Vimoz — Privacy notice

Data controller and contact

The data controller responsible for the “Vimoz” website and online service is: [insert your company’s full legal name], [insert trade register or company number if applicable], with its registered office at [insert full postal address].

For questions about this privacy notice and for exercising your data protection rights, you can contact us at: [insert privacy contact e-mail]. If applicable law requires us to designate a Data Protection Officer, you can reach them at: [insert DPO contact details, or write “Not applicable”].

Purposes and legal bases for processing

We process personal data only for specific, explicit, and legitimate purposes. The main purposes and legal bases under Article 6 GDPR are:

Providing and operating your user account and the Vimoz features you request, including authentication, synchronising your library, wishlist, watching status, buddy features where you use them, and notifications (performance of a contract, Article 6(1)(b) GDPR).

Maintaining the security and integrity of the service, preventing fraud and misuse, rate limiting, logging security events, troubleshooting, and improving reliability and performance (legitimate interests, Article 6(1)(f) GDPR; where required, we balance those interests against your rights and you may have a right to object).

Complying with legal obligations to which we are subject, for example responding to lawful requests from courts or authorities (Article 6(1)(c) GDPR).

Where we introduce processing that requires consent under EU law (for example certain marketing communications or non-essential cookies or similar technologies), we will rely on consent (Article 6(1)(a) GDPR), obtain it separately, and you may withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

Categories of personal data

Depending on how you use Vimoz, we may process: account and identity data (e-mail address, username, first and last name as you provide at registration); security and authentication data (password hashes, recovery-code data you configure, session tokens, CSRF tokens, timestamps of logins and security events); usage and content data you generate (ratings, watched titles, wishlist entries, “currently watching” entries, free-text suggestions you submit, buddy relationships and consent or status fields where applicable, in-app notifications); and technical and connection data (IP address, user agent, request paths, error identifiers, and similar metadata in server and application logs).

We do not intend to collect special categories of personal data within the meaning of Article 9 GDPR (such as data revealing racial or ethnic origin, political opinions, health, etc.). Please do not submit such information unless a feature clearly requires it and we have informed you of a specific lawful basis.

Cookies and similar technologies

We use only first-party cookies and similar storage that are technically necessary to deliver the website or, where applicable, to remember a choice you have made:

auth_tok — HttpOnly, Secure session cookie used to keep you signed in after authentication.

csrf_tok — cookie used together with anti-CSRF tokens in forms to reduce cross-site request forgery.

vimoz_lang — cookie used to remember your selected interface language.

Session cookies expire after a limited period or when you log out. If we add analytics, advertising pixels, or other non-essential technologies, we will update this notice and, where required under Directive 2002/58/EC as implemented in EU Member States (“ePrivacy”) and related rules, obtain your prior consent before using such tools.

Recipients and processors

Personal data is accessed by our authorised personnel and, on a strict “need to know” basis, by IT service providers that host or operate parts of the infrastructure for us as processors (for example cloud hosting providers such as Amazon Web Services in the configuration we use). Those providers may only process data on our documented instructions and must implement appropriate security measures. We do not sell your personal data. An up-to-date list of main subprocessors, or a link to such a list, is available on request from [insert privacy contact e-mail].

Transfers of personal data outside the EEA

If personal data is transferred from the European Economic Area to countries that have not been subject to an adequacy decision by the European Commission, we implement appropriate safeguards under Chapter V GDPR — typically the European Commission’s standard contractual clauses for transfers to processors — together with supplementary technical or organisational measures where appropriate. You may request further information or a copy of the relevant safeguards by contacting [insert privacy contact e-mail].

Storage periods

We retain personal data only for as long as necessary for the purposes set out above. Account data is generally kept for the lifetime of your account and for a limited grace period afterwards for backup, dispute handling, and statutory limitation periods, unless a longer period is required by law. Technical logs are usually kept for a rolling period of [insert number] months unless a longer retention is necessary for security investigations or legal claims. When retention ends, we delete or irreversibly anonymise data in accordance with our internal policies.

Security of processing

We implement appropriate technical and organisational measures under Article 32 GDPR, including TLS encryption for data in transit, salted password hashing, access controls, separation of roles where feasible, and monitoring. No internet transmission or storage system is completely secure; you should use a strong password, protect recovery codes, and inform us promptly if you suspect unauthorised access to your account.

Your rights

Where GDPR applies, you have the right to: obtain confirmation as to whether we process your personal data and receive a copy (access, Article 15); obtain rectification of inaccurate data (Article 16); obtain erasure in certain cases (Article 17); obtain restriction of processing in certain cases (Article 18); receive your data in a structured, commonly used, machine-readable format and transmit it to another controller where technically feasible (data portability, Article 20); object to processing based on legitimate interests or for direct marketing (Article 21); and, where processing is based on consent, withdraw consent at any time (without affecting the lawfulness of processing before withdrawal).

You also have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement. EU supervisory authorities are listed, for example, via the European Data Protection Board.

To exercise your rights, please contact [insert privacy contact e-mail]. We will respond without undue delay and within one month of receipt where legally required (extensions may apply in complex cases). We may need to verify your identity before fulfilling certain requests.

Automated individual decision-making, including profiling

We do not make decisions based solely on automated processing, including profiling, which produce legal effects concerning you or similarly significantly affect you within the meaning of Article 22 GDPR. In-service recommendations or rankings are intended to help you discover content and do not replace human judgment on matters with legal or similarly significant effects.

Children

The service is not directed at children below the age at which they may lawfully provide consent to information-society services in their Member State (often 16, or a lower age not below 13 where national law permits). If you are younger, please do not register. If you believe we hold personal data relating to a child without an appropriate legal basis, please contact us at [insert privacy contact e-mail] and we will investigate and take appropriate action.

Contact for data subjects

For any request relating to this privacy notice or the processing of your personal data, including requests to exercise your GDPR rights, please use: [insert privacy contact e-mail] and, if relevant, [insert postal address]. [Optional: add URL of a dedicated web form.]

Changes to this notice

We may update this privacy notice to reflect changes in our processing operations, features, or legal requirements. The current version will always be published on this page. Please review the notice periodically. Where a change materially affects you and stricter rules apply, we will provide additional information or obtain consent as required by law.