Privacy Policy — REFRESH labs

Language notice. This English version is provided for convenience. In case of any discrepancy or conflict between the English and the French versions, the French version available at refresh.mov-studio.com/confidentialite/ shall prevail. Consumers habitually residing in the European Union benefit from the mandatory consumer-protection provisions of their country of residence (Article 6, Rome I Regulation).

This Privacy Policy describes how Brice Loubeau, sole trader operating under the business name « Monde Ouvert Video », running the REFRESH Labs service available at https://refresh.mov-studio.com, collects, uses and protects users' personal data, in compliance with the General Data Protection Regulation (GDPR — EU Regulation 2016/679) and French Act No. 78-17 of 6 January 1978, as amended (« Informatique et Libertés »).

REFRESH Labs redesigns individual web pages, not complete websites. This document applies exclusively to data processed in the context of that service.

1. Data controller

The controller of personal data is:

Brice Loubeau (sole trader / Entreprise Individuelle)

Business name: Monde Ouvert Video

Address: 36 rue Alexandre Ribot, 63000 Clermont-Ferrand — France

SIREN: 940 119 357

Email: contact@mov-studio.com

2. Data collected

We only collect data necessary for service operation and the contractual relationship:

Identification data

Email address (upon registration, subscription or via the email-capture modal).

Payment data

No banking data is stored by REFRESH Labs. Payments are processed by Stripe, which has its own PCI-DSS security measures. We only receive technical identifiers from Stripe (stripe_customer_id) and the payment status.

Technical data

IP address (for quota management, security and legal compliance).
Browser user-agent.
Usage logs (generation timestamps, URLs submitted for analysis).

Data submitted by the user

Website URLs provided for analysis and redesign.
Text content or parameters entered in the interface.

Cookies

Technical cookies strictly necessary for service operation (session, security, anti-bot via Cloudflare Turnstile). No marketing or advertising cookies are used at this time.

3. Legal bases for processing

In accordance with Article 6 GDPR, we process your data on the following legal bases:

Performance of a contract — to provide the REFRESH Labs service, manage your subscription and handle billing.
Legal obligation — retention of accounting and tax records, security logs.
Legitimate interest — fraud prevention, service security, product improvement.
Consent — for future newsletters or marketing communications (collected explicitly where applicable — not active at this time).

4. Retention periods

In line with the minimisation principle (Art. 5.1.c and 5.1.e GDPR), REFRESH Labs only retains data for the time strictly necessary to fulfil the relevant purpose. Four categories of data are distinguished:

Category	Retention period	Legal basis
1. AI generations & submitted URLs (transient technical data: URL provided, generation parameters, produced HTML)	1 hour maximum (Redis TTL 3600 s — automatic purge after delivery)	Performance of the contract (Art. 6.1.b GDPR)
2. Transactional data (invoices, billing identity, amounts, dates, Stripe identifiers)	10 years from the close of the accounting financial year	Legal obligation (Art. 6.1.c GDPR; Art. L.123-22 French Commercial Code)
3. Server logs (nginx, PM2, Stripe webhook, Postal logs; connection IP addresses)	12 months maximum (alignment with French CNIL 2021 recommendation)	Legitimate interest — service security (Art. 6.1.f GDPR)
4. FREE marketing emails (email address from the FREE form, send/open history, segmentation)	3 years from the last interaction (click, open, reply) — aligned with CNIL B2C/B2B prospection guidance	Legitimate interest & consent (Art. 6.1.f / 6.1.a GDPR)

The contractual non-retention commitment covering Category 1 (AI generations and submitted URLs) is set out in Article 18 of the Terms of Service. Upon expiry of the periods indicated above, data is deleted or irreversibly anonymised.

5. Data recipients

Your data is accessible only to:

Brice Loubeau (data controller);
the following technical sub-processors, acting on the controller's strict instructions:

▸ Stripe Payments Europe Ltd (Ireland) — payment processing
stripe.com/legal/privacy

▸ Cloudflare, Inc. (United States) — CDN, security, anti-bot (Turnstile)
cloudflare.com/privacypolicy

▸ Hostinger International Ltd (Cyprus) — server hosting
hostinger.com/privacy-policy

▸ SAS Maha Giri (France, Paris Trade Register 103427100) — technical gateway for access to the Claude AI model (API proxy) and host of the Postal email server used to deliver transactional emails (subdomain postal.giri-app.com). SAS Maha Giri acts as a second-tier sub-processor on strict instructions from the Provider, under a sub-processing agreement (art. 28 GDPR). No reuse, no commercial exploitation of the data.

▸ Anthropic PBC (United States) — provider of the Claude AI model, accessed through the SAS Maha Giri gateway. Submitted URLs and extracted content are transmitted to Anthropic for processing, in accordance with their privacy policy. Anthropic does not reuse API data to train its models.
anthropic.com/legal/privacy

▸ Postal (open-source email server software, self-hosted instance in France on SAS Maha Giri infrastructure) — delivery of transactional emails (access key, invoices, notifications)

No data is sold, rented or transferred to third parties for commercial purposes.

6. Data transfers outside the EU

Some sub-processors (Cloudflare and Anthropic in the United States; Stripe via its Irish subsidiary but with processing that may occur in the United States) may process data outside the European Union. Such transfers are governed by:

the Data Privacy Framework (DPF) for certified companies;
the Standard Contractual Clauses (SCC) approved by the European Commission;
appropriate technical and organisational measures.

7. Your rights

Under the GDPR, you have the following rights:

Right of access — obtain a copy of your personal data.
Right to rectification — correct inaccurate or incomplete data.
Right to erasure (« right to be forgotten ») — request the deletion of your data, except where retention is legally required.
Right to restriction of processing — temporarily freeze the processing of your data.
Right to data portability — receive your data in a structured, reusable format.
Right to object — object to the processing of your data on legitimate grounds.
Right to withdraw consent at any time (for processing based on consent).
Right to define post-mortem directives concerning your data (French law).

To exercise these rights, contact: contact@mov-studio.com.

We will respond within a maximum of one month.

You are also entitled to lodge a complaint with the French data-protection authority (CNIL):

www.cnil.fr/en/plaintes

3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07 — France

If you are habitually resident in another EU Member State, you may also lodge a complaint with the data-protection authority of your country of residence.

8. Data security

We implement appropriate technical and organisational measures to protect your data:

HTTPS / TLS encryption across the entire site (valid Let's Encrypt certificate);
Secure storage on dedicated server (Hostinger);
Reinforced authentication for administrator access;
Regular monitoring of security logs;
Automatic daily backups;
Anti-bot measures (Cloudflare Turnstile).

However, no transmission of data over the Internet can be guaranteed 100% secure. We encourage you to choose a strong password and not to share your access key LABS-XXXX-XXXX-XXXX.

9. Cookies

The refresh.mov-studio.com site only uses cookies strictly necessary for service operation:

Session cookies (authentication, access-key management);
Security cookies (Cloudflare anti-bot — Turnstile);
refresh_lang cookie (memorisation of preferred language FR/EN, lifetime 1 year).

No advertising, marketing-tracking or profiling cookies are used. No prior consent is therefore required for these strictly necessary technical cookies, in line with the French CNIL's position.

For the full list of cookies used and management procedure, see the cookies policy. Should a marketing-cookie policy be introduced in the future, an explicit consent banner will be implemented.

10. Minors

The REFRESH Labs service is not intended for persons under 18 years of age. We do not knowingly collect personal data from minors without parental consent. If you believe that a minor has provided us with data without authorisation, please contact contact@mov-studio.com immediately.

11. Policy changes

This Privacy Policy may be amended to reflect legal or technical developments. Any substantial change will be notified by email to subscribed users with a 30-day notice. The version in force is the one published at https://refresh.mov-studio.com/confidentialite/ (or its English counterpart), with the last-updated date stated.

12. Contact

For any question regarding this Privacy Policy or your personal data:

Email: contact@mov-studio.com

Postal address: Brice Loubeau, 36 rue Alexandre Ribot, 63000 Clermont-Ferrand — France

Version 2.0 — Last updated: 17 May 2026