Privacy Policy — Repono
DRAFT — template, not legal advice. Review with a lawyer and fill all
[PLACEHOLDERS]before publishing.
Effective date: [EFFECTIVE_DATE]
1. Who we are
Repono is operated by [LEGAL_ENTITY], [ENTITY_ADDRESS], [COUNTRY] (“we”, “us”). We are the data controller for the personal data described in this policy. Contact for privacy questions: [CONTACT_EMAIL].
2. What this service is
Repono is a personal media organizer. It helps you organize your own media library (items, folders, favorites, tags, watch status, notes) and enrich entries with metadata from licensed sources. We do not provide, host, stream, or sell any films, series, channels, or subscriptions. You are responsible for the content and sources you add.
3. Data we collect
Account data — email address and password (handled by our authentication provider), and an optional display name and avatar.
Library content you create — media items you add (titles, release years, poster URLs you provide, your personal notes, your ratings, watch status and watched dates), folders, favorites, watchlist entries, and tags. This is content you choose to enter.
Settings — your preferences (theme, default view, language).
Metadata cache — when you look up a title, we may store returned metadata (title, overview, poster URL, cast, genres) in a shared cache. This is descriptive data about media, not about you.
Technical & security data — standard server logs and, for administrative actions, an audit log (who did what, when) used for security and support.
We do not store video streams, and we minimize the personal data we keep.
4. Why we use it, and our legal bases (GDPR Art. 6)
| Purpose | Legal basis |
|---|---|
| Create and run your account; provide the service | Performance of a contract |
| Store and sync your library, folders, settings | Performance of a contract |
| Security, abuse prevention, audit logging | Legitimate interests |
| Respond to support and legal requests | Legitimate interests / legal obligation |
| Optional analytics or marketing (only if introduced) | Consent |
5. Subprocessors
We use the following providers to run the service. Verify and keep this list current.
| Provider | Role | Location | Notes |
|---|---|---|---|
| Supabase | Authentication & database | EU (eu-west-1, Ireland) | Stores account and library data |
| Vercel | Application hosting | US (functions pinned to Frankfurt where available) | See international transfers below |
| TMDb | Metadata lookups | US | Receives title queries; used under its API terms with attribution |
If we add an email or analytics provider, we will update this list.
6. International transfers
Your account and library data are stored in the EU. Some providers (e.g. our hosting provider) may process data outside the EU. Where that happens, transfers rely on an appropriate safeguard such as EU Standard Contractual Clauses or the EU–US Data Privacy Framework. [Confirm the current mechanism with your provider.]
7. How long we keep data
| Data | Retention |
|---|---|
| Account & library data | Until you delete the item or your account |
| Watch history / notes | Under your control; deletable |
| Server logs | Short-term, for operations and security |
| Admin audit logs | Retained for security (typically 180–365 days) |
| Deleted-account data | Deleted or anonymized per our deletion process |
8. Your rights
Under the GDPR you can request: access, rectification, erasure, restriction, portability, and objection to certain processing. You can also delete your account at any time. To exercise a right, contact [CONTACT_EMAIL]. You have the right to lodge a complaint with your supervisory authority (in the Netherlands, the Autoriteit Persoonsgegevens).
9. Security
We apply access controls (row-level security so you can only access your own data), encrypted connections, least-privilege access, and audit logging for administrative actions. No system is perfectly secure, but we work to protect your data.
10. Cookies
We use only essential cookies required to keep you signed in. We do not use advertising cookies. If we introduce optional analytics, we will ask for consent first.
11. Children
The service is not directed at children under the age required for valid consent in your country, and we do not knowingly collect their data.
12. Changes
We may update this policy. We will change the effective date and, for material changes, notify you.
13. Contact
Questions or requests: [CONTACT_EMAIL].