‍Privacy Policy

1. Introduction

CEPHALGO SAS (we, our, or us) operates the CEPHALGO Voice Collection iOS application (the App). This Privacy Policy explains what personal data the App collects, why it is collected, how it is used and stored, and what rights you have over it.

The App is used to collect voice recordings for scientific research studies on speech and cognitive health. Voice recordings are classified as biometric data under applicable data protection law. Please read this policy carefully before participating.

2. Data Controller and Data Protection Officer

The entity responsible for your personal data is:

CEPHALGO SAS

8 Rue des Veaux, 67000 Strasbourg, France

SIRET: 90444732300018

Email: privacy@cephalgo.com

Our designated Data Protection Officer (DPO) can be contacted at the address above or at privacy@cephalgo.com.

3. Information We Collect

3.1 Information You Provide

Demographics

During your session you will be asked to provide demographic information, which may include:

  • Age range
  • Sex
  • Handedness (left, right, or ambidextrous)
  • Native language and language(s) spoken at home
  • Country and region of residence
  • Level of education
  • Self-reported hearing status

Demographic fields vary by study. You will only be asked for information relevant to the research study you are participating in.

Screening Responses

Before proceeding to voice tasks, you will answer eligibility screening questions to determine whether you meet the inclusion criteria for the study you are enrolled in (for example, absence of neurological conditions affecting speech, and no current upper respiratory infection). Screening responses are retained as part of your participation record.

3.2 Voice Recordings (Biometric Data)

The primary data collected by the App is your voice. Voice recordings are classified as biometric data under GDPR Article 9(1) and as biometric identifiers under applicable law in other jurisdictions. Depending on the study you are participating in, recordings may include any or all of the following speech tasks:

  • Sustained vowel phonation
  • Diadochokinetic rate (rapid syllable repetition)
  • Maximum phonation time
  • Reading passage
  • Sentence repetition
  • Picture description
  • Verbal fluency
  • Story retelling
  • Counting and number sequences
  • Prompted spontaneous speech
  • Other spoken tasks as defined by the specific research protocol

Recordings are captured in uncompressed WAV format at 44,100 Hz, 16-bit, mono. Each recording is encrypted and transmitted to our secure cloud servers upon task completion. Audio is not retained in the App beyond successful transmission.

3.3 Session and Technical Data

  • Session identifier: A unique anonymous code linked to your participation record. This identifier does not contain your name or contact details.
  • Device information: iPhone or iPad model, iOS version, and App version number.
  • Session timestamps: Date and time of session start, individual task completion times, and session end time.
  • Task completion status: Whether each voice task was completed, skipped, or left incomplete.
  • Upload logs: Records confirming that each audio file was successfully transmitted to our servers.

3.4 Automatically Collected Data

  • Microphone environment check: Before voice tasks begin, the App measures the ambient noise level of your environment using a brief, non-transmitted microphone sample. This measurement is used solely to verify that your recording environment is suitable. It is not stored as audio.
  • Error and crash logs: Technical data generated if the App encounters an error, used solely for debugging and App stability. These logs are anonymised and do not contain audio.
  • Anonymised analytics: Aggregated, anonymised usage statistics such as task completion rates and average task duration. These cannot be linked to individual participants.

3.5 Data We Do NOT Collect

  • We do not collect precise or approximate location data.
  • We do not access contact lists, calendars, photos, or files on your device.
  • We do not use advertising identifiers (IDFA) or track you across other apps or websites.
  • We do not collect data from Apple Health or HealthKit.
  • We do not collect financial information.

4. Microphone and Device Permissions

4.1 Microphone Access (Required)

The App requires access to your device microphone to collect voice recordings. When you first reach the voice task section, iOS will display a system permission prompt. The reason presented will be:

"This app requires microphone access to record your voice for CEPHALGO research studies. Recordings are used solely for scientific research purposes."

  • Microphone access is requested only when you actively reach the voice task section of the App.
  • The App does not record audio outside of explicitly initiated voice tasks.
  • You may revoke microphone permission at any time in iOS Settings > Privacy & Security > Microphone. Doing so will prevent completion of voice tasks but will not affect data already submitted.
  • The App disables device-side audio processing (noise suppression, echo cancellation, automatic gain control) to ensure research-quality recordings that capture your natural voice accurately.
  • Audio is not processed by any third-party voice recognition, speaker identification, or artificial intelligence service unless separately disclosed to you.

4.2 No Other Device Permissions

The App does not request access to your camera, contacts, location, photos, health data, or any other device capability beyond the microphone.

5. Legal Basis for Processing

  • Explicit consent (GDPR Art. 6(1)(a) and Art. 9(2)(a)): You provide written informed consent before accessing the App. For voice recordings, which constitute biometric data, we rely on your explicit consent obtained through the informed consent process administered prior to your session being issued.
  • Scientific research (GDPR Art. 9(2)(j) and Art. 89): Processing is carried out for archiving in the public interest, scientific research, and statistical analysis, subject to appropriate technical and organisational safeguards.
  • Legitimate interests (GDPR Art. 6(1)(f)): For technical data such as error logs and session metadata, we rely on our legitimate interest in operating a secure and reliable research platform.

Where we rely on consent, you may withdraw it at any time (see Section 10). Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

6. How We Use Your Information

6.1 Research Purposes

  • Collecting voice data for speech and cognitive health research studies.
  • Studying acoustic and linguistic features of speech.
  • Training and validating research models for voice-based analysis.
  • Publishing anonymised, aggregated findings in academic journals and conference proceedings.

6.2 App Operation

  • Validating your session and eligibility to participate.
  • Presenting voice tasks in the correct language and sequence for your study.
  • Transmitting and confirming receipt of your voice recordings.
  • Saving your session progress to allow resumption if your session is interrupted.

6.3 Quality Assurance

  • Automated quality checks on audio files for clipping, excessive background noise, insufficient duration, and incorrect sample rate.
  • Manual review of flagged recordings by authorised research staff.

6.4 Study Administration

  • Scheduling any required follow-up sessions where applicable to your study protocol.
  • Contacting you if there is a technical issue with your submission.

7. Apple App Store — Privacy Nutrition Label Summary

In accordance with Apple App Store requirements, the following summarises data collected by this App:

Data Used to Track You

None. This App does not track you across other companies' apps or websites.

Data Linked to You

  • Voice recordings: Linked to your anonymous participation record for research purposes.
  • Demographic information: Linked to your participation record for research purposes.
  • Identifiers: Your anonymous session identifier is linked to your recordings.

Data Not Linked to You

  • Crash data: Anonymised error logs used for App stability. Not linked to your identity.
  • Usage data: Anonymised, aggregated statistics. Not linked to your identity.

8. Data Sharing and Disclosure

8.1 Research Collaborators

Anonymised or pseudonymised voice data may be shared with academic institutions, research hospitals, and university departments collaborating on studies conducted through this App. Shared data will not include your name, email address, or any other directly identifying information. Data sharing agreements are in place with all collaborating institutions.

8.2 Service Providers

  • Cloud storage: Voice recordings and session data are stored on Amazon Web Services (AWS) infrastructure in the European Union (eu-central-1, Frankfurt, Germany).
  • Session platform: Riverside.fm provides underlying recording infrastructure for studies conducted through this App.
  • Recruitment partners: Recruitment vendors receive only the information necessary to issue your participation link and manage scheduling. They do not receive your voice recordings.

8.3 Legal Disclosure

We may disclose your information where required by law, court order, or regulatory obligation, or to protect the rights, property, or safety of CEPHALGO, participants, or the public.

8.4 We Will Never

  • Sell your personal data to any third party.
  • Share your voice recordings or identifiable data with commercial advertisers.
  • Use your voice data to identify you in contexts outside the research study you consented to.
  • Transfer your data outside the EEA without adequate safeguards in place.

9. Data Security

  • All data is encrypted in transit using TLS 1.2 or higher.
  • Voice recordings and session data are encrypted at rest using AES-256.
  • Access to participant data is restricted to authorised research personnel through role-based access controls.
  • Our cloud infrastructure undergoes regular security assessments.
  • In the event of a data breach posing a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and inform affected participants without undue delay.

10. Data Retention

  • Voice recordings: Retained for the duration of the relevant research programme and for up to ten years thereafter in pseudonymised form to support longitudinal research and replication studies, unless you withdraw consent.
  • Session and demographic data: Retained for the same period as voice recordings.
  • Technical and error logs: Deleted within 12 months.
  • Anonymised research data: Anonymised, aggregated data derived from your recordings may be retained indefinitely and included in public research datasets.

Retention periods may be extended where required by applicable law or research ethics obligations.

11. Your Rights

Depending on your country of residence, you have the following rights regarding your personal data:

11.1 Right of Access

You may request a copy of the personal data we hold about you.

11.2 Right to Rectification

You may request correction of inaccurate personal data.

11.3 Right to Erasure

You may request deletion of your personal data. Where voice recordings have already been anonymised and incorporated into aggregated research datasets, individual-level erasure may not be technically feasible. We will inform you if this is the case.

11.4 Right to Withdraw Consent

You may withdraw your consent at any time by contacting privacy@cephalgo.com. Withdrawal will not affect processing carried out before withdrawal. Data already incorporated into published research outputs cannot be retracted from those outputs.

11.5 Right to Restrict Processing

You may request that we restrict processing of your data while a complaint or query is being resolved.

11.6 Right to Object

You may object to processing carried out on the basis of legitimate interests.

11.7 Right to Data Portability

Where processing is based on consent, you may request your data in a portable, machine-readable format.

To exercise any of these rights, contact privacy@cephalgo.com. We will respond within 30 days. You also have the right to lodge a complaint with your national supervisory authority. In France: Commission Nationale de l'Informatique et des Libertes (CNIL), www.cnil.fr.

12. International Data Transfers

Your data is stored within the European Economic Area (AWS eu-central-1, Frankfurt, Germany). Where any transfer outside the EEA is required, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission. You may request details of any such transfers by contacting our DPO.

13. Children's Privacy

This App is intended for adults aged 18 and over. We do not knowingly collect personal data from individuals under 18. If we become aware that a minor has submitted data, we will delete it promptly.

14. Third-Party SDKs and Services

This App does not integrate any third-party advertising SDKs, cross-app tracking SDKs, or social media SDKs. Any third-party service used for App operation is described in Section 8.2 and is subject to contractual data processing obligations consistent with this policy.

15. Changes to This Privacy Policy

We may update this policy from time to time. Where changes are material, we will notify you through your recruitment contact or through an in-app notice before the change takes effect. The effective date at the top of this document will be updated accordingly.

16. Contact Us

For questions, data requests, or concerns about this Privacy Policy:

Data Protection Officer

CEPHALGO SAS

8 Rue des Veaux, 67000 Strasbourg, France

Email: privacy@cephalgo.com

EU participants may also contact the CNIL (Commission Nationale de l'Informatique et des Libertes) at www.cnil.fr with unresolved concerns.

Last Updated: April 1, 2026