Privacy Policy
Effective as of April 17, 2026.
1. Who we are
Chocom is a SaaS service that generates social media content for professionals based on instructions provided by the user. Any reference to "we", "our" or "Chocom" in this document refers to the publisher of the service.
2. Data we collect
- Account: email, name, Clerk identifier, OAuth authentication details (when used).
- Brand profile: brand name, industry, tone of voice, country, language, goals, target platforms, optional logo.
- Generated content: posts (text + image), approval / rejection history, platforms you publish to.
- Billing: handled by Stripe. We only store the Stripe customer ID — never card data.
- Technical logs: API requests, error codes, performance metrics. No long-lived IP storage beyond a session.
3. Why we process it
- To provide the service (contract performance).
- To improve content suggestions through our preference-learning models (legitimate interest, data anonymized per tenant).
- To bill the subscription (contractual obligation via Stripe).
- To detect and prevent abuse (legitimate interest).
4. Sub-processors
We rely on specialized providers to operate Chocom. Each is bound by a Data Processing Agreement and processes data in a GDPR-compliant manner. The full list of sub-processors, with legal names and locations, is disclosed on written request to [email protected].
Categories of sub-processors currently in use:
- Authentication — user account and session management (United States, Standard Contractual Clauses).
- Billing & payments — subscription processing and card storage (United States / European Union).
- AI text generation — large language model provider for generating the content of your posts (European Union).
- AI image generation — visual model provider for the illustrations attached to your posts (United States).
- Transactional email — delivery of notifications such as payment failures and trial reminders (United States).
- Media storage — storage of generated images and uploaded brand assets (European Union).
- Application hosting — runtime for the backend that your mobile app talks to (United States).
- Error tracking (optional) — monitoring of backend errors to help us fix issues faster (United States).
5. Retention
- Active account: as long as you use the service.
- Deleted account: complete deletion within 30 days, except for legal obligations (invoices kept for 10 years).
- Technical logs: 30 days in hot storage, aggregated afterwards.
6. Your rights (GDPR)
You can request at any time to access, rectify, delete, port or restrict the processing of your data. Email us at [email protected]. We reply within 30 days.
You also have the right to lodge a complaint with the CNIL (or the data protection authority of your country of residence).
7. Security
Communications are encrypted via TLS. Application secrets are isolated. Access is limited to personnel strictly required to operate the service.
8. Changes
We may update this policy. The effective date at the top of the page will be updated and, for material changes, we will notify you by email.
9. Contact
Questions, requests to exercise your rights: [email protected].