Privacy Policy

This Privacy Policy describes how MovieFinder ("we", "us") collects, processes and protects your personal data. It complies with GDPR (EU Regulation 2016/679), the Digital Services Act (DSA, EU 2022/2065), and the EU AI Act (EU Regulation 2024/1689).

Last updated: 15.04.2026. Applicable law: GDPR, DSA, EU AI Act 2024/1689.

1. Data Controller & Contact

  • Data Controller: MovieFinder, accessible at moviefinder.top.
  • Privacy email: [email protected].
  • Supervisory authority (EU/EEA users): The supervisory authority in your country of habitual residence. For Bulgarian users: CPDP (Commission for Personal Data Protection), www.cpdp.bg.
  • You have the right to lodge a complaint with your local supervisory authority at any time.

2. Data We Collect

  • Registration data: email address, username, and password (stored as a bcrypt hash only — we never see your plaintext password).
  • Session data: IP address, browser User-Agent, country of origin, and login timestamp — stored for security and audit purposes per active session.
  • Trusted devices: hashed IP address (SHA-256 + secret key) and User-Agent for devices you mark as trusted during two-factor authentication.
  • Verification codes: 6-digit one-time codes for login or password reset, stored hashed with a short validity window (10–15 min) and auto-deleted after use.
  • Chat messages: message text, user ID, category, timestamp — for moderation and history.
  • Watchlist: IDs of titles you save.
  • Usage data: pages visited, clicks, theme/language preferences — collected in anonymised/aggregated form.
  • Cookies: see our Cookie Policy.

3. Legal Basis for Processing (GDPR Art. 6)

  • Performance of contract (Art. 6(1)(b)): account registration, login, chat, watchlist.
  • Legitimate interest (Art. 6(1)(f)): session logging for security, abuse and fraud prevention, two-factor authentication.
  • Consent (Art. 6(1)(a)): analytics cookies and personalised recommendations based on viewing history. You may withdraw consent at any time.
  • Legal obligation (Art. 6(1)(c)): where processing is required under applicable law.

4. Recommendations & Automated Processing (EU AI Act Art. 50 / DSA Art. 27)

  • MovieFinder uses an algorithmic recommendation system based on your viewing history and genre preferences to suggest relevant content.
  • This is a "recommender system" under the DSA and a "limited-risk AI system" under the EU AI Act.
  • No decisions producing legal or similarly significant effects are made solely by automated means (GDPR Art. 22).
  • You can disable personalised recommendations in your profile settings ("Clear viewing history / Disable personalisation").
  • Non-personalised alternative: users without an account receive popularity- and genre-based recommendations with no profiling.

5. Who We Share Data With

  • TMDB API (The Movie Database, USA): movie and TV data. When your browser makes requests, your IP may reach their servers. TMDB is a third-country processor.
  • YouTube / Google LLC (USA): trailers load via an embedded YouTube player. Standard Contractual Clauses (SCCs) apply for US data transfers.
  • Email provider (SMTP): we use our own SMTP server (mail.moviefinder.top) for transactional emails — no data is shared with third-party email marketers.
  • Legal requests: data may be disclosed only if we have a legal obligation (e.g. court order) — to the minimum extent necessary.
  • We do not sell, rent, or trade your personal data.

6. International Transfers (GDPR Chapter V)

  • Data may be transferred to third countries (e.g. USA via TMDB and YouTube) under Standard Contractual Clauses (SCCs) adopted by the European Commission.
  • Should the legal framework change, we will update safeguards and inform you accordingly.

7. Security & Breach Notification

  • Passwords are hashed with bcrypt (12 rounds).
  • Sessions and trusted devices are identified via SHA-256 hash of the IP address + a secret key.
  • All traffic is secured by TLS/HTTPS.
  • In the event of a data breach we will notify the supervisory authority within 72 hours and affected users without undue delay (GDPR Art. 33–34).

8. Retention Periods

  • Account and profile data: until account deletion + 90 days for backups.
  • Session logs and IP addresses: 12 months.
  • Trusted device hashes: until trust is revoked or 30 days of inactivity.
  • Verification codes: auto-deleted after use or on expiry (10–15 min).
  • Chat messages: 30 days from sending or until deleted by the user.
  • Analytics data: in aggregated/anonymised form with no fixed expiry.

9. Your Rights (GDPR Art. 15–22)

  • Right of access: obtain a copy of the data processed about you.
  • Right to rectification: correct inaccurate data.
  • Right to erasure ("right to be forgotten"): request deletion when there is no lawful basis for continued storage.
  • Right to restriction: restrict processing while disputing accuracy or lawfulness.
  • Right to data portability: receive your data in a structured, machine-readable format.
  • Right to object: against processing based on legitimate interest or for direct marketing.
  • Right to withdraw consent: at any time, without affecting the lawfulness of prior processing.
  • Right not to be subject to automated decision-making: where a decision produces legal effects.
  • Exercise rights at: [email protected]. We respond within 1 month.

10. Children (Under 16)

  • The service is intended for users aged 16 and over. We do not knowingly collect data from children under 16.
  • If we become aware of data collected from a child under 16 without parental consent, we will delete it immediately.
  • Parents/guardians may report to [email protected].

11. Policy Changes

  • For material changes we will notify you via an on-site banner or email at least 14 days in advance.
  • Last updated: 15.04.2026.