Skip to main content
Léonard Sellem

Privacy policy

What I collect, what I don’t, and why.

Last updated: 22 April 2026.

I run a small practice. The site is static and the forms are mine; the goal is to keep the data footprint as close to zero as it can be while still letting you reach me. This page documents what I collect, where it lives, and how long it stays.

Who is the data controller?

Léonard Sellem — LS Ventures — 3 rue Villedo, 75001 Paris, France. You can contact me at leonard [at] sellem [dot] me with any privacy question.

Contact form

When you send a message through the contact form, I receive:

  • Your name and work email.
  • Optional: company name, rough annual revenue band, and preferred start timeline.
  • Required: a free-text description of the bottleneck you want help with.
  • A SHA-256 hash of the submitting IP address (for abuse detection only, not geolocation).
  • Your browser’s user-agent string.

How the data is handled

  • Persistence: rows land in a Supabase Postgres instance hosted in the European Union. Row-level security is enabled and only the server-side service-role key can read or write the table.
  • Notification: a copy of the message is emailed to me via Resend so I can reply. Resend receives the email body to deliver it; they don’t receive any metadata I haven’t also stored.
  • Retention: 24 months from submission. If we don’t end up working together, the row is deleted. If we do, the record merges into my client operational records, which have their own retention policies I will share if you ask.

I do not add contact-form senders to any marketing list. I do not share submissions with anyone.

Newsletter

If you subscribe to the newsletter, I store:

  • Your email address, lowercased.
  • The date you subscribed, the date you confirmed, and the date you unsubscribed (if you do).
  • The locale you signed up from (EN or FR).
  • A random confirmation token used for the double-opt-in email.

Unsubscribed rows are retained — the unsubscribed_at timestamp is kept so I can prove you asked to stop. Rows are never sold, shared, or used for anything other than sending the newsletter itself.

Anti-spam

I use Cloudflare Turnstile on the contact and newsletter forms. Turnstile’s server-side verification reads the token you receive from their widget and your IP address. Cloudflare’s privacy policy covers what they do with those signals; I don’t receive anything beyond a pass / fail.

Rate limiting

Per-IP rate limits protect the forms from abuse. The raw IP is never persisted — only a hash is stored, and only for records that actually reach the database.

Analytics

The site loads Google Tag Manager, and only after you grant consent via the cookie banner. If you refuse, nothing analytics-related loads. I only enable the following tags through GTM:

  • Google Analytics 4 — anonymized IP, EU-region data processing terms, no advertising personalisation.
  • No third-party trackers, no marketing pixels.

Your rights

You can ask me at any time to:

  • Access the data I hold about you.
  • Correct or update any inaccurate data.
  • Delete any or all of it.
  • Receive a machine-readable export.
  • Object to or restrict processing.

Write to leonard [at] sellem [dot] me. I acknowledge within three working days and complete the request within the window required by EU law (generally one month, extendable to three for complex cases with explicit notice).

If you feel the response is inadequate, you can lodge a complaint with the French data-protection authority (CNIL).

Changes to this policy

I update this page whenever the processors or retention rules change. The “last updated” date at the top of the page reflects the most recent substantive change. Purely typographic edits do not bump the date.