Introduction
In accordance with Article 30 of the General Data Protection Regulation (GDPR), CoVœur keeps a record of processing activities. This record lists all personal data processing carried out as part of the CoVœur Service.
Data controller: NOproBS, SASU with share capital of €1,000, Paris Trade Register 984 241 075, registered office in Paris, France — contact form
Processing of personal data
1. User management and onboarding
| Purpose | Creating and managing the user profile during the first interaction with CoVœur |
| Legal basis | Performance of a contract (Art. 6(1)(b) GDPR) |
| Data processed | WhatsApp phone number, first name, relationship status (single / in a relationship) |
| Data subjects | Users of the CoVœur Service |
| Retention period | Duration of use of the Service + 12 months |
| Recipients | CoVœur team, Meta (WhatsApp Business API), Microsoft Azure (hosting) |
| Transfers outside the EU | None |
2. Individual relational assessment (individual assessment)
| Purpose | Collecting responses to the relational self-assessment questionnaire and generating the personalized Relational Profile by AI |
| Legal basis | Performance of a contract (Art. 6(1)(b) GDPR) |
| Data processed | Questionnaire responses (15 questions), first name, generated Relational Profile |
| Data subjects | Users who completed the individual questionnaire |
| Retention period | Duration of use of the Service + 12 months |
| Recipients | CoVœur team, Microsoft Azure OpenAI (AI processing — EU hosting), Microsoft Azure (hosting) |
| Transfers outside the EU | None |
3. Combined Couple Assessment
| Purpose | Connecting two partners, collecting relationship context, generating the personalized Couple Assessment by AI |
| Legal basis | Performance of a contract (Art. 6(1)(b) GDPR) + consent for sharing with the partner (Art. 6(1)(a) GDPR) |
| Data processed | Relational Profiles of both partners, relationship context, relationship duration and status, combined assessment generated |
| Data subjects | Users who initiated or accepted a Couple Assessment |
| Retention period | Duration of use of the Service + 12 months |
| Recipients | CoVœur team, Microsoft Azure OpenAI (AI processing — EU hosting), Microsoft Azure (hosting) |
| Transfers outside the EU | None |
4. Analysis of WhatsApp conversations
| Purpose | Optional analysis of a WhatsApp conversation exported by both partners, with prior anonymization, to enrich the Couple Assessment |
| Legal basis | Explicit consent from both partners (Art. 6(1)(a) GDPR) |
| Data processed | Exported WhatsApp conversation. Anonymization is performed in RAM (memory) on our servers — first names, addresses, and phone numbers are replaced with neutral identifiers (Partner A / Partner B, [CITY], [NUMBER]…) before transmission to the AI model. The raw (non-anonymized) version is not stored persistently; only the anonymized version may be retained for analysis purposes. |
| Data subjects | Users who consented to the analysis of their WhatsApp conversation (bilateral consent required) |
| Retention period | Raw data: deleted after analysis. Analysis results: up to 12 months. |
| Recipients | CoVœur team, Microsoft Azure OpenAI (AI processing — anonymized data only — EU hosting), Microsoft Azure (hosting) |
| Transfers outside the EU | None |
5. Coaching programs and follow-up
| Purpose | Sending personalized programs, exercises, reminders, and follow-ups via WhatsApp for personal and couple development |
| Legal basis | Performance of a contract (Art. 6(1)(b) GDPR) |
| Data processed | WhatsApp number, history of programs taken, progress, responses to exercises |
| Data subjects | Users subscribed to a coaching program |
| Retention period | Program duration + 12 months |
| Recipients | CoVœur team, Meta (WhatsApp Business API), Microsoft Azure (hosting) |
| Transfers outside the EU | None |
6. Security and technical logs
| Purpose | Service security, abuse detection, and technical maintenance |
| Legal basis | Legitimate interest (Art. 6(1)(f) GDPR) |
| Data processed | Server logs (IP addresses, timestamps, requests) |
| Data subjects | All users of the Service |
| Retention period | 3 months |
| Recipients | CoVœur technical team, Microsoft Azure (hosting) |
| Transfers outside the EU | None |
7. Open conversation
| Purpose | Personalized support through open conversations with CoVœur’s AI (coaching, emotional support, relational exercises) |
| Legal basis | Performance of a contract (Art. 6(1)(b) GDPR) |
| Data processed | WhatsApp number, history of coaching conversations, detected topics, weekly summaries |
| Data subjects | Users with access to conversational coaching (free tier limited to 10 exchanges, then subscription) |
| Retention period | Rolling 12 months (messages older than 12 months are deleted automatically) |
| Recipients | CoVœur team, Microsoft Azure OpenAI (AI processing — EU hosting), Microsoft Azure (hosting) |
| Transfers outside the EU | None |
8. Therapist records (notes and follow-up summaries)
| Purpose | Creating psychological follow-up notes and summaries for partner professionals (therapists, coaches) to support users |
| Legal basis | Performance of a contract (Art. 6(1)(b) GDPR) + legitimate interest in improving the quality of support (Art. 6(1)(f) GDPR) |
| Data processed | Synthesized summaries of conversations and assessments, Relational Profile, notes from partner professionals |
| Data subjects | Users who completed an individual or couple assessment |
| Retention period | Duration of use of the Service + 12 months, then deletion on request |
| Recipients | CoVœur team, authorized partner professionals, Microsoft Azure (hosting) |
| Transfers outside the EU | None |
Sub-processors
CoVœur uses the following sub-processors as part of its processing activities:
| Sub-processor |
Role |
Location |
GDPR safeguards |
| Microsoft Azure OpenAI |
Generation of AI analyses, reports, and conversations (GPT-4o / GPT-5) |
France (GPT-4o) and Switzerland (GPT-5) — European Union / EEA |
GDPR-compliant DPA — data hosted within the EU |
| Meta (WhatsApp Business API) |
WhatsApp messaging infrastructure |
Ireland — European Union |
GDPR-compliant DPA — data hosted in Europe |
| Microsoft Azure |
Backend hosting, database, storage |
France (France Central region) |
GDPR-compliant DPA — data hosted in France |
| Stripe |
Payment processing (subscriptions and one-off purchases) |
Ireland — European Union |
GDPR-compliant DPA |
Your rights
Under the GDPR, you have rights over your personal data (access, rectification, erasure, portability, objection, restriction). To exercise these rights, see our Privacy Policy or contact us via our contact form.
You can also lodge a complaint with the CNIL: www.cnil.fr.
