1. Data controller
The data controller responsible for processing your personal data is Paratore Group, a SASU registered at 329 chemin du Gay, 38500 La Buisse, France, SIREN 992 066 357, SIRET 992 066 357 00011 ("LaunchLoop", "we", "us").
You can reach us at contact@paratoregroup.com.
We have not appointed a Data Protection Officer (DPO) as we are not required to under Article 37 GDPR. Privacy enquiries should be sent to the address above.
2. Scope
This policy applies to the LaunchLoop website, applications, APIs, emails and related services (the "Service"). It does not apply to third-party websites linked from LaunchLoop, including the websites of products listed by Makers, which have their own privacy policies. We encourage you to review the privacy practices of any third-party website before providing your personal data.
3. Data we collect
3.1. Data you provide directly
- (a) Account data: name, display name, email address, hashed password or OAuth identifier (Google), profile picture, bio, social media links and website links.
- (b) Maker data: product name, description, logo, screenshots, pricing, category, links, and any other content you submit when launching a product.
- (c) Reviewer and community data: reviews, comments, votes, reactions, reports and follows.
- (d) Communications: emails or messages you send us (support, abuse reports, feedback).
- (e) Payment data: billing name, billing address, country, VAT number (if any), and the last four digits and brand of your payment card. Full card details are collected and stored exclusively by our payment provider Stripe Payments Europe, Ltd. and are never stored by LaunchLoop.
3.2. Data collected automatically
- (a) Usage data: pages viewed, features used, search queries, referrers, time on page and click events.
- (b) Device and technical data: IP address, approximate location derived from IP (city and country level), browser type, operating system, device type, language and screen size.
- (c) Cookies and similar technologies: see our Cookie Policy for full details.
- (d) Security and anti-abuse logs: sign-in attempts, suspicious activity and rate-limit hits.
3.3. Data from third parties
- (a) OAuth providers (Google) when you choose "Sign in with Google": email, name, profile picture and provider identifier.
- (b) Payment provider (Stripe): payment status, fraud signals and dispute information.
3.4. Special categories
We do not knowingly collect special categories of data within the meaning of Article 9 GDPR (racial or ethnic origin, political opinions, religious beliefs, health data, sexual orientation, etc.). Please do not submit such data through the Service.
4. Why we use your data and legal bases (Article 6 GDPR)
4.1. Provide the Service (account creation and management, launches, reviews, Credits, boosts, leaderboards): performance of a contract, Article 6(1)(b).
4.2. Process payments and prevent fraud: performance of a contract and legitimate interest in detecting and preventing fraud, Article 6(1)(b) and Article 6(1)(f).
4.3. Comply with legal obligations (accounting, tax, responding to lawful requests from authorities, DSA notice-and-action obligations): Article 6(1)(c).
4.4. Improve and secure the Service (analytics, debugging, security monitoring, performance optimisation): legitimate interest, Article 6(1)(f). You can object at any time: see Section 8.
4.5. Send transactional emails (sign-up confirmation, launch approved or rejected, password reset, billing receipts, credit usage notifications): Article 6(1)(b).
4.6. Send marketing emails and newsletters: consent, Article 6(1)(a), or legitimate interest under the soft opt-in for existing customers (Article L34-5 of the Code des postes et des communications électroniques), with an unsubscribe link in every email. You may withdraw your consent or unsubscribe at any time.
4.7. Use non-essential cookies and analytics tools: consent, Article 6(1)(a) and Article 82 of the Loi Informatique et Libertés (transposing Article 5(3) of the ePrivacy Directive). See our Cookie Policy.
5. Who we share data with
We share personal data only with vetted service providers acting as processors on our behalf, under a Data Processing Agreement compliant with Article 28 GDPR:
- (a) Hosting and database: Supabase, Inc. (US, with EU data processing options) and Amazon Web Services EMEA SARL (Luxembourg).
- (b) Payments: Stripe Payments Europe, Ltd. (Ireland).
- (c) Transactional and marketing email: Resend, Inc. (US).
- (d) Analytics: PostHog, Inc. (US), configured with IP anonymisation and no cross-site tracking.
- (e) Error monitoring: Sentry (Functional Software, Inc., US), with PII scrubbing enabled.
- (f) Authentication: Google Ireland Limited (only if you choose "Sign in with Google").
- (g) Domain and DNS: Cloudflare, Inc. (US).
We may also disclose data to:
- (h) Law enforcement, courts or regulators when required by law or to protect rights, safety and the integrity of the Service.
- (i) A successor entity in case of merger, acquisition, reorganisation or sale of all or substantially all of the assets of Paratore Group, subject to confidentiality obligations and prior notice to you where practicable.
We do not sell or rent your personal data. We do not share your personal data with advertisers. We do not use your personal data for profiling for the purpose of targeted advertising by third parties.
6. International transfers
Some of our processors are located outside the European Economic Area, notably in the United States. Where this is the case, we rely on appropriate safeguards under Chapter V GDPR, in particular:
- (a) The EU–US Data Privacy Framework for certified US recipients (European Commission adequacy decision of 10 July 2023).
- (b) The Standard Contractual Clauses adopted by the European Commission (Decision 2021/914), supplemented by appropriate technical and organisational measures (encryption in transit and at rest, access controls, pseudonymisation where feasible).
- (c) A transfer impact assessment where required under Schrems II (CJEU, Case C-311/18).
You may request a copy of the safeguards in place by emailing contact@paratoregroup.com.
7. How long we keep your data
- (a) Account data: for as long as your account is active, then deleted within 30 days of an account deletion request, except for data we are required to keep longer under applicable law.
- (b) Public content (launches, reviews) submitted before account deletion: may remain visible in anonymised form to preserve the integrity of the platform.
- (c) Billing and tax records: 10 years from the end of the financial year in which the transaction occurred (Article L123-22 of the French Code de commerce and Article L102 B of the Livre des procédures fiscales).
- (d) Anti-fraud and security logs: up to 12 months.
- (e) Technical logs (server logs, error logs): up to 6 months.
- (f) Backups: rotated and permanently deleted within 90 days.
- (g) Marketing consent records: 3 years from the last interaction (in line with CNIL guidance).
- (h) Cookie consent records: 6 months (in line with CNIL recommendations).
8. Your rights
Subject to legal conditions and verification of your identity, you have the following rights:
- (a) Access (Article 15 GDPR): obtain a copy of the personal data we hold about you.
- (b) Rectification (Article 16 GDPR): correct inaccurate or incomplete personal data.
- (c) Erasure (Article 17 GDPR): request deletion of your personal data when it is no longer needed for the purposes for which it was collected, or when you withdraw your consent.
- (d) Restriction (Article 18 GDPR): request that we limit the processing of your personal data in certain circumstances.
- (e) Portability (Article 20 GDPR): receive your personal data in a structured, commonly used and machine-readable format, and transmit it to another controller.
- (f) Object (Article 21 GDPR): object to processing based on legitimate interest, including profiling for direct marketing purposes. Where you object to direct marketing, we will stop processing without delay.
- (g) Withdraw consent at any time, without affecting the lawfulness of processing carried out prior to withdrawal.
- (h) Define post-mortem instructions regarding the storage, erasure and communication of your data after your death (Article 85 of the Loi Informatique et Libertés).
- (i) Lodge a complaint with a supervisory authority. For France, the relevant authority is the Commission Nationale de l'Informatique et des Libertés (CNIL), 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France, www.cnil.fr.
To exercise any of these rights, email contact@paratoregroup.com with sufficient information to verify your identity. We will respond within 30 days (extendable by two months for complex requests, in accordance with Article 12(3) GDPR).
California residents (CCPA/CPRA): you have additional rights, including the right to know the categories of personal information collected, the right to delete, the right to correct, the right to limit use of sensitive personal information, and the right to opt out of the "sale" or "sharing" of personal information. We do not sell or share personal information as defined by the CPRA. To exercise your rights, contact us at contact@paratoregroup.com.
9. Automated decision-making and AI
9.1. We use automated systems to: rank and recommend launches in Explore and leaderboards, detect spam, fraud and review manipulation, and personalise notifications and emails.
9.2. These automated processes do not produce legal effects or similarly significant effects on you within the meaning of Article 22 GDPR. No automated decision is made regarding your access to the Service, your account status or your ability to submit content without human oversight.
9.3. You can contest any moderation decision by emailing contact@paratoregroup.com.
9.4. We do not use your private content or personal data to train machine-learning models without your explicit prior consent.
10. Children
The Service is not intended for children under 16 years of age (or the age of digital consent in your country, e.g. 15 in France under Article 7-1 of the Loi Informatique et Libertés). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us at contact@paratoregroup.com and we will delete it promptly.
11. Security
11.1. We implement technical and organisational measures appropriate to the risk, in accordance with Article 32 GDPR, including:
- (a) Encryption in transit (TLS 1.2 or higher) for all communications between your browser and our servers.
- (b) Encryption at rest for the database and backups.
- (c) Hashed passwords using bcrypt or a stronger algorithm; we never store passwords in plaintext.
- (d) Principle of least privilege for production access: only authorised personnel can access personal data.
- (e) Multi-factor authentication for staff accounts with access to production systems.
- (f) Security monitoring, intrusion detection and regular dependency updates.
- (g) Regular review and testing of security measures.
11.2. No system is 100% secure. In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the CNIL within 72 hours (Article 33 GDPR) and inform you without undue delay where the breach is likely to result in a high risk (Article 34 GDPR).
12. Cookies
For detailed information on cookies and similar technologies used by the Service, including how to accept, refuse or manage your preferences, see our Cookie Policy.
13. Changes to this policy
We may update this policy from time to time. The date at the top of this page reflects the date of the last update. Material changes will be communicated through the Service or by email at least 15 days before they take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.
14. Contact
For any privacy question or to exercise your rights, contact us at contact@paratoregroup.com.