Privacy policy

Your health data is sacred. Here is what we collect, why, where we store it, and how you take back control at any time. No resale. No profiling. No transfer outside the EU.

GDPR-COMPLIANT · COMPLIANT WITH FRENCH DATA PROTECTION ACT · LAST UPDATED MAY 22 2026

1. Preamble & commitments

Weave is a family and care coordination application centered on a fragile loved one living at home. By nature, the service handles particularly sensitive data: health information, family contacts, location data during emergencies. This privacy policy describes our commitments regarding this data, in accordance with Regulation (EU) 2016/679 (GDPR) and French Act n°78-17 of 6 January 1978, known as the "Data Protection Act".

Our four founding commitments. (1) No data resale, ever — neither anonymized nor aggregated. (2) No commercial profiling or targeted advertising. (3) No transfer outside the European Economic Area for health data. For essential services (payment, push notifications), residual transfers are framed by Standard Contractual Clauses and adherence to the Data Privacy Framework — see §7 for details. (4) Migration in progress towards an HDS-certified host (French health-data hosting standard); during this phase, health-data collection is limited to a closed beta under the reinforced technical safeguards detailed in §6.

2. Data controller

The data controller is schoenfg, a French sole trader (entrepreneur individuel), registered office in Grenoble 38000, France · SIRET 102 432 242 00018 · registered with the French National Business Register (RNE), Grenoble registry · Intra-EU VAT FR59102432242. Our data-protection contact is reachable at contact@schoenfg.com.

3. Data collected

We apply the principle of data minimization: only data strictly necessary for a given purpose is collected. Optional fields are flagged as such in the application.

Category | Details
Identity | First name, last name, email, bcrypt-hashed password (12 rounds), phone (optional), profile picture (optional), application-encrypted TOTP secret for administrative accounts.
Technical account | Internal UUID identifier, JWT sessions, creation date, last login, preferences (theme, notification language in IETF BCP 47 format), X25519 public key for notification encryption (the corresponding private key never leaves your device).
Circle | Care recipient's name, family relationship, date of birth, picture (optional), member composition and roles.
Postal address | The care recipient's address (useful for routing home-care requests), reusable across members to avoid duplication.
Health (HDS) | Pathologies, chronic conditions, blood type, treatments, prescriptions, medication intakes, checkups, allergies.
Coordination | Tasks, written and voice messages, sticky notes, memories (photos / videos), expenses, shared documents.
Professionals | Contact details of caregivers attached to the circle (family doctor, physio, nurse).
Payment | Stripe token (the card number is never handled by our servers), invoice history, French CESU certificates.
Geolocation | The responder's GPS coordinates only during a Phase 3 SOS, after explicit consent.
Usage | Anonymized technical logs, audit events (creation / modification / deletion of sensitive records).

4. Processing purposes

  • Provide and operate the family-coordination service around the care recipient.
  • Authenticate users and secure sessions (anti-fraud, anti-bot).
  • Enable secure medical sharing with a designated healthcare professional via a signed, time-limited public page.
  • Trigger and route emergency requests (SOS) between circle members or, in Phase 3, to a partner home-care agency.
  • Manage Weave+ billing and issue legal certificates (CESU, tax certificates).
  • Improve the service through anonymized and aggregated statistics (usage rate, technical performance).
  • Comply with legal obligations (accounting, retention of medical documents).
No commercial profiling. No data is used for advertising targeting, scoring or resale. Weave's business model relies solely on Weave+ subscriptions and partner agency relationships.

6. Health data · HDS hosting

During the current closed-beta phase, the entire application infrastructure is hosted with OVHcloud SAS, on servers located in Roubaix (metropolitan France). Migration towards a provider certified under the French HDS framework (Health-Data Hosting, article L.1111-8 of the French Public Health Code) is in progress and will be completed before any extended commercial launch. The name of the chosen HDS provider and its certificate number will be published in this policy as soon as the migration is completed.

Encryption is already applied at several levels:

  • In transit: TLS 1.3 across all connections, HSTS preload, hardened security headers (Helmet, strict Content-Security-Policy).
  • At rest, application layer: every field containing health data (medications, request reasons, message contents, medical documents) is encrypted per field with AES-256-GCM before insertion in the database, using a versioned symmetric key (enc:v1 / enc:v2 format) rotatable without service interruption.
  • At rest, infrastructure layer: storage-volume encryption is enabled at the hosting provider (to be confirmed within the HDS scope after migration).
  • Backups: encrypted, kept for 30 days.
  • Push notifications: sensitive content is end-to-end encrypted (X25519 + libsodium sealed box) with your device's public key. Apple Push Notification and Firebase Cloud Messaging only see an opaque payload. This is the pattern used by Signal, WhatsApp, ProtonMail.
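
The versioned per-field encryption described in the "At rest, application layer" item above, as an added example that is not Weave's own code. Only the enc:v1 / enc:v2 prefix comes from this policy; the envelope layout after the prefix, the demo keyring, the associated-data string and the function names are assumptions.

```javascript
const nodeCrypto = require('node:crypto');

// Constructed demo keyring (assumption). Real keys come from a secrets manager.
const KEYRING = {
  v1: nodeCrypto.createHash('sha256').update('demo-key-v1').digest(),
  v2: nodeCrypto.createHash('sha256').update('demo-key-v2').digest(),
};
const CURRENT_VERSION = 'v2';

// Assumed envelope: enc:<version>:<iv>:<tag>:<ciphertext>, binary parts in base64url.
function encryptField(plaintext, aad, version = CURRENT_VERSION) {
  const iv = nodeCrypto.randomBytes(12); // fresh 96-bit nonce for every field write
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', KEYRING[version], iv);
  // Bind the key version and the field's location so a value cannot be
  // moved to another row or column, or relabelled with another version.
  cipher.setAAD(Buffer.from(`${version}|${aad}`));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const parts = [iv, cipher.getAuthTag(), ct].map((b) => b.toString('base64url'));
  return ['enc', version, ...parts].join(':');
}

function decryptField(envelope, aad) {
  const parts = envelope.split(':');
  const [magic, version, iv, tag, ct] = parts;
  if (parts.length !== 5 || magic !== 'enc' || !Object.hasOwn(KEYRING, version)) {
    throw new Error('unknown envelope format or key version');
  }
  const decipher = nodeCrypto.createDecipheriv(
    'aes-256-gcm', KEYRING[version], Buffer.from(iv, 'base64url'));
  decipher.setAAD(Buffer.from(`${version}|${aad}`));
  decipher.setAuthTag(Buffer.from(tag, 'base64url'));
  // final() throws if the tag, ciphertext, version or AAD was altered.
  const pt = Buffer.concat([decipher.update(Buffer.from(ct, 'base64url')), decipher.final()]);
  return pt.toString('utf8');
}

// Lazy rotation: fields under an old key stay readable and are re-encrypted
// under the current key when touched, so no downtime is needed.
function rotateField(envelope, aad) {
  if (envelope.startsWith(`enc:${CURRENT_VERSION}:`)) return envelope;
  return encryptField(decryptField(envelope, aad), aad);
}
```

Because the version travels with each value, v1 and v2 fields can coexist in the same column while a background job calls `rotateField` on the remainder.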

External medical sharing (a signed public page for an occasional caregiver) relies on a token with a short validity period (configurable TTL, 24 hours by default) and only exposes a subset explicitly chosen by the lead caregiver.

7. Sub-processors & recipients

Provider | Role | Location
OVHcloud SAS | Application hosting, database, object storage, marketing site, transactional email delivery (SMTP) | France
HDS provider (to be published) | Health-data hosting after migration (in progress, see §6) | France
Stripe Payments Europe Ltd. | Weave+ billing and partner-agency payment (Phase 3, upon activation) | Ireland (EU)
Google Ireland Ltd. (Firebase Cloud Messaging) | Push-notification delivery; sensitive content is never readable by the service (end-to-end encryption, see §6) | Ireland (EU)
Apple Distribution International (Apple Push Notification) | iOS push-notification delivery; same end-to-end encryption | Ireland (EU)
Partner home-care agencies (Phase 3, upon activation) | Home interventions on SOS request; act as joint controllers under article 26 of the GDPR | France

All our sub-processors within the meaning of article 28 of the GDPR are bound by a signed Data Processing Agreement. Partner home-care agencies act as joint controllers under article 26, pursuant to a specific agreement signed with each agency before activation.

Residual transfers outside the European Union. Stripe Payments Europe Ltd (payment) and Google Ireland Ltd (Firebase Cloud Messaging) may, in certain limited technical operations, share data with their parent companies Stripe Inc. and Google LLC, located in the United States. These transfers are framed by the Standard Contractual Clauses approved by the European Commission (decision 2021/914) and by the U.S. entities' adherence to the Data Privacy Framework. No health data is concerned by these transfers: for Stripe, only tokenized payment metadata; for Firebase, only the notification token and a generic opaque title, the sensitive content being end-to-end encrypted on the device.

The list of sub-processors is kept up to date. Any substantial change is notified to users at least 30 days before taking effect.

8. Retention periods

  • Active account: as long as the user does not delete it.
  • Closed account: definitive deletion 30 days after the request, except for legal obligations.
  • Medical documents (HDS): 20 years after the last activity (article R.1112-7 of the French Public Health Code).
  • Invoices and accounting data: 10 years (article L.123-22 of the French Commercial Code).
  • Technical logs: 12 months maximum.
  • Analytics cookies: 13 months maximum (CNIL recommendation).
  • SOS geolocation points: automatically purged 30 days after the end of the intervention.
  • Invitation and medical-sharing tokens: expire automatically after use or TTL.

9. Your rights

In accordance with articles 15 to 22 of the GDPR, you have the following rights:

  • Access (article 15) to all of your data — full export from your profile or by email to the DPO.
  • Rectification (article 16) of any inaccurate information, directly from the application.
  • Erasure (article 17, "right to be forgotten"), except where legal obligations apply; available from your profile. Erasure proceeds by anonymization: your personal identity is removed and your contributions to the circle are preserved under the identity "Deleted user", so other members keep a coherent history.
  • Restriction of processing (article 18): suspension of push notifications and non-transactional emails, prevention of enrolment in new circles, without data deletion. Activatable from your profile; reversible at any time.
  • Portability (article 20): full JSON export from the application, in one click.
  • Objection (article 21) to processing based on legitimate interest, in particular aggregated product-improvement statistics. Security audit traces cannot be disabled, in line with the exception in article 21 §1.
  • Withdrawal of consent at any time, without affecting the lawfulness of prior processing. Explicit health consent can be withdrawn from your profile; geolocation consent during an SOS can be revoked from the intervention screen.
  • Set post-mortem instructions on the fate of your data after death (French Act n°2016-1321).

To exercise your rights: contact@schoenfg.com or via your account settings. We reply within 30 days at most (extendable to 60 days for complex requests, with a reasoned notification). In the event of disagreement, you may file a complaint with the French CNIL: cnil.fr/en/plaintes.

10. Minors & vulnerable persons

User-account creation is reserved for persons aged 15 or older, the French digital-consent threshold under article 7-1 of Act n°78-17 of 6 January 1978 as amended. Age is declared on first login and the timestamp of that confirmation is recorded.

The care recipient of a circle may be a minor or a person with reduced autonomy. Where the care recipient is a minor under 15, a circle can only be created with the explicit consent of a parent or legal representative; the identity of the person giving consent and the timestamp of that consent are recorded in the application.

Where the care recipient is under a legal protection measure (guardianship, curatorship, family empowerment, future-protection mandate), the type of measure and the identity of the legal representative authorized to give consent are recorded in the application. Consent procedures then follow the rules of the measure.

11. Technical security

  • Passwords hashed with bcrypt (12 rounds), in a dedicated table isolated from the public profile.
  • JWT sessions signed with HS256: access token valid for one hour, refresh token valid for 90 days, the latter stored as a SHA-256 hash in the database.
  • Multi-factor authentication via TOTP (RFC 6238) is mandatory for Weave super-administrator accounts and for partner-agency owner accounts; the secret is stored application-encrypted in the database.
  • Per-field application-level encryption of health data (AES-256-GCM, versioned enc:v1 / enc:v2 format, key rotation without service interruption).
  • End-to-end encryption of sensitive push-notification content (X25519 + libsodium sealed box), decrypted locally by a notification extension on the device (iOS Notification Service Extension, dedicated Android FCM service).
  • HTTP headers hardened via Helmet, strict Content-Security-Policy, HSTS preload, strict CORS, rate limiting on sensitive routes.
  • Systematic input validation via Zod at the entry of every route.
  • Strict isolation between circles: every access checks membership via the circle_memberships table.
  • Invitation and sharing tokens stored hashed (SHA-256), never in clear.
  • Cryptographic signature verification on Stripe webhooks.
  • Audit log of accesses to sensitive data, with differentiated retention: one (1) year for technical actions (login, navigation), five (5) years for medical actions and GDPR-rights evidence (erasure, portability, restriction).
  • External penetration test by an independent provider, scheduled before extended commercial launch, then annually.
  • Responsible-disclosure policy: contact@schoenfg.com.

12. Cookies & trackers

Weave only uses cookies that are strictly necessary for the service to operate (session, preferences) and, where applicable, anonymized audience-measurement cookies that are exempt from consent under CNIL recommendations.

Full details about these trackers, their lifetime and how to refuse them are available on our dedicated cookies page.

13. Data breaches

In the event of a breach likely to create a risk for your rights and freedoms, Weave notifies the French CNIL within 72 hours in accordance with article 33 of the GDPR, and informs you individually without delay where the risk is high (article 34).

Incident communications are sent to you through several channels in parallel: (1) by in-app message, available in your incident history with read-receipt acknowledgement; (2) by transactional email to the address attached to your account; (3) where the severity justifies it, by high-priority push notification. This communication is delivered even to users who have activated the restriction of processing (article 18), in line with the precedence of the legal duty to inform.

14. Policy changes

This policy may be updated to reflect changes to the service or to regulations. Any substantial change is notified to you by email and via an in-app banner at least 30 days before it comes into force. The last update date is shown at the top of this page.

15. Data-protection contact

Email: contact@schoenfg.com
Mail: schoenfg — Data protection, Grenoble 38000, France.

As a sole trader not required to designate a DPO under article 37 GDPR, schoenfg acts as the single point of contact for exercising your rights and for any question relating to the processing of your data.