Privacy Policy
Last updated: March 2026
Cobalt, operated by SKILLFORGE APP, SAS with capital of 1,000 euros, registered with the RCS of Versailles under number 993 554 203, whose registered office is located in Coignières (78310), France (hereinafter "Cobalt", "we", "our" or "us"), is committed to protecting the privacy of users of its platform and website www.cobalt-ia.com (hereinafter the "Service").
This privacy policy describes how we collect, use, store and protect your personal data in accordance with the General Data Protection Regulation (GDPR) and the French Data Protection Act.
1. Data Controller and Contact
Data Controller:
- SKILLFORGE APP
- Coignières (78310)
- France
Contact for questions regarding personal data: Gregory Hissiger, President & CEO Email: privacy@cobalt-ia.com
2. Personal Data Collected
2.1 Data You Provide Directly
| Category | Data Collected | Purpose |
|---|---|---|
| Identification Data | Name, first name, email address, phone number | Account creation and management |
| Professional Data | Company name, position, industry sector | Service personalization |
| Billing Data | Billing address, payment information (processed by Stripe) | Subscription and billing management |
| User Content | Imported candidate/prospect data, notes, generated documents | Service provision |
2.2 Automatically Collected Data
| Category | Data Collected | Purpose |
|---|---|---|
| Technical Data | IP address, browser type, operating system, device identifiers | Security and Service operation |
| Usage Data | Pages viewed, features used, timestamps, session duration | Service improvement and analytics |
| Cookies | See section 8 below | Operation and analysis |
2.3 Data Obtained from Third Parties
In the context of our data enrichment features, we may obtain public professional information (professional emails, phone numbers) via our partners FullEnrich and Clado. This data is collected from publicly accessible sources.
2.4 Data Obtained via Google Workspace APIs
When you connect your Google account to Cobalt, our application may access the following data via Google Workspace APIs, only with your explicit consent through an OAuth flow:
| Google Scope | Accessible Data | Use in Cobalt |
|---|---|---|
| gmail.send | Sending emails from your Gmail account | Allow recruiters to send outreach emails and personalized messages to candidates directly from their professional Gmail email address. Cobalt does not access the content of your inbox. |
| auth/calendar | Events from your Google Calendar | Create interview events with participants and automatic Google Meet link generation, check availability to avoid scheduling conflicts, modify events when details change, and delete events when interviews are cancelled. |
| userinfo.email | Email address of your Google account | Identify your account during OAuth connection |
| userinfo.profile | Name and public profile information | Display your identity in the Cobalt interface |
| openid | Authentication | Establish a secure connection with your Google account |
Specific Commitments Regarding Google Data
Cobalt's use of data received via Google Workspace APIs complies with the Google API Services User Data Policy, including the Limited Use requirements. Accordingly, Cobalt commits that Google data: • Will only be used to provide and improve user-facing features within the Cobalt platform. • Will never be transferred to third parties, unless necessary to provide or improve application features, to comply with a legal obligation, or in the context of a corporate transaction (merger, acquisition) with the explicit consent of the user. • Will never be used for targeted, personalized, or interest-based advertising. • Will never be sold to data brokers or information resellers. • Will never be used to determine creditworthiness, for lending purposes, or to build independent databases. • Will never be used to train or improve generalized artificial intelligence or machine learning models. Cobalt's AI features (Mistral AI) neither receive nor process raw data obtained via Google APIs. • Will only be subject to human access in strictly necessary cases: security, legal compliance, or upon explicit user request for technical support.
3. Legal Bases and Processing Purposes
| Purpose | Legal Basis (Art. 6 GDPR) |
|---|---|
| Service execution (account management, features) | Contract performance |
| Billing and subscription management | Contract performance |
| Customer support | Contract performance |
| Service improvement and optimization | Legitimate interest |
| Analytics and usage statistics | Legitimate interest |
| Marketing communications (newsletters, updates) | Consent |
| Legal and tax compliance | Legal obligation |
| Security and fraud prevention | Legitimate interest |
4. Data Processing on Behalf of Our Clients (Processing)
When you use Cobalt to manage candidate or prospect data, you are the data controller of this data and Cobalt acts as a processor within the meaning of Article 28 of the GDPR.
As such, we undertake to:
- Process data only on your documented instructions
- Ensure the confidentiality of processed data
- Implement appropriate security measures
- Assist you in complying with your GDPR obligations
- Delete or return data at the end of the contract
- Make available the information necessary to demonstrate compliance with our obligations
A Data Processing Agreement (DPA) is available upon request for clients who wish it. Contact us at privacy@cobalt-ia.com.
5. Recipients and Processors
We share your data only with the following categories of recipients, in strict compliance with our confidentiality obligations:
5.1 Our Technical Processors
| Processor | Purpose | Data Location |
|---|---|---|
| Scaleway | Database hosting | Paris, France (EU) |
| Vercel | Server and CDN hosting | Paris, France (EU) |
| Stripe | Payment processing | EU / US (DPF certified) |
| Mistral AI | Artificial intelligence features | France (EU) |
| Resend | Transactional email sending | United States (SCCs + DPF certified) |
| PostHog | Product analytics | Frankfurt, Germany (EU) |
| Dash0 | Monitoring and observability | AWS EU (eu-west-1) |
| FullEnrich | Data enrichment | United States (SCCs) |
| Clado | Data enrichment | United States (SCCs) |
| Gladia | Audio transcription | France (EU) |
| MeetingBaas | Recording and meeting bots | France (EU) |
| ZeroEntropy | Indexing and vector search | United States (SCCs) |
5.2 Other Recipients
- Competent authorities : in case of legal obligation
- Professional advisors : lawyers, accountants (under confidentiality obligation)
We never sell your personal data to third parties. Google API Services User Data Policy Compliance: Cobalt's use of information received via Google Workspace APIs complies with the Google API Services User Data Policy, including the Limited Use requirements. Data obtained via Google APIs is not shared with any of the processors listed above except those strictly necessary to provide the Service (Scaleway for secure data hosting).
6. Data Transfers Outside the European Union
Our main data is hosted in France and the European Union (Scaleway, Vercel, Mistral AI, PostHog EU, Dash0 EU).
Some of our processors are based in the United States. For these transfers, we rely on:
- The Data Privacy Framework (DPF) : Resend and Stripe are certified under the EU-US Data Privacy Framework, recognized by the European Commission as providing an adequate level of protection
- Standard Contractual Clauses (SCCs) : For FullEnrich and Clado, we use the standard contractual clauses approved by the European Commission (Decision 2021/914)
These mechanisms ensure that your data benefits from a level of protection equivalent to that offered by the GDPR.
7. Retention Periods
| Data Type | Retention Period |
|---|---|
| Active account data | For the entire duration of your subscription |
| Data after account deletion | 30 days (recovery period), then permanent deletion |
| Billing data | 10 years (French legal obligation) |
| Candidate/prospect data | Deleted upon your request or upon account deletion |
| Technical and security logs | 12 months |
| Analytics data (anonymized) | 24 months |
| Cookies | See section 8 |
At the end of these periods, data is deleted or irreversibly anonymized.
8. Cookies and Similar Technologies
8.1 Types of Cookies Used
| Type | Purpose | Duration | Legal Basis |
|---|---|---|---|
| Strictly necessary cookies | Authentication, security, operation | Session | Legitimate interest |
| Performance cookies | Analytics (PostHog) | 12 months | Consent |
| Functional cookies | User preferences | 12 months | Consent |
8.2 Managing Your Preferences
You can manage your cookie preferences at any time via the consent banner on our site or in your browser settings.
9. Your Rights
In accordance with the GDPR, you have the following rights regarding your personal data:
How to Exercise Your Rights
| Right | Description |
|---|---|
| Access | Obtain a copy of your personal data |
| Rectification | Correct inaccurate or incomplete data |
| Erasure | Request deletion of your data |
| Restriction | Temporarily restrict processing |
| Portability | Receive your data in a structured format |
| Objection | Object to processing based on legitimate interest |
| Withdrawal of consent | Withdraw your consent at any time |
Complaint to the Supervisory Authority
- By email : privacy@cobalt-ia.com
- In the application : Settings > Privacy > Export/Delete my data
We will respond to your request within one month of receipt. This period may be extended by two months in case of a complex request, in which case we will inform you. Google Access Revocation You can revoke Cobalt's access to your Google data at any time in two ways: • From Cobalt: Settings > Integrations > Disconnect your Google account • From your Google account: Go to myaccount.google.com/permissions and remove access granted to Cobalt Revocation results in the immediate cessation of all Cobalt interaction with your Google data. Emails already sent via Gmail and events already created in Google Calendar are not deleted, but Cobalt will no longer be able to send or create new ones. OAuth authentication tokens are deleted from our servers upon disconnection.
If you believe that the processing of your data constitutes a violation of the GDPR, you have the right to lodge a complaint with the CNIL: Commission Nationale de l'Informatique et des Libertés (CNIL) 3 Place de Fontenoy, TSA 80715 75334 Paris Cedex 07 www.cnil.fr
10. Data Security
We implement appropriate technical and organizational measures to protect your data:
- Encryption : Data encrypted in transit (TLS 1.3) and at rest
- Access control : Strong authentication, principle of least privilege
- Secure infrastructure : ISO 27001 certified hosting (Scaleway)
- Monitoring : Continuous monitoring and anomaly detection
- Backups : Regular backups with restoration testing
- Training : Awareness of our team on data protection
In case of a data breach likely to pose a risk to your rights and freedoms, we will inform you as soon as possible in accordance with our legal obligations.
11. Use of Artificial Intelligence
Cobalt uses artificial intelligence technologies (Mistral AI) for certain features:
- Candidate search and matching
- Document generation
- Meeting transcription and analysis
Important : - No fully automated decision is made without human intervention - Data processed by AI is not used to train third-party models - You retain control over the use of these features - Data obtained via Google Workspace APIs (Gmail, Google Calendar) is neither transmitted to AI models nor used to train, improve or feed any machine learning or artificial intelligence model, whether generalized or personalized.
12. Modifications to This Policy
We may update this policy to reflect legal, technical or organizational changes.
In case of substantial modification:
- We will inform you by email or via a notification in the application
- The new version will be published on this page with its update date
Your continued use of the Service after modification constitutes acceptance of the updated policy.
13. Contact
For any questions regarding this privacy policy or the processing of your data:
- Email : privacy@cobalt-ia.com
- Address : SKILLFORGE APP, Coignières (78310), France
We strive to respond to all requests within 5 business days.
This privacy policy is written in French. In case of translation, the French version prevails.
For any questions regarding this policy, contact us at: privacy@cobalt-ia.com