Privacy Policy

Valid from April 26, 2026

Controller

Responsible for data processing:

Stefan Bödenauer

Soldanellenweg 55/13/3

1220 Vienna, Austria

Email: stefan.boedenauer@gmail.com

General Information

We process personal data to provide TV Show Tracker, secure accounts, run show-related features, prevent abuse, and improve the platform technically.

Legal bases include Art. 6 para. 1 lit. b GDPR (providing the service), lit. f (legitimate interest in operation, security, and improvement), lit. a (consent for optional features), and lit. c (legal obligations).

Data Collection and Processing

Account Data

Collected data:

  • Email address
  • Username (optional)
  • Display name (optional)
  • Profile image URL (optional)
  • Passkey/WebAuthn metadata such as credential ID, public key, device type, and transports
  • Language, region, streaming providers, notification settings, and display preferences

Purpose: Provide and manage your account.

Legal basis: Art. 6 para. 1 lit. b GDPR (contract performance).

Storage duration: Until account deletion.

Usage Data (watch history)

Collected data:

  • Watched shows and episodes
  • Show status (Watching, Completed, Dropped)
  • Ratings and notes
  • Timestamps of activity
  • Watch groups, invitations, memberships, and shared lists
  • Public list, calendar, or share links if you actively create them
  • API/OAuth/browser integration data, scrobble events, and imported or exported files

Purpose: Tracking your progress, statistics, and recommendations.

Legal basis: Art. 6 para. 1 lit. b GDPR (contract performance).

Storage duration: Until account deletion or deletion of individual entries.

Authentication (magic links and passkeys)

Collected data: Email address, login tokens, session data, passkey/WebAuthn challenges, and technical security data.

Purpose: Magic-link login, passkey login, session management, and abuse prevention.

Legal basis: Art. 6 para. 1 lit. b GDPR (account access) and Art. 6 para. 1 lit. f GDPR (security).

Email provider: Resend, Inc., USA - delivery of login, system, and notification emails based on appropriate safeguards.

Storage duration: Login links and security challenges are short-lived; sessions remain valid until logout or session expiry.

Notifications

Collected data: Email address, delivery status, optional web push endpoint, push keys, preferred language, and notification settings.

Purpose: Sending magic links, system emails, watch and group notifications, and optional push notifications.

Legal basis: Art. 6 para. 1 lit. b GDPR for required account communication, Art. 6 para. 1 lit. a GDPR for optional notifications.

Storage duration: Until the notification is disabled, the account is deleted, or technical delivery logs expire.

Disclosure to Third Parties

TMDB API (The Movie Database)

Purpose: Retrieving show metadata (titles, descriptions, images).

Transmitted data: Only TMDB IDs (no personal data).

Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest).

Privacy policy: TMDB privacy policy

Hosting (Vercel)

Provider: Vercel Inc., USA

Purpose: Hosting of the website, APIs, serverless functions, and delivery of static assets.

Collected data: Server and function logs, IP address, timestamp, user agent, requested URL, referrer, and technical error data.

Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest).

Privacy policy: Vercel privacy policy

Database (PostgreSQL/Prisma)

Provider: PostgreSQL database with Prisma Client and Prisma Data Platform components

Location: Primarily according to deployment configuration; the database provider is described neutrally as a PostgreSQL/Prisma setup.

Purpose: Store account, usage, integration, list, group, notification, and admin data.

Legal basis: Art. 6 para. 1 lit. b GDPR (contract performance).

Prisma Accelerate

Provider: Prisma Data Platform (USA/Global)

Purpose: Connection pooling, database access, and performance optimization.

Collected data: Encrypted database connections, technical query metadata, and temporary caches.

Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest).

Error Monitoring (Sentry)

Provider: Functional Software Inc., USA

Purpose: Error analysis, performance monitoring, sampled Session Replay, and user feedback.

Collected data: Error and performance data, stack traces, browser and device data, request URLs, referrers, console messages, replay metadata, feedback content, screenshots, and user context such as user ID and email where present in the account. Default IP collection is disabled.

Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest).

Privacy policy: Sentry privacy policy

Analytics, Speed Insights, and Web Vitals

Provider: Vercel Web Analytics, Vercel Speed Insights, and the app's own Web Vitals API

Purpose: Product and performance measurement, technical stability, and prioritizing improvements.

Collected data: Page URL, referrer, query parameters, browser, device, geo, and performance data, plus Web Vitals metrics; the implementation does not use marketing cookies for this.

Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in operation and improvement).

Privacy policy: Vercel Analytics privacy information

Bot protection (Cloudflare Turnstile)

Provider: Cloudflare, Inc., USA

Purpose: Protect login and resend flows from automated abuse.

Collected data: Browser and device signals, challenge result, technical usage data, and token for server-side validation.

Legal basis: Art. 6 para. 1 lit. f GDPR (security and abuse prevention).

Privacy policy: Cloudflare Turnstile documentation

Email delivery (Resend)

Provider: Resend, Inc., USA

Purpose: Delivery of magic links, system emails, group invitations, form forwards, and episode notifications.

Transmitted data: Email address, name/display name where present, message content, template metadata, sending status, and delivery status.

Legal basis: Art. 6 para. 1 lit. b GDPR and Art. 6 para. 1 lit. f GDPR; Art. 6 para. 1 lit. a GDPR for optional mailings.

Privacy policy: Resend privacy policy

Short-term storage and rate limits (Upstash Redis)

Provider: Upstash, Inc.

Purpose: Rate limiting, session versions, scrobble nonce checks, and technical abuse prevention.

Collected data: Short-lived technical identifiers, hashes, timestamps, counters, and nonces.

Legal basis: Art. 6 para. 1 lit. f GDPR (security and stability).

File and export storage (Vercel Blob)

Provider: Vercel Inc., USA

Purpose: Providing data exports and storing generated media such as animated posters.

Collected data: Export files, generated media files, file paths, technical metadata, and access URLs.

Legal basis: Art. 6 para. 1 lit. b GDPR for user exports and Art. 6 para. 1 lit. f GDPR for technical media management.

Privacy policy: Vercel Blob documentation

Configuration and feature gates (Vercel Edge Config)

Provider: Vercel Inc., USA

Purpose: Providing feature flags, rate-limit configuration, and operational parameters.

Collected data: Usually no user content; technical configuration values and status information.

Legal basis: Art. 6 para. 1 lit. f GDPR (operation and security).

Web Push

Purpose: Optional browser push notifications for new episodes or tests.

Collected data: Push subscription endpoint, public keys, notification settings, and technical delivery information.

Legal basis: Art. 6 para. 1 lit. a GDPR (consent).

Browser, OAuth, API, and scrobble integrations

Purpose: Connecting browser extensions, OAuth clients, WebMCP/browser flows, and external scrobble sources.

Collected data: OAuth client data, API tokens, signatures, nonces, IP/timestamps for abuse protection, and submitted show, season, and episode data.

Legal basis: Art. 6 para. 1 lit. b GDPR for actively used integrations and Art. 6 para. 1 lit. f GDPR for security.

SEO and indexing tools

Provider: Google Search Console, Bing Webmaster Tools, and IndexNow

Purpose: Submitting and monitoring public pages, sitemaps, and indexing status.

Transmitted data: Public URLs, sitemap data, technical crawling and indexing data; no private watch data.

Legal basis: Art. 6 para. 1 lit. f GDPR (discoverability of public content and operation).

Soundtrack search (Spotify)

Provider: Spotify AB

Purpose: Retrieving album and soundtrack metadata for shows.

Transmitted data: Search terms, album IDs, and public Spotify metadata; no user Spotify account data.

Legal basis: Art. 6 para. 1 lit. f GDPR (providing media metadata).

AI Services

AI features are used for recommendations, summaries, editorial helpers, universe/changelog text, and administratively triggered media features. Only show, metadata, and preference data required for the relevant purpose is transmitted.

Vercel AI Gateway

Provider: Vercel Inc., USA, as gateway to configured model providers

Purpose: Routing, fallback, billing, and operation of the AI models in use.

Transmitted data: Prompts, show and metadata, preferences, technical request metadata, and model responses; we do not intentionally transmit passwords, payment data, or private contact lists.

Legal basis: Art. 6 para. 1 lit. f GDPR and, for explicitly triggered optional AI features, Art. 6 para. 1 lit. a GDPR.

OpenAI models

Provider: OpenAI, USA

Purpose: Generate personalized recommendations, summaries, and content improvements.

Transmitted data: Show metadata, user preferences, and prompt context via Vercel AI Gateway where required for the relevant feature.

Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest), Art. 6 para. 1 lit. a GDPR (for explicit AI feature usage).

Privacy policy: OpenAI privacy policy

Google Gemini and Google models

Provider: Google LLC, USA

Purpose: Alternative and supplemental AI for recommendations, universe descriptions, research, and content helpers.

Transmitted data: Show metadata, user preferences, and prompt context via Vercel AI Gateway where required for the relevant feature.

Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest).

Privacy policy: Google privacy policy

AI media models

Provider: Providers connected through Vercel AI Gateway, e.g. ByteDance Seedance, Google Veo, and Alibaba Wan

Purpose: Generating or editing animated posters and similar media features.

Transmitted data: Image/poster references, technical prompts, generation parameters, result files, and status information.

Legal basis: Art. 6 para. 1 lit. f GDPR; for user-triggered optional features, Art. 6 para. 1 lit. a GDPR.

Automated Processing

GitHub Actions

Purpose: Automated background tasks (metadata updates, notifications, statistics calculation).

Transmitted data: No personal data is transmitted to GitHub; only internal API calls are made.

Legal basis: Art. 6 para. 1 lit. b GDPR (contract performance).

Cookies and Local Storage

Technically necessary cookies

Auth.js/NextAuth session cookies: Maintain the login session, e.g. __Secure-next-auth.session-token in production.

Legal basis: Art. 6 para. 1 lit. f GDPR (technically required).

Storage duration: Until logout or session expiry.

Functional cookies

Theme, language, and UI settings: Store light/dark mode, theme variant, content and UI language, and cookie preferences.

Legal basis: Art. 6 para. 1 lit. a GDPR (consent).

Storage duration: 1 year.

Analytics

Vercel Analytics, Speed Insights, and Web Vitals: Cookie-less product and performance telemetry with technical page, device, referrer, geo, and performance data.

Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest).

See our Cookie Policy for details.

Your GDPR Rights

You have the following rights at any time:

  • Right of access: Request a copy of your stored data.
  • Right to rectification: Correct inaccurate data.
  • Right to erasure: Request deletion of your data.
  • Right to restriction: Request restriction of processing.
  • Right to data portability: Export your data in a structured format.
  • Right to object: Object to processing based on legitimate interests.
  • Right to withdraw consent: Withdraw consent at any time.

How to exercise your rights:

  • Delete account via settings.
  • Export data via settings.
  • Other requests by email.

Right to lodge a complaint

You may complain to a supervisory authority.

Supervisory authority:
Austrian Data Protection Authority
Barichgasse 40-42
1030 Vienna, Austria
+43 1 52 152-0
Email: dsb@dsb.gv.at
Website: https://www.dsb.gv.at/

Data Security

We apply technical and organizational measures to protect your data.

  • HTTPS encryption
  • Passwordless authentication with magic links and passkeys
  • Regular security updates
  • Database backups

Changes to this policy

We may update this policy; the current version is available on this page.

Contact

For privacy questions, contact us:

Email: stefan.boedenauer@gmail.com