Privacy policy
This page describes how Bizleen collects, processes and protects your personal data. We comply with the General Data Protection Regulation (GDPR, EU 2016/679) and the amended French Loi Informatique et Libertes. The French version is the legal reference.
1. Data controller
MindVision Studio — Sole trader (auto-entrepreneur), SIRET 83515065700012.
137 Rue des Landes, 78400 Chatou, France.
Contact: contact@bizleen.com
Institutional site: mindvisionstudio.com
2. Data we collect
2.1 Account data
- Email — to identify you, communicate (verification, password reset), send a sign-up confirmation.
- Password — stored as an argon2id hash with a salt and a server pepper; we can never read your password in plain text.
- Email verification status (verified / unverified).
- Account creation date.
2.2 Card data (published at your URL /@your-handle)
- First name, last name, title, company, tagline, monogram, card number.
- Phone, contact email, website, location.
- Social links (LinkedIn, GitHub, X, Instagram) if you provide them.
- Profile photo (optional, stored on Cloudflare R2).
- Custom background (gradient, curated video, or image you upload).
- Visual theme chosen and accent color.
- If bilingual is enabled: English translations of editable fields (title, company, tagline, location).
These data are public by design: your card is accessible to anyone who knows the URL. That's the purpose of the service. Do not enter sensitive data.
2.3 Technical data
- IP address — collected only to rate-limit sign-in / sign-up attempts (anti-bruteforce), kept for 24h max in the login_attempts table, then purged.
- Session identifier — SHA-256 hash of your session token, kept in the mvc_session cookie and the sessions table. Duration: 30 sliding days from last activity.
- Language preference — non-sensitive mvc_locale cookie (value: fr or en), kept 1 year, to remember your manual choice via the FR/EN switcher.
3. Cookies
Two cookies are set:
| Name | Purpose | Duration | Type |
|---|---|---|---|
| mvc_session | Keep your session open after sign-in | 30 sliding days | Strictly necessary (HttpOnly, Secure, SameSite=Lax) |
| mvc_locale | Remember your chosen language (FR or EN) | 1 year | Preference (non-sensitive) |
We use no advertising cookies, no tracker, no third-party analytics pixel (no Google Analytics, no Meta Pixel, etc.). The cookie banner you see is purely informational.
4. Sub-processors
- Cloudflare (Cloudflare Inc., USA / Cloudflare Switzerland GmbH, CH) — hosting (Workers), database (D1), image storage (R2), DNS, DDoS protection. Cloudflare policy. Data processed in the EU / globally based on the nearest edge.
- Resend (Resend Inc., USA) — sending transactional emails (email verification, password reset). Receives: your email address + message content. Resend policy.
No data is sold, shared for advertising purposes, or transferred to a third party outside these sub-processors strictly necessary for the service.
5. Retention period
- Account + card: as long as your account is active. Immediate deletion on request (see section 6).
- Sessions: 30 days of inactivity then automatic deletion.
- Sign-in attempts (IP): 24h max, automatically purged.
- Email tokens (verification, reset): 24h (verification) or 1h (reset) then deleted.
- Backups: Cloudflare maintains operational backups (D1) per their cycles, not directly accessible.
6. Your rights
Under GDPR (articles 15-22) and French Loi Informatique et Libertes, you have the following rights:
- Access and portability: download a complete JSON export of your data from your Account page ("Download my JSON export" button).
- Rectification: modify your data at any time in your dashboard.
- Erasure (right to be forgotten): delete your account instantly from your Account page (Danger zone). Cascade deletion: account, card, photo, background, sessions. Your handle becomes available again.
- Objection: deleting the account is equivalent.
- Restriction: to restrict without deleting, contact us.
- Complaint: you can file a complaint with the CNIL (cnil.fr) — the French data protection authority.
7. Security
- Passwords hashed with argon2id (state of the art) with salt + server pepper.
- All communications in HTTPS (TLS 1.3) with HSTS.
- Session cookies: HttpOnly (inaccessible to JavaScript), Secure (HTTPS only), SameSite=Lax (anti-CSRF).
- Sign-in attempt rate-limit (5 failures / 15 min per email).
- Sign-up rate-limit (3 per hour per IP).
- Strict upload validation (magic bytes, max 2 MB, allowed types: JPEG/PNG/WEBP).
8. Minors
The service is not intended for minors under 16. If you are a parent or guardian and a minor has created an account, contact us for immediate deletion.
9. Changes
This policy may be updated. The last update date is shown at the top of the page. For substantial changes, we will notify you by email.
10. Contact
For any question about your personal data: contact@bizleen.com.