Privacy Policy | CoreProse

1. Definitions

Data controller: CoreProse, represented by Olivier Delafosse, sole proprietor, Chelles, France.

Personal data: any information relating to an identified or identifiable natural person.

Processing: any operation performed on personal data (collection, storage, use, deletion).

Sub-processor: a third party that processes data on our behalf.

2. Data Collected

Account data

Name, email address, encrypted password (bcrypt), language preferences, subscription plan.

AI-related data

Chat questions and conversations, generated articles, vector embeddings of your queries, memory episodes (preferences, context), entities extracted for the Knowledge Graph, feedback (thumbs up/down).

Usage data

Activated niches, configured agents, imported documents, activity logs, connected integrations.

Technical data

IP address (demo rate limiting), browser type, session data, pages visited.

Payment data

Processed exclusively by Stripe. We never store your credit card numbers.

3. How your data is used by AI

Your questions and conversations are sent to third-party AI providers (see Sub-processors section) to generate responses. We do not use your data to train our own AI models. Your generated content belongs to you.

CoreProse never sells, shares or uses your data to train artificial intelligence models.

The third-party AI providers (OpenAI) we use have their own retention policies. Data sent via API is not used for training their models (Zero Data Retention for API calls).

4. Legal basis for processing (Art. 6 GDPR)

Contract performance: providing the services you subscribed to (article generation, AI chat, KB).

Legitimate interest: improving our services, fraud prevention, platform security.

Consent: analytics cookies, marketing communications (withdrawable at any time).

Legal obligation: retention of billing data (10 years, French law).

5. Data sharing and sub-processors

We never sell your personal data.

We share your data only with carefully selected sub-processors, all bound by contractual data protection obligations. Our sub-processors fall into the following categories:

AI processing provider (USA) — Processes chat queries, article generation and content classification. Configured with Zero Data Retention (your data is not used for model training).

Payment processing provider (USA/EU) — Handles payment transactions securely. PCI-DSS Level 1 certified.

Search and indexing provider (EU, hosted in France) — Powers Knowledge Base search and content indexing.

Database provider (EU) — Stores application data (accounts, conversations, articles).

Content extraction provider (Germany) — Extracts web content for Knowledge Base enrichment.

Web search provider (USA) — Provides web search results for trends and content enrichment.

Email delivery provider (USA) — Sends transactional emails (verification, notifications).

A complete list of sub-processors with their identities is available upon request by contacting our DPO.

6. International data transfers

Some of our sub-processors are located in the United States. These transfers are safeguarded by:

The EU-US Data Privacy Framework (DPF) for certified sub-processors.

Standard Contractual Clauses (SCCs) approved by the European Commission.

Additional technical measures (encryption in transit and at rest).

7. Data retention periods

We retain your data for the following periods:

Data type	Duration
Account data	Duration of account + 30 days after deletion
Chat conversations	180 days (6 months)
Memory episodes (Brain Mode)	90 days
Demo data (IP, usage)	7 days
Response cache	24 hours
Billing data	10 years (French legal requirement)
Generated articles	Duration of account
Technical logs	30 days

8. Your rights (GDPR)

Under the GDPR, you have the following rights:

Right of access

Obtain a copy of all your personal data.

Right to rectification

Correct inaccurate or incomplete data.

Right to erasure

Delete your account and all your data (irreversible).

Right to data portability

Export your data in a structured format (JSON).

Right to object

Object to the processing of your data on legitimate grounds.

Right to restriction

Request suspension of processing of your data.

Withdraw consent

Withdraw your consent at any time (cookies, marketing).

You may also lodge a complaint with the CNIL (French Data Protection Authority): www.cnil.fr

To exercise your rights, contact us at [email protected]. We respond within 30 days.

9. Cookie policy

We use the following categories of cookies:

Essential

Authentication, session, security (CSRF). Cannot be disabled.

Functional

Language preferences, dark theme, sidebar state.

Analytics

Anonymized audience measurement to improve our services. Subject to your consent.

We do not use any advertising or third-party tracking cookies.

10. Children

CoreProse is not intended for persons under the age of 16. We do not knowingly collect data from minors. If you are a parent and believe your child has provided us with data, contact us for immediate deletion.

11. California-specific rights (CCPA)

If you reside in California, you have additional rights:

Right to know what data we collect and why.

Right to request deletion of your data.

Right to opt out of the sale of your data (we do not sell any data).

Right to non-discrimination for exercising your rights.

12. Security

HTTPS encryption (TLS 1.3) for all communications.

Passwords hashed with bcrypt (cost factor 12).

Encryption at rest for sensitive data.

JWT authentication with short expiration.

Data access restricted by strict multi-tenant isolation.

Access monitoring and logging.

13. Changes to this policy

We may update this policy. In case of material changes, we will notify you by email at least 30 days before they take effect. The last updated date is shown at the top of this page.

14. Contact

For any questions or to exercise your rights:

Data controller
Olivier Delafosse, sole proprietor
Trade name: CoreProse
Chelles, France
Email: contact{'@'}coreprose.com