Privacy Policy
bitli.st — Last updated: June 7, 2026
1. Introduction
bitli.st ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains what data we collect, why we collect it, how we store it, and your rights under the General Data Protection Regulation (GDPR) and applicable French law.
This policy applies to:
- Clients — builders and entrepreneurs who create a bitli.st account and deploy a waitlist page.
- Visitors — end users who interact with a Client's waitlist page.
Note for Visitors: If you submitted your email or made a payment on a waitlist page powered by bitli.st, the owner of that page (the Client) is the data controller for your data. bitli.st stores and processes that data on their behalf as a data processor. To exercise your rights (access, deletion, etc.), contact the Client directly — or contact bitli.st at lrzalexandre@gmail.com if you cannot identify them.
2. Data We Collect
2.1 — From Clients (Account Holders)
When you create and use a bitli.st account, we may collect:
| Data | Purpose |
|---|---|
| Email address | Account creation, transactional emails |
| Payment information | Processed via Stripe — we do not store card data |
| Usage data (page views, signups count) | Analytics dashboard |
| Custom page content (title, description, color) | Page rendering |
2.2 — From Visitors (via Client Waitlist Pages)
When a Visitor interacts with a Client's waitlist page, the following is collected on behalf of the Client:
| Data | Purpose |
|---|---|
| Email address | Waitlist registration |
| Payment details | Pre-order / founding member checkout (via Stripe) |
| Bot-check signal | Spam protection via Cloudflare Turnstile |
bitli.st processes this data strictly as a data processor on behalf of the Client, who is the data controller. bitli.st does not use Visitor data for its own purposes, does not sell it, and does not share it with third parties outside of the sub-processors listed below.
What Clients can do with Visitor data:
- View their leads in their dashboard.
- Export their leads as a CSV or JSON file.
Clients cannot modify or delete individual Visitor records directly. Deletion requests must be routed through bitli.st (see Section 7).
3. Infrastructure & Sub-processors
We use the following trusted sub-processors to operate the Service:
| Provider | Role | Data Processed | Location |
|---|---|---|---|
| Cloudflare R2 | Object storage for lead data | Visitor emails | USA (Standard Contractual Clauses apply) |
| Cloudflare Turnstile | Bot & spam protection | Behavioral signals (ephemeral, no personal data stored) | USA (SCC apply) |
| Supabase | Database for Client and Visitor data | Emails, page config, account data | EU region |
| Stripe / Stripe Connect | Payment processing | Payment details, payout info | USA / EU (SCC apply) |
We do not sell your data to third parties. We do not use your data for advertising.
4. Legal Basis for Processing (GDPR)
We process personal data on the following legal bases:
- Contract performance (Art. 6.1.b): Processing Client account data to provide the Service.
- Legitimate interest (Art. 6.1.f): Fraud prevention, security, and abuse detection.
- Consent (Art. 6.1.a): Where Visitors explicitly consent on a Client's page.
- Legal obligation (Art. 6.1.c): Compliance with French and EU law.
5. Data Retention
| Data Type | Retention Period |
|---|---|
| Client account data | Until account deletion + 30 days |
| Visitor emails (on behalf of Clients) | Until deletion is requested or Client account is terminated + 30 days |
| Stripe payment records | 5 years (French accounting law obligation) |
| Cloudflare Turnstile signals | Not retained (ephemeral by design) |
| Analytics data (views, conversion rates) | Rolling 12 months |
6. Cloudflare Turnstile — Bot Protection
Waitlist pages use Cloudflare Turnstile to prevent automated spam submissions. Turnstile is a privacy-preserving CAPTCHA alternative:
- It does not use cookies or store personal data.
- It does not fingerprint users.
- It processes behavioral signals ephemerally to verify requests are human.
For more information, see Cloudflare's Privacy Policy.
7. Visitor Data Deletion Requests
Visitors have the right to request deletion of their personal data at any time. To do so:
- Contact the Client who owns the waitlist page, or
- Contact bitli.st directly at lrzalexandre@gmail.com with the subject line "Data Deletion Request" and the email address to be removed.
bitli.st will process all deletion requests within 30 days of receipt, removing the relevant data from Cloudflare R2 and Supabase. Note that Stripe payment records are retained for 5 years as required by French accounting law and cannot be deleted on request.
8. Payments — Stripe Connect
When a Visitor makes a payment on a Client's page, the transaction is processed via Stripe Direct Charges. This means:
- The payment goes directly into the Client's Stripe account — bitli.st never holds or touches the funds.
- The Client is the merchant of record and is solely responsible for the transaction, refunds, and any obligations toward the Visitor.
- bitli.st does not store card numbers, CVV codes, bank details, or any raw payment credentials.
- Stripe's data practices are governed by Stripe's Privacy Policy.
What bitli.st does store (on behalf of the Client, for dashboard display only):
| Field | Purpose |
|---|---|
| Visitor email address | Identify the buyer in the Client's dashboard |
| Stripe Checkout Session ID | Reference for support and reconciliation |
| Amount paid & currency | Display in the Client's lead list |
| Payment status | Confirm successful transactions |
This data is stored in bitli.st's database solely to allow the Client to view their payment leads. It is never used for any other purpose, never sold, and never shared outside of the sub-processors listed in Section 3.
9. International Data Transfers
bitli.st serves Clients worldwide. Some sub-processors (Cloudflare, Stripe) operate in the United States. Data transfers to these providers are protected by Standard Contractual Clauses (SCCs) as approved by the European Commission, ensuring an adequate level of data protection regardless of where the Client or their Visitors are located.
10. Cookies
bitli.st uses a minimal set of cookies:
| Cookie | Type | Purpose |
|---|---|---|
| Session cookie | Essential | Keeps you logged into your account |
| Stripe cookies | Essential | Required for payment processing |
We do not use advertising cookies, tracking pixels, or third-party analytics cookies that require consent banners.
11. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access — Request a copy of the data we hold about you.
- Rectification — Ask us to correct inaccurate data.
- Erasure — Ask us to delete your data (see Section 7 for Visitors).
- Portability — Receive your data in a structured, machine-readable format.
- Restriction — Ask us to limit processing of your data.
- Objection — Object to processing based on legitimate interest.
- Withdraw consent — Where processing is based on consent, withdraw it at any time.
These rights apply under GDPR (EU/EEA), CCPA (California), LGPD (Brazil), PIPEDA (Canada), and equivalent frameworks worldwide. To exercise any right, contact us at lrzalexandre@gmail.com. We will respond within 30 days.
EU/EEA residents also have the right to lodge a complaint with the CNIL: 🌐 https://www.cnil.fr
12. Security
We take reasonable technical and organizational measures to protect your data:
- Data at rest encrypted via Cloudflare R2 and Supabase.
- HTTPS enforced on all pages (SSL via Cloudflare).
- Access to production data restricted to authorized personnel only.
- API keys and secrets stored in environment variables, never exposed client-side.
In the event of a data breach affecting your rights, we will notify you and the relevant supervisory authority within 72 hours as required by GDPR.
13. Children
bitli.st is not directed at children under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has submitted data through our platform, please contact us immediately.
14. Changes to This Policy
We may update this Privacy Policy periodically. We will notify Clients of material changes via email or a notice on the Service. The "Last updated" date at the top reflects the most recent revision.
15. Contact & Data Controller
bitli.st Data Controller (for Client account data) Data Processor (for Visitor data collected via Client pages) France 📧 lrzalexandre@gmail.com
For Visitor data collected via Client pages, the data controller is the Client who operates that page. Contact them directly, or contact us if you cannot identify them.