Privacy Policy — CoupleUp
Last updated 14 June 2026
Version: 1.1
Effective date: 15 May 2026
This English translation is provided for convenience. In the event of any discrepancy, the French version prevails.
1. Identity of the data controller
Personal data collected through the CoupleUp Application is processed by the publisher of CoupleUp (hereinafter “the Publisher”, “we” or “the Data Controller”).
Contact (data protection): support@coupleup.store
For any question regarding the processing of your data, or to exercise your rights, you may write to us at this address. The full contact details of the Data Controller will be provided on this page as soon as the entity operating CoupleUp is registered.
2. Data we collect
2.1 Data provided directly by the User
| Category | Data | Purpose |
|---|---|---|
| Account | Email address, first name (optional), profile picture (optional) | Creation and management of the Account |
| Journal | Free-form text entries, answers to guided questions | Operation of the journal feature |
| Conflicts | Messages entered in the conflict protocol, answers at each step | Operation of the conflict protocol |
| Quizzes | Answers to couple questionnaires | Generation of results and insights |
| Therapy | Session notes, appointment dates, therapist’s name (optional) | Personalized therapy tracking |
| Moods | Emotional state data entered daily | Dashboards and trends |
| Couple | Partnership link (partner identifier), shared history | Collaborative features |
| Profile | Gender, year of birth, relationship start date (all optional) | Personalization of AI advice (inclusive pronouns, calibration by relationship length) |
2.2 Data collected automatically
| Category | Data | Purpose |
|---|---|---|
| Authentication | Session tokens, Firebase identifier | Securing access |
| Notifications | FCM token (Firebase Cloud Messaging) | Sending push notifications |
| Usage | Anonymized usage events (features used, frequency) | Usage behavior analysis (PostHog) |
| Technical errors | Anonymized error traces, device type, OS version | Debugging and improvement (Sentry) |
2.3 What we do NOT collect
We do not collect:
- precise geolocation data;
- biometric data;
- the content of communications between partners outside the Application;
- data from other applications present on the device;
- data for advertising or commercial profiling purposes.
3. Purposes and legal bases of processing
| Processing | Data concerned | Legal basis (GDPR Art. 6) | Legal basis (special categories, Art. 9) |
|---|---|---|---|
| Creation and management of the Account | Email address, identifiers | Performance of the contract (Art. 6(1)(b)) | — |
| Provision of the features (journal, conflicts, quizzes, therapy) | Content data | Performance of the contract (Art. 6(1)(b)) | Explicit consent (Art. 9(2)(a)) — data potentially revealing private life |
| Use of the AI features | Text submitted to the AI | Consent (Art. 6(1)(a)) — collected separately | Explicit consent (Art. 9(2)(a)) |
| AI personalization via the enriched profile | Gender, year of birth, relationship length | Consent (Art. 6(1)(a)) — optional collection | — |
| Sending push notifications | FCM token | Consent (Art. 6(1)(a)) | — |
| Anonymized usage analytics | Usage events | Legitimate interest (Art. 6(1)(f)) — improvement of the Service | — |
| Technical monitoring and debugging | Anonymized error traces | Legitimate interest (Art. 6(1)(f)) — security and reliability | — |
| Sending transactional emails | Email address | Performance of the contract (Art. 6(1)(b)) | — |
| Sending marketing communications (newsletter) | Email address | Consent (Art. 6(1)(a)) | — |
Note on sensitive data: journal entries, conflict data and mood data may reveal information about Users’ emotional and relationship life. They are processed on the basis of the explicit consent collected when the Terms of Use are accepted and, for the AI features, of a separate consent.
4. Retention periods
| Data | Retention period |
|---|---|
| Active Account (profile data, content) | For as long as the Account is active |
| Data after Account deletion (soft delete) | 30 days after the deletion request, then permanent purge |
| Technical logs (Sentry) | 90 days |
| Anonymized usage data (PostHog) | 24 months |
| Transactional emails | 3 years from the last interaction |
| Billing data (where applicable) | 10 years (statutory accounting obligation) |
After these periods, the data is irreversibly deleted or anonymized.
5. Recipients and processors
We use the following processors to operate the Service. Each processor is bound by a GDPR-compliant data processing agreement (DPA).
| Processor | Role | Location | Safeguards |
|---|---|---|---|
| Supabase, Inc. | Database, authentication, storage | European Union (eu-west-1) | Supabase DPA · Data hosted in the EU |
| Google LLC (Firebase) | OAuth authentication, push notifications (FCM) | United States | Google DPA · Standard Contractual Clauses (SCCs) |
| OpenAI, LLC | AI processing (rephrasing, summarization, coaching) | United States | OpenAI DPA · Standard Contractual Clauses (SCCs) |
| Functional Software (Sentry) | Error monitoring | United States | Sentry DPA · SCCs |
| PostHog, Inc. | Anonymized usage analytics | European Union (EU Cloud) | PostHog DPA · Data hosted in the EU |
| Resend, Inc. | Transactional emails | United States | Resend DPA · SCCs |
We never sell, rent or transfer personal data to third parties for commercial or advertising purposes.
6. Transfers outside the European Union
Some of our processors are established in the United States (Google/Firebase, OpenAI, Sentry, Resend). These transfers are governed by Standard Contractual Clauses (SCCs) adopted by the European Commission, in accordance with Article 46 of the GDPR.
Regarding OpenAI in particular: text submitted to the AI features is transmitted to OpenAI only when the User explicitly activates these features and with the User’s prior consent.
7. Data security
The Publisher implements appropriate technical and organizational measures to protect personal data against any loss, destruction, alteration or unauthorized access:
- Encryption in transit: HTTPS/TLS on all communications;
- Encryption at rest: data encrypted at the level of the Supabase infrastructure;
- Row-Level Security (RLS): each User can only access their own data in the database;
- Secure authentication: session management via Firebase Auth with time-limited tokens;
- Restricted access: only the Publisher has access to the data, on a read-only basis for technical support purposes.
In the event of a data breach likely to result in a risk to the rights and freedoms of individuals, the Publisher will notify the CNIL (the French data protection authority) within 72 hours and, where the risk is high, the affected Users as soon as possible.
8. Data subject rights
In accordance with the GDPR (Articles 15 to 22), you have the following rights over your personal data:
| Right | Description |
|---|---|
| Right of access (Art. 15) | Obtain a copy of your personal data being processed |
| Right to rectification (Art. 16) | Correct inaccurate or incomplete data |
| Right to erasure (Art. 17) | Request the deletion of your data (“right to be forgotten”) |
| Right to data portability (Art. 20) | Receive your data in a structured, machine-readable format |
| Right to object (Art. 21) | Object to processing based on legitimate interest |
| Right to restriction of processing (Art. 18) | Request the temporary suspension of a processing operation |
| Right to withdraw consent (Art. 7(3)) | Withdraw, at any time, any consent you have given (AI, notifications, marketing) |
How to exercise your rights
By email: support@coupleup.store
In-app: from “Settings → Privacy”
We undertake to respond within one month of receiving your request (this period may be extended to 3 months for complex requests, in which case you will be informed beforehand).
We may ask you to provide proof of your identity in order to process your request.
Right to lodge a complaint
If you believe that the processing of your data does not comply with the applicable regulations, you may lodge a complaint with the CNIL (Commission Nationale de l’Informatique et des Libertés):
- Website: www.cnil.fr (in French)
- Post: CNIL, 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07
9. Account deletion and portability
Deletion
From “Settings → Delete my account”, you can request the deletion of your Account. This action results in:
- The immediate deactivation of your Account;
- The purge of all of your personal data within 30 days;
- The dissolution of your shared Couple space (your partner retains their own data).
Some data may be kept beyond this period where a legal obligation so requires (e.g. billing data).
Portability
Upon request to support@coupleup.store, you can obtain an export of your data (journal entries, conflict history, quizzes) in JSON or CSV format within one month.
10. Cookies and trackers
The mobile Application does not place cookies on your device in the traditional sense of the term. It uses technical identifiers (Firebase session tokens, anonymized PostHog identifiers) that are strictly necessary for the operation of the Service.
If a website accompanies the Application (coupleup.store), a dedicated cookie policy will be published on that site.
11. Minors
The Service is intended exclusively for adults (18 years of age and over). The Publisher does not knowingly collect personal data from minors. If the Publisher became aware that a minor had created an Account, it would delete it without delay.
12. Changes to this policy
The Publisher reserves the right to amend this Privacy Policy at any time to reflect changes in the Service or in the applicable regulations. Any substantial change will be notified in-app or by email at least 15 days before it takes effect.
The version in force is always available from the Application and the coupleup.store website.
13. Contact
For any question regarding this Privacy Policy or the exercise of your rights:
Email: support@coupleup.store
CoupleUp — Privacy Policy v1.1
14 June 2026