Privacy Policy

Introduction

This privacy policy describes how Ask Malo (hereinafter "the Application") collects, uses and protects your personal data, in accordance with the General Data Protection Regulation (GDPR) and the French Data Protection Act (Loi Informatique et Libertés).

Data controller

• Thomas Michaud — Sole proprietor
• Contact: contact form
• Address: Saint-Malo, France

Data collected

Via the mobile application

• Account data: if you create an account via "Sign in with Apple," we receive your anonymized Apple identifier, your name (if you choose to share it) and your email address (real or Apple relay). This data is stored securely on our servers.
• Conversation messages: the questions you ask Malo are sent to our servers to generate a response. They are associated with your account if you are signed in.
• Location data (optional): if you allow access to your location, it is used to contextualize responses (proximity, local tides) and for geolocated notifications (geofencing). Your location is processed locally on your device for geofencing and transmitted occasionally to our servers to contextualize responses. It is not stored permanently nor shared with third parties.
• Push notification token: if you accept notifications, a technical identifier (Expo Push Token) is generated and stored on our servers to send you notifications. This token does not allow us to personally identify you.
• Preferences: chosen language and usage preferences, stored locally on your device.

Via the website (askmalo.fr)

• Contact form: name, email, phone (optional), profile type and message. This data is transmitted by email and is not stored in a database.

Data not collected

Ask Malo does not collect:

• payment data (the application is free)
• advertising or tracking cookies
• data from your contacts, photos or files
• social media identifiers (other than Apple Sign In)
• advertising identifiers (IDFA)

Purposes of processing

• Provide relevant and contextualized responses
• Manage your user account and authentication
• Send relevant push notifications (deals, local alerts)
• Improve the quality of AI responses
• Respond to your inquiries via the contact form
• Ensure the proper technical operation of the Application

Legal basis

• Legitimate interest: service improvement and answering questions
• Consent: for geolocation and push notifications (system permissions)
• Contractual performance: provision of the tourist assistance service

Data retention period

• Account data: retained as long as your account is active. Deleted within 30 days of an account deletion request.
• Conversations: exchanges are retained for a maximum of 12 months for improvement purposes, then anonymized or deleted.
• Notification tokens: retained as long as your account is active, deleted upon unsubscription or account deletion.
• Contact form: data is retained for the time necessary to process your request, then deleted within 6 months.
• Local data: preferences are stored on your device and deleted upon uninstallation.

Data sharing

Your data may be processed by the following sub-processors:

• Anthropic (United States): AI model provider. Questions are transmitted to generate responses. No personally identifiable data is transmitted.
• Apple (United States): authentication via "Sign in with Apple" and push notification service (APNs).
• Expo / EAS (United States): push notification infrastructure and application updates.
• DeepL (Germany): automatic content translation. No personal data is transmitted.
• Server host: dedicated server in France (API and database)
• Vercel (United States): website hosting
• Resend (United States): sending emails from the contact form

No data is sold, rented or shared with third parties for commercial or advertising purposes.

Background location

If you allow it, Ask Malo may access your location in the background to send you contextual notifications when you are near points of interest (geofencing). This processing is performed locally on your device. You can revoke this permission at any time in your device settings.

Account deletion

You can delete your account directly from the application, in your profile settings. Deletion results in the permanent erasure of your personal data (identifier, email, conversation history, notification token) within 30 days.

Transfers outside the EU

Some sub-processors (Anthropic, Apple, Expo, Vercel, Resend) may process data in the United States. These transfers are governed by the European Commission's standard contractual clauses and/or the EU-US Data Privacy Framework. DeepL processes data in Germany (EU).

Your rights

Under the GDPR, you have the following rights regarding your personal data:

• Right of access: obtain a copy of your data
• Right of rectification: correct inaccurate data
• Right to erasure: request the deletion of your data
• Right to data portability: receive your data in a structured format
• Right to object: object to the processing of your data
• Right to restriction: restrict the processing

To exercise these rights, contact us via the contact form.

You may also file a complaint with the CNIL (French National Commission on Information Technology and Civil Liberties).

Security

We implement appropriate technical and organizational measures to protect your data: encrypted communications (HTTPS/TLS), restricted data access, regular security updates.

Children

Ask Malo does not knowingly collect personal data from children under 16 years of age. If you are a parent and believe your child has provided us with personal data, contact us via the contact form.

Changes

This policy may be updated. In the event of a substantial change, we will notify you via the Application or the website. The date of the last update is indicated at the top of this page.