Privacy Policy
Brick River Lab SAS — Blind Valet Effective Date: 2026-05-04
1. About This Privacy Policy
This Privacy Policy describes how Brick River Lab SAS ("Brick River Lab," "we," "us," "our") collects, uses, and shares personal data when you visit blindvalet.com and app.blindvalet.com or use the Blind Valet service (together, the "Service").
This Policy is intended to comply with the EU General Data Protection Regulation (GDPR), the French Data Protection Act (Loi Informatique et Libertés), and the California Consumer Privacy Act (CCPA) for California residents.
It complements but does not replace our Terms and Conditions. Our Terms govern your contractual relationship with us; this Policy describes our handling of your personal data.
2. Who We Are (Data Controller)
For personal data covered by this Policy, the data controller is:
Brick River Lab SAS 14 Avenue des Tourterelles, 44100 Nantes, France RCS 811 820 794 Nantes Email: support@blindvalet.com
We have not appointed a Data Protection Officer (DPO), as we are not required to do so under Article 37 of the GDPR. For any privacy-related question, contact us at the address above.
3. Scope of This Policy
This Policy applies to personal data we process as a controller — that is, personal data of our users, visitors, and prospective customers, processed for our own purposes (account management, billing, support, security, analytics, marketing).
It does not apply to personal data that you, as a Subscriber, enter into the Service about other people (such as players, club members, or league participants). For that data, you are the controller and we act as your processor. The terms of that processing are governed by our Data Processing Agreement (DPA), incorporated by reference into our Terms and available on request.
4. Personal Data We Collect
We collect the following categories of personal data:
Account data. Email address, full name, country, preferred language, password (stored hashed). When you sign in via a social provider (e.g., Google, Apple), we receive your name, email, and profile identifier from that provider.
Subscription and billing data. Subscription tier, plan, currency, billing country, invoice history. Payment card details are collected and stored directly by Stripe — we never see or store your full card number, expiry, or CVC. We retain a card reference (last four digits, brand, expiry month/year) provided by Stripe for display in your account.
Usage data. Tournament configurations, club memberships, league rankings, settings, and other content you create within the Service. Where this content includes personal data about other people, you act as controller (see §3).
Support communications. Messages you send us by email or through in-app chat, including any personal data you choose to include.
Technical data. IP address, browser type and version, operating system, device identifiers, language preference, time zone, and approximate location derived from IP. Logs of your interactions with the Service (page views, feature usage, errors).
Cookie and tracking data. See §10 below.
Marketing data. If you opt in to receive marketing emails or newsletters, we record your consent and engagement (open, click).
5. How We Use Your Data and Legal Basis
We process your personal data for the following purposes, on the following legal bases (GDPR Article 6):
| Purpose | Legal Basis |
|---|---|
| Provide the Service to you (account, tournaments, clubs) | Performance of contract (Art. 6(1)(b)) |
| Bill, invoice, and process subscription payments | Performance of contract; legal obligation (accounting) (Art. 6(1)(b), (c)) |
| Respond to support requests and communicate about your account | Performance of contract (Art. 6(1)(b)) |
| Maintain Service security, prevent fraud and abuse | Legitimate interests (Art. 6(1)(f)) |
| Analyse Service usage to improve features and reliability | Legitimate interests; consent for non-essential cookies (Art. 6(1)(f), (a)) |
| Send transactional emails (renewal notices, password resets, billing) | Performance of contract; legal obligation (Art. 6(1)(b), (c)) |
| Send marketing emails and newsletters | Consent (Art. 6(1)(a)); you may withdraw at any time |
| Comply with legal obligations (tax, regulatory requests, court orders) | Legal obligation (Art. 6(1)(c)) |
| Establish, exercise, or defend legal claims | Legitimate interests (Art. 6(1)(f)) |
We do not use your personal data for purposes incompatible with the above without your explicit consent.
6. How We Share Your Data (Sub-processors)
We share personal data with the following categories of recipients:
Sub-processors that help us deliver the Service. We have contractual agreements with each requiring GDPR-equivalent protection:
| Sub-processor | Role | Location |
|---|---|---|
| Stripe Payments Europe Ltd | Payment processing, subscription billing | Ireland / United States |
| Google LLC / Google Cloud / Firebase | Hosting, authentication, database (Realtime Database), file storage, Cloud Functions | United States (Google Cloud us-central1 region) |
| Sentry (Functional Software Inc.) | Application error monitoring | United States |
| Mailgun Technologies Inc. | Transactional email delivery | United States / EU |
| Anthropic PBC | LLM services for content translation (system phrases only) | United States |
| OpenAI, L.L.C. | LLM services for content translation (system phrases only) | United States |
| Netlify Inc. | Hosting and CDN for the marketing site (blindvalet.com), the application (app.blindvalet.com), and the admin interface | United States |
We do not sell your personal data to anyone, and we do not share it for cross-context behavioural advertising.
Other recipients. We may disclose your personal data:
- To professional advisors (lawyers, accountants, auditors) bound by confidentiality;
- To competent authorities (tax, regulators, law enforcement) where required by law or in response to valid legal process;
- To a successor entity in the event of merger, acquisition, or sale of all or substantially all of our assets;
- Where you have given us explicit consent to do so.
7. International Data Transfers
The primary infrastructure for the Service — including the Realtime Database where account, tournament, and club data is stored, and the Cloud Functions that process it — is hosted in the United States (Google Cloud us-central1 region). Several other sub-processors are also located in the United States.
When we transfer your personal data outside the European Economic Area (EEA), we rely on one or more of the following safeguards required by GDPR Articles 44–49:
- Adequacy decisions (e.g., the EU–U.S. Data Privacy Framework, where the recipient is certified);
- Standard Contractual Clauses (SCCs) approved by the European Commission;
- Supplementary measures as required (encryption in transit and at rest, access controls).
You may request a copy of the safeguards in place for a specific transfer by contacting us at support@blindvalet.com.
8. How Long We Keep Your Data
| Data category | Retention |
|---|---|
| Account data (profile, settings, tournaments, clubs) | Duration of your subscription, plus a minimum of 3 years after cancellation, to allow restoration if you re-subscribe |
| Billing records (invoices, payment history) | 10 years from the end of the financial year, as required by French commercial law (Article L123-22 of the Code de commerce) |
| Support tickets and communications | 3 years from last contact |
| Server and security logs | Up to 12 months |
| Marketing consent records | Until withdrawal of consent + 3 years (for proof of consent) |
| Cookie consent records | 13 months (CNIL guideline) |
| Anonymised / aggregated analytics | Indefinitely (no longer personal data) |
After the applicable retention period, we delete or anonymise the data. You may request earlier deletion at any time (see §9), subject to retention obligations we cannot waive (e.g., billing records under tax law).
9. Your Rights
Under GDPR (Articles 15–22), you have the following rights with respect to your personal data:
- Right of access — to obtain a copy of the personal data we hold about you;
- Right of rectification — to correct inaccurate or incomplete data;
- Right to erasure ("right to be forgotten") — to request deletion of your data;
- Right to restriction of processing in certain circumstances;
- Right to data portability — to receive your data in a structured, commonly used, machine-readable format and to have it transmitted to another controller;
- Right to object to processing based on legitimate interests, including profiling;
- Right to withdraw consent at any time, where processing is based on consent (this does not affect the lawfulness of processing before withdrawal);
- Right not to be subject to a decision based solely on automated processing with legal effects (we do not engage in such processing — see §12).
To exercise any of these rights, contact us at support@blindvalet.com. We will respond within one (1) month, with a possible two-month extension for complex requests (Article 12(3)). We may need to verify your identity before acting.
You may also export your tournament and club data at any time from within the Service. Account deletion can be requested at https://blindvalet.com/data.
Right to lodge a complaint. If you believe we have not handled your personal data properly, you may lodge a complaint with the French data protection authority:
Commission Nationale de l'Informatique et des Libertés (CNIL) 3 Place de Fontenoy — TSA 80715 — 75334 Paris Cedex 07, France www.cnil.fr
10. Cookies and Similar Technologies
We use cookies and similar technologies (local storage, session storage) only for the following purposes:
Strictly necessary cookies — required for the Service to function: authentication, session management, security, and CSRF protection. These are exempt from consent under the ePrivacy Directive and CNIL guidance.
Functional cookies — remember preferences you have set, such as language and display settings. These are limited in scope and exempt from consent under CNIL guidance.
No advertising cookies. We do not use cookies for advertising, profiling, or cross-context behavioural targeting.
No analytics cookies at present. We do not currently run third-party analytics or tracking cookies.
In practice, we use browser storage to keep you signed in, remember your preferences (such as language and theme), and cache application data such as the pricing catalogue for performance. None of this storage contains advertising identifiers or third-party trackers.
When you first visit the Service, a cookie banner asks you to accept or refuse any non-essential cookies before they are set. Strictly necessary and functional cookies described above are not affected by this choice, as they are exempt from consent. You can withdraw or change your consent at any time by clearing cookies in your browser, which will cause the banner to be shown again on your next visit.
11. Children
Consistent with our Terms and Conditions, the Service is not directed at children. We do not knowingly collect personal data from anyone under the age of 18. If you believe a minor has created an account or provided us with personal data, contact us at support@blindvalet.com and we will delete it.
If you, as a Subscriber, enter personal data about minors into the Service (for example, junior players in a club or league), you act as the Controller for that data and are responsible for establishing the appropriate lawful basis, including parental consent where required.
12. Automated Decision-Making
We do not make decisions based solely on automated processing that produce legal effects concerning you or significantly affect you, within the meaning of Article 22 of the GDPR.
13. Security
We implement reasonable technical and organisational measures to protect your personal data, including encryption in transit (TLS), authentication and access controls, the use of established infrastructure providers with their own industry-recognised security standards, and incident response procedures. No system is fully secure; we cannot guarantee against all unauthorised access.
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the CNIL within 72 hours (Article 33) and, where the risk is high, notify affected individuals without undue delay (Article 34).
You are responsible for safeguarding your account credentials and for promptly notifying us of any suspected compromise.
14. California Residents (CCPA)
If you are a California resident, the California Consumer Privacy Act (as amended by the CPRA) gives you the following rights, in addition to those listed in §9:
- Right to know what categories and specific pieces of personal information we collect, the sources, the purposes, and the categories of third parties we share it with (this Policy provides that information);
- Right to delete personal information we have collected from you;
- Right to correct inaccurate personal information;
- Right to opt out of the "sale" or "sharing" of your personal information. We do not sell personal information and we do not share it for cross-context behavioural advertising.
- Right to limit the use of sensitive personal information — we do not collect sensitive personal information for purposes beyond providing the Service;
- Right to non-discrimination for exercising your rights.
To exercise these rights, contact us at support@blindvalet.com. We will respond within 45 days, with a possible 45-day extension.
15. Changes to This Policy
We may update this Policy from time to time. Material changes will be notified by email or in-app notice at least thirty (30) days before they take effect. Continued use of the Service after the effective date constitutes acceptance.
The current version is identified by the Effective Date at the top of this Policy.
16. Contact Us
For any question, request, or complaint regarding this Policy or our handling of your personal data:
Brick River Lab SAS 14 Avenue des Tourterelles, 44100 Nantes, France Email: support@blindvalet.com