Privacy Policy
Overview: This Privacy Policy explains how kinoora GmbH collects and processes your data in compliance with the General Data Protection Regulation (GDPR/DSGVO). We prioritize transparency and your control over your personal data.
Last updated: January 2026
1. Name and Address of the Controller
The controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws is:
kinoora GmbH
Orsoyer Str. 3
40474 Düsseldorf
Germany
Represented by: Daniel Breuer (Managing Director)
Email: hello@kinoora.com
We are currently not legally required to appoint a dedicated Data Protection Officer (DPO). For any privacy concerns, please contact the controller directly at the email above.
2. General Information on Data Processing
2.1 Scope of Processing
We generally only collect and use personal data of our users insofar as this is necessary to provide a functional website, our apps, and our content and services (VoD Portal). The collection and use of personal data of our users regularly take place only with the user's consent. An exception applies in cases where obtaining prior consent is not possible for factual reasons and the processing of the data is permitted by statutory regulations.
2.2 Legal Basis for Processing
In accordance with Art. 13 GDPR, we inform you of the legal basis for our data processing operations:
- Consent (Art. 6(1)(a) GDPR): If we obtain the consent of the data subject for processing operations.
- Performance of a Contract (Art. 6(1)(b) GDPR): If processing is necessary for the performance of a contract to which the data subject is party (e.g., Subscription, Streaming). This also applies to pre-contractual measures.
- Legal Obligation (Art. 6(1)(c) GDPR): If processing is necessary for compliance with a legal obligation to which our company is subject (e.g., Tax laws, Age Verification).
- Vital Interests (Art. 6(1)(d) GDPR): If vital interests of the data subject or another natural person require processing.
- Legitimate Interests (Art. 6(1)(f) GDPR): If processing is necessary to safeguard the legitimate interests of our company or a third party, and the interests, fundamental rights and freedoms of the data subject do not override the first-mentioned interest.
2.3 Data Deletion and Storage Duration
The personal data of the data subject will be deleted or blocked as soon as the purpose of storage ceases to apply. Storage may also take place if this has been provided for by the European or national legislator in Union regulations, laws, or other provisions to which the controller is subject. Blocking or deletion of the data also takes place when a storage period prescribed by the aforementioned standards expires, unless there is a need for further storage of the data for the conclusion or fulfillment of a contract.
2.4 Security (SSL/TLS)
This site uses SSL or TLS encryption for security reasons. You can recognize an encrypted connection by the "https://" line in your browser address bar.
2.5 Obligation to Provide Data
In the context of our business relationship (Registration, Subscription), you must provide those personal data that are required for the execution of the contract (e.g., Email, Country, Birthday). Without this data, we cannot create an account or provide the service.
2.6 Transfer to Third Countries
Due to technical or licensing requirements, personal data may be transferred to and processed by third parties commissioned by us who are located outside the European Union (e.g., in the USA). In such cases, Kinoora will ensure that the transfer of your personal data is carried out in accordance with applicable data protection laws. Specifically, we rely on the EU-U.S. Data Privacy Framework (DPF) or the EU Commission's Standard Contractual Clauses (SCCs) to ensure adequate protection.
3. Hosting and Server Log Files
We use external service providers to host our website and provide technical infrastructure. These providers act as processors on our behalf. All data collected on this website is stored on the servers of these providers.
Data Collected (Server Logs):
The system automatically collects data and information from the computer system of the calling computer each time our website is accessed:
- Browser type and browser version
- Operating system used
- Internet Service Provider (ISP)
- Referrer URL (website from which access is made)
- Hostname of the accessing computer
- Time of the server inquiry
- IP address (anonymized/masked)
- Device ID (if applicable)
Providers Used:
- AWS (Amazon Web Services): Backend & Database Hosting (Luxembourg/Germany regions). Privacy Policy
- Cloudflare: Content Delivery Network & Security (USA). Privacy Policy
Purpose & Legal Basis
The temporary storage of the IP address by the system is necessary to enable delivery of the website to the user's computer. The data is also stored in log files to ensure the functionality of the website, optimize our systems, and ensure the security of our information technology systems. An evaluation of this data for marketing purposes does not take place in this context.
Legal Basis: Art. 6(1)(f) GDPR (Legitimate Interest).
Duration of Storage
The data will be deleted as soon as it is no longer necessary to achieve the purpose for which it was collected. In the case of data storage in log files, this is generally the case after 7 days at the latest.
Possibility of Objection
The collection of data for the provision of the website and the storage of data in log files is absolutely necessary for the operation of the website. Consequently, there is no possibility of objection on the part of the user.
4. Registration and Subscription
To use Kinoora, you must create an account. The data collected depends on your user role.
A. For Viewers (Watchers)
- Mandatory: First Name, Last Name, Email, Password, Country, Birthday (for capacity to contract).
- Optional: Gender (Diversity/Salutation), City, Profile Picture.
B. For Filmmakers
- Mandatory: First Name, Last Name, Email, Password, Country, Birthday, Profile Picture (for public representation).
- Optional: Gender, City, Bio/About text.
Purpose: To manage your account, verify your ability to contract, and display your public profile (if applicable).
Legal Basis: Art. 6(1)(b) GDPR (Performance of a Contract) for mandatory fields. Art. 6(1)(a) GDPR (Consent) for optional fields.
5. Streaming, Licensing & Device Data
When you use our services to stream films or series, we process technical and contract-related data. This is mandatory to verify your subscription, enforce licenses, and ensure playback quality.
Data Collected during Streaming:
- Content Accessed: Title, Timestamp, Duration.
- Authorization Data: Subscription Status, Account ID (to verify the right to access).
- Network Data: IP Address, Bandwidth, Internet Service Provider (ISP).
- Device Data: Device ID, Browser Type, Operating System.
- Security Data: VPN/Proxy detection status.
Purpose: Geo-Blocking & Anti-Piracy
1. Regional Licenses: The IP address is collected to determine if you are accessing the VoD portal from a permitted region (e.g., DACH) in accordance with filmmaker licenses.
2. VPN Detection: We analyze the IP address to detect the use of unauthorized VPN or Proxy services that attempt to bypass these licensing restrictions.
Mux Video
We use Mux (Mux, Inc., USA) for video encoding and streaming delivery. Mux processes viewing data (Quality of Service) to optimize the stream (e.g., Adaptive Bitrate). Privacy Policy
Legal Basis:
Art. 6(1)(b) GDPR (Contract performance: Delivering the movie you paid for).
Art. 6(1)(f) GDPR (Legitimate interest: Enforcing territorial licenses and preventing fraud/piracy).
6. Age Verification (Jugendschutz)
6.1 Description and Purpose
To access age-restricted content (films rated FSK 16 or FSK 18), we are legally required under the German Interstate Treaty on the Protection of Minors in the Media (JMStV) to verify that you are of legal age.
Timing of Verification:
This verification is not triggered at Sign-Up. It is initiated only when you actively attempt to watch content rated FSK 16 or 18 for the first time.
6.2 Service Provider
We use the external service VerifyMy (VerifyMyAge Limited, 20-22 Wenlock Road, London, N1 7GU, UK). The UK is recognized by the EU as having an adequate level of data protection. VerifyMy acts as a separate data controller for the verification process. Privacy Policy
6.3 Verification Methods & Data Flow
You can choose between different verification methods. Depending on your choice, data is processed as follows:
- Facial Age Estimation: You scan your face using your device's camera. VerifyMy uses AI to estimate your age.
Note: This involves the processing of biometric data. The image is deleted by VerifyMy immediately after the estimation is complete.
- ID Check: You upload a photo of your ID document. VerifyMy extracts the date of birth to confirm your age.
Kinoora does not receive or store your ID documents, face scans, or biometric data. We only receive a secure token confirming the result (Pass/Fail).
6.4 Storage Duration
Kinoora only stores the positive verification result ("Age Verified: Yes") in your user profile for the duration of your contract, so you do not have to repeat the check every time. VerifyMy deletes the verification data in accordance with their own retention policies (typically immediately after the check).
6.5 Automated Decision Making
The verification process involves automated decision-making. If the system cannot verify your age, access to restricted content is automatically blocked. You have the right to contact us to contest the decision manually.
Legal Basis: Art. 6(1)(c) GDPR (Legal Obligation) and Art. 9(2)(a) GDPR (Explicit Consent for Biometric Processing via VerifyMy).
7. Payment Processing
7.1 Scope and Purpose
We process payment data to handle your subscription or individual purchases and to calculate the correct VAT/Sales Tax based on your location. The exact data collected depends on the payment method you select.
General Payment Data:
- First and Last Name
- Billing Address (depending on your location this can include City, Postal Code, Country, and Street for tax determination)
- Transaction ID (Unique Identifier for the purchase)
- Purchase amount and currency
- IP Address & Card Issuing Country (for fraud prevention and validation of tax residence)
7.2 Stripe (Primary Processor)
Our main payment gateway is Stripe Payments Europe, Ltd. (Ireland). Privacy Policy
a) Credit Card Payments
If you pay by credit card, your data (Card Number, Expiry, CVC) is sent directly to Stripe. Kinoora never stores full credit card numbers. We only store a "Payment Method Token" (a reference ID) to allow recurring subscription charges.
b) SEPA Direct Debit
For SEPA Direct Debit, Stripe collects your IBAN and the account holder's name. By accepting the mandate, you authorize Stripe to collect payments from your bank account.
c) Other Stripe Methods (iDEAL, Bancontact, etc.)
For local payment methods, you are typically redirected to your bank's environment. Stripe receives a confirmation of successful payment.
7.3 Digital Wallets & Third Parties
If you use a digital wallet, data is transmitted to the provider acting as an independent controller. These providers have their own privacy policies:
- PayPal: PayPal (Europe) S.à r.l. et Cie, S.C.A., Luxembourg. Privacy Policy
- Apple Pay: Apple Distribution International Ltd., Ireland. Privacy Policy
- Google Pay: Google Ireland Limited, Ireland. Privacy Policy
- Amazon Pay: Amazon Payments Europe s.c.a., Luxembourg. Privacy Policy
- MobilePay: Vipps MobilePay AS, Norway. Privacy Policy
7.4 Automatic Tax Calculation (Stripe Tax)
We use "Stripe Tax" to automatically calculate the applicable tax rate for your subscription based on your location. For this purpose, Stripe compares your IP address, the issuing country of your payment card, and your billing address. This data is stored to comply with international tax regulations (e.g., EU VAT OSS, UK VAT) and to prove your location to tax authorities.
Legal Basis: Art. 6(1)(b) GDPR (Performance of a contract), Art. 6(1)(c) GDPR (Compliance with a legal obligation) for tax calculation and retention of tax-relevant data and Art. 6(1)(f) GDPR (Legitimate interest in fraud prevention via Stripe Radar).
8. Filmmaker Monetization & Payouts
If you choose to monetize your work on kinoora, we collect additional information necessary to process your earnings and comply with international tax and financial regulations.
8.1 Data We Collect for Payouts
To facilitate payments, we require the following from Filmmakers:
- Banking Information: Account Holder Name, Bank account details including Account number/IBAN, Sort Code/BIC.
- Legal Address: Your full legal residential address for tax residency verification and invoicing.
- Tax Information (Optional/As applicable): VAT ID (for businesses).
8.2 Purpose and Legal Basis for Processing
We process this sensitive data under the following legal grounds:
- Performance of a Contract (Art. 6(1)(b) GDPR): We cannot pay you for your work without your banking details and legal identity.
- Legal Obligation (Art. 6(1)(c) GDPR): We are legally required to maintain financial records for tax authorities and to comply with Anti-Money Laundering (AML) and "Know Your Customer" (KYC) regulations.
8.3 Data Retention for Financial Records
Please note that even if you delete your Kinoora account, we are required by law to retain your transaction history, legal address, and payout details for a minimum of 10 years to comply with tax and audit requirements.
8.4 Financial Institutions & Payment Partners
We share necessary payout information (such as your name and IBAN) with our professional banking providers solely to execute the payment of your earnings. These institutions process your data as independent controllers in accordance with their own regulatory obligations.
9. Email Communication, Newsletter & CRM
8.1 Transactional Emails (Required)
For the reliable delivery of system-relevant emails (e.g., Registration Confirmation, Password Reset, 2FA codes, Payment Receipts), we use the service provider SendGrid (Twilio Inc., USA).
This processing is technically necessary to provide the platform functionality and fulfill our contract with you. SendGrid is certified under the EU-U.S. Data Privacy Framework (DPF).
Legal Basis: Art. 6(1)(b) GDPR (Performance of a Contract).
Privacy Policy: https://www.twilio.com/legal/privacy
8.2 Newsletter & Marketing (Brevo)
We use Brevo (formerly Sendinblue), a service provided by Sendinblue SAS, 106 boulevard Haussmann, 75008 Paris, France, to manage our waitlists, send newsletters, and run email marketing campaigns.
If you subscribe to our newsletter, your data (Email, Name, Interaction data like opens/clicks) is stored on Brevo’s servers in the EU. We use this data to send you updates about new films and features and to optimize our content.
Legal Basis: Art. 6(1)(a) GDPR (Consent).
Privacy Policy: https://www.brevo.com/legal/privacypolicy/
8.3 CRM & Contact Management (HubSpot)
We also use HubSpot (HubSpot, Inc., USA) as a Customer Relationship Management (CRM) system. We use HubSpot to organize contact data, manage user inquiries, and maintain business relationships. If you have previously signed up via HubSpot forms, your data may continue to be processed here.
Legal Basis: Art. 6(1)(f) GDPR (Legitimate Interest in efficient customer management) or Art. 6(1)(a) GDPR (Consent).
Privacy Policy: https://legal.hubspot.com/privacy-policy
8.4 Unsubscribe Rights
You can unsubscribe from the newsletter or marketing emails at any time via the "Unsubscribe" link at the bottom of every email. Please note that Transactional emails (8.1) (e.g., invoices, password resets) cannot be unsubscribed from, as they are vital for the operation of your account.
10. General Contact Requests (Email)
9.1 Description and Purpose
If you contact us via email (e.g., hello@kinoora.com), the personal data transmitted with the email will be stored. This includes your email address and any personal data contained in the message body or attachments.
The data is used exclusively for processing the conversation and your request. There is no disclosure of this data to third parties, except for our technical processors (e.g., HubSpot/Microsoft 365) who help us manage our inbox.
9.2 Legal Basis
The legal basis for processing the data transmitted in the course of sending an email is Art. 6(1)(f) GDPR (Legitimate Interest in effective communication). If the email contact aims at the conclusion of a contract (e.g., a filmmaker applying for distribution), the additional legal basis is Art. 6(1)(b) GDPR.
9.3 Storage Duration
The data will be deleted as soon as it is no longer necessary to achieve the purpose for which it was collected. For personal data sent by email, this is the case when the respective conversation with the user has ended. The conversation is ended when it can be inferred from the circumstances that the facts in question have been finally clarified.
11. Cookies & Analytics
10.1 General Information on Cookies
We adhere to the principle of data minimization. We use cookies to ensure the functionality of our website and apps. Cookies are small text files that are saved on your device by your browser.
We distinguish between two categories:
- Technically Necessary Cookies: These are essential for the operation of the site (e.g., saving your login status, processing payments via Stripe, saving your cookie preferences via Cookiebot). You cannot opt-out of these.
- Analytics/Marketing Cookies: These help us understand how you use the site (Google Analytics). These are only set if you give your explicit consent.
10.2 Technically Necessary Cookies
For these cookies, the legal basis is Art. 6(1)(f) GDPR (Legitimate Interest). Our legitimate interest lies in the smooth and secure operation of the login and payment process.
10.3 Google Analytics (Marketing/Statistics)
This website uses functions of the web analysis service Google Analytics (Google Ireland Limited). Google Analytics enables us to analyze the behavior of website visitors. The website operator receives various usage data, such as page views, length of stay, operating systems used, and origin of the user.
Key Privacy Features:
- IP Anonymization: We have activated the IP anonymization function on this website. As a result, your IP address will be shortened by Google within the EU before being transmitted to the USA.
- Browser Plugin: You can prevent the collection and processing of your data by Google by downloading and installing the browser plugin available here: https://tools.google.com/dlpage/gaoptout?hl=en.
- US Transfer: Data transfer to Google servers in the USA is based on the EU-U.S. Data Privacy Framework (DPF) and Standard Contractual Clauses.
Legal Basis: The use of Google Analytics occurs exclusively on the basis of your consent (Art. 6(1)(a) GDPR and § 25 (1) TDDDG). You can revoke this consent at any time via the Cookie Settings.
10.4 Cookiebot (Consent Management)
We use the consent management service Cookiebot (Usercentrics A/S, Denmark). This tool allows you to grant or deny consent for specific cookie categories. It stores your choice in a cookie so that you are not asked again on every page visit. Privacy Policy
Legal Basis: Art. 6(1)(c) GDPR (Legal Obligation to obtain proof of consent).
12. Social Media Profiles
Our website includes simple external links to our social media profiles. No data is transmitted to these platforms upon loading our page. Data is only transferred when you actively click on a logo. The data protection policies of the respective platform operator then apply.
- Facebook & Instagram: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. Privacy Policy
- LinkedIn: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. Privacy Policy
- YouTube: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Privacy Policy
- TikTok: TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland. Privacy Policy
13. Your Rights as a Data Subject
If personal data concerning you is processed, you are a data subject within the meaning of the GDPR and you have the following rights against the controller:
13.1 Right of Access (Art. 15 GDPR)
You have the right to request confirmation from us as to whether personal data concerning you is being processed. If this is the case, you can request information about:
- The purposes of the processing;
- The categories of personal data concerned;
- The recipients or categories of recipients to whom the data has been disclosed;
- The planned duration of storage or criteria for determining this duration;
- The existence of the right to rectification, erasure, restriction of processing, or objection;
- The right to lodge a complaint with a supervisory authority;
- The existence of automated decision-making, including profiling.
13.2 Right to Rectification (Art. 16 GDPR)
You have the right to request the rectification of inaccurate personal data concerning you and/or the completion of incomplete personal data without undue delay.
13.3 Right to Restriction of Processing (Art. 18 GDPR)
You may request the restriction of the processing of your personal data under certain conditions (e.g., if you contest the accuracy of the data) for the duration of the verification.
13.4 Right to Erasure ("Right to be forgotten") (Art. 17 GDPR)
You can request that your personal data be deleted immediately if one of the following reasons applies:
- The data is no longer necessary for the purposes for which it was collected.
- You withdraw your consent and there is no other legal basis for processing.
- You object to the processing (Art. 21(1) GDPR) and there are no overriding legitimate grounds.
- The personal data has been processed unlawfully.
- Erasure is required for compliance with a legal obligation in Union or Member State law.
Exceptions: The right to erasure does not apply if processing is necessary for exercising the right of freedom of expression, for compliance with a legal obligation, or for the establishment, exercise or defense of legal claims.
13.5 Right to Data Portability (Art. 20 GDPR)
You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format. You also have the right to transmit those data to another controller without hindrance from us.
13.6 Right to Object (Art. 21 GDPR)
1. Objection on grounds of your particular situation:
You have the right to object at any time to the processing of your personal data which is based on Art. 6(1)(f) GDPR (Legitimate Interest). We will then no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms.
2. Objection against Direct Marketing:
If we process your personal data for direct marketing purposes (e.g., Newsletter), you have the right to object at any time. We will immediately stop processing your data for these purposes.
13.7 Right to Withdraw Consent (Art. 7(3) GDPR)
You have the right to withdraw your declaration of consent under data protection law at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
13.8 Right to Lodge a Complaint (Art. 77 GDPR)
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement.
The authority responsible for us is:
Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW)
Kavalleriestr. 2-4, 40213 Düsseldorf.