Privacy Policy
Last updated: March 3, 2026
Introduction
This privacy policy describes how Haloon (hereinafter "Haloon", "we", "our") collects, uses, stores and protects your personal data when you use the Haloon platform and its associated services (hereinafter "the Service").
We are committed to protecting your privacy in accordance with Regulation (EU) 2016/679 (GDPR) and the French Data Protection Act.
1. Data Controller
The controller of your personal data is:
Haloon
- Legal form: SASU
- Share capital: 100,00 euros
- Registered office: 60 rue François 1er 75008 Paris
- SIREN: 101708717
- RCS: 814 428 785
- Email: contact@haloon.ai
2. Contact for Personal Data
For any questions regarding the protection of your personal data, you can contact us:
- Email: dpo@haloon.ai
- Address: 60 rue François 1er 75008 Paris
3. Personal Data Collected
The Service is reserved for persons aged 18 or over. We do not knowingly collect data from minors.
3.1 Data You Provide
Account Data
| Category | Examples | Purpose |
|---|---|---|
| Identification data | Name, surname, profile photo | Identification, personalization |
| Contact data | Email, phone number | Communication, 2FA authentication, support |
| Login data | Password (hashed), OAuth identifiers | Authentication |
| Demographic data | Date of birth, timezone, country | Age verification, personalization |
Billing Data
| Category | Examples | Purpose |
|---|---|---|
| Billing details | Postal address, city, postal code, country | Billing, tax obligations |
| Payment information | Payment method (via Stripe) | Payment processing |
Data Specific to Professional Users (B2B)
| Category | Examples |
|---|---|
| Organization data | Company name, VAT number, billing address |
3.2 Service Usage Data
| Category | Description |
|---|---|
| User content | Prompts, conversations, uploaded documents and files (PDF, CSV, images, etc.), generated images |
| Preferences and settings | Language, theme, preferred AI model, communication preferences, custom AI instructions, and other personalization settings |
| API data | Access keys, request logs, usage metadata |
3.3 Automatically Collected Data
| Category | Examples | Purpose |
|---|---|---|
| Technical data | IP address, browser type, operating system, screen resolution | Compatibility, security |
| Navigation data | Pages visited, timestamp, session duration | Service improvement |
| Logs and audit | Actions performed, execution time, session identifiers | Security, debugging, legal compliance |
| Derived data | Inferred timezone, approximate location (country/region) | Personalization |
Cookies and Trackers
See section 8 below.
3.4 Sensitive Data
The Service is not designed to process special categories of personal data within the meaning of Article 9 of the GDPR (health data, political opinions, religious beliefs, sexual orientation, etc.).
We recommend that you do not submit such data in your conversations unless strictly necessary for your use. If you do, you acknowledge doing so at your own responsibility.
4. Purposes and Legal Bases of Processing
| Purpose | Legal basis (Art. 6 GDPR) | Data concerned |
|---|---|---|
| Creation and management of your account | Contract performance | Account data |
| Service provision (chat, generation, analysis) | Contract performance | Conversations, documents, images |
| Payment processing | Contract performance | Billing data |
| Two-factor authentication (2FA) | Contract performance, legitimate interest (security) | Phone number |
| Customer support | Contract performance | Account data, conversations |
| Sending transactional emails (confirmation, notifications) | Contract performance | |
| Sending newsletters and marketing communications | Consent | Email, marketing preferences |
| Interface personalization | Contract performance | User preferences, profile photo |
| Service security and fraud prevention | Legitimate interest | Technical data, audit logs |
| Service improvement | Legitimate interest | Anonymized usage data |
| Compliance with legal obligations | Legal obligation | Billing data, logs |
| Statistics and analytics | Legitimate interest | Anonymized technical data |
| Technical monitoring and error detection | Legitimate interest | Technical data |
5. Usage Data and Service Improvement
5.1 Definition
"Usage Data" means technical and statistical information automatically collected during your use of the Service: frequency of use, features used, response times, errors encountered, request volumes.
Usage Data does NOT include the content of your conversations.
5.2 Purposes
We use Usage Data to:
- Ensure the security and stability of the Service
- Monitor and optimize performance
- Improve existing features
- Develop new features
- Perform statistical analyses
5.3 Legal Basis
This processing is based on our legitimate interest (Article 6.1.f GDPR) in improving and securing our services.
5.4 Aggregated and Anonymized Data
We may create aggregated and anonymized data from Usage Data. Once anonymized, this data is no longer personal data and may be used or shared without restriction.
5.5 Right to Object
You may object to the use of your Usage Data for improvement purposes (excluding security and technical operation) by contacting dpo@haloon.ai
5.6 Retention
| Type | Duration |
|---|---|
| Raw usage data | 13 months |
| Aggregated/anonymized data | Without limitation |
6. Data Recipients
6.1 AI Model Providers
To provide the Service, your prompts and uploaded files are transmitted to the following AI model providers:
| Provider | Data transmitted | Location | Safeguards |
|---|---|---|---|
| OpenAI | Prompts, uploaded files | United States | DPA, Data Privacy Framework |
| Anthropic | Prompts, uploaded files | United States | DPA, SCCs |
| Google (Gemini) | Prompts, uploaded files | United States | DPA, Data Privacy Framework |
| Mistral AI | Prompts, uploaded files | France | GDPR applicable |
| OpenRouter | Prompts, uploaded files | Variable by model | DPA |
Important:
- We use "zero data retention" options when available
- These providers are NOT authorized to use your data to train their models
- You can choose which models to use and thus control which providers your data is transmitted to
6.2 Main Subcontractors
The main subcontractors we use are:
| Subcontractor | Service | Data concerned | Location |
|---|---|---|---|
| Clever Cloud | Hosting (servers, database, storage) | All data | France |
| Brevo | Transactional and marketing emails | Email, name, surname | France |
| Stripe | Payment | Billing data, email | United States (Data Privacy Framework) |
| Sentry | Technical monitoring, error detection | Technical data, error logs | United States (Data Privacy Framework) |
| Google Analytics | Analytics | Anonymized navigation data | United States (Data Privacy Framework) |
This list may change. The current version is available on this page.
6.3 Other Recipients
Your data may also be communicated:
- To competent authorities in case of legal obligation or judicial requisition
- To third parties in case of conversation sharing initiated by you
7. Data Transfers Outside the European Union
Some of our subcontractors are located outside the European Union. These transfers are governed by the following safeguards:
7.1 Transfers to the United States
| Mechanism | Description |
|---|---|
| EU-US Data Privacy Framework | Our American subcontractors (Stripe, OpenAI, Google, Sentry) are certified under the Data Privacy Framework, recognized as providing adequate protection by the European Commission (decision of July 10, 2023). |
| Standard Contractual Clauses (SCCs) | We have concluded data processing agreements (DPA) including SCCs adopted by the European Commission. |
7.2 Your Rights Regarding Transfers
You can obtain a copy of the appropriate safeguards by contacting us at dpo@haloon.ai.
8. Cookies and Trackers
8.1 What is a Cookie?
A cookie is a small text file placed on your device when visiting a website. It allows information about your browsing to be stored.
8.2 Cookies Used by Haloon
Strictly Necessary Cookies (exempt from consent)
| Cookie | Purpose | Duration |
|---|---|---|
| Session | Maintaining your connection | Session |
| Authentication | Secure identification | 30 days |
These cookies are essential for the operation of the Service. They cannot be disabled.
Analytics Cookies (subject to consent)
| Cookie | Provider | Purpose | Duration |
|---|---|---|---|
| Google Analytics | Audience measurement, traffic statistics | 13 months |
These cookies allow us to understand how you use the Service in order to improve it. They are only placed with your consent.
Technical/Monitoring Cookies
| Cookie/Tracker | Provider | Purpose | Duration |
|---|---|---|---|
| Sentry | Sentry.io | Detection and correction of technical errors | Session |
These cookies are used to ensure the stability and security of the Service.
8.3 Managing Your Preferences
You can change your cookie preferences at any time:
- Via our consent banner accessible at the bottom of the page
- Via your browser settings
Refusing analytics cookies does not affect your use of the Service.
9. Data Retention
9.1 Retention Periods
| Type of data | Retention period |
|---|---|
| Account data | Duration of contractual relationship + 3 years after account deletion |
| Conversation history | Until deleted by user or account deletion |
| Uploaded documents and images | Until deleted by user or account deletion |
| Generated images | Until deleted by user or account deletion |
| User preferences | Duration of contractual relationship |
| Billing data | 10 years (legal accounting and tax obligation) |
| Audit logs (IP, connections) | 1 year |
| Technical logs | 1 year |
9.2 Data Deletion
Upon deletion of your account:
- Your personal data will be deleted or anonymized within 30 days
- Billing data will be retained in accordance with legal obligations
- Backups will be purged according to our backup cycles (maximum 90 days)
10. Data Security
We implement appropriate technical and organizational measures to protect your personal data:
10.1 Technical Measures
| Measure | Description |
|---|---|
| Encryption in transit | All communications are encrypted via HTTPS/TLS |
| Encryption at rest | Stored data is encrypted |
| Password hashing | Passwords are hashed with secure algorithms (non-reversible) |
| 2FA Authentication | Available to secure your account |
| Secure hosting | Infrastructure hosted at Clever Cloud (France), ISO 27001 certified |
10.2 Organizational Measures
- Data access limited to authorized persons
- Team awareness of data protection
- Security incident management procedures
10.3 Breach Notification
In case of a personal data breach likely to result in a risk to your rights and freedoms, we will inform you as soon as possible, in accordance with Article 34 of the GDPR.
11. Your Rights
In accordance with the GDPR, you have the following rights over your personal data:
| Right | Description |
|---|---|
| Right of access | Obtain confirmation that data concerning you is being processed and receive a copy |
| Right to rectification | Have inaccurate data corrected or incomplete data completed |
| Right to erasure | Request deletion of your data in certain cases |
| Right to restriction | Request restriction of processing of your data in certain cases |
| Right to portability | Receive your data in a structured, machine-readable format (CSV) |
| Right to object | Object to the processing of your data on legitimate grounds |
| Right to withdraw consent | At any time, for processing based on consent (marketing, analytics cookies) |
| Right to define post-mortem directives | Define directives regarding the fate of your data after your death |
11.1 How to Exercise Your Rights
You can exercise your rights:
- By email: dpo@haloon.ai
- By mail: 60 rue François 1er 75008 Paris, to the attention of the personal data manager
We will respond to your request within one month. This period may be extended by two months depending on the complexity or number of requests.
11.2 Identity Verification
To protect your data, we may ask you to verify your identity before acting on your request.
12. Marketing and Communications
12.1 Transactional Emails
We send you emails necessary for the operation of the Service:
- Registration confirmation
- Security notifications (login, password change)
- Invoices and payment confirmations
- Important changes to the Service or terms
These emails are sent on the basis of contract performance and do not require your consent.
12.2 Marketing Emails and Newsletter
We send you communications about product news only if you have consented during registration or subsequently.
You can unsubscribe at any time:
- By clicking on the unsubscribe link in each email
- Via Settings > Notifications in your account
13. Policy Modifications
We may modify this policy at any time. The "last updated" date at the top of the document will be updated with each modification.
In case of substantial modification significantly affecting the processing of your data, we will inform you by email or notification in the application.
Your continued use of the Service after publication of the modifications constitutes acceptance of the modified policy. If you do not accept the modifications, you may delete your account.
14. Complaint to the CNIL
If you believe that the processing of your personal data constitutes a violation of the GDPR, you have the right to lodge a complaint with the CNIL:
Commission Nationale de l'Informatique et des Libertés (CNIL)
- Address: 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07
- Website: https://www.cnil.fr
- Phone: 01 53 73 22 22
We encourage you to contact us first so that we can try to resolve your issue.
This privacy policy is effective as of March 3, 2026.