Name: Cobalt
Author: Cobalt

1. Data Controller and Contact

Data Controller:

SKILLFORGE APP
Coignières (78310)
France

Contact for questions regarding personal data: Gregory Hissiger, President & CEO Email: privacy@cobalt-ia.com

2. Personal Data Collected

2.1 Data You Provide Directly

Category	Data Collected	Purpose
Identification Data	Name, first name, email address, phone number	Account creation and management
Professional Data	Company name, position, industry sector	Service personalization
Billing Data	Billing address, payment information (processed by Stripe)	Subscription and billing management
User Content	Imported candidate/prospect data, notes, generated documents	Service provision

2.2 Automatically Collected Data

Category	Data Collected	Purpose
Technical Data	IP address, browser type, operating system, device identifiers	Security and Service operation
Usage Data	Pages viewed, features used, timestamps, session duration	Service improvement and analytics
Cookies	See section 8 below	Operation and analysis

2.3 Data Obtained from Third Parties

In the context of our data enrichment features, we may obtain public professional information (professional emails, phone numbers) via our partners FullEnrich and Clado. This data is collected from publicly accessible sources.

3. Legal Bases and Processing Purposes

Purpose	Legal Basis (Art. 6 GDPR)
Service execution (account management, features)	Contract performance
Billing and subscription management	Contract performance
Customer support	Contract performance
Service improvement and optimization	Legitimate interest
Analytics and usage statistics	Legitimate interest
Marketing communications (newsletters, updates)	Consent
Legal and tax compliance	Legal obligation
Security and fraud prevention	Legitimate interest

4. Data Processing on Behalf of Our Clients (Processing)

When you use Cobalt to manage candidate or prospect data, you are the data controller of this data and Cobalt acts as a processor within the meaning of Article 28 of the GDPR.

As such, we undertake to:

Process data only on your documented instructions
Ensure the confidentiality of processed data
Implement appropriate security measures
Assist you in complying with your GDPR obligations
Delete or return data at the end of the contract
Make available the information necessary to demonstrate compliance with our obligations

A Data Processing Agreement (DPA) is available upon request for clients who wish it. Contact us at privacy@cobalt-ia.com.

5. Recipients and Processors

We share your data only with the following categories of recipients, in strict compliance with our confidentiality obligations:

5.1 Our Technical Processors

Processor	Purpose	Data Location
Scaleway	Database hosting	Paris, France (EU)
Vercel	Server and CDN hosting	Paris, France (EU)
Stripe	Payment processing	EU / US (DPF certified)
Mistral AI	Artificial intelligence features	France (EU)
Resend	Transactional email sending	United States (SCCs + DPF certified)
PostHog	Product analytics	Frankfurt, Germany (EU)
Dash0	Monitoring and observability	AWS EU (eu-west-1)
FullEnrich	Data enrichment	United States (SCCs)
Clado	Data enrichment	United States (SCCs)
Gladia	Audio transcription	France (EU)
MeetingBaas	Recording and meeting bots	France (EU)
ZeroEntropy	Indexing and vector search	United States (SCCs)

5.2 Other Recipients

Competent authorities : in case of legal obligation
Professional advisors : lawyers, accountants (under confidentiality obligation)

We never sell your personal data to third parties.

6. Data Transfers Outside the European Union

Our main data is hosted in France and the European Union (Scaleway, Vercel, Mistral AI, PostHog EU, Dash0 EU).

Some of our processors are based in the United States. For these transfers, we rely on:

The Data Privacy Framework (DPF) : Resend and Stripe are certified under the EU-US Data Privacy Framework, recognized by the European Commission as providing an adequate level of protection
Standard Contractual Clauses (SCCs) : For FullEnrich and Clado, we use the standard contractual clauses approved by the European Commission (Decision 2021/914)

These mechanisms ensure that your data benefits from a level of protection equivalent to that offered by the GDPR.

7. Retention Periods

Data Type	Retention Period
Active account data	For the entire duration of your subscription
Data after account deletion	30 days (recovery period), then permanent deletion
Billing data	10 years (French legal obligation)
Candidate/prospect data	Deleted upon your request or upon account deletion
Technical and security logs	12 months
Analytics data (anonymized)	24 months
Cookies	See section 8

At the end of these periods, data is deleted or irreversibly anonymized.

8. Cookies and Similar Technologies

8.1 Types of Cookies Used

Type	Purpose	Duration	Legal Basis
Strictly necessary cookies	Authentication, security, operation	Session	Legitimate interest
Performance cookies	Analytics (PostHog)	12 months	Consent
Functional cookies	User preferences	12 months	Consent

8.2 Managing Your Preferences

You can manage your cookie preferences at any time via the consent banner on our site or in your browser settings.

9. Your Rights

In accordance with the GDPR, you have the following rights regarding your personal data:

How to Exercise Your Rights

Right	Description
Access	Obtain a copy of your personal data
Rectification	Correct inaccurate or incomplete data
Erasure	Request deletion of your data
Restriction	Temporarily restrict processing
Portability	Receive your data in a structured format
Objection	Object to processing based on legitimate interest
Withdrawal of consent	Withdraw your consent at any time

Complaint to the Supervisory Authority

By email : privacy@cobalt-ia.com
In the application : Settings > Privacy > Export/Delete my data

We will respond to your request within one month of receipt. This period may be extended by two months in case of a complex request, in which case we will inform you.

If you believe that the processing of your data constitutes a violation of the GDPR, you have the right to lodge a complaint with the CNIL: Commission Nationale de l'Informatique et des Libertés (CNIL) 3 Place de Fontenoy, TSA 80715 75334 Paris Cedex 07 www.cnil.fr

10. Data Security

We implement appropriate technical and organizational measures to protect your data:

Encryption : Data encrypted in transit (TLS 1.3) and at rest
Access control : Strong authentication, principle of least privilege
Secure infrastructure : ISO 27001 certified hosting (Scaleway)
Monitoring : Continuous monitoring and anomaly detection
Backups : Regular backups with restoration testing
Training : Awareness of our team on data protection

In case of a data breach likely to pose a risk to your rights and freedoms, we will inform you as soon as possible in accordance with our legal obligations.

11. Use of Artificial Intelligence

Cobalt uses artificial intelligence technologies (Mistral AI) for certain features:

Candidate search and matching
Document generation
Meeting transcription and analysis

Important : - No fully automated decision is made without human intervention - Data processed by AI is not used to train third-party models - You retain control over the use of these features

12. Modifications to This Policy

We may update this policy to reflect legal, technical or organizational changes.

In case of substantial modification:

We will inform you by email or via a notification in the application
The new version will be published on this page with its update date

Your continued use of the Service after modification constitutes acceptance of the updated policy.

13. Contact

For any questions regarding this privacy policy or the processing of your data:

Email : privacy@cobalt-ia.com
Address : SKILLFORGE APP, Coignières (78310), France

We strive to respond to all requests within 5 business days.

This privacy policy is written in French. In case of translation, the French version prevails.

Privacy Policy