Privacy policy
Last updated: 22 April 2026
Our commitment
Protecting your personal data is a priority. This policy clearly and transparently describes the data we collect, why we collect it, how long we retain it, and the rights you hold.
We comply with the General Data Protection Regulation (GDPR) and the French Data Protection Act (loi Informatique et Libertés).
Data controller
The data controller is:
Rafael Janosevic
13 Quai de la Garonne, 75019 Paris
SIRET: 911 230 746 00016
Email: rafael@obv.studio
Data collected
The data we collect depends on how you interact with the Site.
At account creation
- Email address
During the welcome survey
- First name
- Date of birth
- City (name, postcode, department, region)
- Professional situation and experience
- Family situation
- Main modes of transport
- Cultural interests
- Information sources
- How often you go out
- Profile photo (optional)
During surveys
- Your answers to questions (anonymised in published reports)
- Date and time of participation
Upon winning a prize draw
- Postal address (for delivery purposes only, deleted once the prize has been dispatched)
Technical data
- Session cookies (strictly necessary for the Site to function)
- Server logs (IP address, user agent, pages visited) for security purposes
Purposes and legal basis
| Purpose | Legal basis |
|---|---|
| Account creation and management | Performance of contract |
| Targeting surveys according to your profile | Performance of contract |
| Sending transactional emails (welcome, survey notification, winner) | Performance of contract |
| Producing anonymised cultural studies | Legitimate interest |
| Site security and fraud prevention | Legitimate interest |
| Compliance with legal obligations (tax, accounting) | Legal obligation |
Recipients and sub-processors
Your personal data is never sold. It is only accessible to Rafael Janosevic (data controller) and a limited number of technical sub-processors who act on instructions and under GDPR-compliant contracts.
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database hosting and authentication system | European Union (Frankfurt) |
| Vercel Inc. | Website hosting | United States (EU standard contractual clauses) |
| Brevo (Sendinblue SAS) | Sending transactional emails | France |
Transfers outside the European Union (Vercel) are governed by standard contractual clauses approved by the European Commission, ensuring a level of protection equivalent to the GDPR.
Retention periods
- Active account: your data is retained for as long as your account is active.
- Inactive account: after 24 months of inactivity, we will contact you before any potential deletion.
- Deleted account: your data is erased within 30 days.
- Survey responses: retained in anonymised form for study purposes, even after account deletion.
- Postal address (prize won): deleted within 30 days of dispatch.
- Security logs: retained for 12 months.
Cookies
The Site uses only cookies that are strictly necessary for its operation (maintaining your authenticated session). These cookies do not require your prior consent.
No advertising or third-party tracking cookies are placed. If we add analytics or audience measurement cookies in the future, we will request your consent via a dedicated banner.
Your rights
Under the GDPR, you have the following rights:
- Right of access: obtain a copy of your data
- Right to rectification: correct inaccurate data
- Right to erasure: delete your data (right to be forgotten)
- Right to restriction: limit the processing of your data
- Right to data portability: retrieve your data in a structured format
- Right to object: object to processing on legitimate grounds
- Right to withdraw consent: at any time, without retroactive effect
To exercise these rights, contact us at rafael@obv.studio. We undertake to respond within a maximum of one month.
If you believe the processing of your data does not comply with regulations, you may lodge a complaint with the CNIL: www.cnil.fr
Security
We implement appropriate technical and organisational measures to protect your data: encrypted transmissions (HTTPS), secure storage, strict access controls on databases, regular backups.
In the event of a data breach likely to create a risk to your rights and freedoms, you will be informed without delay, in accordance with Article 34 of the GDPR.
Policy updates
This policy may be updated to reflect changes to the Site or applicable regulations. The date of the last update appears at the top of this page. Material changes will be notified to you by email.
Contact
For any question about this policy or the processing of your data: rafael@obv.studio