Privacy policy
How Cobalt collects, uses and protects your personal data.
Last updated: 14 July 2026
1. Who is responsible for your data?
The controller of your personal data is: AS Dehaut — 1070 rue Albert Riquier, 59310 Beuvry-la-Forêt — contact@cobalt-app.com.
For any question about your data, or to exercise your rights, write to us at this address.
2. What data do we collect?
Account data (Cobalt site): email address (login identifier, password reset, service-related communications); first and last name (personalisation); date of birth (verifying the minimum age of 16 and calculating physiological needs); sex (calculating physiological needs); password (hashed, never stored in clear text).
Cobalt Coach usage data, depending on your use:
- your sports goals, level and constraints;
- your body data (height, weight) and its evolution;
- your generated training programmes and completed sessions;
- your nutrition data;
- the content of your exchanges with the coaching AI.
Technical data: strictly necessary cookies (session, keeping you signed in); anonymous audience measurement (see section 5).
We collect no banking data. If payments are introduced, they will be handled by a specialised provider (Stripe) which never passes your bank details to us.
3. Why do we process this data? (legal bases)
- Create and manage your account — performance of the contract.
- Provide Cobalt services and personalise recommendations — performance of the contract.
- Verify the required minimum age — legal obligation.
- Secure the service, prevent abuse — legitimate interest.
- Measure audience anonymously — legitimate interest.
4. Who has access to your data?
Your data is neither sold, rented nor transferred to third parties for commercial purposes. It is accessible to the publisher and to the technical subprocessors strictly necessary for the operation of the service.
DeepSeek (AI model provider) — important: to generate our AIs' answers, the content of your exchanges and the necessary context information (goals, relevant profile data) are transmitted to DeepSeek, our artificial intelligence model provider, operated by Hangzhou DeepSeek Artificial Intelligence Co., Ltd., whose registered office is in the People's Republic of China.
Data location and transfer — important point of attention. According to DeepSeek's privacy policy, your data is collected, processed and stored directly in China. This constitutes a transfer of personal data outside the European Union, to a country that does not benefit from an adequacy decision by the European Commission. As of today, DeepSeek does not provide verified standard contractual clauses (SCCs) framing this transfer in a GDPR-compliant manner.
This matter is the subject of active regulatory scrutiny in several countries, including France, during 2026, notably regarding the conditions of data transfers to China.
Consequently, we recommend that you never enter, in your exchanges with our AIs, information that you would not want processed outside the European Union (precise health data, sensitive information, minors' data beyond what is strictly necessary for the service).
In practice, this means: do not write sensitive or confidential information in your conversations with our AIs.
Hosting provider: Hetzner Online GmbH hosts the site and the database. It does not access the content of your data.
5. Cookies and audience measurement
We use only strictly necessary cookies (keeping your session, the “stay signed in” option, security). They do not require your consent and cannot be disabled without making the site unusable.
Anonymous audience measurement: we use [Plausible / Matomo], a statistics tool that sets no cookies and collects no identifying personal data.
If a tool that sets cookies (Google Analytics, advertising, remarketing) were ever chosen, a compliant consent banner would become mandatory, with refusal as easy as acceptance.
6. How long do we keep your data?
- Account and associated data: as long as your account is active.
- After account deletion: erased within 30 days.
- Inactive account: deleted after 3 years without login, after prior notice by email.
- Password reset tokens: expire within 1 hour, single use.
- Anonymous audience statistics: aggregated, not attributable to a person.
7. Your rights
In accordance with the GDPR, you have the following rights:
- Access — obtain a copy of the data we hold about you;
- Rectification — correct inaccurate data;
- Erasure — request the deletion of your data;
- Portability — retrieve your data in a readable format;
- Objection — object to certain processing;
- Restriction — request the freezing of a processing operation.
To exercise these rights: write to contact@cobalt-app.com. We respond within one month at most.
An account deletion feature is directly available from your “My account” area. It results in the erasure of your data.
If you believe your rights are not being respected, you can refer the matter to the CNIL: www.cnil.fr — 3 place de Fontenoy, TSA 80715, 75334 Paris Cedex 07.
8. Security
We implement technical measures to protect your data: encryption of communications (HTTPS), password hashing, access control, backups.
As no system is infallible, we cannot guarantee absolute security. In the event of a data breach presenting a risk to your rights, you will be informed in accordance with the regulations.
9. Minors
Our services are reserved for people aged 16 or over. We do not knowingly collect data from younger people. If we find that an account has been created by a person under 16, it will be deleted.
10. Changes
This policy may change. In the event of a substantial change, you will be informed by email or by a notice on the site.