SculptOps/Legal
← Back to site

Privacy policy

Translated from the French original — only the French text is binding.

Français

For any question or request relating to this policy, please contact us at contact@refacto.eu.

This Privacy Policy informs anyone using the sculptops.io website and associated services (“You” or “Your”) about:

  • how Refacto (“REFACTO”) collects, stores and processes Your personal data in connection with its services;
  • who is responsible for processing the personal data collected;
  • who receives this personal data;
  • the rights You have regarding this data;
  • the site’s cookie policy.

This policy supplements the Legal Notice, the Terms of Use, and, where applicable, the Terms of Sale.

Art. 1Scope

This policy applies to all personal data processing carried out by REFACTO in connection with the sculptops.io website and associated services (community library, OAuth-based community token issuance, documentation), in accordance with Regulation (EU) 2016/679 (GDPR), effective since 25 May 2018.

Personal data” means any information relating to an identified or identifiable natural person — directly or indirectly — particularly by reference to a name, an identifier, location data, an online identifier or other characteristic elements of that person’s identity (hereafter, the “Data”).

REFACTO is committed to protecting Your privacy by ensuring the protection, confidentiality and security of Your Data in connection with the services offered (the “Services”), in particular when:

  • You browse the sculptops.io website;
  • You authenticate via GitHub or GitLab to obtain a community token (at /connect);
  • You browse or contribute to the community library;
  • You contact us by email or any other support channel.

Art. 2Data processing

2.1Processing when You contact us

If You contact us by email, the following Data may be collected:

  • Your email address (mandatory);
  • Any other information You choose to share with us.

This information is used to handle Your request, respond to it and improve our services. Processing is based on REFACTO’s legitimate interest in managing user relationships, under Article 6.1.f GDPR.

2.2Authentication via a third-party provider (GitHub, GitLab)

When You use /connect to obtain a community token, REFACTO redirects You to the OAuth provider of Your choice (GitHub or GitLab). After authentication, the provider transmits the following information to REFACTO:

  • Your provider handle (GitHub “login” or GitLab “username”);
  • Your unique numeric identifier at the provider;
  • Your avatar URL;
  • Your public profile URL;
  • Your public organisation list (GitHub only), to allow the token to be associated with an organisational identity.

This Data is necessary for the performance of the contract between You and the community service (Article 6.1.b GDPR): without it, issuing a community token is impossible. It is then transmitted to the community service (operated by REFACTO), which creates a verified author record.

2.3Technical browsing data

When You browse the site, certain technical data is automatically collected to ensure security, stability and optimisation of the user experience:

  • Your IP address;
  • Browser type, operating system and display resolution;
  • Date and time of access;
  • Pages visited and session duration.

This data is processed to ensure the site’s security and technical administration, on the basis of REFACTO’s legitimate interest (Article 6.1.f GDPR).

2.4Retention period

REFACTO retains Data for the time necessary to meet the purposes described above, in accordance with applicable law:

  • Active community account: Data retained for the duration of token usage and up to five (5) years from last use;
  • Inactive community account (no use for 2 years): deletion after two (2) years of inactivity, with prior warning by email if a contact address is available;
  • Technical logs (article 2.3): maximum twelve (12) months;
  • Email queries (article 2.1): maximum three (3) years from last contact.

2.5Transfers and recipients

REFACTO will not process, host or transfer collected Data to a country outside the European Union, or recognised as “not adequate” by the European Commission, without prior notice to the user.

When You authenticate via GitHub or GitLab, Your Data passes through these providers’ servers. GitHub Inc. is a US-incorporated company, which involves a transfer outside the EU governed by the Standard Contractual Clauses adopted by the European Commission. GitLab Inc. is subject to a similar framework. REFACTO has no control over the processing carried out by these providers; their respective policies apply independently.

Data may be processed by REFACTO’s technical subcontractors (hosting, monitoring providers), selected on the basis of their GDPR compliance. Data is only disclosed to third parties in the following cases:

  • if You have given Your explicit consent;
  • if disclosure is necessary to enforce our rights or to comply with a legal obligation;
  • if it is essential for the performance of a contract with You.

Art. 3Data controller

All Data collected through Your use of the site and Services is managed by REFACTO.

The data controller can be contacted:

  • By post at REFACTO’s registered office: 6 Rue Guynemer — 57970 Yutz — France;
  • By phone at +33 7 72 36 20 31;
  • By email at contact@refacto.eu.

Art. 4Cookie policy

The sculptops.io site uses only strictly necessary cookies to operate. No analytics, advertising or audience measurement cookies are set.

The strictly necessary cookies used are:

  • wab.session-token — session token after OAuth authentication;
  • wab.csrf-token — CSRF attack protection;
  • wab.callback-url — stores the originating page after authentication;
  • wab.pkce-code-verifier, wab.state, wab.nonce — OAuth protocol parameters (lifetime: 15 minutes).

Under the ePrivacy directive and CNIL guidance, these cookies are exempt from prior consent because they are strictly necessary for the provision of the service requested by the user. You may nonetheless delete them via Your browser settings, at the risk of disabling authentication.

Art. 5Your rights

Under Regulation (EU) 2016/679 and the French Data Protection Act (Loi 78-17 of 6 January 1978), You have the following rights:

  • right to access, rectify and erase Data;
  • right to Data portability;
  • right to restrict and object to Data processing;
  • right not to be subject to a decision based solely on automated processing;
  • right to determine the fate of Data after Your death;
  • right to lodge a complaint with the competent supervisory authority.

To exercise Your rights, send Your request to contact@refacto.eu. So that the data controller can act on Your request, You may be required to provide certain information such as Your first name, surname, and email address.

If, after contacting us, You consider that Your rights are not respected, You may file a complaint with the CNIL:

  • CNIL — Service des plaintes
  • 3, place de Fontenoy — TSA 80715
  • 75334 PARIS CEDEX 07 — France

Art. 6Changes to this Privacy Policy

This policy may be amended or supplemented at any time, in particular in the event of legislative changes or improvements to our services. Any substantial change will be flagged on the site and, if necessary, by email to active community-token holders.

We invite You to review this page periodically to stay informed of any updates.

Last updated: 8 June 2026.