Privacy Policy
1. Data Controller
The controller for personal data collected through the Ascelyo mobile application and website https://ascelyo.app is:
- Company: Mansour Habibou Hamani (Ascelyo Software)
- Legal form: Entrepreneur Individuel (EI), trading under the commercial name "Ascelyo Software"
- Registered office: 2 boulevard Georges Méliès, 94360 Bry-sur-Marne, France
- Registration number: SIRET 10438683400014 — Code APE 5829C (publishing of application software)
- Email: contact@ascelyo.app
For any data protection questions, contact our Data Protection Officer (DPO) at: contact@ascelyo.app.
2. Data We Collect
We collect only the data strictly necessary to operate the service.
2.1 Data you provide directly
- Account: email address, name, password (bcrypt-hashed, never stored in plaintext)
- Profile: timezone, language, birth year, gender, country, education level, profession, family situation, fitness level, motivation style, communication preference (optional, gathered during onboarding)
- Goals and milestones: free-text descriptions of your ambitions, daily actions, and chosen life domains
- Journal: text entries and voice recordings (automatically transcribed)
- Mood: scores 1–5 and optional free-text notes
- Subscription: payment details processed directly by Apple via the App Store and managed by RevenueCat — we never store card data
2.2 Automatically collected data
- Push token: Expo notification identifier, used only for reminders you configure
- Technical logs: IP address, user-agent, request timestamps — retained for security and debugging
- Aggregated usage data: streaks, completion rates, momentum score — computed server-side, never shared with third parties for advertising
2.3 Data we do not collect
- Precise geolocation
- Phone contacts
- Photos or videos (beyond voice recordings you explicitly submit)
- External web browsing history
- Biometric data
3. Purposes and Legal Bases (Art. 6 GDPR)
| Purpose | Legal basis | Details |
|---|---|---|
| Service delivery (AI assistance, goals, journal) | Contract — Art. 6.1.b | Necessary to perform the subscription contract |
| Account authentication and security | Contract — Art. 6.1.b | JWT token management, suspicious-access detection |
| Billing and subscription management | Contract — Art. 6.1.b | Payment processing via App Store (Apple) + RevenueCat |
| Sending reminder notifications | Contract — Art. 6.1.b | Notifications only according to your configured preferences |
| Product improvement and aggregated analytics | Legitimate interest — Art. 6.1.f | Anonymised usage statistics; no individual profiling for commercial purposes |
| Technical error monitoring (Sentry) | Legitimate interest — Art. 6.1.f | Service stability; traces minimised, no user content in error payloads |
| Marketing communications (newsletters, offers) | Consent — Art. 6.1.a | Only with your explicit consent; withdrawable at any time |
| Legal obligations | Legal obligation — Art. 6.1.c | Billing record retention per French tax law |
4. Retention Periods
| Data category | Duration | Justification |
|---|---|---|
| Account data (email, name, profile) | Duration of account + 30 days after deletion | Grace window allowing reactivation before permanent purge |
| Journal, goals, mood | Duration of account + 30 days | Automatic purge via BullMQ job triggered at D+30 after account deletion |
| Billing data and receipts | 10 years | Legal obligation (French Commercial Code, Art. L123-22) |
| Server logs (IP, user-agent) | 12 months | CNIL-recommended retention for connection logs |
| Password reset tokens | 1 hour after issuance | Security — automatic invalidation |
| Push notification tokens | Duration of account | Deleted upon revocation or account deletion |
| AI assistance session metadata (log) | 90 days | Performance analysis; no user content in metadata |
Account deletion
When you delete your account via Settings → Data & Privacy → Delete my account, your account is immediately soft-deleted. You have a 30-day window to change your mind by contacting support. After this period, an automated job purges all your personal data from our servers and databases.
You may also initiate deletion via the API endpoint DELETE /api/v1/users/me.
5. AI and Content Processing
Important notice: some of your data (goals, journal entries, AI assistant responses) is transmitted to AI providers to generate your personalised recommendations. Please read this section carefully.
5.1 What data is sent to AI models
- Text from your goals, milestones and actions (to generate decompositions and weekly plans)
- Content of your journal entries (decrypted at processing time, for sentiment analysis and tagging)
- Transcriptions of your voice recordings (generated by Whisper, then analysed by the assistance model)
- Your aggregated assistance profile (communication style, patterns, strengths — without raw content from other sessions)
5.2 What we do not do
- We do not use your content to train our own models
- We do not share your data across users
- AI providers (OpenAI and Anthropic), accessed via their professional APIs, contractually commit not to use API data to train their models, per their API terms of service in effect at the date of publication of this document
- We do not feed targeted advertising systems with your content
5.3 Journal encryption
All journal entries are encrypted at rest using AES-256-GCM (authenticated encryption). The key is derived via HKDF with a unique random salt per user. Decryption only occurs upon your legitimate access or AI processing you initiate. Plaintext is never included in API responses or logs.
5.4 Right to object
You may disable AI analysis of your journal entries at any time by contacting support. The assistance service will continue to function with reduced capabilities.
6. Sub-processors and International Transfers
We engage the following sub-processors to operate the service. All have been selected for their GDPR compliance or the safeguards they provide for transfers outside the EU.
| Sub-processor | Role | Location | Transfer outside EU | Safeguard |
|---|---|---|---|---|
| Hetzner Online GmbH | Server hosting (VPS, database, Redis) | Germany (EU) | No | Processing exclusively in the EU |
| Apple Inc. / App Store | Payment processing (in-app purchases) | Ireland (EU) + USA | Yes (USA) | Standard Contractual Clauses (SCCs) + Apple DPA |
| RevenueCat, Inc. | Subscription management and event state machine | USA | Yes (USA) | Standard Contractual Clauses (SCCs) + RevenueCat DPA |
| OpenAI, Inc. | Language models (AI assistance, journal analysis, Whisper voice transcription) | USA | Yes (USA) | SCCs + OpenAI Data Processing Agreement (API) |
| Anthropic, PBC | Language models (synthesis, plan generation) | USA | Yes (USA) | SCCs + Anthropic Data Processing Agreement (API) |
| Sentry (Functional Software, Inc.) | Technical error tracking | USA | Yes (USA) | SCCs + Sentry DPA |
| Expo (Expo Technology, Inc.) | Push notifications | USA | Yes (USA) | Anonymised token — no user content |
Transfers to the United States are governed by data processing agreements incorporating the Standard Contractual Clauses adopted by the European Commission (Decision 2021/914). You may obtain a copy of these safeguards by contacting contact@ascelyo.app.
7. California residents (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), including the right to know, the right to delete, and the right to opt out of the sale of personal information. We do not sell your personal information. To exercise your CCPA rights, contact us at contact@ascelyo.app.
8. Minors
Ascelyo is intended for individuals aged at least 16 years (or the minimum age applicable in your country of residence, per GDPR Article 8). We do not knowingly collect personal data from children under 16.
If you believe a minor has provided us with data without parental authorisation, please contact us immediately at contact@ascelyo.app. We will delete such data promptly.
9. Your Rights
Under the GDPR (EU Regulation 2016/679), you have the following rights over your personal data:
Right of access (Art. 15)
You may obtain a complete copy of all data we hold about you.
How to exercise it: Settings → Data & Privacy → Export my data, or GET /api/v1/users/me/export. Immediate JSON response.
Right of rectification (Art. 16)
You may correct inaccurate or incomplete data via your in-app profile (Settings → Edit profile).
Right to erasure / right to be forgotten (Art. 17)
You may request deletion of all your data.
How to exercise it: Settings → Data & Privacy → Delete my account. Deletion is effective after a 30-day grace period. See Section 4 for details.
Right to data portability (Art. 20)
You may retrieve your data in a structured, commonly used, machine-readable format (JSON). Use the export function described above.
Right to object (Art. 21)
You may object to processing based on our legitimate interests (e.g. aggregated usage analytics). Contact contact@ascelyo.app.
Right to restriction of processing (Art. 18)
You may request that we restrict processing while a dispute about your data or its processing is under review. Contact contact@ascelyo.app.
Withdrawal of consent
Where processing is based on consent (e.g. marketing communications), you may withdraw it at any time without affecting the lawfulness of prior processing.
Response time
We respond to all requests within one month of receipt. This may be extended by two additional months for complex requests.
Right to lodge a complaint
If you believe our processing does not comply with GDPR, you have the right to lodge a complaint with the CNIL (France's data protection authority): www.cnil.fr, 3 place de Fontenoy, TSA 80715, 75334 Paris Cedex 07. You may also contact the supervisory authority of your country of residence.
10. Security
We implement appropriate technical and organisational measures to protect your data:
- TLS 1.3 encryption for all communications in transit
- AES-256-GCM encryption of journal entries at rest (HKDF-derived key per user)
- Passwords hashed with bcrypt (adaptive cost factor)
- Short-lived JWT access tokens (15 min) with refresh token rotation
- Per-endpoint rate limiting to prevent brute-force attacks
- Admin actions logged in an audit table (AdminAuditLog)
- Environment secrets managed outside the code repository
- Real-time error monitoring via Sentry
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify you within the timeframes required by GDPR (72 hours to the CNIL, individual notification for high-risk breaches).
11. Contact and DPO
To exercise your rights or for any questions about this policy:
- DPO email: contact@ascelyo.app
- General contact: contact@ascelyo.app
- Postal address: Mansour Habibou Hamani (Ascelyo Software), 2 boulevard Georges Méliès, 94360 Bry-sur-Marne, France
Please include your name, account email and the precise nature of your request. We may ask for proof of identity before acting on a request.
12. Changes to This Policy
We may update this privacy policy to reflect changes in our practices or applicable regulations. For material changes, we will notify you by email or in-app notification at least 30 days before the new version takes effect.
A historical version of this policy is available on request at contact@ascelyo.app.
Continued use of the service after the effective date constitutes acceptance of the revised policy.