Privacy Policy

Last updated: March 27, 2026

This Privacy Policy describes how Disket France SAS ("we", "us", "our") collects, uses, and protects your personal data when you use the voila application and website (collectively, the "Service").

We are committed to protecting your privacy in accordance with the General Data Protection Regulation (GDPR), the French Data Protection Act (Loi Informatique et Libertés), and all applicable data protection laws.

1. Data Controller

The data controller responsible for your personal data is:

Disket France SAS
67 rue d'Aboukir
75002 Paris, France
Email: js@disket.app

2. Data We Collect

We collect and process the following categories of personal data:

Data	Purpose	Legal Basis	Retention
Apple ID, name, email	Account creation and authentication	Contract performance	Duration of account + 5 years archived
Message content and metadata	Core messaging aggregation service	Contract performance	Duration of service use
Message content sent to AI	AI-powered reply suggestions and rewriting	Contract performance	Not stored after processing
OAuth tokens (WhatsApp, Instagram)	Connecting your messaging accounts	Contract performance	Until connector is disconnected
Device token	Push notifications	Consent	Until consent is withdrawn
Usage data, crash logs	Service improvement and debugging	Legitimate interest	2 years
Support communications	Customer support	Legitimate interest	Duration of resolution + 5 years

3. How We Handle Your Messages

Because voila is a messaging aggregator, we want to be transparent about how your messages are handled:

What we access: Message content, sender and recipient information, timestamps, and delivery status from your connected WhatsApp and Instagram accounts via their official Business APIs.
Encryption: All data is encrypted in transit (TLS). Connector credentials (OAuth tokens) are encrypted at rest using AES-256-GCM.
AI processing: When you use AI features (reply suggestions, message rewriting), message content is sent to our third-party AI provider for processing. This data is not stored after processing and is not used to train AI models.
What we do not do: We do not sell your message data, use it for advertising, or share message content with third parties beyond what is strictly necessary to provide the Service.

4. Third-Party Service Providers

We use the following third-party services to operate voila:

Supabase — Authentication and database hosting
Meta (WhatsApp Business API, Instagram Graph API) — Message delivery and retrieval
AI provider — Processing message content for AI features
Apple — Sign In with Apple, push notifications, in-app purchases
Railway — Backend infrastructure hosting
RevenueCat — Subscription management

Each provider processes data only as necessary to deliver its service and under appropriate data protection agreements.

5. International Data Transfers

Some of our service providers are located outside the European Economic Area (EEA). When data is transferred outside the EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission.

6. Your Rights

Under the GDPR and French data protection law, you have the following rights:

Access — Request a copy of your personal data
Rectification — Correct inaccurate or incomplete data
Erasure — Request deletion of your data ("right to be forgotten")
Restriction — Restrict processing of your data
Portability — Receive your data in a structured, machine-readable format
Objection — Object to processing based on legitimate interest
Withdraw consent — Where processing is based on consent, withdraw it at any time
Post-mortem rights — Under French law, you may define directives regarding the fate of your personal data after your death

To exercise any of these rights, contact us at js@disket.app. We will respond within one month. This period may be extended by two additional months for complex requests.

7. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

TLS encryption for all data in transit
AES-256-GCM encryption for stored credentials
JWT-based authentication with secure token verification
Role-based access controls
Regular security reviews

8. Children's Privacy

The Service is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16, we will take steps to delete it promptly.

9. Cookies

Our website uses only essential cookies required for the website to function. We do not use tracking cookies or third-party advertising cookies.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes through the app or by email. The "Last updated" date at the top indicates when this policy was last revised.

11. Supervisory Authority

If you believe that our processing of your personal data violates data protection law, you have the right to lodge a complaint with the French data protection authority:

CNIL (Commission Nationale de l'Informatique et des Libertés)
3 Place de Fontenoy, TSA 80715
75334 Paris Cedex 07, France
Website: www.cnil.fr

12. Contact Us

For any questions about this Privacy Policy or your personal data, contact us at:

Disket France SAS
67 rue d'Aboukir
75002 Paris, France
Email: js@disket.app