Privacy Policy
Last updated: 4 June 2026
Effective date: 4 June 2026
This Privacy Policy explains how Gaston Media SAS (RCS Strasbourg 884 076 027, registered office 18 Rue de Copenhague, 67610 La Wantzenau, France) ("BulkTier", "we"), as data controller for account and billing data, processes personal data in connection with the BulkTier service (the "Service"). It is written to comply with the EU General Data Protection Regulation (GDPR) and French data-protection law.
For personal data that you store inside your buckets, you are the controller and we act as your processor. We process such data only on your documented instructions and only for the purpose of delivering the Service.
1. Data we process (as controller)
| Category | Examples | Source |
|---|---|---|
| Account data | name, email, company name | provided by you |
| Billing data | billing address, VAT number, payment status | you / Stripe |
| Technical & usage data | IP address, access logs, quota usage | automatically |
| Support data | content of emails you send us | provided by you |
We do not collect payment card numbers (handled directly by Stripe), and we do not access, scan or analyse the contents of your buckets except as strictly required to operate the Service or to comply with a binding legal order.
2. Purposes and legal bases
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Providing and operating the Service | Performance of a contract (6(1)(b)) |
| Billing, invoicing, accounting | Contract + legal obligation (6(1)(b),(c)) |
| Security, abuse prevention, logging | Legitimate interests (6(1)(f)) |
| Service-related communications | Contract (6(1)(b)) |
| Responding to legal requests | Legal obligation (6(1)(c)) |
3. Subprocessors and recipients
As required under GDPR Art. 28, we share personal data only with service providers acting on our behalf. The current subprocessors are:
| Subprocessor | Role | Location |
|---|---|---|
| Hetzner Online GmbH | Hosting / infrastructure | Germany, Finland (EU) |
| Stripe Payments Europe / Stripe, Inc. | Payment processing | Ireland (EU) / USA |
| OVHcloud (OVH SAS) | Domain and DNS | France (EU) |
| Tally Forms B.V. | Waitlist form processing | Netherlands (EU) |
| Google Ireland Ltd. | Advertising measurement (consent-based) | Ireland (EU) |
Transfers to the USA (Stripe, Inc. only) are governed by the EU Standard Contractual Clauses and complementary technical safeguards. We will give you reasonable notice of any addition or replacement of a subprocessor.
4. Data location and international transfers
Account, billing and stored bucket data are hosted in the European Union (Germany / Finland). The only routine transfer outside the EU concerns payment data processed by Stripe Inc. (USA), governed by Standard Contractual Clauses.
5. Retention
- Account data: for the duration of the contract.
- Stored bucket data: retained for 30 days after termination, then permanently deleted; immediate deletion available on request.
- Invoices / accounting records: retained for 10 years as required by French commercial law.
- Access logs: up to 12 months for security purposes.
- Waitlist submissions: retained until you request deletion or until we determine the waitlist is no longer active.
6. Your rights (GDPR)
You have the right to access, rectify, erase, restrict, port, and object to the processing of your personal data, and to withdraw consent where processing is based on consent. To exercise these rights, contact hello@bulktier.com.
You may also lodge a complaint with the French supervisory authority, the CNIL (www.cnil.fr), or your local EU supervisory authority.
7. Deletion process
On request to hello@bulktier.com, or automatically 30 days after termination, we completely delete your stored data and associated access keys. Deletion is irreversible. Operational backups containing the data are rotated out within their retention window (14 days). Legally required records (e.g. invoices) are retained as stated in §5.
8. Cookies (website)
The BulkTier website (bulktier.com) uses strictly necessary cookies plus, only after your explicit consent via the cookie banner, advertising and analytics measurement cookies (Google Ads / Google Analytics). We operate under Google Consent Mode v2 with all non-essential storage denied by default. Declining has no impact on your use of the website.
9. Security
We implement encryption at rest using industry-standard AES-256 algorithms, encryption in transit (TLS 1.2+), least-privilege access controls, per-tenant credential isolation, and EU-only data residency. Operational access to systems is restricted to a limited set of authorised personnel under confidentiality obligations.
10. Changes
We may update this Policy; material changes will be notified by email or via the Service at least 30 days before they take effect.
11. Contact
Data controller: Gaston Media SAS, 18 Rue de Copenhague, 67610 La Wantzenau, France — hello@bulktier.com.