Privacy Policy

Last updated: 19 May 2026

This policy explains how Hegemy collects and processes personal data of the parent or legal guardian who creates an account, as well as the very limited information (first name, age) about children under their responsibility. Hegemy is an app designed for families: the primary user is the adult, the child listens via the session opened by their parent.

1. Data controller

Hegemy is a side project run by an independent developer (no legal entity at this time).
Contact: linkedin.com/in/jeremyjodeau

2. Data we collect

Parent data (account)

• Email address (authentication);
• Apple or Google identifier if the parent uses these sign-in methods;
• Sign-up date, last login date.

Children data (provided by the parent)

• First name (or nickname) and age of the child, voluntarily provided by the parent to tailor stories;
• No other personal data about the child is requested or collected (no photo, no email, no biometric identifier, no precise geolocation).

Usage data

• Destinations added, themes chosen;
• Stories generated and listened to, playback progress, listening duration;
• Feedback (thumbs up/down) on stories;
• Pseudonymized analytics events (PostHog): screen views, taps, errors.

Technical data

• Server logs (IP address, timestamp, device type) — kept for security and debugging;
• JWT session token (stored locally on the device, never transmitted outside the authentication flow).

3. Purposes of processing

Your data is used exclusively to:

• provide the Service (authenticate the parent, generate age-appropriate stories, deliver audio);
• improve content quality (analyzing feedback and generation errors);
• ensure account security (abuse detection, anti-fraud);
• communicate with the parent about the Service (important updates, security, billing).

We do not serve advertising and we do no commercial profiling, neither toward parents nor toward children.

4. Legal basis (GDPR)

• Performance of the contract: processing needed to provide the Service subscribed to by the parent (account, story generation);
• Parental consent: for data about the child (first name + age), voluntarily provided by the parent on behalf of their child;
• Legitimate interest: Service security, fraud prevention, pseudonymized analytics;
• Legal obligation: retention of billing data where applicable.

5. Sub-processors and transfers

To operate, Hegemy relies on technical providers acting as sub-processors under the GDPR:

• Supabase (Ireland/EU) — database, authentication, audio file storage;
• Vercel (USA, global CDN) — landing page hosting;
• Anthropic, OpenAI, Google (Gemini), Mistral — AI models used to generate stories and voices. Requests sent contain: the child's first name and age, the chosen destination and theme. No email or account identifier is transmitted to these services. Depending on the provider, some data may transit outside the EU (mainly USA) under standard contractual safeguards;
• Apple Sign-in / Google Sign-in — only for login, subject to their own policies;
• PostHog (EU) — pseudonymized product analytics, hosted on European servers;
• Apple App Store / Google Play / RevenueCat — subscription and payment management (where applicable).

We select sub-processors that provide a level of protection compliant with the GDPR and we update this list in case of significant changes.

6. Enhanced protection for children

Hegemy applies strict principles for the protection of minors' data:

• No child account: only the parent has credentials;
• Minimization: first name and age only, no sensitive data (health, biometrics, religion…);
• No targeted advertising and no marketing profiling;
• No data sale to third parties;
• Automated moderation of generated content to keep it suitable for children;
• Compliance with French CNIL recommendations for services aimed at minors and with applicable equivalent regulations (COPPA-like, UK Children's Code).

The parent can delete a child profile at any time from the app — all associated data (stories, progress, feedback) is then erased within 30 days.

7. Retention

• Parent account and child profiles: kept as long as the account is active;
• After account deletion: erased within 30 days, except for legal obligations (billing: 10 years);
• Technical logs: 12 months maximum;
• PostHog analytics: 24 months maximum.

8. Your rights

Under the GDPR, you have the following rights regarding your data and your children's data at any time:

• Access — obtain a copy of the data we hold about you;
• Rectification — correct inaccurate data;
• Erasure — request deletion of all or part of your data;
• Portability — receive your data in a structured format;
• Objection — object to processing based on legitimate interest;
• Withdrawal of consent — for consent-based processing, at any time and without retroactive effect.

To exercise these rights, contact me on LinkedIn, mentioning the email address linked to the account. Response within 30 days maximum.

You also have the right to lodge a complaint with the French data protection authority CNIL (www.cnil.fr) or your local supervisory authority if you consider that your rights have not been respected.

9. Cookies and trackers

The hegemy.com website uses cookies that are technically necessary for its operation and a pseudonymized analytics tool (PostHog). The mobile app does not set cookies but uses a local device identifier for the analytics SDK. No advertising cookie is used.

10. Changes

This policy may evolve. In case of significant change (new purpose, new major sub-processor), users will be informed by email and/or in-app notification at least 30 days before the change takes effect.

11. Contact

For any question regarding your data, contact me on LinkedIn.