Privacy Policy
Protection of your personal data — in accordance with the General Data Protection Regulation (GDPR, EU 2016/679).
1. Data controller
Name: ZEPRAUG & CO
Legal form: SASU with €1,000 share capital, RCS Paris 103 751 970
Registered office: 173 rue de Courcelles, 75017 Paris, France
Legal representative: Louis Langevin (President)
For any request related to your personal data, contact: contact@zepraug.com
2. Data collected
Identity and account data:
Full name, email address, password (encrypted).
Fitness profile data:
Sport goal, practice level, practice constraints (availability, equipment, preferences), weight, height, waist and hip measurements. These data are entered voluntarily by the user.
Conversations:
The full history of your exchanges with the AI assistant is saved so you can revisit your previous conversations.
Payment data:
Bank details are managed exclusively by Stripe. Zepraug stores no card number. Only a Stripe customer identifier is kept.
Connection data:
IP address, session data (via Supabase Auth).
3. Legal bases for processing (article 6 GDPR)
Performance of contract (Art. 6.1.b): delivery of the AI coaching service, account and subscription management.
Legitimate interest (Art. 6.1.f): service improvement, security, fraud prevention.
Consent (Art. 6.1.a): processing of fitness profile data (goal, level, practice constraints) for personalization of advice.
4. Subprocessors and recipients
| Subprocessor | Purpose | Location |
|---|---|---|
| Supabase | Authentication, database | USA (AWS) |
| Google (Gemini API) | AI response generation | USA |
| Stripe | Secure payment | USA |
| Resend | Email delivery | USA |
| Vercel | Front-end hosting | USA |
| RevenueCat | iOS / Android subscription management (In-App Purchase) | USA |
| Apple App Store | iOS in-app purchase processing (subscription billing) | USA |
| Google Play Billing | Android in-app purchase processing (subscription billing) | USA |
| Expo Push Service | Push notifications relay to APNs (iOS) and FCM (Android) | USA |
| AssemblyAI | Voice transcription (dictation) | USA |
Your data is never sold or shared for commercial purposes with third parties.
4-bis. Marketing consent and push notifications
The toggle « Coach communications » in your in-app Profile is the unique opt-in for both marketing emails and push notifications sent by the human coach. It is opt-in only (off by default) and timestamped at activation.
You can disable it at any time. Toggling it off stops all coach push and marketing emails immediately. Transactional notifications (rest day reminder, streak warning) are not gated by this consent and continue to work as long as push notifications are allowed at the OS level.
Push tokens (Expo Push Token) are stored per device in our database and removed when the device unregisters or when our system detects an invalid token (DeviceNotRegistered).
4-ter. Human coach data access (90-day TTL)
Premium + Coach subscribers explicitly grant the human coach access to their fitness data (programs, workout logs, body measurements, conversations) so that personalized advice can be provided. Per GDPR data minimization, this access automatically expires 90 days after activation. You can extend it by 90 days or revoke it at any time from your Profile.
Every access by the coach to your data is logged in an audit trail (action, timestamp) viewable on request via contact@zepraug.com.
5. International transfers
Some of our subprocessors are located in the United States. These transfers are governed by:
- ▸The EU-US Data Privacy Framework (DPF) for certified companies (Google, Stripe)
- ▸Standard Contractual Clauses (SCCs) of the European Commission
6. Retention period
Account data: kept for the duration of the subscription, then 3 years after closure (legal limitation).
Chat history: kept for the duration of the subscription. Deleted upon account closure on request.
Payment data: kept by Stripe according to its own retention policy.
Connection logs: 12 months maximum.
7. Your rights (articles 15 to 21 of the GDPR)
You have the following rights:
- ▸Right of access — obtain a copy of your personal data
- ▸Right to rectification — correct inaccurate data
- ▸Right to erasure — request deletion of your data
- ▸Right to portability — receive your data in a structured format
- ▸Right to object — object to the processing of your data
- ▸Right to restriction — restrict the processing of your data
To exercise your rights, contact us at: contact@zepraug.com
Response time: 30 days maximum.
In case of difficulty, you may file a complaint with the French data protection authority (CNIL): www.cnil.fr
8. Data security
Your data is protected by encryption in transit (TLS/SSL) and at rest (AES-256 via Supabase). Access to data is strictly restricted and subject to row-level security rules.
9. Note about health data
Zepraug does not collect health data within the meaning of article 9 of the GDPR. Fitness profile information (sport goal, level, practice constraints, weight, waist measurement, hip measurement) is wellness and physical condition data, not medical data. No diagnosis, BMI calculation or medical recommendation is performed.
On the iOS mobile application, Zepraug may read your weight from Apple Health (HealthKit) with your explicit consent, in order to pre-fill measurement tracking. This data is stored only in your Zepraug profile and is not shared with any third party. You can disable this synchronization at any time from your profile.
Zepraug is intended for healthy individuals. If you have a pathology, we invite you to consult your doctor before using the service.
10. Cookies
Zepraug uses the following cookies:
Strictly necessary cookies (consent-exempt — CNIL):
- ▸Authentication cookies (Supabase Auth)
- ▸Session cookies
Analytics and advertising cookies (Google Tag Manager):
Zepraug uses Google Tag Manager with Consent Mode v2. By default, all analytics and advertising cookies are refused (ad_storage, analytics_storage, ad_user_data, ad_personalization). Tags work in degraded mode (statistical modeling) without setting tracking cookies. A consent management banner (CookieYes) is in place to allow users to accept or refuse these cookies.
Last updated: April 2026 · Terms of Use · Terms of Sale · Legal Notice