Legal document
Privacy Policy
01 — Who we are
refici is a web platform for film and commercial production professionals, enabling producers to source, curate, and share asset references with clients.
The service is operated by Valentin Moreau, an independent operator established in France, European Union.
As a data controller established in France, refici is subject to the General Data Protection Regulation (GDPR) and to French data protection law as enforced by the CNIL (Commission Nationale de l'Informatique et des Libertés).
02 — What data we collect
We collect only what is necessary to provide the service.
- Account data — email address, display name, password (hashed), and optional profile information provided at signup.
- Google account data — when you connect your Google account, we receive your name, email address, and profile picture from Google. If you grant Drive access, we store an OAuth refresh token to create and manage files in your Google Drive on your behalf.
- Project and item data — URLs, titles, prices, descriptions, images, and notes that you add to your projects. This data belongs to you.
- Usage data — pages visited, features used, and anonymised interaction events collected via PostHog (EU-hosted) for product improvement.
- Billing data — if you subscribe to a paid plan, payment is processed by Stripe. We do not store your card details. We retain your subscription status and billing history.
- Communications — emails sent via Loops (transactional and onboarding sequences) in response to your account activity.
03 — How we use your data
We use your data exclusively to:
- Create and maintain your account
- Provide the scraping, curation, and sharing features of the platform
- Write files to your Google Drive when you request an export
- Process payments and manage your subscription
- Send transactional emails (account confirmation, billing receipts, onboarding guidance)
- Understand how the product is used, in order to improve it
- Respond to your support requests
We do not sell your data. We do not use your data to train machine learning models. We do not display advertising.
04 — Google OAuth and Drive access
When you choose to connect your Google account, refici requests the following OAuth scopes:
- openid, email, profile — to identify your account and populate your profile.
- drive.file — to create, read, update, and delete files that refici itself has created in your Google Drive (export files and stored images). This scope does not allow access to any other files in your Drive.
- presentations — to create and update Google Slides export files.
- spreadsheets — to create and update Google Sheets export files.
All files created through refici are placed in a dedicated refici/ folder in your personal Drive. You retain full ownership and can delete or modify them at any time independently of the platform.
Your Google OAuth refresh token is stored securely in our database (Supabase, EU region) and is used exclusively to perform Drive, Slides, and Sheets operations initiated by you. You can revoke access at any time from your Google account security settings at myaccount.google.com/permissions.
refici's use of Google user data complies with the Google API Services User Data Policy, including the Limited Use requirements.
Google user data is shared only with the following sub-processors, solely to operate the service: Supabase (database storage, EU region). It is not shared with any other third party, not used for advertising, and not used to train models.
05 — Data storage and transfers
Your data is stored and processed within the European Union wherever possible:
- Supabase — database and authentication, EU region (Frankfurt)
- Vercel — frontend hosting, EU edge nodes used where available
- Railway — backend server, EU region
- PostHog — analytics, EU cloud instance (Frankfurt)
- Loops — email delivery, US-based (Amazon SES), operating under Standard Contractual Clauses
- Stripe — payment processing, US-based, operating under Standard Contractual Clauses and EU-US Data Privacy Framework
Where data is transferred outside the EU, we rely on appropriate safeguards as required by GDPR Article 46, including Standard Contractual Clauses.
06 — Data retention
We retain your data for as long as your account is active. If you delete your account, we delete or anonymise your personal data within 30 days, except where retention is required by law (e.g. billing records, which are retained for 10 years as required under French accounting law).
Images stored in your Google Drive are never deleted by refici — you control them directly.
07 — Your rights (GDPR)
Under GDPR, you have the following rights regarding your personal data:
- Right of access — request a copy of the data we hold about you
- Right of rectification — correct inaccurate data
- Right of erasure — request deletion of your account and associated data
- Right of portability — receive your data in a structured, machine-readable format
- Right to restriction — request that we limit how we process your data
- Right to object — object to processing based on legitimate interests
- Right to withdraw consent — where processing is based on consent
To exercise any of these rights, contact us at support@refici.com. We will respond within 30 days. You also have the right to lodge a complaint with the CNIL (cnil.fr).
08 — Cookies and tracking
refici uses a minimal set of cookies:
- Authentication cookies — set by Supabase to maintain your login session. Strictly necessary; no consent required.
- Analytics — PostHog collects anonymised product usage data. No cross-site tracking. No advertising profiles.
We do not use advertising cookies, social media pixels, or third-party tracking networks.
09 — Security
We apply industry-standard measures to protect your data: HTTPS everywhere, hashed passwords, row-level security on all database tables, and OAuth tokens stored encrypted. API keys are generated per-user and can be rotated from your profile settings.
No system is perfectly secure. If you discover a vulnerability, please report it to support@refici.com.
10 — Children
refici is a professional tool intended for adults. We do not knowingly collect personal data from anyone under the age of 16. If you believe a minor has created an account, contact us and we will delete it promptly.
11 — Changes to this policy
We may update this policy from time to time. Material changes will be communicated by email or by a notice in the platform. The date at the top of this page reflects the most recent update. Continued use of refici after the effective date constitutes acceptance of the revised policy.
12 — Contact
support@refici.com
refici — France, European Union
Supervisory authority: CNIL — cnil.fr