and settings

Audio and voice data:

  • Voice recordings from conversations with our chatbot
  • Audio input during voice-enabled sessions
  • Voice patterns and characteristics (for service improvement, not for biometric identification)
  • Microphone access permissions and settings

We do not collect the following information without your explicit consent:

  • Full contact details (postal address, telephone number)
  • Identity documents
  • Detailed medical or health information

2.2 Conversation Data

  • Full conversation transcripts from exchanges with our chatbot
  • Conversations may incidentally contain personal data about third parties. We do not seek or encourage you to share such information and you should avoid doing so. If included, we process it only as strictly necessary to host, transmit, and display your conversations and provide the Service (GDPR Art. 6(1)(f)). We do not use third-party data for analysis, profiling, model training, or disclosure. Providing individual notices would involve disproportionate effort (GDPR Art. 14(5)(b)). We apply data minimisation, purpose limitation, and restricted access.
  • Support style preferences
  • Selected wellness exercises
  • Progress data and emotional indicators
  • Usage patterns (frequency, duration, times of day)

2.3 Technical Data

  • Device information (device type, operating system, version)
  • Connection data (IP address, approximate location based on IP)
  • Technical identifiers (cookies, application identifiers)
  • Language settings
  • Anonymized usage statistics
  • Performance data and technical errors
  • Audio device information (microphone specifications, audio quality settings)
  • Voice session metadata (duration, frequency, technical performance)
  • Audio processing logs and error reports

2.4 Feedback and Survey Data

  • Feedback content and suggestions about the App
  • Email addresses voluntarily provided for feedback follow-up (optional)
  • User satisfaction ratings and survey responses
  • Feature requests and improvement suggestions

3. USE OF AI TECHNOLOGIES

3.1 Our AI Technology

Our application uses artificial intelligence to:

  • Provide personalized conversational support
  • Generate Cognitive-behavioural-therapy-based and psychotherapy-based exercises tailored to your specific needs
  • Analyze conversations to identify emotional trends and patterns
  • Gradually improve the quality of service
  • Offer support tailored to your preferences

Voice and Audio Processing
Our application may collect and process audio data to:

  • Enable voice-based conversations with our chatbot
  • Provide audio-responsive emotional support
  • Analyze speech patterns for emotional well-being insights (anonymized)
  • Improve voice recognition and response accuracy
  • Facilitate hands-free interaction with the service

3.2 Technology Security

Our technological infrastructure is:

  • Based and hosted exclusively in the European Union
  • Subject to strict data processing agreements in accordance with the GDPR
  • Selected for its high standards of security and confidentiality
  • Regularly audited to ensure the protection of your data
  • Updated to incorporate best practices in cybersecurity

3.3 Data Processing by AI

  • Complete audio recordings from voice conversations are stored temporarily for service functionality
  • Voice data is processed in real-time for conversation generation
  • Audio recordings may be retained for quality improvement and service optimization
  • Voice characteristics are analyzed anonymously for service enhancement
  • Audio data is never used for biometric identification purposes
  • Your conversations are systematically anonymized before any analytical processing
  • User feedback and ratings are collected to refine our system performance, but conversation data is not used for model retraining
  • You can request human intervention for any automated decision
  • You can challenge any automated suggestion
  • You retain control over whether your feedback data is used for system improvement and effectiveness demonstration

3.4 Use of Artificial Intelligence API Services

Listen uses artificial intelligence API services provided by third parties to power certain features of the application. In this regard:

  • Full conversation data may pass through these AI API providers solely for real-time conversation generation
  • Audio data may be processed through our AI API providers for real-time voice conversation generation
  • Voice recordings are transmitted securely and encrypted during processing
  • Our AI API providers have confirmed they do not use voice data for training without explicit consent
  • Audio processing is limited to the minimum necessary for service functionality
  • We have strict contractual agreements in place with these providers to ensure the protection of your data
  • Communications with these providers are secure and encrypted
  • Data passing through these services is kept to the minimum necessary
  • We do not allow your conversation transcripts to be used for training AI models by API providers or for our internal model training
  • We conduct regular audits to verify compliance with these commitments

Your complete conversation transcripts are stored for service functionality. Your conversation data is never used to retrain AI models. We only use anonymized user feedback (such as performance ratings) to improve our service effectiveness, and you can control this in your settings. When we use third-party API services, we ensure that they comply with the principles of the GDPR and maintain appropriate security standards. We only work with providers who are contractually committed not to use customer data for training their models without explicit consent.

4. LEGAL BASIS FOR PROCESSING

We process your personal data on the following legal bases:

4.1 Performance of the Contract

The processing of your data is necessary for the performance of the contract between you and Cephalgo, in particular for:

  • Providing the Listen service
  • Managing your account and subscription
  • Ensuring the chat interface provides responsive and contextually relevant feedback

4.2 Consent

You choose how your information is used and what functionalities Listen provides you. We will only do the following with your explicit consent:

  • Using your conversation data for service improvement purposes
  • Send you marketing communications
  • Process certain categories of sensitive personal data
  • Share reports with third parties you have designated

You will be asked to explicitly opt-in to each of these uses during your first interaction with the app, and you can change your preferences at any time in your settings.

4.3 Legitimate interests

We may process certain data based on our legitimate interests, in particular to:

  • Ensure the security of our application
  • Prevent fraud
  • Improve and develop our services
  • Analyze the use of our services in an anonymized manner
  • Collect and process user feedback to improve our services

4.4 Legal obligation

We may process your data to comply with our legal obligations, including:

  • Responding to requests from competent authorities
  • Complying with tax and accounting obligations
  • Complying with consumer protection regulations

4.5 Special-category data

For any special-category data (e.g., health-related information in conversations), processing is based on your explicit consent (GDPR Art. 9(2)(a)). You can withdraw consent at any time in Settings; core features that require such processing will then be unavailable.

5. THIRD-PARTY SERVICES AND DATA PROCESSING

5.1 Categories of Subprocessors

We only share your data with:

  • Cloud services (AWS based in EU)
  • Analytics and technical service tools (based in the EU)
  • Authentication services (based in the EU)
  • Secure payment services

List of main processors:

  • AWS(EU): data hosting
  • Stripe (EU): payment processing

5.2 Protection Guarantees

Our subprocessors are primarily based in the EU. Where any processing or access occurs outside the EEA, we implement the European Commission’s Standard Contractual Clauses, rely on any applicable adequacy decisions, and apply supplementary measures as needed. All subprocessors are:

  • bound by GDPR-compliant data-processing agreements
  • subject to strict security standards and regular audits
  • required to apply appropriate technical and organisational measures.

5.3 Data Collected by Third-Party Services

Third-party services may collect:

  • Technical usage data
  • Device information
  • Performance data
  • Connection logs
  • Payment information (for payment services only)

5.4 International Data Transfers

We prefer partners and subcontractors established in the European Union. In the rare cases where data transfer outside the EU is necessary, we ensure that:

  • Appropriate safeguards are in place
  • The rights of the individuals concerned are preserved
  • Additional technical measures protect your data
  • You are informed of these transfers

Where we transfer data outside the EEA, we use Standard Contractual Clauses, any applicable adequacy decisions, and supplementary measures.

5.5 DATA SHARING AND THIRD PARTIES

We may share your personal information under the following circumstances:

Service Providers: With trusted third-party service providers who assist with the operation of Listen, such as:

  • Cloud hosting and data storage platforms (AWS EU)
  • AI and chatbot service providers
  • Audio processing and voice recognition services
  • Analytics and performance monitoring platforms
  • Authentication and security services
  • Payment processing services (Stripe EU)

These providers are obligated to protect your information and use it only for the purposes we specify.

Legal Compliance: If required by law or to protect our rights, we may disclose your information in response to:

  • A subpoena, court order, or other legal processes
  • Requests from competent authorities
  • Compliance with tax and accounting obligations
  • Consumer protection regulations
  • Prevention of fraud or illegal activities

Business Transfers: We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company. In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of the transaction, subject to the applicable privacy policy.

Audio Data Specific Sharing:

  • Voice recordings may be shared with AI service providers for real-time processing
  • Audio data is shared only with EU-based service providers with GDPR compliance
  • Voice processing services are contractually bound not to use audio data for their own purposes
  • Audio data sharing is limited to the minimum necessary for service functionality

6. Cookies and Similar Technologies

We use cookies, device identifiers, and mobile SDKs. You can manage preferences via our in-app consent tool and device settings.

6.1 Types of Cookies Used

We use different types of cookies and similar technologies:

  • Essential cookies: necessary for the application to function
  • Performance cookies: to analyze the performance and use of the application
  • Functionality cookies: to personalize your experience
  • Targeting cookies: to offer you relevant content (only with your consent)

6.2 Cookie management

You can manage your cookie preferences:

  • Via the cookie preferences panel accessible in the application
  • Through your browser or mobile device settings
  • By contacting us directly

Some essential cookies cannot be disabled as they are necessary for the application to function.

7. DATA SECURITY

7.1 Technical Measures

  • Encryption in transit and at rest for conversations, voice recordings and audio data
  • Secure audio transmission protocols
  • Voice data isolation and secure storage
  • Audio processing access controls
  • Secure servers in Europe
  • Strict access controls
  • Continuous automated security monitoring systems
  • Advanced security protocols (HTTPS, TLS)
  • Intrusion detection systems
  • Regular security updates

7.2 Organizational Measures

  • Regular staff training
  • Security audits
  • Incident management procedures
  • Regular updates
  • Limited access to data by staff
  • Strict internal privacy policies
  • Rigorous verification process

7.3 Data Protection

  • Systematic anonymization
  • Data minimization
  • Secure deletion protocols
  • Encrypted backups
  • Data partitioning (chat data and user identifiable information are stored separately)
  • Least privilege principle for access
  • Periodic security checks

7.4 Personal Data Breach Notifications

  • In the event of a personal data breach, we will notify CNIL and affected users where required (GDPR Arts. 33–34)

8. DATA RETENTION

8.1 Retention Periods

Active User Accounts: We retain your personal data for as long as your account remains active and you wish to use our services, based on the following principles

Conversation Data:

  • Complete conversation transcripts: Retained for as long as you maintain an active account and choose not to delete them
  • User-configurable deletion: You can delete conversation history at any time through the application interface
  • Automatic review: We may prompt you annually to review and confirm retention of older conversations (older than 2 years)

Audio and Voice Data:

  • Voice recordings: Retained for as long as you maintain an active account and choose not to delete them
  • User-configurable audio deletion: You can delete voice recordings at any time through the application interface
  • Temporary audio processing: Real-time voice processing data deleted within 24 hours after session ends
  • Audio session metadata: Maximum 12 months for active accounts

Account and Profile Data:

  • Basic account information: Retained for the duration of your active account
  • User preferences and settings: Retained as long as your account is active
  • Payment history: Retained for active accounts plus 10 years as per legal obligation

Technical and Usage Data:

  • Recent technical data: Maximum 12 months for active accounts
  • Anonymized usage statistics: Unlimited duration as it no longer allows identification
  • Error logs and performance data: Maximum 6 months

Inactive Accounts:

  • Accounts inactive for 6 months: We will contact you to confirm continued retention
  • No response after additional 30 days: Data deletion process begins

Deleted Accounts:

  • Immediate deletion: Available upon user request
  • Standard deletion: Maximum 30 days after account deletion
  • Legal retention: Billing data retained for 10 years as required by law

8.2 Archiving and deletion

User Controls:

  • Granular deletion: Delete specific conversations, date ranges, or all conversation history
  • Export before deletion: Download your data before deletion
  • Retention preferences: Set automatic deletion schedules for conversations
  • Account deletion: Request immediate full account and data deletion

Our Obligations:

  • Annual retention review: We assess the necessity of data retention annually
  • User notification: We notify you of any retention policy changes
  • Secure deletion: Deleted data is removed from active systems immediately and from backups within 30 days.
  • Retention logs: We maintain records of data deletion for compliance
  • When you delete data, it is removed from active systems immediately and from backups within 30 days.

8.3 Retention Justification

Legal Basis for Extended Retention:

  • Contract performance: Data retention necessary for ongoing service provision
  • Legitimate interests: Long-term emotional wellbeing tracking requires historical data
  • User consent: You explicitly control retention through your account settings

Regular Review Process:

  • Annual assessment of data necessity and proportionality
  • User notification of retention reviews
  • Adjustment of retention periods based on usage patterns and regulatory guidance

9. YOUR GDPR RIGHTS

You have the following rights regarding your personal data:

9.1 Access Rights

  • Access your account information and settings
  • Access generated reports and summaries of your conversations
  • View usage statistics and progress data
  • Note: Access to raw conversation transcripts is available upon specific request to dpo@cephalgo.com

9.2 Correction Rights

  • Correct your account information (name, email, preferences)
  • Update your profile settings and preferences
    Note: Conversation data cannot be modified to preserve conversation integrity, but can be deleted if inaccurate

9.3 Deletion Rights

  • Delete specific conversations, date ranges, or all conversation history
  • Delete your entire account and all associated data
  • Request immediate deletion without waiting periods

9.4 Data Portability Rights

  • Export your generated reports and summaries in structured format
  • Export your account information and preferences
  • Export conversation summaries and progress data
  • We provide portable data to the extent required by GDPR Art. 20 (data you provided to us and, where feasible, observed data)
    Note: Raw conversation transcripts can be provided upon request in a portable format

9.5 Consent Withdrawal

  • Withdraw consent for marketing communications
  • Withdraw consent for service improvement data use
  • Withdraw consent for optional data processing features
    Note: Withdrawing consent for core service functionality will prevent app usage

9.6 Objection and Restriction Rights

  • Object to processing for marketing purposes (continues service access)
  • Object to processing for service improvement purposes (continues service access)
  • Object to core service processing (prevents continued app usage)
  • Restrict processing for specific purposes (may limit service functionality)

9.7 Automated Decision-Making Rights

Our automated features (such as conversation generation and emotional analysis) do not produce legal or similarly significant effects within the meaning of GDPR Art. 22.

  • You may request human review of any AI-generated response or suggestion.
  • You may challenge any automated recommendations or assessments.
  • You may opt out of non-essential automated emotional analysis; however, the core functionality of Listen relies on automated processing. Opting out of all automated processing will make the Service unavailable.

10. EXERCISING YOUR RIGHTS

10.1 How to exercise your rights

To exercise your rights:

  • Email: dpo@cephalgo.com
  • Post: Cephalgo SAS, 8 rue des Veaux, 67000 Strasbourg, France
  • Via the app: in your account settings

10.2 Processing process

  • Confirmation within 48 hours
  • Processing within 30 days (may be extended by 60 days in the event of a complex request)
  • Identity verification required
  • Free assistance
  • Detailed response provided
  • Possibility of appeal to the CNIL in case of dissatisfaction

11. CHANGES TO THE POLICY

We will inform you of any changes by:

  • Email
  • Notification in the application
  • Message on our website

Changes take effect 30 days after notification.

Reasons for changes may include:

  • Legal or regulatory developments
  • Changes in our data processing practices
  • Introduction of new features
  • Changes to our technical infrastructure
  • Recommendations from data protection authorities

12. PROTECTION OF MINORS

12.1 Minimum age

Listen is not intended for persons under the age of 18.

12.2 Protective Measures

If we learn that a user is under the age of 18, we will:

  • Immediately delete their account
  • Erase all personal data collected
  • Take measures to prevent re-registration

13. AUDIO DATA AND MICROPHONE ACCESS

13.1 Microphone permissions

Listen may request access to your device's microphone to enable voice-based features. You can:

  • Grant or deny microphone access at any time through device settings
  • Use the service without voice features if microphone access is denied
  • Modify audio permissions without affecting other service functionality

13.2 Voice data processing

  • Voice recordings are processed to enable conversational AI features
  • Audio data is encrypted during transmission and storage
  • Voice characteristics may be analyzed for service improvement (anonymized)
  • We do not use voice data for biometric identification or authentication
  • Audio processing occurs primarily on secure servers within the European Union

13.3 Audio data rights and controls

  • Delete individual voice recordings or all audio data
  • Export your voice data before deletion
  • Set automatic deletion schedules for audio content
  • Opt out of voice data use for service improvement
  • Request human review of any automated audio processing decisions

13.4 Third-party audio processing

When using voice features, audio data may be processed by:

  • AI service providers (with GDPR-compliant agreements)
  • Cloud hosting services (EU-based)
  • Audio processing services (with strict data protection requirements)

All third-party audio processing is governed by the same privacy protections as other personal data.

13.5 Assignment and Business Transfers

Cephalgo reserves the right to assign or transfer all or part of its rights and obligations under these Terms of Use to a third party. We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company.

In the event of such business transfer:

  • Users will be notified of any change in data handling
  • The acquiring entity will be bound by the same privacy protections
  • Users retain all rights regarding their personal data including voice recordings
  • Users may request data deletion before the transfer is completed
  • The applicable privacy policy will continue to govern data use

The user may not assign or transfer their rights and obligations under these Terms of Use without the prior written consent of Cephalgo. For contractual assignment terms, see the ‘Assignment’ clause in our General Terms and Conditions of Use.

14. CONTACT

14.1 Contact

14.2 Data Protection Officer

Our Data Protection Officer (DPO) can be contacted at dpo@cephalgo.com

14.3 Supervisory Authority

Commission Nationale de l'Informatique et des Libertés (CNIL)

  • Website: www.cnil.fr
  • Telephone : 01 53 73 22 22
  • Address: 3 Place de Fontenoy, 75007 Paris, France

IMPORTANT

Listen is a wellness and support tool. It is not a medical device and does not replace a healthcare professional. In case of emergency, call 15, 3114, or 112.

About ListenPlansFAQContact UsBlog
Data protection in accordance with GDPR
In any critical situation, please contact the local emergency services on 15, 112, or 3114 as in France.
Privacy PolicyTerms and Conditions