Histoply Privacy Policy

Last update: June 20, 2026  ·  Version: 2.3

This Privacy Policy (the "Policy") explains how Volvelle SASU ("we", "us", "our", "Histoply") collects, uses, stores, and shares your personal data when you use our histoply.app website and mobile application (collectively, the "Service").

We process your data in accordance with the European General Data Protection Regulation (GDPR, EU Regulation 2016/679), the French Data Protection Act (loi Informatique et Libertés), and — for users residing in the United States — with the California Consumer Privacy Act (CCPA/CPRA) and equivalent state laws (Virginia, Colorado, Connecticut, Utah, etc.).

Providing your email address and authenticating via Google Sign-In are required to create an account and use the Service. Without these, you will not be able to access it. Other data (advertising consent, subscription status) is collected on the basis of your consent or for performance of the contract.

1. Data Controller

The controller of your personal data is:

Given the size of our organization and the nature of our processing, we are not legally required to appoint a Data Protection Officer (DPO) under Article 37 of the GDPR. The email address above is your single point of contact for any data protection matter.

2. Age Targeting and Minor Users

The Service is intended for users aged 13 and over. We do not knowingly collect personal data from children under 13. If you are a parent or legal guardian and believe a child has provided us with data without your consent, please contact us at contact@histoply.app and we will delete the relevant data as soon as possible.

In the European Union, Article 8 of the GDPR sets the digital age of consent at 15 years in France (16 in some other Member States). For EU users under 15, parental consent is required for certain processing activities (in particular the display of personalized advertising). Our advertising platform (Google AdMob) propagates this restriction via the UMP SDK.

In compliance with the U.S. Children's Online Privacy Protection Act (COPPA), we do not display behavioral advertising to users identified as being under 13, nor do we sell or share their personal information for targeted advertising purposes (CCPA § 1798.120(c)).

3. Age Verification and App Store Age Signals

Certain laws — such as the Texas App Store Accountability Act (SB 2420) and comparable laws in other U.S. states and countries — require app stores to verify users' age and obtain parental consent for minors, and require developers to act on that information.

Where applicable, the app store through which you obtain Histoply (Google Play, via the Play Age Signals API, or the Apple App Store, via the Declared Age Range API) may provide us with an age range (under 13, 13–15, 16–17, or 18 and over) and a verification or parental-consent status.

We use these signals solely to: (i) provide age-appropriate content and limit advertising to age-appropriate categories; (ii) prevent minors from completing in-app purchases without verified parental consent; and (iii) comply with applicable law and ensure the security of the Service.

These signals are processed in memory, on a transient and real-time basis only. We do not store or retain them on our servers or on your device, and we delete them as soon as the access or purchase decision has been made. They are never sold or shared with any third party, and are never used for advertising targeting, profiling, marketing, or analytics.

4. Data We Collect

This section covers both the pre-launch landing page (histoply.app) and the mobile application. Depending on the features you use, we collect the categories of data described below.

A. Pre-launch website — waitlist signup

Before the application launch, we only collect your email address via a form hosted by our processor Formspree, Inc. (United States). The form collects your explicit consent; your email is used exclusively to notify you of the launch. See the Formspree Privacy Policy.

B. Authentication — Google Sign-In

To create your account and sign in, we use Google Sign-In. When you grant OAuth consent, Google shares with us:

We never have access to your Google password.

C. Learning data generated by your use

The essence of the Service is tracking your learning. We collect:

D. Subscription data — RevenueCat

If you subscribe to a Histoply Premium plan, we use the services of RevenueCat, Inc. (United States) to manage billing, renewals, and cancellations. Payments are processed exclusively by Apple (App Store) or Google (Play Store) — we never have access to your payment card number.

RevenueCat processes the following on our behalf:

See the RevenueCat Privacy Policy.

E. Advertising data — Google AdMob and UMP SDK

The application displays ads provided by Google AdMob (Google Ireland Ltd for users in the EU/EEA/UK/Switzerland, Google LLC elsewhere), in particular rewarded video ads that grant you additional lives.

On first launch, a consent screen (generated by Google's User Messaging Platform — UMP SDK) asks for your consent to collect and share data for advertising purposes. The UMP SDK automatically applies the regulatory requirements of your jurisdiction:

Subject to your consent, AdMob and its partners may collect:

The exhaustive, up-to-date list of advertising partners (advertisers, measurement, bidding platforms) with which Google may share this data is available at: Google AdMob ad partners. For details on how Google uses received data, see policies.google.com/technologies/partner-sites.

Change your consent at any time: in the application, via Profile → "Advertising preferences", you can re-display the consent screen and change your choice. You can also limit targeted advertising at the device level:

F. Technical data, SDKs, and mobile identifiers

To ensure operation, security, and maintenance of the Service, we automatically collect certain technical information:

The histoply.app website uses no third-party cookies, no advertising trackers, and no analytics; fonts are self-hosted (no loading from Google Fonts or any other CDN). The analytics tools described in sections 4.G and 4.H run exclusively inside the mobile application, never on the landing-page website. See the SDK and cookie details in section 13.

G. Anonymous audience measurement — PostHog (mobile application only)

Inside the mobile application only, we use PostHog for anonymous audience measurement, to understand which features are used and to improve the Service. Data is stored in the European Union (PostHog EU Cloud).

PostHog processes on our behalf:

PostHog has no access to your mobile advertising identifier (Google Advertising ID), nor to any persistent Histoply identifier. Your IP address is never retained ("discard client IP" option enabled server-side). No person profile is created: the application never calls the identify method, and the personProfiles = identifiedOnly configuration guarantees that no persistent profile is built — only an anonymous distinct_id is transmitted, attached solely to statistical events that we explicitly trigger. PostHog's advanced features (session replay, click autocapture, heatmaps) are disabled. No data is used for profiling, personalized advertising or marketing, and no data is sold or shared with any third party. The app-store age signals (section 3) are never sent to PostHog. You retain your right to object.

Legal basis: legitimate interest (Art. 6(1)(f) GDPR). This audience measurement is configured to be eligible for the exemption set out in the CNIL guidelines on cookies and trackers (random identifier not tied to an account, IP not retained, no cross-referencing with other processing, strictly statistical purpose). This legal basis is strictly distinct from the advertising consent (UMP / Consent Mode v2) that governs Firebase Analytics and Google Ads described in section 4.H — PostHog is in no way covered by the UMP banner.

See the PostHog Privacy Policy.

H. Ad conversion measurement — Firebase Analytics and Google Ads (mobile application only)

Inside the mobile application only, we use Firebase Analytics (provided by Google) together with Google Ads to measure the effectiveness of our user-acquisition campaigns. Important distinction from section 4.E: 4.E covers the delivery of in-app ads via AdMob; this section 4.H covers only the measurement of installs and conversion events coming from our external campaigns (Google App Campaigns).

Subject to your consent, Google processes on our behalf:

Ad personalization is disabled on the Histoply side (allow_ad_personalization_signals = false): these signals are used solely for the measurement and optimization of our acquisition campaigns, and not to serve you behaviorally targeted ads based on your in-app behavior. On iOS, the application does not use the App Tracking Transparency (ATT) framework and does not collect the IDFA: iOS ads are non-personalized only and no cross-app advertising identifier is used. On Android, subject to your UMP consent, the Google Advertising ID (GAID) may be used for ad conversion measurement. The app-store age signals (section 3) are never sent to Firebase Analytics or Google Ads.

Legal basis: consent (Art. 6(1)(a) GDPR), collected via the Google UMP / AdMob banner described in section 4.E. Histoply uses Google Consent Mode v2, which ties signal transmission to your UMP choice: a refusal of advertising consent blocks the transmission of conversion-measurement data to Google. You may withdraw your consent at any time via Profile → "Advertising preferences".

International transfer: processing by Google LLC in the United States, under the EU-U.S. Data Privacy Framework and the Standard Contractual Clauses (see section 8). Retention: 14 months (Google Analytics 4 default retained by Histoply).

See the Google Privacy Policy and the Firebase Privacy and Security information.

5. Purposes and Legal Bases

We process your data on the following legal bases (Article 6 GDPR):

6. Recipients and Sub-processors

We do not sell your personal data. We only share it with the following sub-processors, who act on Volvelle SASU's written instructions and are bound by a Data Processing Agreement (DPA) compliant with Article 28 of the GDPR:

Sub-processor Location Role / Data processed
Supabase, Inc. United States (AWS infrastructure, EU and US regions) Database hosting, authentication, storage of learning and profile data.
Formspree, Inc. United States Pre-launch waitlist signup collection (email only).
Google Ireland Ltd / Google LLC Ireland (EU) / United States Google Sign-In authentication; AdMob advertising network; UMP consent SDK.
PostHog, Inc. European Union (PostHog EU Cloud) Anonymous audience measurement inside the mobile application. No advertising identifier, IP not retained, no person profile created, no third-party sharing.
Google LLC — Firebase Analytics + Google Ads United States (DPF + SCCs) Ad conversion measurement for our acquisition campaigns (signals transmitted only after UMP consent via Google Consent Mode v2; ad personalization disabled).
RevenueCat, Inc. United States Technical management of Premium subscriptions (purchases, renewals, cancellations).
Apple Inc. / Google LLC United States Payment processing via App Store / Play Store. We never have access to your payment data.

We may also disclose your information when required by law (judicial subpoena, accounting obligation) or to protect our rights and the security of the Service.

7. Compliance with Google API Services

Data obtained via Google APIs (Google Sign-In information) is used solely to provide authentication and profile personalization features. It is not transferred to third parties, sold, or used for advertising purposes.

8. International Data Transfers

Several of our sub-processors (Supabase, Formspree, RevenueCat, Google LLC) are established in the United States. These transfers are governed by the following transfer mechanisms, provided for in Articles 44 to 49 of the GDPR:

9. Security

We implement appropriate technical and organizational measures to protect your data: TLS 1.3 encryption in transit, encryption at rest on Supabase/AWS servers, environment separation, role-based access management, and logging of sensitive operations. As no system is foolproof, we cannot guarantee absolute security.

10. Retention Period

11. Your GDPR Rights

Under Articles 15 to 22 and 7 of the GDPR, you have the following rights:

To exercise these rights, contact us at contact@histoply.app. We will respond within the one-month period required by the GDPR (extendable to three months for complex requests). Proof of identity may be requested in case of reasonable doubt.

12. U.S. State Privacy Rights (CCPA / CPRA)

If you reside in California, Colorado, Connecticut, Utah, Virginia, or any other U.S. state with an equivalent data protection law, you benefit from the additional rights described below, in addition to those listed above.

A. Categories of personal information involved

Within the meaning of the CCPA (Cal. Civ. Code § 1798.140), we collect the following categories: identifiers (email, UUID, Google Advertising ID on Android only, Firebase App Instance ID, anonymous PostHog distinct_id — no IDFA is collected on iOS), commercial information (subscription purchase history), internet and application activity (interactions with lessons and ads, advertising conversion events), approximate geolocation (derived from IP), and inferences (learning preferences).

B. Your rights

C. "Do Not Sell or Share My Personal Information"

We do not sell your personal information for monetary consideration. On Android, subject to your UMP consent, sharing with our advertising partners (Google AdMob and its ecosystem) for cross-context behavioral advertising purposes may qualify as "sharing" under the CPRA; the signals transmitted to Firebase Analytics and Google Ads for ad conversion measurement (Google Advertising ID + conversion events, see section 4.H) may also qualify as sharing. On iOS, however, the application does not use App Tracking Transparency and does not collect any IDFA: the ads served are non-personalized only and no cross-app advertising identifier is transmitted; no "sharing" within the meaning of the CPRA takes place for behavioral advertising on iOS. You may exercise your opt-out right at any time:

D. Minors (CCPA § 1798.120(c))

We do not knowingly sell or share the personal information of users under 16 without their affirmative consent (or that of their parent or guardian for users under 13).

13. Cookies, SDKs, and Mobile Identifiers

Website histoply.app: no third-party cookies, no advertising trackers, no analytics. Fonts (Poppins and Lora) are self-hosted. Only strictly necessary technical elements (browser cache, security) may be stored. The PostHog and Firebase Analytics tools described below run only inside the mobile application, never on the landing-page website.

Mobile application: we integrate the following SDKs, which process data in accordance with this Policy:

The mobile advertising identifier Google Advertising ID (GAID) is used only on Android, subject to your consent collected via the UMP SDK. On iOS, the application does not use App Tracking Transparency and does not collect any advertising identifier (IDFA); iOS ads are non-personalized only. You may reset your Google Advertising ID at any time from your Android device settings (see section 4.E).

14. Changes to this Policy

We may update this Policy to reflect technical, legal, or Service-related changes. The "Last update" date and version number at the top of the page indicate the current revision. In case of material changes, we will notify you by email or via an in-app notification before the changes take effect.

15. Contact

For any question about this Policy or to exercise your rights, contact us at the email address above. You may also lodge a complaint with the French data protection authority CNIL (www.cnil.fr/fr/plaintes) if you believe your rights are not being respected.