Privacy Policy
What data we process, why, and how you can control it.
1. Data controller
The controller for personal data is YOM AKAKPO EI, 60 Rue François 1er, 75008 Paris, France. Contact: contact@leandre.io.
Given the size of the organization, no Data Protection Officer (DPO) has been formally appointed; requests are handled directly by the controller.
2. Data collected and purposes
Cocorico collects the following categories of data, for the purposes indicated:
- Account identifiers (email, hashed password, name if provided) — purpose: enabling access and identification. Legal basis: performance of the contract (GDPR Art. 6(1)(b)).
- Learning progress (completed lessons, answers, time spent, streaks, XP) — purpose: delivering the service, recommendations, insights. Legal basis: performance of the contract.
- User preferences (interface language, subtitles, target exam date) — purpose: personalization. Legal basis: performance of the contract.
- Payment data (handled exclusively by Stripe; no card data passes through our servers) — purpose: billing. Legal basis: performance of the contract + legal obligation (accounting).
- Technical logs (server logs, IP address, user-agent) — purpose: security, debugging. Legal basis: legitimate interest (GDPR Art. 6(1)(f)).
- Aggregated usage data (anonymized statistics) — purpose: service improvement. Legal basis: legitimate interest.
3. Retention periods
- Account and progress data: as long as the account exists, then 30 days after deletion.
- Invoices and accounting data: 10 years (French legal obligation).
- Technical logs: 12 months maximum.
- Anonymized and aggregated data: indefinite duration (no longer allows identification).
4. Recipients and processors
We use the following processors, which process your personal data on our behalf in compliance with the GDPR:
- OVH SAS (Roubaix, France) — hosting of the application and the PostgreSQL database.
- Stripe Payments Europe Ltd. (Dublin, Ireland) — payment processing and billing. See the Stripe data processing addendum.
- Zoho Corporation B.V. (Amsterdam, Netherlands) — Zoho Mail EU (smtp.zoho.eu) for sending transactional emails: address verification, password reset, invoices. Data hosted within the European Union. See the Zoho data processing addendum.
No personal data is sold or transferred to third parties for commercial purposes.
Note on internal tools. Cocorico also uses voice-synthesis services (Microsoft Azure Speech, ElevenLabs) to pre-render the question audio, and a container registry (GitHub Container Registry) for deployment. These services receive no user data — they only process the civic content and application code that we provide them. They are therefore not processors within the meaning of the GDPR.
5. Transfers outside the EU
All application hosting, the database, and transactional emails remain within the European Union (OVH France for the application and database, Zoho Mail EU in the Netherlands for emails).
Only Stripe Payments Europe Ltd. (Ireland), although established in the EU, may transfer some data to its affiliated companies in the United States for the purposes of payment processing. These transfers are governed by the EU-US Data Privacy Framework (Stripe Inc. is certified) and by the Standard Contractual Clauses adopted by the European Commission.
6. Your rights (GDPR)
Pursuant to Articles 15 to 22 of the GDPR, you have the following rights:
- Right of access — obtain a copy of the data we hold about you.
- Right to rectification — correct inaccurate data.
- Right to erasure — delete your data ("right to be forgotten").
- Right to restriction — freeze processing in certain cases.
- Right to portability — receive your data in a structured format (JSON).
- Right to object — oppose processing on legitimate grounds.
- Right to set post-mortem directives — Article 85 of the French Data Protection Act.
To exercise these rights, write to contact@leandre.io specifying your request and attaching proof of identity if identification is uncertain. We respond within a maximum of one month.
7. Remedies
If you believe your rights are not being respected, you may lodge a complaint with the Commission Nationale de l'Informatique et des Libertés (CNIL): cnil.fr/en/plaints.
8. Security
We implement appropriate technical and organizational measures: TLS encryption of communications, password hashing via bcrypt, separation of development and production environments, encrypted backups, principle of least privilege on administrator access.
9. Cookies
The use of cookies is detailed in our Cookie Policy.
10. Changes to this policy
This policy may be updated to reflect legal or technical changes. The date of the last update appears at the top of the document. Material changes are notified by email to active Users.