# Call Me Maybe — Legal Documents (RGPD)

> Privacy Policy, Terms of Service, and Cookie Policy.
> Adapted for French market, RGPD-compliant.
> Review with a lawyer before publishing.

---

## 1. Privacy Policy / Politique de Confidentialité

**Last updated:** February 2026
**Data Controller:** Call Me Maybe SAS (in formation), Paris, France
**Contact:** privacy@callmemaybe.app / aaronbes2@gmail.com
**DPO (Data Protection Officer):** Aaron Besnainou

---

### 1.1 Data We Collect

| Data Category | Specific Data | Legal Basis | Retention |
|--------------|---------------|-------------|-----------|
| **Identity** | First name, email, phone number | Contract performance | Account lifetime + 3 years |
| **Profile** | Age, gender, weight, height, goal weight | Contract performance | Account lifetime + 1 year |
| **Voice Calls** | Call recordings, transcripts, call duration, timestamps | Legitimate interest (service improvement) + Consent | 90 days (recordings), 1 year (transcripts) |
| **Health Data** | Weight logs, food photos, meal descriptions, mood ratings, activity levels | Explicit consent (Art. 9 RGPD) | Account lifetime + 1 year |
| **Usage Data** | App interactions, streak data, feature usage, session times | Legitimate interest | 2 years |
| **Payment** | Stripe customer ID, subscription status, payment history | Contract performance | Legal obligation (10 years for invoices) |
| **Technical** | IP address, device type, OS version, app version | Legitimate interest (security) | 12 months |
| **Communication** | WhatsApp messages, support emails, Discord messages | Contract performance | 2 years |

### 1.2 How We Use Your Data

| Purpose | Data Used | Legal Basis |
|---------|-----------|-------------|
| Deliver daily AI coaching calls | Name, phone, profile, health data | Contract + Explicit consent |
| Personalize coaching (memory between calls) | Call transcripts, health data, goals | Explicit consent |
| Track streaks and progress | Usage data, weight logs | Contract |
| Process payments | Payment data | Contract |
| Send email communications | Email, name | Consent (marketing) / Contract (transactional) |
| Improve AI coaching quality | Anonymized call data | Legitimate interest |
| Analytics and reporting | Aggregated, anonymized data | Legitimate interest |
| Comply with legal obligations | All necessary data | Legal obligation |

### 1.3 Health Data — Special Category (Article 9 RGPD)

We process health-related data (weight, food intake, mood, physical activity) which constitutes **special category data** under RGPD Article 9.

**We process this data based on your explicit consent**, which you provide during onboarding. You can withdraw this consent at any time by contacting us — note that this will end your coaching service as it requires health data to function.

**Safeguards:**
- Health data is encrypted at rest and in transit (AES-256, TLS 1.3)
- Access restricted to automated AI systems only — no human reviews personal health data without consent
- Data is pseudonymized for analytics (your identity is separated from health records)
- Hosted exclusively in France (OVHcloud, Paris region)

### 1.4 Voice Call Recordings

- Calls are recorded for quality improvement and AI training purposes
- You are informed at the start of each call that it may be recorded
- Recordings are stored for **90 days maximum**, then automatically deleted
- Transcripts (text only, no audio) are retained for **1 year** to enable contextual coaching
- You can request deletion of all recordings at any time
- Recordings are never shared with third parties
- You can opt out of recording (the AI will still function but won't reference previous calls)

### 1.5 Food Photos

- Photos uploaded for food logging are processed by AI to provide nutritional feedback
- Photos are stored for **the duration of your subscription + 30 days**
- Photos are not used for any purpose other than your coaching
- Photos are deleted within 30 days of account closure
- Photos are never shared with third parties or used for AI training without explicit consent

### 1.6 Data Sharing

| Recipient | Data Shared | Purpose | Safeguard |
|-----------|------------|---------|-----------|
| **VAPI.ai** (USA) | Voice data during calls | AI voice processing | Standard Contractual Clauses (SCCs) |
| **Stripe** (USA) | Payment data | Payment processing | SCCs, PCI DSS certified |
| **Brevo** (France) | Email, name | Email communications | RGPD-compliant, French company |
| **OVHcloud** (France) | All hosted data | Infrastructure | RGPD-compliant, ISO 27001 |
| **PostHog** (EU) | Anonymized usage data | Analytics | EU-hosted, RGPD-compliant |
| **Supabase** (configurable) | Database records | Backend infrastructure | EU region selected |

**We never sell your personal data.**
**We never share identifiable health data with third parties.**

### 1.7 International Transfers

Some sub-processors (VAPI.ai, Stripe) are based in the United States. We ensure adequate protection through:
- EU Standard Contractual Clauses (SCCs)
- Supplementary security measures (encryption, pseudonymization)
- Assessment of US legislation impact on data protection

### 1.8 Your Rights (RGPD Articles 15-22)

| Right | How to Exercise | Response Time |
|-------|----------------|---------------|
| **Access** (Art. 15) | Email privacy@callmemaybe.app | 30 days |
| **Rectification** (Art. 16) | In-app settings or email | 30 days |
| **Erasure / Right to be Forgotten** (Art. 17) | Email with "DELETE MY DATA" subject | 30 days |
| **Restriction** (Art. 18) | Email with specific request | 30 days |
| **Data Portability** (Art. 20) | Email — we provide JSON/CSV export | 30 days |
| **Objection** (Art. 21) | Email or in-app settings | 30 days |
| **Withdraw Consent** (Art. 7) | In-app settings or email | Immediate |
| **Automated Decision-Making** (Art. 22) | Email — right to human review | 30 days |

### 1.9 Data Security

- All data encrypted at rest (AES-256) and in transit (TLS 1.3)
- Database hosted on OVHcloud in France (Paris region)
- Regular security audits and penetration testing
- Access controls: role-based, principle of least privilege
- Incident response plan: notification within 72 hours per RGPD Art. 33
- No employee accesses personal health data without written justification

### 1.10 Data Retention Summary

| Data | Active Account | After Account Closure |
|------|---------------|----------------------|
| Profile & identity | Retained | Deleted within 30 days |
| Health data | Retained | Deleted within 30 days |
| Call recordings | 90 days rolling | Deleted immediately |
| Call transcripts | 1 year rolling | Deleted within 30 days |
| Food photos | Retained | Deleted within 30 days |
| Payment records | Retained | 10 years (legal obligation) |
| Usage analytics | 2 years | Anonymized immediately |

### 1.11 Children

Call Me Maybe is not intended for users under 16 years of age. We do not knowingly collect data from minors. If we discover we have collected data from a user under 16, we will delete it immediately.

### 1.12 Complaints

If you believe your rights have been violated, you may lodge a complaint with:

**CNIL (Commission Nationale de l'Informatique et des Libertés)**
3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07
www.cnil.fr

---

## 2. Terms of Service / Conditions Générales d'Utilisation

**Effective date:** February 2026
**Company:** Call Me Maybe SAS (in formation)

### 2.1 Service Description

Call Me Maybe provides an AI-powered voice coaching service for weight loss and healthy habit formation. The service includes:
- Daily AI phone calls at user-selected times
- Personalized coaching based on user goals and history
- Streak tracking and gamification
- Optional food photo logging
- WhatsApp support (Pro plan)
- Community access (Discord)

**Call Me Maybe is NOT a medical service.** We do not provide medical advice, diagnose conditions, or prescribe treatments. Always consult a healthcare professional for medical concerns.

### 2.2 Subscription Plans

| Plan | Price | Includes |
|------|-------|----------|
| Starter | €9.90/month | 1 call/day, basic tracking, streak system |
| Pro | €14.90/month | 2 calls/day, WhatsApp support, food photo logging |
| Duo | €24.90/month | Shared plan for 2 people, all Pro features |

All prices include VAT (20% TVA).

### 2.3 Free Trial

- All plans include a **7-day free trial**
- No charge during the trial period
- You may cancel anytime during the trial at no cost
- After 7 days, your selected plan is automatically billed monthly
- You will receive a reminder email 24 hours before the trial ends

### 2.4 Billing and Payments

- Payments processed securely via Stripe
- Monthly billing cycle starts on the date of subscription
- Accepted methods: credit card, debit card (Visa, Mastercard, Amex)
- Invoices available in your account settings
- Prices may change with 30 days notice via email

### 2.5 Cancellation

- Cancel anytime from your account settings or by emailing support@callmemaybe.app
- Cancellation takes effect at the end of the current billing period
- No partial refunds for unused days in the current period
- Your data is retained for 30 days after cancellation, then deleted
- You can reactivate your account within 30 days without losing data

### 2.6 Refund Policy

- **During free trial:** No charge, cancel anytime
- **First 14 days after first payment:** Full refund on request (French consumer law, Art. L221-18 Code de la Consommation)
- **After 14 days:** No refund, but you can cancel for the next period
- Refund requests: email support@callmemaybe.app with subject "REFUND"

### 2.7 User Responsibilities

By using Call Me Maybe, you agree to:
- Provide accurate personal information
- Be at least 16 years of age
- Not use the service for any purpose other than personal health coaching
- Not share your account with others (except Duo plan partners)
- Not attempt to reverse-engineer, copy, or modify the AI coaching system
- Not record or redistribute call content

### 2.8 Service Availability

- We aim for 99.5% uptime for scheduled calls
- Calls may occasionally fail due to network issues — the AI will attempt a callback
- If a call cannot be completed, it does not break your streak (grace period of 2 hours)
- Planned maintenance will be announced 48 hours in advance
- We are not liable for missed calls due to user-side issues (phone off, no signal, declined call)

### 2.9 Limitation of Liability

- Call Me Maybe is a coaching tool, not a medical service
- We are not responsible for health outcomes, weight loss results, or dietary decisions
- We are not liable for indirect, incidental, or consequential damages
- Our total liability is limited to the amount paid in the 12 months preceding the claim
- We recommend consulting a healthcare professional before starting any weight loss program

### 2.10 Intellectual Property

- The CMM brand, AI coaching system, voice persona, and all content are owned by Call Me Maybe SAS
- Users retain ownership of their personal data, food photos, and call content
- We may use anonymized, aggregated data for research and improvement purposes

### 2.11 Governing Law

These Terms are governed by French law. Any disputes shall be submitted to the competent courts of Paris, France.

### 2.12 Modifications

We reserve the right to modify these Terms with 30 days notice via email. Continued use after the notice period constitutes acceptance. If you disagree, you may cancel your subscription.

---

## 3. Cookie Policy / Politique de Cookies

### 3.1 Cookies We Use

| Cookie | Type | Purpose | Duration |
|--------|------|---------|----------|
| `session_id` | Strictly necessary | User authentication | Session |
| `csrf_token` | Strictly necessary | Security (CSRF protection) | Session |
| `user_preferences` | Functional | Remember call time, language | 1 year |
| `ph_session` | Analytics (PostHog) | Anonymous usage analytics | 1 year |
| `stripe_mid` | Strictly necessary | Payment processing | Session |

### 3.2 No Advertising Cookies

We do **not** use advertising cookies, tracking pixels, or third-party marketing cookies. We do not participate in ad networks or sell data to advertisers.

### 3.3 Cookie Consent

- Strictly necessary cookies do not require consent
- Analytics cookies (PostHog) require consent — we ask on first visit
- You can modify your cookie preferences at any time via the cookie banner or by contacting us

### 3.4 How to Manage Cookies

You can delete or block cookies through your browser settings:
- Chrome: Settings > Privacy and Security > Cookies
- Safari: Preferences > Privacy > Cookies
- Firefox: Options > Privacy & Security > Cookies

Note: Blocking strictly necessary cookies may prevent the service from functioning properly.

---

## 4. Legal Notice / Mentions Légales

**Company:** Call Me Maybe SAS (in formation)
**Registered office:** Paris, France
**RCS:** (pending registration)
**SIRET:** (pending)
**TVA intracommunautaire:** (pending)
**Capital social:** (TBD)

**Directors:**
- Aaron Besnainou — Co-founder
- Ata — Co-founder

**Contact:**
- Email: aaronbes2@gmail.com
- Phone: +33 6 65 39 58 00
- WhatsApp: wa.me/33665395800

**Hosting:**
- Provider: OVHcloud
- Address: 2 rue Kellermann, 59100 Roubaix, France
- Website: ovhcloud.com
- RGPD-compliant, ISO 27001 certified

**CNIL Declaration:** (pending — register before processing health data)

---

## 5. Pre-Launch Compliance Checklist

### Before Collecting Any Data
- [ ] Register with CNIL (mandatory for health data processing)
- [ ] Appoint official DPO (can be internal for small company)
- [ ] Create Data Protection Impact Assessment (DPIA) — required for health data
- [ ] Sign Data Processing Agreements (DPAs) with all sub-processors (VAPI.ai, Stripe, Brevo, OVHcloud, PostHog, Supabase)
- [ ] Implement cookie consent banner on all web properties
- [ ] Add privacy policy link to app onboarding flow
- [ ] Set up data export mechanism (portability)
- [ ] Set up data deletion mechanism (right to erasure)
- [ ] Implement consent collection for health data (explicit, informed, specific)
- [ ] Set up breach notification process (72-hour CNIL notification)

### Before Processing Voice Data
- [ ] Add "this call may be recorded" notification at start of each call
- [ ] Implement opt-out mechanism for call recording
- [ ] Configure 90-day auto-deletion for voice recordings
- [ ] Ensure VAPI.ai DPA covers EU data protection requirements
- [ ] Verify Standard Contractual Clauses with VAPI.ai for US transfer

### Before Going Live
- [ ] Publish privacy policy on website
- [ ] Publish terms of service on website
- [ ] Publish cookie policy + consent banner
- [ ] Publish mentions légales
- [ ] Review all documents with a French data protection lawyer
- [ ] Test all data rights mechanisms (access, export, delete)
- [ ] Verify data retention auto-deletion is working
- [ ] Conduct internal security audit

---

## IMPORTANT DISCLAIMER

These documents are **templates** created for planning purposes. They must be reviewed and validated by a qualified French data protection lawyer before being published or used. Health data processing under RGPD has strict requirements, and non-compliance can result in fines up to €20M or 4% of annual global revenue.

**Recommended legal partners for French health tech startups:**
- DLA Piper (Paris office — health tech practice)
- August Debouzy (tech & data practice)
- Haas Avocats (RGPD specialists)
- CNIL helpdesk for startups (free initial guidance)