The Programme · Document II Doc 26-PRV-1 · Page 1 of 1

Privacy policy

What we collect, what we don't, and what we will never do. We made the cinema free; we did not make you the product. This is the contract that keeps it that way.

Last revised 14 Apr 2026 · Effective 01 May 2026 · Version 2.4

No. I

Our promises front of house

If you only read one section, read this one. The rest of the document expands on what's here.

Promise 01

We don't sell your data

Not to advertisers. Not to data brokers. Not to anyone. The cinema is not the product; you are not the product.

Promise 02

You can watch anonymously

No account required to stream. No personalization profile is built unless you log in and opt in.

Promise 03

You can take it all back

Export your data, delete your account, opt out of personalization — any time, in two clicks, no email gauntlet.

Promise 04

We tell you when something changes

Material privacy changes get a banner and an email at least 14 days in advance. No silent updates.

No. II

What we collect

The shorter the list, the better. We've worked hard to keep it short.

Category | What's in it | Source
Account basics | Email, display name, password hash, optional avatar. | You give us
Investor identity | Legal name, DOB, residential address, SSN/ITIN, accreditation status. Required by Reg CF. | You give us
Payment details | Bank account number, ACH routing, card last-4. Tokenized; we never store full PAN. | Stripe / Plaid
Watch history | Films you started, paused, finished. Tied to your account if logged in; otherwise device-local only. | You generate
Device & session | IP, user agent, screen size, network type, locale. Used for streaming quality and abuse prevention. | Automatic
Communications | Emails you send us, support tickets, comment posts. | You give us
Creator uploads | Films, metadata, thumbnails, tax info (W-9 / W-8BEN). | You give us

In plain language

Watching gets you a watch history. Investing requires KYC. Uploading requires tax forms. Everything else is optional.

No. III

How we use it

We collect data to do six things — nothing more.

  • Run the cinema — stream films, store your watchlist, render your portfolio.
  • Pay people — distribute investor returns, pay creator royalties, file taxes.
  • Comply with law — Reg CF investor caps, AML/KYC, DMCA, tax reporting.
  • Make recommendations — suggest films you might like, based on what you've watched. Off by default for unauthenticated viewing.
  • Improve the product — aggregate analytics on what features get used, what films get watched. Always pseudonymized.
  • Email you — receipts, distribution statements, security alerts (always); product news (only if you opt in).

What we use AI for

We use machine learning for film recommendations, search ranking, automated content classification (NSFW detection, copyright matching), and abuse moderation. We don't train third-party AI models on your private data, and we don't use the contents of your private messages to train anything.

No. IV

Who we share with

Cinema is run by a small team and a short list of vendors who help us operate. We share data with them only when necessary, only the minimum, and only under contract.

Stripe
Card and ACH processing for investor purchases and creator payouts. Receives payment details. Subject to PCI-DSS.
Plaid
Bank account verification for investors. Receives account credentials transiently; we never see them.
Persona
Identity verification (KYC) for investors. Receives ID documents and selfie. Cinema receives a pass/fail and a hash.
AWS / Cloudflare
Hosting, video delivery, DDoS protection. Sees encrypted payloads in transit, encrypted-at-rest in storage.
Postmark
Transactional email delivery. Receives email addresses and message bodies for the emails we send you.
Funding portal
Our SEC-registered Reg CF partner. Receives investor identity and order details to operate the offering.
Tax authorities
The IRS and applicable state agencies, as required by law. 1099-DIV, 1099-NEC.
Law enforcement
When compelled by valid legal process. We push back where we can; we publish a transparency report annually.

We do not share data with advertisers, data brokers, or AI training data resellers.

No. V

What we will not do

A short list of things you might worry about, and our standing position on each.

  • We will not sell your personal data, watch history, or contact information.
  • We will not let advertisers track you across the web. There is no Cinema pixel on third-party sites.
  • We will not train AI on your private messages, your support tickets, or content marked private.
  • We will not require account creation to watch films.
  • We will not build a shadow profile of you if you choose not to log in.
  • We will not retain investor KYC documents longer than the law requires (5 years post-relationship).
  • We will not read your DMs, except where required to investigate a specific abuse report.

No. VI

How long we keep it

Different data ages out at different rates. Here's how each category behaves.

Watch history | Rolling. You can clear it any time. | 2 years
Account profile | Until you delete the account, plus 30-day grace. | Indefinite
Investor records | SEC and IRS require this. We can't shorten it. | 5 years
Payment data | Tax-record retention. | 7 years
Support tickets | For follow-ups and quality review. | 18 months
Server logs | For abuse triage and ops. | 90 days
Deleted accounts | Hard-deleted from primary systems; backups age out at 30. | 30 days

No. VII

Your rights

Wherever you are, these are available. If you live in California, the EU, the UK, Brazil, or any jurisdiction with a data-rights regime, the same controls apply — we don't run a separate menu by region.

i. Access
See everything we have on you, in a human-readable export.
Account → Privacy → Export

ii. Portability
Download your data as JSON or CSV, take it elsewhere.
Account → Privacy → Export

iii. Correction
Fix anything that's wrong. Most fields are editable in-app.
Account → Profile

iv. Deletion
Delete your account and the data we hold, subject to legal retention.
Account → Danger zone

v. Opt out
Of personalization, of marketing email, of analytics — independently.
Account → Privacy

vi. Object
To any processing you disagree with. Reply to any email; we read every one.
privacy@cinema.example

No. VIII

Cookies & tracking

We use the smallest set of cookies the law allows. None are advertising cookies.

Strictly necessary

Session cookies for keeping you signed in. CSRF tokens. These can't be disabled without breaking the site.

Functional

Player quality preference, last position, theme preference. Stored device-local. You can clear at will.

Analytics

First-party, self-hosted, IP-anonymized. Off by default for visitors who send a Global Privacy Control signal. We do not use Google Analytics.

Advertising

None. We don't run ad-tracking cookies.

No. IX

Minors

Cinema is not directed to children under 13. We don't knowingly collect data from anyone under 13. If you're a parent and believe we have your child's data, write to us at privacy@cinema.example and we'll delete it.

Account creation requires age 16+. Investing requires age 18+. Creator uploads require age 18+ and tax-form completion.

No. X

Outside the United States

Cinema is operated from the U.S. If you are outside the U.S., your data is processed in the U.S. We rely on Standard Contractual Clauses for transfers from the EEA, UK, and Switzerland, and on equivalent mechanisms for other jurisdictions.

Investing is currently U.S.-only. Watching is global.

No. XI

Security

We encrypt data in transit (TLS 1.3) and at rest (AES-256). Passwords are stored as Argon2id hashes. We run continuous vulnerability scanning and an external security audit annually. Two-factor authentication is available; we encourage you to enable it.

If we ever experience a breach affecting you, we will notify you within 72 hours of confirming impact, in plain language, with what was exposed and what we're doing about it.

Report vulnerabilities to security@cinema.example. We pay bounties for responsible disclosure.

No. XII

Changes to this policy

Material changes to this policy will be announced by email and a banner in the Service at least 14 days before they take effect. Minor edits (typos, clarifications) are made in place. The full version history is published at the bottom of this page on request.

No. XIII

Contact

Privacy questions go to a human, not a bot.

Privacy team
privacy@cinema.example · Replies within 5 business days.
Data Protection Officer
R. Alvarado · dpo@cinema.example
EU representative
Schenkenberg & Sahla, Berlin · cinema-eu@s-s-law.example
Mailing
Cinema Cooperative, Inc.
Privacy Office
2100 Mission Street, Suite 4
San Francisco, CA 94110

We're a small company. Privacy is something we'd like to be known for. If we get any of this wrong, please write — we'll fix it for the next revision and credit you in the changelog if you'd like.

R. Alvarado
Data Protection Officer · 14 Apr 2026