Privacy Policy
BloopLab is committed to protecting your personal data in accordance with the EU General Data Protection Regulation (GDPR) and the French Data Protection Act.
1. Data controller
The data controller for personal information collected through this site is BloopLab. Any question regarding personal data — including requests related to your GDPR rights — can be sent to hello@blooplab.com.
2. Data collected
We collect and process the following data:
- Authentication data: email address and Google OAuth identifier, provided when creating an account.
- Subscription data: selected plan, remaining tokens, renewal date, Stripe Customer and Subscription IDs.
- Payment data: no banking data (card number, CVC) is stored by BloopLab. Payments are processed directly by Stripe Inc., which acts as a sub-processor.
- Technical data: IP address, browser type, request timestamps — automatically collected by Vercel for security and abuse prevention. Retained for a maximum of 30 days.
3. Purposes and legal bases
| Purpose | Legal basis |
|---|---|
| Account creation and management | Contract performance (GDPR art. 6.1.b) |
| Payment and subscription processing | Contract performance |
| Token quota and tier enforcement | Contract performance |
| Security and fraud prevention | Legitimate interest (GDPR art. 6.1.f) |
| Legal and accounting obligations (invoices) | Legal obligation (GDPR art. 6.1.c) |
4. Sub-processors and recipients
Your data is shared only with the providers necessary for the Service to operate, strictly within what is needed:
- Supabase Inc. (Singapore; database and authentication hosting, data stored in EU regions) — GDPR data-processing agreement signed.
- Vercel Inc. (USA; site hosting) — non-EU transfer covered by the EU Standard Contractual Clauses.
- Google LLC (USA; OAuth authentication provider) — non-EU transfer covered by the EU-US Data Privacy Framework.
- Stripe Inc. (USA, with EU operations in Ireland; payment processor) — PCI DSS Level 1 certified; non-EU transfer covered by Standard Contractual Clauses.
No data is sold, rented, or transmitted to third parties for advertising or marketing purposes.
5. Retention
- Account data: retained while the account is active. Deleted within 30 days of a deletion request.
- Billing data: retained for 10 years from the invoice issue date, in accordance with article L123-22 of the French Commercial Code.
- Technical logs: 30 days.
6. Your rights
Under the GDPR you have, at any time, the following rights:
- Right of access to your data;
- Right to rectification;
- Right to erasure ("right to be forgotten"), subject to legal retention obligations;
- Right to data portability;
- Right to restrict processing;
- Right to object to processing based on legitimate interest;
- Right to lodge a complaint with the French Data Protection Authority — CNIL (www.cnil.fr) or your local supervisory authority.
To exercise these rights, write to hello@blooplab.com. We will reply within one month.
7. Cookies
BloopLab uses only strictly necessary cookies:
- Supabase session cookies: keep your authenticated session active. Lifetime: 30 days, sliding.
No advertising cookie, third-party tracker, or analytics tool is currently used. No consent is required for strictly necessary cookies (article 82 of the French Data Protection Act and CNIL guidelines).
8. Security
Passwords are never stored (authentication is delegated to Google). Communications are encrypted via HTTPS (TLS 1.3). User authentication tokens are stored in HttpOnly, Secure, SameSite cookies. API keys are protected by Supabase Row Level Security policies.
9. Changes to this policy
This policy may be updated. You will be notified of any substantive change. The "last updated" date appears at the top of this page.
10. Contact
For any question regarding your personal data: hello@blooplab.com.