FR | EN

Histoply Privacy Policy

Last update: May 6, 2026 · Version: 2.0

This Privacy Policy (the "Policy") explains how Volvelle SASU ("we", "us", "our", "Histoply") collects, uses, stores, and shares your personal data when you use our histoply.app website and mobile application (collectively, the "Service").

We process your data in accordance with the European General Data Protection Regulation (GDPR, EU Regulation 2016/679), the French Data Protection Act (loi Informatique et Libertés), and — for users residing in the United States — with the California Consumer Privacy Act (CCPA/CPRA) and equivalent state laws (Virginia, Colorado, Connecticut, Utah, etc.).

Providing your email address and authenticating via Google Sign-In are required to create an account and use the Service. Without these, you will not be able to access it. Other data (advertising consent, subscription status) is collected on the basis of your consent or for performance of the contract.

1. Data Controller

The controller of your personal data is:

Volvelle SASU — a French Simplified Joint-Stock Company (SASU)

Registered office: 58 rue de Monceau, 75008 Paris, France

SIREN: 100 705 136 — Trade Register: Paris

Data protection contact: contact@histoply.app

Given the size of our organization and the nature of our processing, we are not legally required to appoint a Data Protection Officer (DPO) under Article 37 of the GDPR. The email address above is your single point of contact for any data protection matter.

2. Age Targeting and Minor Users

The Service is intended for users aged 13 and over. We do not knowingly collect personal data from children under 13. If you are a parent or legal guardian and believe a child has provided us with data without your consent, please contact us at contact@histoply.app and we will delete the relevant data as soon as possible.

In the European Union, Article 8 of the GDPR sets the digital age of consent at 15 years in France (16 in some other Member States). For EU users under 15, parental consent is required for certain processing activities (in particular the display of personalized advertising). Our advertising platform (Google AdMob) propagates this restriction via the UMP SDK.

In compliance with the U.S. Children's Online Privacy Protection Act (COPPA), we do not display behavioral advertising to users identified as being under 13, nor do we sell or share their personal information for targeted advertising purposes (CCPA § 1798.120(c)).

3. Data We Collect

This section covers both the pre-launch landing page (histoply.app) and the mobile application. Depending on the features you use, we collect the categories of data described below.

A. Pre-launch website — waitlist signup

Before the application launch, we only collect your email address via a form hosted by our processor Formspree, Inc. (United States). The form collects your explicit consent; your email is used exclusively to notify you of the launch. See the Formspree Privacy Policy.

B. Authentication — Google Sign-In

To create your account and sign in, we use Google Sign-In. When you grant OAuth consent, Google shares with us:

Your first and last name
Your email address
Your unique Google account identifier
Your profile picture URL (optional)

We never have access to your Google password.

C. Learning data generated by your use

The essence of the Service is tracking your learning. We collect:

Your progress through the history lessons (chapters read, atoms discovered).
Your quiz answers (correct or incorrect).
Your experience points (XP), levels reached, and unlocked achievements.
Metadata for our spaced repetition algorithm (SM-2): last review date, memorization status of each atom, scheduling of upcoming reviews.
Your high scores in the Chrono Challenge mini-game.
Your preferences (depth level 1-5, language, display options).

D. Subscription data — RevenueCat

If you subscribe to a Histoply Premium plan, we use the services of RevenueCat, Inc. (United States) to manage billing, renewals, and cancellations. Payments are processed exclusively by Apple (App Store) or Google (Play Store) — we never have access to your payment card number.

RevenueCat processes the following on our behalf:

Your unique user identifier (Histoply / Supabase UUID).
Purchase events: initial purchase, renewal, cancellation, refund, plan change.
Technical device metadata (operating system, version, model).
Your IP address (used to determine the applicable currency).

See the RevenueCat Privacy Policy.

E. Advertising data — Google AdMob and UMP SDK

The application displays ads provided by Google AdMob (Google Ireland Ltd for users in the EU/EEA/UK/Switzerland, Google LLC elsewhere), in particular rewarded video ads that grant you additional lives.

On first launch, a consent screen (generated by Google's User Messaging Platform — UMP SDK) asks for your consent to collect and share data for advertising purposes. The UMP SDK automatically applies the regulatory requirements of your jurisdiction:

EU/EEA/UK/Switzerland users: a screen compliant with the GDPR and IAB Europe TCF v2.2 framework (explicit consent, refusal possible).
U.S. users: a screen compliant with state laws (CCPA/CPRA in California, and equivalent laws in Virginia, Colorado, Connecticut, Utah and other applicable states) — a Do Not Sell or Share option is provided.

Subject to your consent, AdMob and its partners may collect:

Your mobile advertising identifier (Google Advertising ID on Android, IDFA on iOS where applicable).
Your IP address, network type, and device technical attributes (model, OS, language, time zone).
Your interactions with ads (impressions, clicks).
Approximate location derived from IP.

The exhaustive, up-to-date list of advertising partners (advertisers, measurement, bidding platforms) with which Google may share this data is available at: Google AdMob ad partners. For details on how Google uses received data, see policies.google.com/technologies/partner-sites.

Change your consent at any time: in the application, via Profile → "Advertising preferences", you can re-display the consent screen and change your choice. You can also limit targeted advertising at the device level:

Android: Settings → Privacy → Ads → "Delete advertising ID".
iOS: Settings → Privacy & Security → Tracking → disable "Allow apps to request to track".

F. Technical data, SDKs, and mobile identifiers

To ensure operation, security, and maintenance of the Service, we automatically collect certain technical information:

IP address, browser or mobile client type, operating system, application version.
Error and diagnostic logs.
Persistent mobile identifiers necessary for Service operation (internal UUID, session tokens).

The histoply.app website does not use any third-party cookies or advertising trackers; fonts are self-hosted (no loading from Google Fonts or any other CDN). See the SDK and cookie details in section 12.

4. Purposes and Legal Bases

We process your data on the following legal bases (Article 6 GDPR):

Performance of the contract (Art. 6(1)(b)): providing, operating, and maintaining the Service; authenticating you; synchronizing your progress; running the SRS algorithm; managing your Premium subscription.
Consent (Art. 6(1)(a)): serving personalized ads (collected via the UMP SDK); pre-launch waitlist signup.
Legitimate interest (Art. 6(1)(f)): improving the Service's usability and content; ensuring platform security; preventing fraud; responding to support requests. You may object to these processing activities (see section 10).
Legal obligation (Art. 6(1)(c)): retention of invoices and accounting records related to subscriptions (period set by the French Commercial Code and General Tax Code).

5. Recipients and Sub-processors

We do not sell your personal data. We only share it with the following sub-processors, who act on Volvelle SASU's written instructions and are bound by a Data Processing Agreement (DPA) compliant with Article 28 of the GDPR:

Sub-processor	Location	Role / Data processed
Supabase, Inc.	United States (AWS infrastructure, EU and US regions)	Database hosting, authentication, storage of learning and profile data.
Formspree, Inc.	United States	Pre-launch waitlist signup collection (email only).
Google Ireland Ltd / Google LLC	Ireland (EU) / United States	Google Sign-In authentication; AdMob advertising network; UMP consent SDK.
RevenueCat, Inc.	United States	Technical management of Premium subscriptions (purchases, renewals, cancellations).
Apple Inc. / Google LLC	United States	Payment processing via App Store / Play Store. We never have access to your payment data.

We may also disclose your information when required by law (judicial subpoena, accounting obligation) or to protect our rights and the security of the Service.

6. Compliance with Google API Services

Notwithstanding anything else in this Policy, Histoply's use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Data obtained via Google APIs (Google Sign-In information) is used solely to provide authentication and profile personalization features. It is not transferred to third parties, sold, or used for advertising purposes.

7. International Data Transfers

Several of our sub-processors (Supabase, Formspree, RevenueCat, Google LLC) are established in the United States. These transfers are governed by the following transfer mechanisms, provided for in Articles 44 to 49 of the GDPR:

Primary mechanism — EU-U.S. Data Privacy Framework (DPF): Supabase, Google, and RevenueCat are certified under the DPF, a mechanism recognized by the European Commission (adequacy decision of July 10, 2023) as providing an adequate level of protection.
Secondary mechanism — Standard Contractual Clauses (SCCs): in addition, we have entered into SCCs (model approved by the European Commission) with all our U.S. sub-processors.

8. Security

We implement appropriate technical and organizational measures to protect your data: TLS 1.3 encryption in transit, encryption at rest on Supabase/AWS servers, environment separation, role-based access management, and logging of sensitive operations. As no system is foolproof, we cannot guarantee absolute security.

9. Retention Period

Account and learning data: retained as long as your account is active.
Account deletion: upon a deletion request (see the dedicated page), your personal data is erased or anonymized within a maximum of 30 days.
Pre-launch waitlist: email retained up to 24 months after launch, or until your removal request.
Billing data: retained for the legally required period (10 years for accounting, 6 years for tax obligations under French law).
Technical and security logs: 12 months maximum.

10. Your GDPR Rights

Under Articles 15 to 22 and 7 of the GDPR, you have the following rights:

Right of access (Art. 15) — obtain a copy of the data we hold about you.
Right to rectification (Art. 16) — correct inaccurate or incomplete data.
Right to erasure (Art. 17, "right to be forgotten") — request the deletion of your account and data.
Right to restriction of processing (Art. 18).
Right to data portability (Art. 20) — receive your data in a structured format (JSON).
Right to object (Art. 21) — object to processing based on legitimate interest.
Right to withdraw consent at any time (Art. 7(3)) — without affecting the lawfulness of prior processing.
Right to issue post-mortem instructions regarding your data after death (Art. 85, French Data Protection Act).
Right to lodge a complaint with the CNIL (the French data protection authority): www.cnil.fr/fr/plaintes.

To exercise these rights, contact us at contact@histoply.app. We will respond within the one-month period required by the GDPR (extendable to three months for complex requests). Proof of identity may be requested in case of reasonable doubt.

11. U.S. State Privacy Rights (CCPA / CPRA)

If you reside in California, Colorado, Connecticut, Utah, Virginia, or any other U.S. state with an equivalent data protection law, you benefit from the additional rights described below, in addition to those listed above.

A. Categories of personal information involved

Within the meaning of the CCPA (Cal. Civ. Code § 1798.140), we collect the following categories: identifiers (email, UUID, GAID/IDFA), commercial information (subscription purchase history), internet and application activity (interactions with lessons and ads), approximate geolocation (derived from IP), and inferences (learning preferences).

B. Your rights

Right to Know — know the categories and specific pieces of personal information we collect, use, and share.
Right to Delete — request deletion of your personal information.
Right to Correct — request correction of inaccurate information.
Right to Opt-Out of Sale or Sharing — opt out of the "selling" or "sharing" of your information for cross-context behavioral advertising.
Right to Limit Use of Sensitive Personal Information.
Right to Non-Discrimination — not be subject to adverse treatment for exercising any of these rights.

C. "Do Not Sell or Share My Personal Information"

We do not sell your personal information for monetary consideration. However, sharing with our advertising partners (Google AdMob and its ecosystem) for cross-context behavioral advertising purposes may qualify as "sharing" under the CPRA. You may opt out at any time:

In the application: Profile → "Advertising preferences" → reject personalized advertising.
At the device level: enable a Global Privacy Control (GPC) signal in your browser, or delete/reset your mobile advertising identifier.
By email: send a request to contact@histoply.app with the subject "CCPA Opt-Out".

D. Minors (CCPA § 1798.120(c))

We do not knowingly sell or share the personal information of users under 16 without their affirmative consent (or that of their parent or guardian for users under 13).

12. Cookies, SDKs, and Mobile Identifiers

Website histoply.app: no third-party cookies, no advertising trackers, no analytics. Fonts (Poppins and Lora) are self-hosted. Only strictly necessary technical elements (browser cache, security) may be stored.

Mobile application: we integrate the following SDKs, which process data in accordance with this Policy:

Supabase (auth + database) — essential operation.
Google Sign-In — authentication.
Google AdMob + UMP SDK — advertising delivery and consent collection.
RevenueCat — subscription management.

Mobile advertising identifiers (Google Advertising ID on Android, IDFA on iOS where applicable) are used only with your consent, collected via the UMP SDK. You may reset or disable them at any time from your device settings (see section 3.E).

13. Changes to this Policy

We may update this Policy to reflect technical, legal, or Service-related changes. The "Last update" date and version number at the top of the page indicate the current revision. In case of material changes, we will notify you by email or via an in-app notification before the changes take effect.

14. Contact

Volvelle SASU

58 rue de Monceau, 75008 Paris, France

Email: contact@histoply.app

SIREN: 100 705 136 — RCS Paris

For any question about this Policy or to exercise your rights, contact us at the email address above. You may also lodge a complaint with the French data protection authority CNIL (www.cnil.fr/fr/plaintes) if you believe your rights are not being respected.