Privacy policy – Rakoono
Effective Date: 3 November 2025
Your data is yours. We will never sell it.
The information we collect (your profile, your conversations with the AI) is used solely to personalise your learning journey and improve our service. Your employer is the Data Controller for your data. You have rights over this data, and the methods for exercising them are detailed in Article 8. The security of your information is our top priority.
Preamble: Our role and your employer's role
This privacy policy is intended for our Clients (the companies that subscribe to our services) and their employees, our Users.
In the context of providing our services, it is essential to distinguish the roles of each party under the GDPR:
- Your employer is the Data Controller: They determine the purposes and means of processing your data (your professional training). They are your main point of contact for managing your account and exercising your rights.
- Rakoono acts as a Data Processor: We process your personal data on behalf of and in accordance with the documented instructions of your employer, in compliance with Article 28 of the GDPR and our contractual agreement.
Exception for service improvement:
For the specific and limited purpose of improving the performance, security, and features of our conversational agent, Rakoono acts as a Data Controller. This processing, detailed in Article 3, is based on our legitimate interest and is carried out exclusively on pseudonymised and aggregated data.
Article 1: Contact and legal information
Contact us
For any questions regarding this privacy policy or to exercise your rights, you can contact our data protection contact:
- For the attention of: Mr. Hermès Dezautière, Data Officer
- By email: privacy@rakoono.com
Publisher information
The Rakoono platform is a service published and operated by the company Dataed Technologies, registered in France under SIRET number 984 056 366 00011.
- Registered office: 58 Rue de Monceau, CS 48756, 75008 Paris, France.
Article 2: The data we process
We collect and process the following categories of data, which are strictly necessary to personalise your learning experience:
- Identification Data:
  - Information provided during account creation: First name, professional email address.
  - System-generated information: Unique User ID (UUID), role.
- Professional Personalisation Data:
  - Information about your profile: Job title, industry, seniority.
  - Information about your goals and preferences: AI maturity level, training objectives, learning preferences (tone, frequency, etc.).
- Learning and Progress Data:
  - Data related to your activity: Modules completed, scores, time spent, exercise answers, skill mastery levels, experience points (XP).
- AI Agent Conversation Data:
  - The content of messages you exchange with our conversational agent, as well as your feedback (likes or dislikes).
- Optional Data (with your explicit consent):
  - If you choose this option, the URL of your LinkedIn profile to automatically pre-fill your professional profile.
Important: We ask that you never share sensitive data (e.g., health information, political opinions, trade secrets, passwords) in your conversations. While we have technical filters in place to detect and limit the processing of such information, your own vigilance remains crucial.
Article 3: Why we process your data (Purposes and legal bases)
We process your data for the following purposes, based on the legal grounds provided by the GDPR:
| Purpose | Data Involved | Legal Basis | Who is the Data Controller? |
|---|---|---|---|
| Provide and manage your access to the platform | Identification Data. | Performance of a contract | Your employer (Client) |
| Personalise your learning journey | Personalisation, Learning and Conversation Data. | Performance of a contract | Your employer (Client) |
| Track your progress and keep you engaged | Learning and Identification Data. | Performance of a contract | Your employer (Client) |
| Improve the relevance of our service | Conversation and Learning Data (pseudonymised and aggregated). | Our legitimate interest* | Rakoono |
| Pre-fill your profile via LinkedIn | Optional Data (LinkedIn profile URL). | Your consent | Your employer (Client) |
| Analyse platform usage (statistics) | Technical and Usage Data (via PostHog). | Your consent (via cookie banner) | Your employer (Client) |
\* Our legitimate interest is to improve the quality and performance of our AI agent. We conduct a balancing test to ensure this interest does not override the rights and freedoms of our Users, notably by using advanced pseudonymisation techniques. You can object to this processing as described in Article 8.
Article 4: Who has access to your data? (Recipients and sub-processors)
We never sell or rent your personal data. It is shared only with the sub-processors essential for providing our service:
| Sub-processor | Purpose | Storage Location |
|---|---|---|
| Vercel | Application hosting | Europe (AWS infrastructure) |
| Supabase | Database, authentication | Europe (AWS infrastructure) |
| Brevo | Sending transactional emails | Europe |
| PostHog | Product usage analysis | Europe |
| Google | Conversational agent (Gemini API) | Multi-region |
| OpenAI | Conversational agent (GPT API) | United States |
Article 5: Data transfers outside the European Union
Most of your data is hosted and processed within the European Union. However, the operation of our conversational agent requires the use of providers based in the United States. These transfers are governed by strict legal and technical safeguards:
- Google (United States): The transfer is covered by Google's certification to the EU-U.S. Data Privacy Framework, the validity of which we periodically verify.
- OpenAI (United States): The transfer is governed by the European Commission's Standard Contractual Clauses (SCCs). In line with GDPR requirements, we have supplemented these SCCs with additional measures, including enhanced pseudonymisation and encryption of transmitted data.
In both cases, only pseudonymised conversation and professional profile data are transmitted, without direct identifiers such as your name or email address.
Article 6: Data retention period
We only retain your data for the period strictly necessary for the purposes for which it was collected:
- User Account Data: Retained for as long as your account is active. If your account is deleted, this data is immediately deleted from our production databases.
- Technical and Security Logs: Connection and event logs, used to ensure the security of the platform, are kept for a rolling period of 12 months.
- Backups: Our databases are backed up daily. These backups are kept for 30 days for disaster recovery purposes. Therefore, following a deletion request, your data will be permanently purged from all our systems after this period.
Article 7: Data security
The security of your data is our priority. We implement robust technical and organisational measures, including:
- Encryption of data in transit (HTTPS/TLS 1.3) and at rest (AES-256).
- Data isolation using a security architecture (Row Level Security) that ensures users can only access their own data.
- Strong authentication and secure password management.
- Restricted access to data for our staff, based on the principle of least privilege.
Additionally, we are committed to conducting regular internal security audits and maintaining our compliance with recognised standards, such as our SOC 2 certification. In the event of a data breach, we will notify our Client (the Data Controller) without undue delay and no later than 48 hours after becoming aware of it.
Article 8: Your rights over your data
In accordance with the GDPR, you have the following rights regarding your personal data:
- Right of access (Art. 15): The right to obtain confirmation that your data is being processed and to receive a copy of it.
- Right to rectification (Art. 16): The right to correct any inaccurate information about you.
- Right to erasure ('right to be forgotten') (Art. 17): The right to request the deletion of your data, under certain conditions.
- Right to restriction of processing (Art. 18): The right to request that the use of your data be "frozen" in certain situations, for example, if you contest its accuracy or object to its processing.
- Right to data portability (Art. 20): The right to receive the data you have provided to us in a structured, commonly used, and machine-readable format (JSON/CSV).
- Right to object (Art. 21): The right to object at any time to the processing of your data based on our legitimate interest.
How to exercise your rights:
Your first point of contact is your employer (the Client), who is the Data Controller. However, Rakoono makes it easy for you to exercise some of these rights directly:
- To access and rectify your data:
  - You can modify your personalisation data (objectives, preferences) directly from your profile settings.
  - To change your identification data (first name, email), please contact your employer.
- To request erasure, restriction, or portability of your data:
  - Send your request by email to privacy@rakoono.com. We will verify your identity via a confirmation link sent to your professional email address.
  - Erasure/Restriction Procedure: In line with our obligations as a data processor, we will inform your employer of your request and act upon their instructions.
  - We will process your request within a maximum of one month.
- To exercise your right to object:
  - The processing for service improvement is based on our legitimate interest (see Article 3). You have the right to object to this at any time.
  - To do so, please contact us at privacy@rakoono.com. Following your request, we will cease this specific processing of your data unless we can demonstrate compelling legitimate grounds for the processing which override your rights and freedoms. In our case, this will mean excluding your future contributions from our analysis processes.
- You also have the right to lodge a complaint with a competent supervisory authority, such as the ICO in the UK or the CNIL in France.
Article 9: Management of cookies and trackers
We use one tracker (PostHog) to measure audience and understand feature usage in order to improve our service. The use of this tracker is subject to your consent, which is collected via an information banner on your first visit. Your choice is valid for a maximum of 13 months.
Article 10: Changes to this policy
We may update this privacy policy from time to time. In the event of a material change, we will inform you by email or via a notification on the platform and, where necessary, we will seek your consent again.