Privacy Policy - Cohorte

This Privacy Policy explains how Cohorte SAS collects, uses, stores, shares, and protects your personal data when you read our Newsletter, attend a free workshop, buy a digital Course, subscribe to the Engine Room, enroll in the Bootcamp, book a coaching session, or otherwise interact with us.

It is written to satisfy our information duties under the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the French Data Protection Act (Loi Informatique et Libertes), the ePrivacy Directive (Directive 2002/58/EC), the UK GDPR and Data Protection Act 2018, and equivalent rules in other jurisdictions where you may be located.

This Policy is incorporated into our Terms of Service by reference. Capitalized terms have the meaning given in those Terms.

1. Who we are

The data controller responsible for processing your personal data is:

Cohorte SAS, a French societe par actions simplifiee.
Registered office: 60 rue Francois 1er, 75008 Paris, France.
RCS Paris: 919 008 060.
Intra-community VAT: FR79919008060.
Contact: [email protected].

We have not appointed a Data Protection Officer because we are not required to do so under Article 37 GDPR (we do not carry out large-scale processing of special categories of data and we are not a public authority). The contact for all data-protection matters is [email protected]; requests are routed to Charafeddine Mouzouni or to an authorized member of the team.

As Cohorte SAS is established in the European Union, the appointment of an EU representative under Article 27 GDPR is not required.

The lead supervisory authority for our processing is the French Commission Nationale de l'Informatique et des Libertes (CNIL), www.cnil.fr.

2. Scope and definitions

This Privacy Policy applies to all personal data we process in connection with our products and services (the "Services"), including the Newsletter, free workshops, Digital Courses, the Engine Room, the AI OS Bootcamp, coaching sessions, and any add-on or related service. It also applies to your use of our website at cohorte.co.

This Privacy Policy does not apply to personal data we process on behalf of a corporate client in the context of a Team Engagement. In that context, your employer is the data controller and we act as data processor under a separate Data Processing Agreement signed with your employer (see Section 5.7).

"You" and "your" refer to the natural person whose personal data we process. "Personal data," "controller," "processor," "processing," and other capitalized terms used in a privacy sense have the meanings given in Article 4 GDPR.

3. Personal data we collect

Depending on how you interact with us, we may process the following categories of personal data:

Identity data: first and last name, username, display name, profile photo, date of birth (where age verification is needed), and unique user identifiers assigned by our platforms.
Contact data: email address, postal address, phone number, professional social-media handles where you provide them.
Account data: login credentials (passwords are stored only as salted hashes), account preferences, notification settings, membership tier, language preference.
Professional context data: employer or company name, job title, role, the systems or projects you ship, the problem you are working on, the type of peer who would help you. This is data you provide voluntarily in scoping calls, applications, the Day 30 community profile, or the Bootcamp scoping intensive.
Transaction data: purchase history, order amounts, billing address, payment method type (we do not store full card numbers), invoice records, refund and chargeback history. Where you choose Klarna at checkout, additional data may be collected by Klarna under its own controllership (see Section 9).
Service-usage data: Course progress and completion, lesson views, exercise submissions, mentor 1:1 attendance, capstone deliverables, scholarship application content, attendance at live sessions, Premium Question submissions, Helpdesk questions and answers, posts and comments in the Engine Room and in cohort channels, files you upload, reactions and votes.
Communications data: records of your correspondence with us, including email exchanges, support requests, survey responses, and any audio or video recordings of live sessions in which you appear (see Section 12).
Technical data: IP address, browser type and version, operating system, device type, screen resolution, time zone, referring URL, server logs.
Marketing data: your preferences and history regarding our Newsletter and any promotional communications (open and click events generated by Beehiiv tracking technologies).

Special categories of data. We do not deliberately collect special categories of personal data within the meaning of Article 9 GDPR (data revealing racial or ethnic origin, political opinions, religious beliefs, trade-union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation). If you voluntarily share such data in a community post, an application, or a coaching session, we treat it under additional safeguards and you may at any time request its erasure (see Section 16).

Criminal-conviction data. We do not process data relating to criminal convictions or offences within the meaning of Article 10 GDPR.

4. Where the data comes from

We collect personal data through three channels:

Direct submission. You provide data when you create an account, fill out a form, subscribe to the Newsletter, register for a workshop, apply to the Bootcamp or to the Engine Room, purchase a Service, post in our community, contact our support, book a coaching session, or otherwise communicate with us.
Automatic collection. When you visit our website or use our platforms, certain data is collected automatically through server logs and through strictly necessary cookies for site operation (see Section 8). When you participate in a live session over Zoom, attendance, audio, video, and chat metadata are collected by Zoom and made available to us as session host.
Third-party sources. We may receive data from our payment processor Stripe regarding the outcome of a transaction (including which payment method was used, such as a card or Klarna). When you choose Klarna at Stripe Checkout, your financing relationship is established directly between you and Klarna; Klarna does not normally communicate the details of that relationship to us. We may also receive information you choose to share with us (such as a LinkedIn profile URL you include in your application). We do not scrape or visit external profiles you have not shared with us directly.

Where you sign in to a Service using a third-party identity provider (such as a single-sign-on with a Google or LinkedIn account), we receive only the profile information you authorize that provider to share with us, typically your name, email address, profile picture, and a unique user identifier.

5. How we use your personal data, by Service

The personal data we process, the purpose, and the legal basis depend on which Service you use. The breakdown below is the operational truth; Section 6 summarizes the legal bases.

5.1 The Newsletter (The AI OS)

What we process: your email address, the date and source of your signup, and the open and click events generated by Beehiiv when you receive our Newsletter. If you optionally provide additional information at signup (such as country or language preference), we process that too.

Purpose: to deliver the Newsletter; to measure delivery, opens, and clicks for the purpose of editorial improvement; to send you occasional service-related emails about Cohorte products that are directly related to the Newsletter (such as a quarterly published-work cadence, a free workshop announcement, or a Bootcamp scholarship cycle); and, if you opt in separately, to send you dedicated cohort marketing campaigns.

Legal basis: consent (you signed up for the Newsletter) and our legitimate interest in measuring engagement with our editorial content. You may unsubscribe at any time using the unsubscribe link in every Newsletter.

Where it is stored: Beehiiv (United States; see Section 9).

5.2 Free workshops and public events

What we process: your name, email address, registration time, attendance, optionally any question you submit by chat, and (if you turn on your camera or microphone) your image, voice, and any spoken or written input during the live session.

Purpose: to register you, to send you the joining link and reminders, to operate the live session, to make a replay available for a defined period, and to produce curated content from the recording (clips, articles, social-media posts) where consent rules in our Terms of Service Section 23 are met.

Legal basis: performance of pre-contractual steps at your request (for the registration), our legitimate interest in providing a replay and improving content (for the recording, balanced against your right to opt out by keeping camera and microphone off), and consent (for any subsequent use of your identifiable image, voice, or words in curated content published outside the live event).

Where it is stored: Zoom for the recording, Beehiiv or Google Workspace for the registration data, Cloudflare for the website-side registration form (see Section 9).

5.3 Digital Courses

What we process: your account data (name, email, password hash), Course-progress data (lessons opened, modules completed, time spent, exercises submitted), and any feedback you provide in Course-related forms.

Purpose: to grant and maintain your lifetime access to purchased Courses, to track your progress for your own benefit (you can see what you have completed), to support quality improvement, and to inform you of updates to a Course you have purchased.

Legal basis: performance of the contract (you bought the Course; we deliver it) and our legitimate interest in maintaining and improving Course content.

Where it is stored: Circle (United States; see Section 9).

5.4 The Engine Room (paid community)

What we process: your account data; your Engine Room application answers (the three questions described in our Terms of Service Section 10.3); your member profile (display name, profile picture, bio, country, role); your posts, comments, reactions, files, and direct messages within the community; your Helpdesk questions and answers, including Premium Question submissions; your Day 30 profile (what you ship, hardest unsolved problem, peer-type that would help, and your opt-in to 1:1 matching); your attendance at live sessions and Build Teardowns; and the data needed to operate your subscription (billing address, subscription status, billing history).

Purpose: to admit you to the community, to operate the community surfaces (posts, comments, Helpdesk, live sessions), to deliver Premium Question answers and the resulting permanent Helpdesk asset, to operate the quarterly 1:1 matching system (where you opt in), to send you the Monday Digest email and other community communications, to manage your subscription, to moderate the community in line with our Terms of Service Section 22, and to compile aggregated community-health metrics.

Legal basis: performance of the contract (you subscribed; we deliver the Service), consent (for the matching opt-in and for promotional emails not directly related to your subscription), and our legitimate interests (community moderation, aggregated metrics, sub-processor security).

Where it is stored: Circle for the community surfaces; Stripe for billing; Beehiiv or Google Workspace for the Monday Digest email and lifecycle messages (see Section 9).

Visibility note. Content you post in a community space is visible to other members of the space. The Helpdesk is searchable by all members and your questions and answers may remain visible for the operational life of the community, subject to your right of erasure under Section 16.

5.5 The AI OS Bootcamp

What we process: your application data (including any information you provide in the application form or scholarship form, such as employer, role, project, motivation, and prior experience); your account data; your scoping-call notes; your enrollment and payment data; your cohort-schedule data (attendance, session participation); your exercise submissions, written assignments, and capstone deliverables; mentor-call recordings (audio, video, chat) of 1:1 sessions held over Zoom; you will be informed at the start of each session that it is being recorded, and you may opt out of appearing in the recording by keeping your camera and microphone off, in line with Section 12; your final certificate status and credential data on the verification page at cohorte.co/verify; and the data needed to operate your payment plan where applicable.

Purpose: to evaluate your application; to enroll you in a cohort; to deliver the 12-week program (live sessions, mentor 1:1s, exercise reviews, capstone evaluation, demo day); to issue your certificate and operate the verification page; to manage your payment plan; to produce the post-cohort survey and ship-rate measurement; and to invite you to alumni programming (alumni office hours, included Engine Room access).

Legal basis: performance of pre-contractual steps at your request (for the application phase), performance of the contract (for delivery), and our legitimate interests (alumni follow-up, ship-rate measurement, quality improvement).

Where it is stored: Circle for the cohort surface and the course library; Zoom for live sessions and mentor 1:1s (with raw recordings retained per Section 12); Stripe for payments; Google Workspace for cohort communications; Notion for selected internal program-management documents.

Capstone IP. You retain full ownership of the work product you create during the Bootcamp (per Section 11.7 of our Terms of Service). We retain copies of submitted deliverables for the operational life of the program archive, subject to your right of erasure.

Application data of unsuccessful applicants. See Section 11 (data retention).

5.6 Coaching sessions and add-ons

What we process: your booking data (name, email, time chosen, topic), the coach's notes from the session, and (if the session is recorded with your consent) the recording.

Purpose: to schedule and deliver the session, to allow you and the coach to refer back to the discussion, and (where you choose) to share the recording with you for your own reference.

Legal basis: performance of the contract.

Where it is stored: Calendly or equivalent for the booking, Zoom for any recording, Google Workspace for the coach's notes (see Section 9).

5.7 Team and enterprise engagements (Cohorte as processor)

When you participate in a Team Engagement (Curriculum License, Team Bootcamp, AI Readiness Program) as an employee of a corporate client, your employer is the data controller and Cohorte SAS acts as data processor under the Data Processing Agreement signed with your employer.

In that context, the categories of data we process, the retention periods, the sub-processors involved, and the international-transfer mechanisms are governed by that Data Processing Agreement, not by this Privacy Policy. To exercise your rights regarding personal data processed in a Team Engagement, please contact your employer's designated privacy contact in the first instance. We will of course assist your employer in responding to your request, in accordance with Article 28 GDPR.

Where you also use a consumer-facing Service in your personal capacity (for example, you separately subscribe to the Engine Room with a personal email), this Privacy Policy applies to that use, with Cohorte SAS as the controller.

6. Legal bases for processing

The legal bases on which we process your personal data, summarized:

Legal basis (Article 6 GDPR)	What we use it for
Performance of contract (Art. 6(1)(b))	Delivering Courses, the Engine Room, the Bootcamp, coaching, and any other paid Service to which you are subscribed; processing your payments; managing your subscription; issuing certificates.
Pre-contractual steps (Art. 6(1)(b))	Reviewing your application to the Bootcamp or to the Engine Room; running discovery and scoping calls.
Consent (Art. 6(1)(a))	Subscribing to the Newsletter; opting into 1:1 matching in the Engine Room; receiving promotional emails for Services other than those you have purchased; recording your appearance in any session for use in curated public content.
Legitimate interest (Art. 6(1)(f))	Editorial measurement of Newsletter engagement; community moderation; aggregated community-health metrics; ship-rate measurement; alumni follow-up; security monitoring; fraud prevention; defending legal claims; soft-opt-in marketing of similar Services to existing customers, with easy unsubscribe.
Legal obligation (Art. 6(1)(c))	Tax and accounting record-keeping; responding to lawful requests from public authorities; complying with consumer-protection law including the right of withdrawal.

Where we rely on legitimate interest, we have carried out a balancing test to ensure that our interest is not overridden by your rights and freedoms. You may obtain a copy of the balancing-test summary by contacting us at [email protected].

Where we rely on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

7. Marketing communications

We send four categories of email, with different rules for each:

The Newsletter (sent to people who signed up for the Newsletter): legal basis is consent. You can unsubscribe at any time using the link at the bottom of every issue.
Service-related emails (account confirmations, enrollment details, session reminders, payment receipts, security notifications, end-of-included-period notices): these are not marketing; they are necessary to deliver a Service you have purchased. You will receive these as long as you hold an active Service.
Cross-product promotional emails to existing customers (for example, an email to a Course buyer about a related Course or about the Engine Room): legal basis is our legitimate interest, qualified by the ePrivacy Directive Article 13(2) "soft opt-in" for similar products. We always include an easy opt-out, and you can opt out without affecting your existing Services.
Dedicated marketing campaigns to non-customers (for example, a paid LinkedIn-ad funnel where you opt in to a sequence of promotional emails): legal basis is consent. You can opt in at the moment of data collection and unsubscribe at any time.

You can update your marketing preferences by emailing [email protected] at any time.

8. Cookies and similar technologies

We currently use the following categories of cookies and similar technologies on cohorte.co:

Strictly necessary cookies: required for site operation (authentication where applicable, session management, security, and load balancing). These do not require your consent under the ePrivacy Directive.

We do not use Google Analytics, advertising cookies, or any cookie-based tracking. We use Cloudflare Web Analytics to measure aggregate website traffic (page views and referrers). Cloudflare Web Analytics does not set any cookies, does not store an identifier in your browser, and does not collect personal data: IP addresses are processed at the edge and discarded, and visitor signals are aggregated using daily-rotating hashes that cannot be linked back to you. Because no personal data is processed and no identifier is stored on your device, no prior consent is required under GDPR or the ePrivacy Directive. Further information is published by Cloudflare at cloudflare.com/web-analytics.

Third-party platforms we use to deliver some Services (Circle, Beehiiv, Stripe, Zoom) may set their own cookies on your device when you interact with their interfaces. Their cookie practices are governed by their own policies, listed in Section 9.

Emails we send may contain tracking technologies (pixels, redirect URLs) that allow us to measure delivery, opens, and clicks. For the Newsletter, this is operated by Beehiiv and is essential to assess content performance. You can disable image loading in your email client to limit pixel tracking.

9. Sub-processors and recipients

We share your personal data with the following sub-processors and recipients in order to deliver the Services. Each provider processes data on our behalf and is bound by a written contract that requires them to use the data only for the purposes we specify and to maintain appropriate security measures, in accordance with Article 28 GDPR.

Provider	Purpose	Country	Transfer mechanism	Privacy policy
Stripe (Stripe Payments Europe Ltd / Stripe, Inc.)	Payment processing, subscription management, invoicing, fraud detection.	Ireland (EU) and United States.	Within EEA: no transfer issue. To US: EU-US Data Privacy Framework (Stripe is DPF-certified).	stripe.com/privacy
Klarna (Klarna Bank AB)	Third-party financing offered at Stripe Checkout. Klarna acts as an independent controller of your data for the purposes of credit assessment and financing, not as our sub-processor.	Sweden (EU).	Within EEA: no transfer issue.	klarna.com/privacy
Circle.so (Circle Internet Services, Inc.)	Hosting of the Engine Room community, Course library, and Bootcamp delivery surface.	United States.	EU-US Data Privacy Framework where applicable, otherwise Standard Contractual Clauses (Decision 2021/914) plus a Transfer Impact Assessment.	circle.so/privacy
Beehiiv (Beehiiv, Inc.)	Distribution of the Newsletter, lifecycle emails, subscriber management, email-engagement analytics.	United States.	Standard Contractual Clauses (Decision 2021/914) plus a Transfer Impact Assessment.	beehiiv.com/privacy
Zoom (Zoom Video Communications, Inc.)	Live sessions, mentor 1:1 calls, workshops, webinars, recordings, transcripts.	United States.	EU-US Data Privacy Framework (Zoom is DPF-certified).	zoom.us/privacy
Cloudflare (Cloudflare, Inc.)	Website hosting (Cloudflare Pages), edge routing, DDoS mitigation, IP-level security.	United States (with global edge presence).	EU-US Data Privacy Framework (Cloudflare is DPF-certified).	cloudflare.com/privacy
Google Workspace (Google Ireland Limited)	Internal email, document collaboration, calendar, mentor email addresses.	Ireland (EU) and United States.	Within EEA: no transfer issue. To US: EU-US Data Privacy Framework (Google is DPF-certified).	policies.google.com/privacy
Cloudflare Web Analytics (Cloudflare, Inc.)	Aggregate website-traffic measurement (page views and referrers). Cookieless. No personal data stored; visitor signals are aggregated using daily-rotating hashes processed at the edge.	Global edge network; reporting infrastructure in the United States.	EU-US Data Privacy Framework (Cloudflare is DPF-certified). No personal data is transferred in any case because the service does not collect identifiers.	cloudflare.com/privacypolicy
Calendly (Calendly, LLC)	Appointment scheduling for coaching, mentor calls, discovery calls.	United States.	Standard Contractual Clauses (Decision 2021/914) plus a Transfer Impact Assessment.	calendly.com/privacy
Notion (Notion Labs, Inc.)	Internal documents, templates, shared resources. Limited user-facing data exposure.	United States.	EU-US Data Privacy Framework (Notion is DPF-certified).	notion.so/privacy
Loom (Loom, Inc., an Atlassian company)	Asynchronous video feedback, internal walkthroughs, occasional product communications.	United States.	Standard Contractual Clauses (Decision 2021/914) plus a Transfer Impact Assessment.	loom.com/privacy
Workflow automation (Zapier, Inc., or self-hosted n8n)	Operational integrations between our internal platforms.	Zapier: United States. n8n: where self-hosted (typically EU).	Zapier: Standard Contractual Clauses plus Transfer Impact Assessment. n8n: no transfer issue when self-hosted in EU.	zapier.com/privacy

We may engage additional sub-processors as our needs evolve. Where the change materially affects the processing of your personal data, we will update this list and (for ongoing Services) inform you in advance of the new sub-processor in accordance with Article 28(2) GDPR.

We do not sell, rent, or trade your personal data to third parties for their own marketing purposes. We may disclose your data if required by law, in response to a valid request from a public authority, or where necessary to defend our rights or the safety of our users.

10. International transfers

Several of our sub-processors operate in the United States or in other countries outside the European Economic Area. When personal data is transferred outside the EEA to a country that has not received an adequacy decision from the European Commission, we rely on the following safeguards:

Adequacy decisions. For countries the European Commission has determined provide an adequate level of protection, transfers are made on the basis of the adequacy decision. The current relevant decision for the United States is the EU-US Data Privacy Framework adequacy decision (Decision 2023/1795). Where the recipient is DPF-certified, the transfer is covered by that decision.
Standard Contractual Clauses. Where the recipient is not covered by an adequacy decision, we use the European Commission's Standard Contractual Clauses (Decision 2021/914), supplemented by additional technical and organizational safeguards based on a Transfer Impact Assessment carried out in light of the Schrems II case-law.
UK transfers. For transfers from the United Kingdom, we rely on the UK International Data Transfer Addendum to the EU SCCs.

You may obtain a copy of the safeguards in place for any specific transfer, and a copy of our Transfer Impact Assessment, by emailing [email protected].

11. Data retention

We retain personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy, to comply with our legal obligations, to resolve disputes, and to enforce our agreements.

Data category	Retention period
Newsletter subscription data (email, opt-in date, opens and clicks)	Until you unsubscribe, plus a short suppression period to ensure your preference is respected.
Free workshop registration data	Up to 24 months from the event date, then deleted.
Account data (Course buyer, Engine Room member, Bootcamp graduate)	For the duration of your account. We will not close an account that holds an unexpired access right to a paid Service (in particular, a Course with lifetime access). After you request account closure, your account is deactivated immediately. Basic identifiers are moved to intermediate archive for 12 months to handle any post-termination dispute or fraud-detection need, then deleted.
Course content access	Lifetime access to purchased Courses, for as long as we operate the platform on which the Course is hosted (see Section 9.3 of our Terms of Service).
Engine Room community content (posts, comments, Helpdesk questions and answers, Premium Question submissions)	Retained for the operational life of the community as a searchable archive. On request, we replace your author identifier with a generic label and remove identifying content from the post itself, in line with your right of erasure under Section 16.
Bootcamp deliverables and capstone work submitted to us	Retained for as long as we operate the Bootcamp program archive, subject to your right of erasure.
Application data of unsuccessful applicants (Bootcamp, Engine Room, scholarship)	Up to 24 months for the purpose of contacting you about future cohorts (subject to your separate marketing opt-in), then deleted.
Live session recordings (raw)	Maximum 12 months from the date of the session, then automatically deleted from our recording host and from any internal storage. Chat transcripts and Q&A logs follow the same rule.
Curated content derived from recordings (clips, highlights, public-facing artifacts)	Indefinite, where every visible or identifiable participant has given explicit prior written consent. Withdrawn on request, in line with the consent rules in Section 12.
Coaching session bookings and notes	Retained for 24 months from the session date, then deleted, unless extended by your account activity (for example, a follow-up booking).
Transaction and financial records (invoices, payment history, refunds, chargebacks)	10 years from the end of the financial year, in accordance with Article L123-22 of the French Commercial Code.
Marketing data and preferences	Until you withdraw consent or unsubscribe, plus a short suppression period.
Server logs and security data	Up to 12 months for technical and security purposes, then deleted or anonymized.
Cloudflare Web Analytics data	Aggregate page-view counts only. No user-level data is collected, so there is no user-level retention to apply. Cloudflare retains the aggregate reports per its own policy.
Support correspondence	Up to 36 months from the last interaction, then deleted, unless retained longer to defend a legal claim.
Backup copies of any data above	Typically up to 90 days, in line with our standard backup policy.

When personal data is no longer needed for the purposes for which it was collected and we have no legal obligation to retain it, we either delete it or irreversibly anonymize it.

12. Recordings, retention, and erasure

Live sessions in our Services may be recorded for the purposes of providing a replay archive, supporting quality improvement, and producing curated content. Recordings may include the names, voices, faces, and shared screens of participants who choose to appear. Chat transcripts and Q&A logs from live sessions are treated as part of the recording.

We operate two retention tracks, mirrored in Section 23 of our Terms of Service:

Raw recordings: retained for a maximum of 12 months from the date of the session, then automatically deleted.
Curated content: indefinite retention, only with the explicit prior written consent of every participant who appears or is identifiable. Refusals are honored without negotiation.

Legal basis. For paid Services, the legal basis for recording is performance of the contract: recordings are part of the Service we deliver. For free workshops, the legal basis is our legitimate interest in providing a replay and improving content, balanced against your right not to appear (which you can exercise by keeping your camera and microphone off). For any subsequent use of identifiable image, voice, or words in curated content published outside the live event, the legal basis is your separate explicit consent.

Right to early erasure. You may request the erasure of any recording in which you appear, in accordance with Article 17 GDPR. We will action your request within 30 days, including by removing the relevant recording from active access or, where technically feasible without disproportionate effort, by editing your appearance out of the recording. Where the recording has been incorporated into a curated public-facing artifact, we will, at minimum, take down the artifact in accordance with the consent rules above.

13. AI used by Cohorte

We use AI tools internally to support our operations, in particular to: assist with content production; provide rubric-based feedback and grading suggestions to mentors; transcribe and summarize recordings; automate parts of our customer-support and analytics workflows. Personal data may be processed by these AI tools (for example, transcription of a live session you attended).

The legal basis is our legitimate interest in operating the Services efficiently, balanced against your rights. Outputs of AI tools are reviewed by humans before publication or before any decision affecting you is taken. We do not auto-publish AI-generated content under our brand without human review. We do not train any AI model, third-party or our own, on your personal data.

We do not deploy AI systems classified as "high-risk" under the EU AI Act in connection with the Services covered by this Privacy Policy. If we begin to do so in the future, we will update this Privacy Policy and our Terms of Service and inform affected users.

Our team members receive AI-literacy guidance in line with our obligations under Article 4 of the EU AI Act.

14. Automated decision-making

We do not make decisions concerning you that produce legal effects or similarly significantly affect you based solely on automated processing, within the meaning of Article 22 GDPR.

Application decisions (for the Bootcamp, for the Engine Room, for scholarships) are reviewed by a human member of our team. The quarterly 1:1 matching system in the Engine Room is hand-curated by our Community & Experience Coordinator from your Day 30 profile and your opt-in.

Payment-fraud detection operated by Stripe involves automated processing under Stripe's own controllership; the consequences of a fraud-detection decision (such as a declined transaction) can be challenged with Stripe directly, and we will assist where reasonable.

15. Security

We implement appropriate technical and organizational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, and unauthorized access, in accordance with Article 32 GDPR. These measures include:

Encryption. Data is encrypted in transit using TLS and, where appropriate, at rest using industry-standard encryption algorithms by our sub-processors.
Access controls. Access to personal data is restricted to authorized personnel who require it for their job functions, on a least-privilege basis. Multi-factor authentication is enforced on administrative accounts.
Backup and recovery. Backups are taken on a routine cadence and stored with encryption at rest. Backup retention is typically up to 90 days.
Sub-processor diligence. Sub-processors are selected for their security posture, which is reviewed at the contracting stage and on a periodic basis.
Training. Our team members receive guidance on data protection and information security on joining and on a periodic basis.
Incident response. We maintain an incident-response procedure to address personal-data breaches promptly. In the event of a breach that poses a risk to your rights and freedoms, we will notify the CNIL within 72 hours of becoming aware of the breach, in accordance with Article 33 GDPR, and will inform you without undue delay where the breach is likely to result in a high risk to your rights and freedoms, in accordance with Article 34 GDPR.

While we take all reasonable precautions, no method of transmission over the internet or method of electronic storage is completely secure. We cannot guarantee absolute security of your data.

Payments and PCI compliance. All card payments are processed by Stripe, certified PCI DSS Level 1 Service Provider. Card details are transmitted directly to Stripe's secure servers and are not stored on our own systems.

16. Your rights

Under the GDPR and equivalent applicable laws, you have the following rights regarding your personal data:

Right of access (Article 15 GDPR): obtain confirmation of whether we process your personal data and, if so, request a copy together with the information set out in Article 15.
Right to rectification (Article 16 GDPR): request correction of inaccurate personal data and completion of incomplete personal data.
Right to erasure (Article 17 GDPR, "right to be forgotten"): request deletion of your personal data in the cases described in Article 17, including when the data is no longer needed, when you withdraw consent, when you object successfully, or when the data has been unlawfully processed.
Right to restriction of processing (Article 18 GDPR): request that we limit the processing of your data in the cases described in Article 18.
Right to data portability (Article 20 GDPR): receive the personal data you provided to us in a structured, commonly used, machine-readable format, and transmit it to another controller where technically feasible.
Right to object (Article 21 GDPR): object to processing based on our legitimate interests on grounds relating to your particular situation; and object at any time to processing for direct-marketing purposes, in which case we will stop the marketing without delay.
Right to withdraw consent (Article 7(3) GDPR): where processing is based on your consent, withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
Right to lodge a complaint (Article 77 GDPR): lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, place of work, or place of the alleged infringement.

To exercise any of these rights, please contact us at [email protected]. We will respond within one month of receipt, in accordance with Article 12(3) GDPR. Where the request is complex or numerous, we may extend this period by up to two further months and will inform you within the first month, with reasons. We may need to verify your identity before processing your request.

17. Children

Our Services are not directed to children. The minimum age to subscribe to the Newsletter or to register for a free workshop is 16. The minimum age to purchase any paid Service or to enter into a payment plan is 18. The full age rules are set out in Section 4.1 of our Terms of Service.

Where the processing of personal data of a child is involved in the context of an information-society service, the digital-consent age set by the country of residence under Article 8 GDPR applies (between 13 and 16 in the European Union; 15 in France), and parental consent is required by law in addition to our contractual rules.

If we become aware that we have collected personal data from a child without the appropriate consent, we will take steps to delete that data promptly. If you are a parent or legal guardian and believe that a minor in your care has provided personal data to us without the appropriate consent, contact us at [email protected] and we will close the account.

18. Region-specific provisions

18.1 European Economic Area, United Kingdom, and Switzerland

If you are located in the EEA, the UK, or Switzerland, this Privacy Policy applies in full. Cohorte SAS is the data controller. The supervisory authorities are the CNIL (France, lead authority) and the supervisory authority of your country of residence. For UK residents, the lead supervisory authority for matters concerning UK GDPR is the Information Commissioner's Office (ICO), ico.org.uk. For Swiss residents, complaints may be addressed to the Federal Data Protection and Information Commissioner (FDPIC), edoeb.admin.ch.

18.2 California

Cohorte SAS does not currently meet the applicability thresholds of the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA"). Nevertheless, as a goodwill commitment to California residents, we extend the substantive rights of the CCPA on request.

If you are a California resident, you may request that we disclose the categories and specific pieces of personal information we have collected, the categories of sources from which the information was collected, the business or commercial purpose for collecting it, and the categories of third parties with whom we share it. You may also request deletion of your personal information.

We do not "sell" or "share" personal information as those terms are defined under the CCPA. We will not discriminate against you for exercising any of your privacy rights. To submit a request, contact us at [email protected].

18.3 France: post-mortem directives

Under Article 85 of the French Data Protection Act, you have the right to give general or specific directives concerning the conservation, deletion, and communication of your personal data after your death. Specific directives applying to our Services may be communicated to us at [email protected]. General directives may be given to a digital trusted third party certified by the CNIL. In the absence of directives, your heirs may exercise certain rights regarding your personal data after your death.

19. Whether providing data is required

Providing certain personal data to us is required for us to deliver our Services. In particular, providing your name, contact details, and payment information at checkout is a contractual requirement; without it, we cannot deliver the Service you are purchasing.

Providing other data is voluntary. Optional fields in our forms (for example, your professional context, the systems you ship, your peer-type preference for matching, optional survey responses, marketing-email opt-in) are clearly identified and have no consequence on your existing Services if you choose not to provide them.

20. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, sub-processors, or legal requirements. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you by email or through a prominent notice on our website at least 30 days before the change takes effect. We encourage you to review this page periodically.

21. Language

This Privacy Policy is originally drafted in English. Any translation we provide is for convenience only; the English version prevails in case of discrepancy, except for users in jurisdictions where local law requires the local-language version to be binding.

22. Contact and complaints

If you have any questions, concerns, or requests regarding this Privacy Policy or our data-protection practices, please contact us:

Email: [email protected]
Postal address: Cohorte SAS, 60 rue Francois 1er, 75008 Paris, France

We will acknowledge receipt of your request within five business days and provide a substantive reply within one month, in accordance with Article 12(3) GDPR.

If you are not satisfied with our response, you have the right to lodge a complaint with a supervisory authority. The lead supervisory authority for our processing is the CNIL, accessible at www.cnil.fr. You may also lodge a complaint with the supervisory authority in your country of residence.