Privacy policy.
This GDPR skeleton is not final legal advice. It marks the required policy surface for the launch site and references the operational controls described on the trust page.
Controller
BleedWatch SASU is the controller for contact, booking, newsletter, and qualification data processed through labs.bleedwatch.com. Engagement data is governed by the signed contract and any applicable data-processing terms.
Lawful basis
We process inquiry data to respond to requests, prepare engagements, fulfill contracts, comply with legal obligations, and protect legitimate security interests.
Retention
Inquiry records are retained only as long as needed for the request and business records. Engagement evidence follows the retention period agreed in contract, with the default deletion window described on /trust.
Sub-processors
Current sub-processors are listed on /trust#sub-processors. They include booking, email, invoicing, and sanitized LLM compute providers.
International transfers
Transfers outside the EU require appropriate safeguards, including standard contractual clauses where applicable. Founder and counsel must confirm final provider posture before launch.
Your rights
Data subject requests can be sent to [email protected]. Access, rectification, erasure, restriction, portability, and objection requests are handled within 30 days.
Cookies and analytics
labs.bleedwatch.com runs Umami self-hosted at analytics.bleedwatch.com — cookieless, no PII, no cross-site tracking, no third-party processor. We do not deploy Google Analytics, Hotjar, FullStory, or any cookie-setting marketing tool. Aggregate page views and event analytics stay on BleedWatch infrastructure in the EU. Because the analytics baseline is cookieless, no GDPR consent banner is required for this surface; if cookie-setting tools are introduced later we will surface a consent UI before activation.