Discus
PricingAboutBlog

Privacy Policy

Latest update : April 23, 2026

1. About this policy

This privacy policy describes how Amaury Lavoine (Discus), a Canadian sole proprietorship based in Ontario (hereinafter "Discus", "we", "our"), collects, uses, retains, and shares the personal data of users of the website discus.app and the mobile application Discus (hereinafter "the Service").

Postal address: [ADRESSE À COMPLÉTER].
Dedicated contact for privacy inquiries:contact@discussapp.com.

This policy covers the entire Service: marketing website, mobile application Discus (iOS and Android), and associated services (support, transactional communication).

2. Data we collect

2.1 When using the website

  • Server logs: IP address, user-agent, URL accessed, referrer, timestamp. This data is collected automatically for security and diagnostic purposes.
  • Strictly necessary cookie: a language preference cookie (NEXT_LOCALE) to serve the site in the chosen language.
  • Analytics (optional): anonymized traffic measurements via Vercel Analytics, activated only if you consent.

2.2 When using the Discus application

  • Account data: email address, first name, language learned, declared level.
  • Learning activity: words added to the lexicon, responses to conjugation and dictation exercises, spaced repetition progress (SRS), history of conversations with the tutoring AI.
  • Audio: audio transmitted for voice recognition and pronunciation assessment. By default, this audio is processed on the fly and is not retained.
  • Device identifiers: technical identifiers necessary for the operation of the application and for aggregated analytics (no advertising fingerprinting).
  • Subscription status: transmitted by Apple App Store or Google Play. We do not receive or store payment methods.

3. Legal bases for processing (EU / UK users)

In accordance with Article 6 of the General Data Protection Regulation (GDPR), we process personal data on the following legal bases:

  • Contract execution (art. 6.1.b): to provide the Service as defined in our Terms of Use.
  • Legitimate interest (art. 6.1.f): security, fraud prevention, aggregated product improvement.
  • Consent (art. 6.1.a): optional analytics, audio processing to improve our speech recognition models, marketing communications.
  • Legal obligation (art. 6.1.c): retention of certain data for accounting or regulatory purposes.

4. Purposes of processing

  • To provide, maintain, and secure the Service.
  • To personalize learning sessions based on level and progress.
  • To improve the pedagogical method of Discus.
  • To produce aggregated usage statistics.
  • To ensure customer support.
  • To manage billing via the App Store and Google Play.
  • To communicate important developments regarding the Service.

5. Retention period

  • Active accounts: for the entire duration of the account's life, then 90 days after deletion to manage any residual requests (billing, support).
  • Server logs: up to 12 months.
  • Audio: not retained, processed on-the-fly for speech recognition, unless explicit and revocable consent is given to contribute to the improvement of our models.
  • Accounting data: retained for the duration mandated by law (generally 6 to 10 years depending on the jurisdiction).

For any data not explicitly listed, we apply the principle of necessary duration for processing, with a reasonable ceiling.

6. Sharing with third parties

We do not sell personal data. We share certain data with subcontractors strictly necessary for the operation of the Service:

  • Hosting: Vercel Inc. (USA).
  • Backend and database: Supabase Inc.
  • Conversational AI: OpenAI and Anthropic, for processing interactions with the AI tutor.
  • Sending transactional emails: Resend.
  • Distribution and billing: Apple App Store (Apple Inc.) and Google Play (Google LLC).
  • Analytics: Vercel Analytics (anonymized).
  • CMS (planned in phase 2): Sanity, for publishing blog articles and legal documents.

Each of these subcontractors is bound by a Data Processing Agreement (DPA) that complies with the requirements of the GDPR, PIPEDA, and equivalent frameworks.

7. Transfers outside the European Economic Area

Some of our subcontractors are based in the United States or other non-EU jurisdictions. These transfers are governed by standard contractual clauses (SCCs) adopted by the European Commission, as well as, where applicable, by the Data Privacy Framework (DPF) for certified U.S. providers.

You are informed that U.S. legislation (notably theCLOUD Act) may allow public authorities access to data hosted by U.S. providers. We select our subcontractors to minimize this exposure and only transmit strictly necessary data.

8. Your rights (GDPR — EU / UK)

If you reside in the EU or the UK, you have:

  • the right to access your data;
  • the right to rectification;
  • the right to erasure (“right to be forgotten”);
  • the right to restriction of processing;
  • the right to data portability;
  • the right to object;
  • the right to withdraw your consent at any time;
  • the right to lodge a complaint with the competent supervisory authority (CNIL in France, ICO in the United Kingdom, or the authority in your country of residence).

To exercise these rights, write tocontact@discussapp.com. We will respond within a maximum of one month.

9. Rights of Canadian Users (PIPEDA)

Under the Personal Information Protection and Electronic Documents Act (PIPEDA), you have:

  • the right to access your personal information;
  • the right to request the correction of this information;
  • the right to file a complaint with theOffice of the Privacy Commissioner of Canada(priv.gc.ca).

Since Amaury Lavoine (Discus) is established in Ontario, no provincial law equivalent to Quebec's Bill 25 applies to the Ontario private sector; federal PIPEDA remains the reference framework.

10. Rights of California Residents (CCPA / CPRA)

If you are a resident of the State of California, theCalifornia Consumer Privacy Act (CCPA) amended by theCalifornia Privacy Rights Act (CPRA) guarantees you:

  • the right to know what data is collected;
  • the right to request the deletion of your data;
  • the right to request the correction of your data;
  • the right to restrict the use of sensitive information;
  • the right not to be discriminated against for exercising these rights.

Discus does not sellof personal data as defined by the CCPA and does not share data for inter-contextual behavioral advertising purposes.

11. Security

We implement appropriate technical and organizational measures to protect your data:

  • encryption in transit (TLS) and at rest;
  • least privilege access control;
  • regular security reviews;
  • incident notification to the competent authorities within 72 hours of discovery, in accordance with Article 33 of the GDPR and equivalent obligations under PIPEDA.

12. Protection of Minors

The Service is intended for users aged at least13 years. In the European Union, the age of digital consent may be raised to 16 years according to the legislation of the member state of residence; in this case, consent from a holder of parental authority is required.

We do not knowingly collect data from children below this threshold. If you believe that a child has provided us with data, please contact us for immediate deletion.

13. Cookies

Details of the cookies used are available in ourCookie Policy.

14. Automated Decision-Making

The conversational AI of Discus provides corrections and educational suggestions. It does not make any decisions that produce legal effects or significantly affect you. You always retain control over your learning journey.

15. Changes

We may evolve this policy. In the event of significant changes, we will post an information banner on the website and the app, and send an email to registered users.

16. Contact

Amaury Lavoine (Discus)
NE: 733742472 RT0001
[ADDRESS TO COMPLETE]
Ontario, Canada
Email:contact@discussapp.com

Given the size of the organization, no Data Protection Officer (DPO) is formally designated. The above contact is responsible for handling privacy-related requests.