Aller au contenu principalSkip to main content
🇫🇷Lire en français
Legal

Privacy Policy

Last updated 2026-05-17

Data Controller

BEPITE SAS (“HelloFrench”), 14 Rue Ernest Psichari, 75007 Paris, France, is the controller of your personal data.

For questions about data protection, contact boutique@hellofrench.com.

This policy has been prepared in accordance with Regulation (EU) 2016/679 (the GDPR) and the amended French Data Protection Act of January 6, 1978.

Data We Collect

Account data: first name, last name, email address, hashed password, language, country (optional), and Google ID if you sign in with Google.

Payment data: cardholder name, billing address, card fingerprint and last four digits, and transaction history. Full card numbers never pass through our servers and are stored exclusively by Stripe.

Usage data: course progress, exercise answers, saved vocabulary, journal entries, and assessed level.

Voice data: audio recordings and transcripts when you use pronunciation exercises or speak with Jean.

Technical data: IP address, device type, browser, pages viewed, UTM parameters, error logs, and a device identifier used to prevent free-trial fraud.

Data required to perform the contract, including your email address, identity, and payment information, is mandatory. Other data is optional.

Purposes and Legal Bases

Performance of a contract (Article 6(1)(b) GDPR): account management, course access, progress tracking, payments, invoices, transactional emails, and support.

Legitimate interests (Article 6(1)(f)): improving the Services, audience measurement, fraud prevention, and security.

Consent (Article 6(1)(a)): nonessential cookies, newsletters, and voice recording and processing. You may withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.

Legal obligations (Article 6(1)(c)): retaining invoices for 10 years as required by the French Commercial Code and responding to requests from public authorities.

AI and Voice Processing

When you use Jean, the voice assistant, or a pronunciation exercise, your voice is sent to AI service providers for transcription and response generation: OpenAI (Whisper, GPT-4o Transcribe, and Realtime), Anthropic (Claude), ElevenLabs (voice synthesis), and Mistral (Voxtral). Written feedback is also generated by Anthropic Claude.

Raw audio recordings are not retained after processing. Transcripts are stored with your account.

Our agreements with these service providers prohibit them from using your data to train their models.

None of this processing produces a decision with legal or similarly significant effects about you within the meaning of Article 22 GDPR. You may stop using voice and AI features at any time.

Retention Periods

- Account data: for the life of the account, then for 3 years after the last login. - Invoices and accounting data: 10 years (Article L123-22 of the French Commercial Code). - Voice recordings: temporarily retained for processing and delivery through your account, then deleted no later than when your account is deleted. - Transcripts and conversations with Jean: for the life of the account. - Technical logs: 30 to 90 days. - Audience-measurement cookies: up to 13 months, in line with CNIL recommendations. - Newsletter data: until you withdraw your consent or 3 years after our last contact.

- Antifraud identifier after account deletion: after your account is deleted, we retain a limited technical identifier derived from your email address solely to prevent fraud and abuse of free trials. The legal basis is our legitimate interest under Article 6(1)(f) GDPR. We retain this identifier only for as long as necessary for that purpose.

After these periods, the data is deleted or irreversibly anonymized.

Cookies

We use strictly necessary cookies for sessions, authentication, and the shopping cart. With your consent, we also use cookies for audience measurement (Google Analytics 4, with anonymized IP addresses), advertising (Google Ads), and behavioral analytics (Microsoft Clarity heatmaps and session recordings).

On your first visit, a banner allows you to accept or reject nonessential cookies. You can change this choice at any time through your browser settings.

Recipients and Service Providers

Your data is available to authorized BEPITE SAS personnel and to the following service providers. Each provider is bound by an agreement that complies with Article 28 GDPR:

- Stripe (payments) - https://stripe.com/privacy - Supabase (database and authentication) - https://supabase.com/privacy - Vercel (hosting) - https://vercel.com/legal/privacy-policy - Cloudflare (CDN and Turnstile bot protection) - https://www.cloudflare.com/privacypolicy/ - Brevo (email and newsletters) - https://www.brevo.com/legal/privacypolicy/ - Zoho (invoicing) - https://www.zoho.com/privacy.html - OpenAI, Anthropic, ElevenLabs, and Mistral (voice and educational AI features) - Google (OAuth, Analytics 4, and Ads) - https://policies.google.com/privacy - Microsoft Clarity (behavioral analytics) - https://privacy.microsoft.com/privacystatement - Sentry (technical error monitoring) - https://sentry.io/privacy/

We do not sell your data or share it with commercial partners for marketing purposes.

Transfers Outside the European Union

Some service providers are located outside the European Union, primarily in the United States. These transfers are protected by the safeguards set out in Chapter V of the GDPR: the EU-U.S. Data Privacy Framework (adequacy decision 2023/1795) when the provider is certified, or otherwise the Standard Contractual Clauses (decision 2021/914).

You may request a copy of these safeguards by emailing boutique@hellofrench.com.

Security

We use appropriate technical and organizational safeguards, including encryption in transit (TLS), hashed passwords, PostgreSQL Row-Level Security, regular backups, access restricted to authorized personnel, and data processing agreements (DPAs).

If a data breach is likely to create a risk to your rights and freedoms, we will notify the CNIL within 72 hours under Article 33 GDPR and, where required, notify you directly under Article 34.

Your Rights

Under the GDPR, you have the following rights: access (Article 15), correction (Article 16), deletion (Article 17), restriction of processing (Article 18), data portability (Article 20), objection (Article 21), withdrawal of consent at any time (Article 7), and the right to provide instructions regarding your data after death under Article 85 of the French Data Protection Act.

To exercise these rights, email boutique@hellofrench.com. We will respond within one month as required by Article 12(3) GDPR. You can also manage your email address, password, newsletter subscription, and account deletion directly from your profile.

When you delete your account from your profile, we delete your account, progress, conversations, and voice recordings, and unsubscribe you from all mailing lists. We retain only the invoices that we are legally required to keep (see “Retention Periods”) and the antifraud identifier described above. Account deletion is permanent and irreversible. If you have an active paid subscription, you may choose either to stop renewal only or to delete your account immediately and give up the remaining access without a refund.

If you believe your rights have not been respected, you may file a complaint with the CNIL: 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France, https://www.cnil.fr.

Contact

BEPITE SAS, 14 Rue Ernest Psichari, 75007 Paris, France. Email: boutique@hellofrench.com.

Effective date: January 26, 2023. Last updated: May 17, 2026.