Cliché — Privacy Policy
Cliché is a live photo album you build with the friend right next to you. There is no public feed and no map. The photos in a moment are visible only to the people who were paired in that moment. The one place we differ from a "we collect nothing" policy: like most apps, we use a small set of analytics and attribution tools to understand how the app is used and which channels bring new people in. This page tells you exactly what that means.
The things we promise
- No public feed. Your albums are not browsable by strangers. The only people who see a moment's photos are the friends who were paired in it.
- No map, no location. Cliché never requests your GPS location and never broadcasts where you are. Bluetooth tells us "two phones are close", never where.
- Photos stay between the people in the moment. A shared album is visible only to the friends paired during that session — never on a public surface, never to anyone else.
- No ads in the app. Cliché shows you no advertising.
- No AI training on your content. We do not use your photos, albums or messages to train AI models, ours or anyone else's.
- No sale of your data. Ever.
- Analytics & attribution, disclosed. We use Amplitude (product analytics) and Adjust (install attribution). Section 8 explains exactly what they receive and how to opt out.
1. Who is responsible
Disket France, the company behind Cliché.
The data controller for the personal information described in this policy is Disket France, a French simplified joint-stock company (société par actions simplifiée) with share capital of €1,000, registered with the Paris Trade and Companies Register (RCS Paris) under number 944 134 329, with registered office at 67 rue d'Aboukir, 75002 Paris, France. Disket France is the controller under the EU and UK General Data Protection Regulation. You can reach us at hello@disket.app.
2. The data model
Exactly the fields Cliché has, what each one is for, and who can see it.
This is everything Cliché stores about you. If a category isn't on this list, we don't have it.
| Field | What it is | Visible to |
|---|---|---|
| Apple ID or Google account | Used to sign you in (Sign in with Apple or Google). We receive an account identifier and, if you allow it, your email. | You and us |
| Username | Your unique handle — how friends recognise you. Cliché is username-first. | Friends you pair with |
| Profile picture (optional) | One image of your choosing. | Friends you pair with |
| Pairing list | The set of users you have paired with. | You only |
| Moments (co-presence sessions) | Bluetooth-detected sessions between you and the friend(s) you pair with. Stored as start time, participant identifiers, and a duration. | The people in the moment |
| Shared photos | Photos taken during a live session that are added to the moment's shared album and stored on our servers. See section 3. | The people in the moment |
| Device + diagnostics | Device model, OS version, app version, language, crash logs. | Us, in aggregate |
| Usage analytics | In-app events (e.g. screen opened, pairing started, photo shared) tied to a pseudonymous identifier, via Amplitude. See section 8. | Us, in aggregate |
| Attribution data | Install and basic event signals via Adjust, used to understand which channel a new user came from. See section 8. | Us, in aggregate |
3. How a moment and its album work
Bluetooth detects a friend nearby; you pair; the photos you take together fill a shared album live.
3.1 Bluetooth proximity & pairing
While Cliché is running (including in the background, if you have granted Bluetooth permission), your device advertises a rotating Cliché identifier and listens for the identifiers of others. When a friend is detected nearby, you can pair with them in one tap, which opens a time-boxed co-presence session (about 30 minutes). We store the participant identifiers, the start time and the session duration. We do not store the latitude, longitude, address, venue name or any other location data.
3.2 The live shared album
While you are in a live session with a paired friend, photos you take with the camera are automatically added to that session's shared album and uploaded to our servers, so both of you see the moment fill in instantly — without sending anything by hand. This auto-sync only happens (a) while a live session is active and (b) for photos taken during that session's time window; it requires full Photo Library access. Screenshots and photos taken outside a session are not included. The album is visible only to the friends paired in that moment.
4. What we never collect
A short list of things people often assume social apps collect. We don't.
- Your precise GPS location. Cliché does not request the iOS location permission and does not read your coordinates.
- Your camera roll beyond the photos auto-shared during an active session and any photo you explicitly pick for your profile.
- Your biometric data. No faceprint, no voiceprint.
- The content of your messages or browsing in other apps. Cliché has no embedded web tracking pixels reading your activity elsewhere.
5. How we use the data
To make Cliché work, keep it safe, measure it, and improve it.
- Operate the Service: detect nearby friends, run pairing sessions, build and sync shared albums, render your profile, send the notifications you opted into.
- Authenticate you and protect your account.
- Prevent abuse, fraud and harm to you, to other users, and to the Service.
- Understand and improve the product using aggregated analytics (Amplitude) and crash reports.
- Measure acquisition — which channel a new user came from — using attribution (Adjust). See section 8.
- Comply with the law when we have a valid legal obligation.
6. Legal bases (EEA / UK users)
For each kind of processing, the legal basis we rely on.
- Performance of a contract for everything required to deliver Cliché (account, pairing, moments, shared albums).
- Legitimate interests for security, anti-abuse, diagnostics and product analytics, balanced against your rights.
- Consent for optional device permissions (Bluetooth, Photos, Notifications), and — where required — for attribution and tracking, which we ask for through Apple's App Tracking Transparency prompt. You can withdraw consent at any time in iOS Settings or in the app.
- Legal obligation when we have to retain or disclose information in response to a valid legal request.
7. What other Cliché users can see about you
Your profile, and the photos on the moments you were paired in. Nothing more.
- Your profile fields (username, optional profile picture), visible to users you pair with.
- The fact, time and duration of a moment you were paired in, visible to the people in that moment.
- The photos in a shared album, visible to the people paired in that moment.
That is the complete list. Your pairing list and your moments with other people are not exposed to any other user. There is no public feed and no friends-of-friends visibility.
8. Analytics, attribution & measurement
The honest part: the third-party tools we use to understand and grow the app, and how to opt out.
Like most apps, Cliché uses a small set of measurement tools. We use them in aggregate to understand how the product is used and works — never to build advertising profiles inside Cliché (there are no ads in the app).
- Amplitude — product analytics. Receives pseudonymous in-app event data (e.g. "onboarding completed", "pairing started", "photo shared"), tied to a random analytics identifier and basic device/app metadata. It does not receive your photos or the content of your albums.
- Adjust — install attribution. Helps us understand which channel (e.g. a link or campaign) a new install came from, and basic conversion events. On iOS, where this involves tracking as Apple defines it, we ask for your permission first through the App Tracking Transparency prompt; if you decline, attribution runs in a privacy-preserving, non-tracking mode.
- Google — used for Sign in with Google (if you choose it) and on-device conversion measurement for advertising campaigns we run to promote the app. On-device conversion is designed by Google to measure ad performance without exposing your identity to us.
You can turn off tracking at any time in iOS Settings → Privacy & Security → Tracking, and limit diagnostics sharing in iOS Settings.
9. The infrastructure we use
A small number of providers, each bound by a data-processing agreement.
| Provider | What they do | Region |
|---|---|---|
| Supabase | Hosts our database, authentication and photo storage. | EU |
| Cloudflare | Edge networking and DDoS protection. | Global edge |
| Apple Inc. | App Store distribution, push notifications (APNs), Sign in with Apple. | USA / global |
| Amplitude | Product analytics (aggregated in-app events). | USA |
| Adjust | Install attribution and conversion measurement. | EU |
| Google LLC | Sign in with Google and on-device ad conversion measurement. | USA / global |
If we ever add another provider that handles personal data, we will update this list before we start using them.
10. International transfers
Your core data is stored in the EU. Some measurement providers process limited data in the US under standard safeguards.
Disket France is a French company and your account data, moments and photos are stored in the European Union (Supabase, EU region). Transfers outside the EEA occur through some of the sub-processors listed in section 9 — Apple, Amplitude and Google process a limited amount of metadata in the United States, and Cloudflare's global edge may route traffic through the data centre nearest you. Each transfer is covered by the Standard Contractual Clauses approved by the European Commission, complemented by additional technical safeguards (encryption in transit and at rest, scoped access controls, least-privilege engineering).
11. Retention and deletion
We keep your data while your account is active. Delete the account, and the data goes with it.
We retain your account information, moments and photos for as long as your account is active. You can delete your account at any time from Settings → Log out / account options inside the app. When you do:
- Your profile, pairing list, moments and photos are deleted from our live systems within 30 days.
- Encrypted backups containing your data roll over and are overwritten within 90 days.
- Aggregated, non-identifying analytics that can no longer be linked to you may be retained.
- A minimal record may be retained where we are legally required to do so. This record is access-controlled and not used for any other purpose.
Friends you shared a moment with keep the photos they themselves took in that moment; the photos you contributed, your username and your profile photo are removed.
12. Security
Standard industry safeguards. Nothing is unbreakable.
We protect your data with transport encryption (TLS), encryption at rest, scoped access controls, audit logging, automated dependency scanning and least-privilege engineering practices. No system is perfectly secure, and you remain responsible for keeping your device and your Apple or Google account secure. If we ever suffer a data breach affecting your personal information, we will notify you and the competent supervisory authority within the deadlines required by applicable law.
13. Your rights
Access, correct, delete, port, object, complain.
Depending on where you live, you may have some or all of the following rights:
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct inaccurate or incomplete data.
- Deletion — ask us to delete your data (you can also do this yourself in the app).
- Restriction — ask us to limit how we use it.
- Objection — object to processing based on our legitimate interests.
- Portability — receive your data in a portable, machine-readable format.
- Withdraw consent — for processing based on consent, at any time, without affecting prior processing.
- Complain to your local data-protection authority. In France that's the CNIL (cnil.fr); in other EEA countries, the equivalent national regulator.
To exercise any of these rights, write to hello@disket.app. We will respond within one month (EEA/UK) or as required by your local law.
13.1 Notice to California residents
Under the California Consumer Privacy Act (CCPA), you have the right to know the categories of personal information we collect, the purposes for which we use it, the categories of third parties with whom we share it, and to request access, deletion and correction. We do not "sell" your personal information and we do not "share" it for cross-context behavioural advertising as those terms are defined under California law. You may exercise your CCPA rights by writing to hello@disket.app.
14. iOS permissions
Each permission Cliché asks for, and why.
| Permission | Why we ask for it | What happens if you deny |
|---|---|---|
| Bluetooth | Detect when a Cliché friend is right next to you, and run the pairing session. This is the core function. | You can't pair or build shared albums. |
| Photos | Add the photos you take during a live session to the shared album. Full access is needed to see photos taken just now. | You can use the rest of Cliché; photos won't auto-share. |
| Notifications | Tell you about pairing requests and when a friend adds a photo. | You'll only see those events when you open the app. |
| Tracking (ATT) | Allow attribution (Adjust) to measure which channel brought you to Cliché. | Attribution runs in a privacy-preserving, non-tracking mode. Everything else works the same. |
You can grant or revoke any of these at any time in iOS Settings.
15. Children
Cliché is for 17 and older.
Cliché is not directed to children under 17 and we do not knowingly collect personal information from anyone under that age. If we learn that we have inadvertently collected data from a child under 17, we will delete it without delay. Parents or guardians who believe their child has provided us with personal information can write to hello@disket.app.
16. Changes to this policy
If we change something material, we tell you in the app before it takes effect.
We may update this Privacy Policy from time to time. When we make a material change — such as adding a new provider that handles your data, or expanding what we collect — we will notify you inside the app at least fourteen days before the change takes effect. The "Last updated" date at the top of this page indicates when the current version was published.
17. Contact
One email for everything.
Disket France
67 rue d'Aboukir
75002 Paris, France
hello@disket.app