Privacy Policy

1. Data Controller

The data controller responsible for your personal data is Cinema Reels Studios S.L., a Spanish limited liability company registered under tax identification number B-87654321, with registered office at Calle de la Gran Vía 28, 4ª planta, 28013 Madrid, Spain. You can reach our privacy team at [email protected]. We have appointed an internal Data Protection Coordinator who can be contacted at the same address.

2. Categories of Personal Data We Process

We try to keep data collection to a strict minimum. The categories of personal data we may process include: (a) identification and contact data you voluntarily provide through the contact form, such as your name and email address; (b) communication content, meaning the message you choose to send us; (c) technical data automatically collected by the server, such as your IP address (anonymised after collection), browser type, operating system, referring page and timestamp of access; (d) preference data, such as your cookie consent choices and any in-game settings stored locally on your device; and (e) aggregated usage data such as the number of game sessions, average duration and pages visited, which is anonymised and cannot be linked back to you.

3. Purposes and Legal Basis for Processing

We process your data for clearly defined purposes, each supported by a legal basis under Article 6 GDPR: replying to your enquiries (legal basis: performance of pre-contractual measures and our legitimate interest in providing customer support); ensuring the security and integrity of the Service, preventing fraud and abuse (legal basis: our legitimate interest in protecting the platform and its users); analysing aggregated traffic to improve features and content (legal basis: your consent for analytics cookies, where applicable); complying with legal obligations such as responding to lawful requests from competent authorities (legal basis: compliance with a legal obligation).

4. Retention Periods

We keep personal data only for as long as necessary for the purposes for which it was collected: contact form messages and any related correspondence are kept for a maximum of twenty-four (24) months from the last interaction; server access logs are kept for ninety (90) days for security purposes and then deleted or fully anonymised; aggregated analytics data is kept for up to fourteen (14) months in anonymised form; cookie preferences are kept on your device until you withdraw consent or clear your browser storage.

5. Recipients of the Data

Your personal data is accessed only by authorised members of our staff who need it to perform their duties. We may share data with carefully selected service providers acting as data processors on our behalf — such as our hosting provider, our email service provider and our analytics provider — each bound by a written data processing agreement complying with Article 28 GDPR. We do not sell, rent or trade your personal data with any third party for marketing purposes.

6. International Data Transfers

Our infrastructure is hosted within the European Economic Area. Where any processor is located outside the EEA, we ensure that an adequate level of protection is in place by relying on European Commission adequacy decisions or, where these are not available, on Standard Contractual Clauses approved by the European Commission, complemented by additional technical and organisational measures where necessary.

7. Your Rights as a Data Subject

Under the GDPR and the LOPDGDD, you have the right to: (i) request access to the personal data we hold about you; (ii) request rectification of inaccurate or incomplete data; (iii) request erasure of your data ("right to be forgotten") in the cases provided for by law; (iv) request the restriction of processing in certain circumstances; (v) object to processing based on our legitimate interests; (vi) request the portability of the data you have provided to us in a structured, commonly used and machine-readable format; (vii) withdraw any consent you have given, at any time, without affecting the lawfulness of processing carried out before withdrawal.

You can exercise these rights free of charge by writing to [email protected], attaching a copy of an identification document where necessary to verify your identity. We will respond within thirty (30) days. If you consider that the processing of your data infringes the law, you have the right to lodge a complaint with the Spanish Data Protection Agency (Agencia Española de Protección de Datos) at C/ Jorge Juan 6, 28001 Madrid, or via www.aepd.es.

8. Security Measures

We implement appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. These measures include encryption in transit (HTTPS/TLS), strict access controls based on the principle of least privilege, regular security reviews, secure development practices, written confidentiality undertakings for staff, and a documented incident response procedure.

9. Children's Privacy

The Service is not intended for, and may not be used by, persons under the age of eighteen (18). We do not knowingly collect data from minors. If we become aware that personal data of a minor has been collected without verifiable parental consent, we will take immediate steps to delete it.

10. Updates to This Policy

We may update this Privacy Policy from time to time to reflect changes in the law or in our practices. The updated version will be published on this page with a new "Last updated" date. For substantial changes, we will provide a more prominent notice where appropriate.