Privacy Policy

Language notice. This English version is provided for convenience. In case of any discrepancy or conflict between the English and the French versions, the French version available at refresh.mov-studio.com/confidentialite/ shall prevail. Consumers habitually residing in the European Union benefit from the mandatory consumer-protection provisions of their country of residence (Article 6, Rome I Regulation).

This Privacy Policy describes how Brice Loubeau, sole trader operating under the business name « Monde Ouvert Video », running the REFRESH Labs service available at https://refresh.mov-studio.com, collects, uses and protects users' personal data, in compliance with the General Data Protection Regulation (GDPR — EU Regulation 2016/679) and French Act No. 78-17 of 6 January 1978, as amended (« Informatique et Libertés »).

REFRESH Labs redesigns individual web pages, not complete websites. This document applies exclusively to data processed in the context of that service.

1. Data controller

The controller of personal data is:

2. Data collected

We only collect data necessary for service operation and the contractual relationship:

Identification data

• Email address (upon registration, subscription or via the email-capture modal).

Payment data

• No banking data is stored by REFRESH Labs. Payments are processed by Stripe, which has its own PCI-DSS security measures. We only receive technical identifiers from Stripe (stripe_customer_id) and the payment status.

Technical data

• IP address (for quota management, security and legal compliance).
• Browser user-agent.
• Usage logs (generation timestamps, URLs submitted for analysis).

Data submitted by the user

• Website URLs provided for analysis and redesign.
• Text content or parameters entered in the interface.

Cookies

• Technical cookies strictly necessary for service operation (session, security, anti-bot via Cloudflare Turnstile). No marketing or advertising cookies are used at this time.

3. Legal bases for processing

In accordance with Article 6 GDPR, we process your data on the following legal bases:

• Performance of a contract — to provide the REFRESH Labs service, manage your subscription and handle billing.
• Legal obligation — retention of accounting and tax records, security logs.
• Legitimate interest — fraud prevention, service security, product improvement.
• Consent — for future newsletters or marketing communications (collected explicitly where applicable — not active at this time).

4. Retention periods

In line with the minimisation principle (Art. 5.1.c and 5.1.e GDPR), REFRESH Labs only retains data for the time strictly necessary to fulfil the relevant purpose. Four categories of data are distinguished:

The contractual non-retention commitment covering Category 1 (AI generations and submitted URLs) is set out in Article 18 of the Terms of Service. Upon expiry of the periods indicated above, data is deleted or irreversibly anonymised.

5. Data recipients

Your data is accessible only to:

• Brice Loubeau (data controller);
• the following technical sub-processors, acting on the controller's strict instructions:

No data is sold, rented or transferred to third parties for commercial purposes.

6. Data transfers outside the EU

Some sub-processors (Cloudflare, Anthropic and Resend in the United States; Stripe via its Irish subsidiary but with processing that may occur in the United States) may process data outside the European Union. Such transfers are governed by:

• the Data Privacy Framework (DPF) for certified companies;
• the Standard Contractual Clauses (SCC) approved by the European Commission;
• appropriate technical and organisational measures.

Transfer Impact Assessment (TIA). In addition to the Standard Contractual Clauses and in line with the Schrems II judgment (CJEU, C-311/18) and the EDPB 01/2020 recommendations, the Provider carried out a Transfer Impact Assessment in May 2026 covering its US-based processors (Anthropic, Cloudflare, Resend, Stripe US). The assessment concludes that the transfers are accompanied by sufficient supplementary measures:

• systematic encryption in transit (TLS 1.2 or higher) on all flows;
• no sensitive data, health data, or minors' data transmitted as part of the Service;
• written contractual instructions prohibiting the reuse of data for the training of third-party models (Anthropic) or for prospecting (Resend, Cloudflare);
• minimal retention: scraped content sent to the AI is not durably stored by REFRESH Labs (cf. Article 18 of the Terms — non-retention of generations);
• immediate right of objection exercisable by the Customer at rgpd@mov-studio.com;
• TIA reassessment at least every twelve (12) months or upon a substantial change in the legal framework of the relevant processors.

The full TIA report is available upon written request to rgpd@mov-studio.com.

7. Your rights

Under the GDPR, you have the following rights:

• Right of access — obtain a copy of your personal data.
• Right to rectification — correct inaccurate or incomplete data.
• Right to erasure (« right to be forgotten ») — request the deletion of your data, except where retention is legally required.
• Right to restriction of processing — temporarily freeze the processing of your data.
• Right to data portability — receive your data in a structured, reusable format.
• Right to object — object to the processing of your data on legitimate grounds.
• Right to withdraw consent at any time (for processing based on consent).
• Right to define post-mortem directives concerning your data (French law).

To exercise these rights, please use rgpd@mov-studio.com (dedicated GDPR channel) or contact@mov-studio.com.

We will respond within a maximum of one month.

You are also entitled to lodge a complaint with the French data-protection authority (CNIL):

If you are habitually resident in another EU Member State, you may also lodge a complaint with the data-protection authority of your country of residence.

8. Data security

We implement appropriate technical and organisational measures to protect your data:

• HTTPS / TLS encryption across the entire site (valid Let's Encrypt certificate);
• Secure storage on dedicated server (Hostinger);
• Reinforced authentication for administrator access;
• Regular monitoring of security logs;
• Automatic daily backups;
• Anti-bot measures (Cloudflare Turnstile).

However, no transmission of data over the Internet can be guaranteed 100% secure. We encourage you to choose a strong password and not to share your access key LABS-XXXX-XXXX-XXXX.

9. Cookies

The refresh.mov-studio.com site only uses cookies strictly necessary for service operation:

• Session cookies (authentication, access-key management);
• Security cookies (Cloudflare anti-bot — Turnstile);
• refresh_lang cookie (memorisation of preferred language FR/EN, lifetime 1 year).

No advertising, marketing-tracking or profiling cookies are used. No prior consent is therefore required for these strictly necessary technical cookies, in line with the French CNIL's position.

For the full list of cookies used and management procedure, see the cookies policy. Should a marketing-cookie policy be introduced in the future, an explicit consent banner will be implemented.

10. Minors

The REFRESH Labs service is not intended for persons under 18 years of age. We do not knowingly collect personal data from minors without parental consent. If you believe that a minor has provided us with data without authorisation, please contact contact@mov-studio.com immediately.

11. Policy changes

This Privacy Policy may be amended to reflect legal or technical developments. Any substantial change will be notified by email to subscribed users with a 30-day notice. The version in force is the one published at https://refresh.mov-studio.com/confidentialite/ (or its English counterpart), with the last-updated date stated.

12. Contact

For any question regarding this Privacy Policy or your personal data:

Version 2.0 — Last updated: 17 May 2026