Legal documentation · loupixa.com
Privacy Policy
Intro
Scope
This Privacy Policy governs the collection, use, storage, sharing, and protection of personal data by LoupiXa Agency in connection with: (i) use of loupixa.com; (ii) participation in the LoupiXa network as a Clipper (creator); (iii) engagement with LoupiXa as a Brand or prospective client; and (iv) all related communications. It applies to all individuals whose personal data LoupiXa processes as data controller, in compliance with the GDPR, the French Loi Informatique et Libertés, and CNIL guidelines.
Art. 1
Data Controller
| Data controller | LoupiXa Agency SAS |
| Legal form | Société par Actions Simplifiée (SAS) — France |
| Registered office | 47 rue Vivienne, 75002 Paris, France |
| SIREN | [XXX — en cours d'immatriculation] |
| Data protection contact | rights@loupixa.com |
| General contact | contact@loupixa.com |
| Supervisory authority | CNIL — Commission Nationale de l'Informatique et des Libertés — cnil.fr |
Art. 2
Data We Collect
2.1 — Website Visitors
Contact form: first name, last name, professional email address, company name, and message content.
Booking data: name, email, and scheduling preferences submitted via cal.com.
Navigation data: IP address, browser type, OS, pages visited, session duration, click paths, referral source.
Cookie data: see our Cookie Policy.
2.2 — Clippers (Creators in the LoupiXa Network)
Clippers provide a broader range of personal data, collected across four stages of the relationship.
Stage 1 — Onboarding application
Identity data: last name, first name, age, country of residence.
Contact data: Discord username, email address, phone number (optional).
Social media account data: platform (TikTok, Instagram, or YouTube), account username, and public account URL.
Content profile data: up to three content niches and content type (original / edited / AI-generated).
Audience statistics (self-declared): total views in last 30 days, audience breakdown, top countries.
Referral data: Discord ID of the referring creator, if applicable.
Terms acceptance: timestamped confirmation of acceptance of LoupiXa's Terms and Conditions.
⚠
The onboarding form includes a 13-17 age bracket in the audience statistics section. This refers exclusively to the audience of the Clipper's account, not to the Clipper themselves. LoupiXa does not recruit Clippers under 18. Where a Clipper's declared audience includes minors, this has implications for campaign targeting obligations under DSA Article 28.
Stage 2 — Identity verification and KYC documentation
Identity document: copy of a government-issued identity document — stored in a restricted Google Drive folder accessible only to authorised LoupiXa team members.
Fiscal information: tax identification number (TIN), VAT number where applicable, and self-declaration of professional status.
Stage 3 — Payment processing (Stripe Connect)
Bank details: IBAN and BIC/SWIFT — processed exclusively through Stripe Connect. LoupiXa does not store raw bank account details on its own systems.
Payment records: amount paid, campaign identifier, date, and payout status — maintained for accounting, audit, and DAC7 reporting.
Stage 4 — Campaign operations
Campaign compliance data: URLs of published videos, screenshot captures (including disclosure mention visibility), timestamps.
Performance metrics: view counts, engagement rates tracked via Shortimize (publicly available metrics only).
Incident and compliance records: reports, warnings, strikes, or sanctions applied.
Communication records: messages via Discord or email relating to campaign briefs, compliance queries, or disputes.
2.3 — Brands (Commercial Clients)
Contact and identity data: name, professional email, job title, company name, registration details, and billing address.
KYB data: company registration number, VAT number, and beneficial ownership information.
Commercial and contractual data: signed MSA, Campaign Orders, campaign objectives, budget, CCP assets, and delivery reports.
Payment and billing data: invoices, payment records, and transaction references — processed through Stripe.
Art. 3
Legal Bases for Processing
| Processing activity | Data subject | Legal basis (GDPR Art. 6) |
|---|---|---|
| Website contact form responses | Visitors | Legitimate interest — Art. 6(1)(f) |
| Appointment booking (cal.com) | Visitors / Brands | Pre-contractual steps — Art. 6(1)(b) |
| Website analytics and performance | Visitors | Legitimate interest — Art. 6(1)(f) |
| Non-essential cookies and trackers | Visitors | Consent — Art. 6(1)(a) |
| Clipper onboarding and KYC | Clippers | Legal obligation + Contract — Art. 6(1)(b)+(c) |
| Payment processing via Stripe Connect | Clippers / Brands | Contract — Art. 6(1)(b) |
| DAC7 tax reporting to DGFiP | Clippers | Legal obligation — Art. 6(1)(c) |
| Campaign compliance monitoring | Clippers | Contract + Legitimate interest — Art. 6(1)(b)+(f) |
| Campaign performance tracking (Shortimize) | Clippers (public data) | Legitimate interest — Art. 6(1)(f) |
| Incident records, strikes, and sanctions | Clippers | Legitimate interest + Contract — Art. 6(1)(f)+(b) |
| Brand KYB and commercial onboarding | Brands | Contract + Legal obligation — Art. 6(1)(b)+(c) |
| Direct marketing | Brands / Clippers | Legitimate interest / Consent — Art. 6(1)(f)/(a) |
| DSA content reporting and moderation records | All | Legal obligation — Art. 6(1)(c) |
| Security incident logging and fraud prevention | All | Legitimate interest — Art. 6(1)(f) |
Art. 4
Data Retention
| Data category | Data subject | Retention period |
|---|---|---|
| Website contact form submissions | Visitors | 3 years from last contact |
| Navigation and analytics data | Visitors | 13 months (CNIL standard) |
| Booking data (cal.com) | Visitors / Brands | Engagement duration + 1 year |
| Onboarding form data | Clippers | 5 years from end of relationship |
| KYC identity documents | Clippers | 5 years from end of relationship |
| Fiscal data and payment records | Clippers / Brands | 10 years |
| Stripe payment transaction data | Clippers / Brands | Per Stripe policy (typically 7-10 years) |
| DAC7 declarations | Clippers | 10 years from declaration date |
| Campaign records (briefs, CCPs, URLs, screenshots) | Clippers / Brands | 5 years from campaign end |
| Compliance incidents, strikes, sanctions | Clippers | 5 years from incident date |
| DSA content reports and moderation records | All | 6 years |
| Brand commercial contracts | Brands | 10 years from contract end |
| Communication records | Clippers / Brands | 3 years from last contact |
| Security and access logs | All | 12 months |
Art. 5
Sub-Processors
| Sub-processor | Country | Processing role |
|---|---|---|
| Framer Inc. | United States | Website hosting and technical infrastructure |
| cal.com Inc. | United States | Appointment scheduling |
| Stripe, Inc. / Stripe Connect | United States (EU data centre) | Payment processing, KYC/AML, disbursements |
| Google LLC (Forms) | United States (EU data centre available) | Clipper onboarding form — initial collection |
| Google LLC (Drive / Sheets) | United States (EU data centre available) | Internal data storage — Clipper and Brand records |
| Shortimize | [To confirm] | Campaign performance analytics via public URLs |
| Discord Inc. | United States | Communication platform — Clipper community and campaign coordination |
Art. 6
International Data Transfers
Several LoupiXa sub-processors are based in the United States. All such transfers are subject to appropriate safeguards in compliance with GDPR Chapter V.
| Recipient | Destination | Transfer mechanism |
|---|---|---|
| Framer Inc. | United States | SCCs — EU Commission Decision 2021/914 |
| cal.com Inc. | United States | SCCs + EU-US Data Privacy Framework (10 July 2023) |
| Stripe, Inc. | United States | SCCs + EU-US Data Privacy Framework |
| Google LLC | United States | SCCs + EU-US DPF + Google Workspace DPA |
| Discord Inc. | United States | SCCs (Discord DPA for business accounts) |
| Shortimize | [To confirm] | [To confirm before publication] |
Art. 7
Data Sharing
LoupiXa does not sell personal data to any third party and does not share data for advertising or profiling purposes outside the sub-processor relationships described in Article 5.
7.1 — With Brand Clients
LoupiXa may share aggregated and anonymised campaign performance data with Brand clients. Individual Clipper identity or personal contact details are not shared with Brands, unless the Clipper has expressly consented or it is strictly necessary to resolve a compliance dispute.
7.2 — With Legal and Regulatory Authorities
DGFiP (French tax authority): annual DAC7 declaration of Clipper earnings — mandatory under EU Directive 2011/16/EU as amended.
TRACFIN: declaration of suspicious transactions or activities as required under French AML legislation.
Courts and tribunals: in response to a legally binding court order or judicial instrument.
CNIL or other supervisory authorities: in the context of an investigation or official audit.
Art. 8
Security Measures
Encryption in transit: all data transmitted between users and LoupiXa systems is protected by TLS 1.2 or higher (HTTPS).
Encryption at rest: sensitive data in Google Drive and Stripe is encrypted at rest using AES-256 or equivalent.
Access control: access to personal data is restricted to authorised team members on a need-to-know basis.
Two-factor authentication (2FA): enabled on Google Workspace, Stripe, Discord, and Shortimize accounts.
Stripe security: payment and KYC data is handled under PCI-DSS Level 1 compliance.
Breach response: in the event of a breach likely to result in a risk to individuals, LoupiXa will notify the CNIL within 72 hours (GDPR Article 33).
Art. 9
Your Rights
| Right | GDPR ref. | What it means in practice |
|---|---|---|
| Right of access | Art. 15 | Obtain confirmation of whether your data is processed, and receive a copy with information on purposes, categories, and recipients. |
| Right to rectification | Art. 16 | Request correction of inaccurate or incomplete personal data without undue delay. |
| Right to erasure | Art. 17 | Request deletion where data is no longer necessary, consent is withdrawn, or you object. Subject to legal retention obligations. |
| Right to restriction | Art. 18 | Request that processing be suspended while contesting accuracy or while we assess an objection. |
| Right to portability | Art. 20 | Receive your data in a structured, machine-readable format (e.g. CSV/JSON). |
| Right to object | Art. 21 | Object at any time to processing based on legitimate interest, including for direct marketing. |
| Right to withdraw consent | Art. 7(3) | Where processing is consent-based, withdraw at any time. Withdrawal does not affect the lawfulness of prior processing. |
Send a written request to rights@loupixa.com. We will respond within one calendar month. You also have the right to lodge a complaint with the CNIL at any time: cnil.fr/fr/plaintes.
Art. 10
Minors
LoupiXa's services are intended exclusively for individuals aged 18 years or older. LoupiXa does not knowingly collect, process, or retain personal data from individuals under 18. Any individual found to be under 18 will be immediately removed from the network and their data deleted.
Art. 11
Contact
| Data protection contact | rights@loupixa.com |
| General contact | contact@loupixa.com |
| Postal address | 47 rue Vivienne, 75002 Paris, France |
| Response time | 30 calendar days (extendable to 3 months for complex requests) |
| CNIL complaint portal | cnil.fr/fr/plaintes |
This Privacy Policy may be updated at any time. In the event of a material change, LoupiXa will update the effective date and post a prominent notice on the Website. The most recent version is always available at loupixa.com/privacy.