This Privacy Policy explains how B65 Watch Faces ("we", "us") collects, uses, and protects your personal data when you purchase a watch face licence or interact with our website. It applies to all users including residents of the European Union (RGPD / GDPR).
1. Data Controller
The data controller responsible for your personal data is:
- Entity: B65 Watch Faces – Independent developer
- Country: France
- Website: pay.b65dev.com
- Contact: Contact form
2. Personal Data We Collect
We collect only the data strictly necessary for providing our services:
| Data | Purpose | Legal basis | Retention |
|---|---|---|---|
| Email address | Deliver your licence key; send order confirmation | Contract performance (Art. 6.1.b GDPR) | Duration of the licence + 3 years |
| Billing country (where available) | Invoice records and VAT compliance | Legal obligation / Legitimate interest (Art. 6.1.c & 6.1.f GDPR) | 10 years (French accounting law) |
| Transaction reference | Link invoice to payment, handle disputes | Legal obligation / Legitimate interest | 10 years |
| Device identifier (opaque ID generated by Garmin's SDK) | Licence activation & device limit enforcement | Contract performance (Art. 6.1.b GDPR) | Duration of the licence |
| IP address | Security, fraud prevention, server logs | Legitimate interest (Art. 6.1.f GDPR) | 60 days (rolling log rotation) |
| Contact form messages | Respond to support requests | Legitimate interest / Pre-contractual steps | 3 years after last interaction |
We do not collect payment card data directly. All payment processing is handled by Stripe, Inc., a certified PCI-DSS Level 1 processor. See their privacy policy at stripe.com/privacy.
3. How We Use Your Data
- Generate and deliver your licence key by email after purchase
- Activate and enforce the device limit for your licence
- Issue legally compliant invoices and credit notes
- Respond to support requests submitted via the contact form
- Detect and prevent fraud, abuse, and security incidents
- Comply with applicable legal obligations
We do not use your data for marketing or advertising purposes. We do not sell or rent your personal data to third parties.
The watch face application itself does not collect personal data. It only sends the licence key and a device identifier (an opaque ID generated by Garmin's SDK) to the licensing server. This identifier is not linked to your personal identity and is used solely to enforce the device limit on your licence.
4. Sub-processors
Your data may be processed by the following trusted sub-processors, each bound by data processing agreements:
| Sub-processor | Role | Location |
|---|---|---|
| Stripe, Inc. | Payment processing | USA (EU Standard Contractual Clauses) |
5. Data Security
We apply technical and organisational measures to protect your data:
- Licence keys are stored as salted cryptographic hashes — the original key is never stored in plain text
- Device identifiers are opaque IDs generated by Garmin's SDK — they are not linked to personal identity
- All communications are encrypted using TLS / HTTPS
- Access to production systems is restricted and monitored
- Automated backups are encrypted and stored securely
6. Cookies
Our portfolio pages do not use tracking cookies, analytics cookies, or advertising cookies.
During the checkout process, Stripe may set cookies required to process the payment securely. These are strictly necessary cookies and are governed by Stripe's cookie policy.
7. Your Rights (GDPR / RGPD)
If you are located in the European Union or European Economic Area, you have the following rights regarding your personal data:
- Right of access (Art. 15) — Request a copy of the personal data we hold about you
- Right to rectification (Art. 16) — Request correction of inaccurate data
- Right to erasure (Art. 17) — Request deletion of your data, subject to legal retention obligations (e.g. invoices must be kept 10 years)
- Right to restriction (Art. 18) — Request that we limit processing of your data
- Right to data portability (Art. 20) — Receive your data in a structured, machine-readable format
- Right to object (Art. 21) — Object to processing based on legitimate interest
- Right to withdraw consent — Where processing is based on consent, you may withdraw it at any time
To exercise any of these rights, please use our contact form. We will respond within 30 days as required by the GDPR. We may ask you to verify your identity before processing your request.
You also have the right to lodge a complaint with the French data protection authority:
- CNIL — Commission Nationale de l'Informatique et des Libertés — www.cnil.fr
8. International Data Transfers
Stripe, Inc. is based in the United States. Data transfers to Stripe are covered by EU Standard Contractual Clauses (SCC) as per Stripe's Data Processing Agreement, ensuring an adequate level of protection.
We do not otherwise transfer your personal data outside the European Economic Area.
9. Minors
Our services are not directed at persons under 18 years of age. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, please contact us to request deletion.
10. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices or applicable law. The "Last updated" date at the top of this page will be revised accordingly. Continued use of our services after the updated policy is posted constitutes acceptance.
11. Contact
For any questions about this Privacy Policy or to exercise your rights, please contact us via our contact form.
Version: 1.0
Effective date: February 27, 2026
Last modified: February 27, 2026