Privacy Policy
Last updated: 2026-04-17
This Privacy Policy describes how TODO_PUBLISHER_NAME, publisher of El Engage, collects and processes personal data when you use the Service. It is addressed to users in the European Economic Area and complies with the General Data Protection Regulation (EU 2016/679, "GDPR") and the French Data Protection Act.
1. Who is the Data Controller?
The data controller is TODO_PUBLISHER_NAME, TODO_STREET, TODO_POSTCODE TODO_CITY, France. You can reach the team responsible for personal data at [email protected]. Where a Data Protection Officer has been appointed, they can be contacted at [email protected].
2. What Data We Collect
We collect the following categories of personal data:
- Account data — name, email address, encrypted password or OAuth identifier, account creation and update timestamps, consent to the Terms of Use.
- Profile data — native language, target languages, self-reported proficiency level, onboarding answers.
- Conversation data — audio streams (processed in real time, not stored), text transcripts of your voice conversations with the AI tutor, generated responses, metadata such as duration and topic.
- Usage and technical data — IP address, browser and device information, logs, request identifiers, session cookies, quota counters.
- Billing data — for paid plans: subscription tier, billing cycle, invoice history and a Stripe customer identifier. Card numbers are handled exclusively by Stripe and never reach our servers.
3. Why We Process Your Data (Legal Basis)
| Purpose | Legal basis |
|---|---|
| Provide the Service (auth, conversations, history) | Performance of the contract (art. 6(1)(b)) |
| Process subscriptions, send invoices | Performance of the contract and legal obligations |
| Route audio and transcripts to AI providers | Performance of the contract |
| Prevent fraud, abuse and quota bypass | Legitimate interest |
| Debug, maintain and secure the Service | Legitimate interest |
| Respond to your support requests | Legitimate interest and, where relevant, consent |
| Send product updates or marketing emails (if any) | Consent, with the right to withdraw at any time |
4. No AI Training on Your Data
We do not use your personal data — including your conversation transcripts and audio — to train any AI model. Every external AI provider we rely on is engaged under a contractual plan that disables training on customer-submitted data. The full list of providers, regions and data categories is available in our Data Processing Addendum.
5. How Long We Keep Your Data
- Account and profile data: for as long as your account exists, plus up to 30 days after deletion (to cover backup rotation).
- Conversation transcripts: for as long as your account exists or until you delete the conversation; deleted conversations are purged within 30 days.
- Audio streams: processed in real time and not stored.
- Invoices and accounting records: retained for 10 years, as required by the French Commercial Code.
- Security logs: retained for up to 12 months.
6. Who Has Access to Your Data
Access is limited to authorised staff of TODO_PUBLISHER_NAME on a need-to-know basis, and to a short list of vetted subprocessors (hosting, database, AI providers, payment processor). Each subprocessor is bound by a written contract containing confidentiality and data-protection obligations compliant with the GDPR. See the Data Processing Addendum for the full list.
7. International Transfers
Some of our providers are based outside the European Economic Area (notably in the United States). Transfers are framed by the Standard Contractual Clauses adopted by the European Commission and, where relevant, by supplementary technical and organisational measures.
8. Your Rights
Under the GDPR you have the following rights regarding your personal data:
- right of access
- right to rectification
- right to erasure ("right to be forgotten")
- right to restriction of processing
- right to data portability
- right to object to processing based on legitimate interest
- right to withdraw consent at any time
- right to define post-mortem instructions concerning your data
To exercise any of these rights, write to [email protected]. We may ask you to prove your identity. We respond within one month, extendable to three months for complex requests.
You also have the right to lodge a complaint with the French Data Protection Authority (CNIL, cnil.fr) or with the supervisory authority of your country of residence.
9. Security
We implement technical and organisational measures appropriate to the risk, including encryption of data in transit (TLS), encrypted storage, principle of least privilege, audit logs, short-lived handshake tokens for the voice-relay pipeline, and periodic dependency and vulnerability reviews.
10. Cookies
El Engage uses strictly necessary and functional cookies only — we do not currently run analytics or advertising cookies. Details and the full list of cookies we use are available in our Cookie Policy.
11. Children
El Engage is not intended for children under 15. If you believe that a minor under 15 has created an account without parental consent, contact us at [email protected] so we can close it.
12. Updates to this Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Service or applicable law. When a change is material we will notify registered users by email or through the app before it takes effect.
13. Contact
Any question about this Privacy Policy can be sent to [email protected].