Privacy Policy

🌐 English translation for convenience. The French version is the legally binding one.

⚠️ Document under legal review. This content is a working draft written by the Weloom team and is not enforceable until validated by legal counsel.

Last updated: June 2026

1. Controller identification

The controller of your personal data when using the Weloom.ai platform is:

  • Company: Weloom
  • Address: [To be completed]
  • GDPR / DPO contact: dpo@weloom.ai

For data processed by Weloom on behalf of a customer company (invited employees, onboarding journeys, etc.), Weloom acts as a processor within the meaning of the GDPR. The controller is then the customer company. The terms are governed by the Data Processing Agreement (DPA).

2. Data collected

2.1 Identification data

  • First name, last name, professional email
  • Role (HR Admin, manager, buddy, employee)
  • Profile picture (optional, SSO)
  • Language preference
  • Hire and end-of-contract dates (for new hires)

2.2 Onboarding journey data

  • Progress (completed modules)
  • Quiz scores
  • Composite score (progress, assessments, AI engagement)
  • 360° feedback (questionnaire responses)
  • Badges earned, gamification points
  • Offboarding status and validated items

2.3 AI conversation data

  • Messages exchanged with the AI Companion assistant
  • These messages are stored encrypted (AES-256-GCM with a per-company derived key, see Security)
  • Anonymization after account deletion is guaranteed (see § 6)

2.4 Technical data

  • IP address (extracted from x-forwarded-for, kept in the audit log)
  • User-Agent (browser, truncated to 255 characters)
  • Date and time of sensitive actions (account creation, alert resolved, etc.)

2.5 Billing data (HR customer only)

  • Stripe Customer ID
  • Subscription status, subscribed plan
  • No card data is stored at Weloom (PCI-DSS out of scope — Stripe Elements iframe).

3. Purposes and legal bases

| Purpose | Legal basis | |---|---| | Providing the onboarding service (account, journey, chat) | Performance of the contract (Art. 6.1.b) | | AI personalization via persona and knowledge base | Legitimate interest (Art. 6.1.f) — experience improvement | | Alert detection (delay, quiz failure, inactivity) | Legitimate interest of the controller (employer) | | Audit log of sensitive actions | Legal obligation + legitimate interest (security, evidence) | | Billing and fraud prevention | Performance of the contract + legal obligation | | Anonymized statistics for product improvement | Legitimate interest | | Transactional emails (invitation, manager alert, D-3 trial reminder) | Performance of the contract |

4. Recipients

Your data is accessible to:

  • Yourself and other users of your company according to their role (RM-07 tenant isolation).
  • The authorized Weloom team (technical support, operations), strictly on a justified-need basis.
  • Our technical subprocessors listed on the Subprocessors page, with whom we have signed a DPA.
  • Authorities upon judicial request.

No data is sold or used for advertising purposes.

5. Hosting and location

All data is hosted in the European Union:

  • Database and storage: Supabase (PostgreSQL + pgvector + buckets), EU Frankfurt region.
  • Web application: Vercel, EU West region.
  • Transactional emails: Resend (US transit, does not store the body of emails beyond the delivery log).

Some AI processing (journey generation, RAG embeddings, illustrations) involves a transfer outside the EU to our partners Anthropic and OpenAI (United States) on the basis of Standard Contractual Clauses (SCC) and additional technical measures (TLS 1.3 encryption in transit, no transfer of personally identifying data in the prompts).

6. Retention period

| Data | Period | |---|---| | Data of an active employee | Duration of the contract with the customer company | | Data of an employee who has left the company | 3 years after end of contract (RM-08), then automatic deletion | | Audit log of sensitive actions | 5 years (accounting and evidence obligations) | | Billing | 10 years (French accounting obligation) | | Data of an explicitly deleted account (GDPR Art. 17) | Immediate anonymization (see § 7.3); no restoration possible | | Aggregated anonymized statistics | Indefinitely (no identifying PII) |

7. Your rights

In accordance with Articles 15 to 22 of the GDPR, you have the following rights:

7.1 Right of access and portability (Art. 15 and Art. 20)

You can request a copy of your data in a structured format (JSON) from your HR Admin, who has a one-click export in their interface.

7.2 Right to rectification (Art. 16)

You can request the rectification of your data via your HR Admin or by email to dpo@weloom.ai.

7.3 Right to erasure (Art. 17)

You can request the deletion of your account. This request is handled by your HR Admin via their one-click interface. Deletion entails:

  • The immediate anonymization of your profile (email, first name, last name replaced by neutral values).
  • The impossibility of signing in to the account.
  • The anonymized retention of neighboring data needed for statistics (history of completed modules, aggregated scores, encrypted chat messages).
  • The preservation of the audit log in anonymous form (reference to your internal ID without attached PII).

7.4 Other rights

  • Restriction of processing (Art. 18)
  • Objection (Art. 21)
  • Automated decision-making (Art. 22) — the platform does not make automated decisions producing legal effects. The alerts generated by the engine are human decision support, never an automatic denial of rights.

7.5 Remedies

In the event of difficulty, you can lodge a complaint with the CNIL or the supervisory authority of your country of residence.

8. Cookies and trackers

Weloom uses a minimal number of cookies strictly necessary for the operation of the service:

  • Session cookie (next-auth.session-token, httpOnly): authentication, 30-day duration.
  • Theme preference (theme): light / dark / system.

No advertising cookie or third-party tracker for profiling purposes is placed without explicit consent. The platform does not use Google Analytics or equivalent to date.

9. Security

The technical measures in place are detailed on the Security page. In summary:

  • Per-company data isolation via PostgreSQL Row Level Security.
  • Application-level encryption of conversations (AES-256-GCM, per-tenant derived key).
  • Native AES-256 encryption at rest by the host.
  • Mandatory TLS 1.3.
  • Immutable audit log.
  • Rate limiting.

10. Changes to this policy

This policy may be amended to reflect legal or technical developments. Material changes are notified by email to the tenant's HR Admin users.

11. Contact

For any request regarding your personal data: dpo@weloom.ai.