Privacy Policy
Last updated: March 13, 2026
1. Introduction
This Privacy Policy describes how BLACKFILE, operated by Tom Viseur EI — Entrepreneur Individuel (SIRET 989 333 117 00038), collects, uses, and protects your personal data when you use our Service at blackfile.co. We are committed to protecting your privacy in compliance with the EU General Data Protection Regulation ("GDPR"), the French Data Protection Act (Loi Informatique et Libertés), the California Consumer Privacy Act ("CCPA"), and other applicable data protection laws.
- Data Controller: Tom Viseur EI, 15 allée des Pris Pris, 92320 Châtillon, France
- Contact: tomviseur7@gmail.com
- Data Protection Officer: No DPO has been designated, as the conditions of Article 37 of the GDPR are not met (no large-scale processing of special categories of data as a core activity). For all data protection inquiries, contact: tomviseur7@gmail.com
2. Data We Collect
2.1 Data you provide directly
- Assessment responses: free-text answers to our psychological questionnaire (approximately 20–25 open-ended questions);
- Payment information: processed directly by Stripe — we do not store credit card numbers, CVVs, or full card details on our servers;
- Email address: if voluntarily provided for Dossier delivery or communication;
- Support requests: any information you share when contacting us.
2.2 Data collected automatically
- Device and browser information (user agent, screen resolution, operating system);
- IP address (anonymized for analytics);
- Pages visited, session duration, and interaction data;
- Cookies and similar technologies (see our Cookie Policy).
3. Legal Basis for Processing
3.1 Standard personal data (GDPR, Art. 6)
- Contract performance (Art. 6(1)(b)): processing your assessment responses to generate and deliver your Dossier, and processing payment;
- Legitimate interest (Art. 6(1)(f)): improving our Service, fraud prevention, and basic analytics;
- Consent (Art. 6(1)(a)): for non-essential cookies, marketing communications, and any optional data processing;
- Legal obligation (Art. 6(1)(c)): compliance with tax, accounting, and legal requirements.
3.2 Special category data (GDPR, Art. 9)
Your free-text assessment responses may incidentally reveal information about your psychological state, beliefs, health, or personal characteristics that could constitute special category data under Article 9 of the GDPR.
While the primary legal basis for processing your responses is contract performance (Art. 6(1)(b)), the processing of any special category data incidentally revealed is based on your explicit consent (Art. 9(2)(a)), which you provide when you submit your assessment. This dual basis reflects the distinction between processing your responses as text (contractual) and processing any sensitive information they may contain (consent-based).
You may withdraw consent for the processing of special category data at any time by contacting tomviseur7@gmail.com. Withdrawal will not affect the lawfulness of processing carried out prior to withdrawal, but will result in the deletion of your raw assessment responses.
4. How We Use Your Data
- Generate your personalized Dossier from your assessment responses;
- Process your payment via Stripe;
- Deliver your Dossier to you;
- Respond to support inquiries;
- Improve our algorithms and Service quality (using anonymized, aggregated data only — your raw responses are never used for training without separate consent);
- Comply with legal and regulatory obligations.
5. Data Sharing
We do not sell, rent, or trade your personal data. We share data only with the following categories of processors, under appropriate data processing agreements (DPAs):
- Stripe Inc. (San Francisco, USA): payment processing;
- Supabase Inc. (San Francisco, USA): database hosting and encrypted storage;
- Anthropic PBC (San Francisco, USA): AI processing for Dossier generation;
- Netlify, Inc. (San Francisco, USA): website hosting.
International transfers: Our processors are located in the United States. These transfers are carried out under appropriate safeguards, including Standard Contractual Clauses (SCCs) approved by the European Commission (Commission Implementing Decision (EU) 2021/914), and/or the EU-US Data Privacy Framework where the processor is certified.
6. Data Retention
- Assessment responses: encrypted (AES) and retained for the duration necessary to generate your Dossier. Raw responses are anonymized within 90 days of Dossier delivery, unless you request earlier deletion;
- Generated Dossier: stored and accessible to you for up to 12 months after purchase;
- Payment records: retained for the legally required period (10 years in France for accounting purposes, Article L.123-22 of the Commercial Code);
- Analytics data: anonymized and aggregated upon collection, retained indefinitely for Service improvement.
7. Data Security
We implement appropriate technical and organizational measures to protect your data, including:
- AES encryption of assessment responses at rest (client-side encryption before transmission);
- TLS 1.3 encryption for all data in transit;
- Access controls and authentication for our database systems (Supabase Row Level Security);
- Regular security reviews and monitoring.
No system is perfectly secure. While we take reasonable precautions, we cannot guarantee absolute security.
8. Record of Processing Activities
In accordance with Article 30 of the GDPR, we maintain a record of processing activities, given that our processing may involve special category data. This record is available to the CNIL upon request.
9. Your Rights
9.1 Under GDPR (EU/EEA residents)
- Right of access to your personal data (Art. 15);
- Right to rectification of inaccurate data (Art. 16);
- Right to erasure / "right to be forgotten" (Art. 17);
- Right to restriction of processing (Art. 18);
- Right to data portability (Art. 20);
- Right to object to processing based on legitimate interest (Art. 21);
- Right to withdraw consent at any time (Art. 7(3));
- Right to lodge a complaint with the CNIL (www.cnil.fr) or your local data protection authority.
9.2 Under CCPA (California residents)
- Right to know what personal data is collected, used, and shared;
- Right to delete personal data held about you;
- Right to opt out of the sale of personal data — we do not sell personal data;
- Right to non-discrimination for exercising your rights.
To exercise any of these rights, contact us at tomviseur7@gmail.com. We will respond within one (1) month for GDPR requests (extendable by two months for complex requests, per Art. 12(3)) and within 45 days for CCPA requests.
10. Children's Privacy
The Service is not directed at and is not intended for individuals under the age of 18. We do not knowingly collect personal data from minors. If we become aware that data has been collected from a person under 18, we will take steps to delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page with an updated "Last updated" date. For changes that materially affect the processing of your data, we will make reasonable efforts to provide advance notice.
12. Contact
- Email: tomviseur7@gmail.com
- Data Controller: Tom Viseur EI — Entrepreneur Individuel
- SIRET: 989 333 117 00038
- Address: 15 allée des Pris Pris, 92320 Châtillon, France
- Supervisory Authority: CNIL — 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07 — www.cnil.fr