Version 1.0 · Published on 18 March 2026
Privacy Policy / Politique de confidentialité
Version : 1.0 Effective date : March 17, 2026 Platform : TIMELESS — timeless.film Data Controller : TIMELESS CINEMA — SAS, SIREN 992 965 392
TIMELESS CINEMA ("we", "us", "our") is committed to protecting your personal data. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, how long we retain it, and what rights you have under applicable data protection law — in particular the EU General Data Protection Regulation (GDPR, Regulation 2016/679) and the French Data Protection Act (Loi Informatique et Libertés).
This Policy applies to all Users of the TIMELESS platform (timeless.film, app.timeless.film), whether acting on behalf of an Exhibitor or a Rights Holder Account.
By accepting these terms at registration, you acknowledge having read and understood this Privacy Policy.
TIMELESS CINEMA Société par Actions Simplifiée (SAS) SIREN : 992 965 392 | SIRET : 992 965 392 00010 46 Rue Rouget de Lisle, 92800 Puteaux, France Publication Director : Leslie Vuchot
Contact for privacy matters: hello@timeless.film
| Category | Data | Collected when |
|---|---|---|
| Identity | First name, last name | User registration |
| Contact | Email address | User registration |
| Authentication | Password (hashed — bcrypt), MFA/TOTP secret (encrypted) | Registration / MFA activation |
| Language preference | Preferred locale (en or fr) | Profile settings (used for email communications) |
| Organisation | Company name, country, address, city, postal code, VAT number | Account onboarding |
| Professional context | Cinema type, contact email, contact phone | Account settings |
| Cinema details | Cinema name, address, room capacity, projection type | Exhibitor onboarding and account management |
| Financial (Rights Holders) | Bank account details, identity documents via Stripe Connect KYC | Stripe Connect onboarding |
| Communications | Notes on screening requests, support messages | Platform use |
| Category | Data | Collected when |
|---|---|---|
| Technical | IP address, browser User-Agent, device type | Each authenticated request |
| Consent records | Terms of Service / Terms of Sale acceptance: timestamp (UTC), IP, User-Agent, document version | Each acceptance event |
| Session | Session tokens, active account cookie, authentication state | Login and navigation |
| Usage | Pages visited, actions taken (cart additions, request submissions, validations), search queries | Platform use |
| API usage | API token last-used timestamp, endpoint accessed | API calls |
| Source | Data | Purpose |
|---|---|---|
| Stripe | Payment status, charge ID, transfer ID, KYC verification status (Rights Holders), payout history | Payment processing and financial operations |
| Stripe Tax | Tax calculation, applicable VAT rate per transaction | Tax compliance |
| TMDB (The Movie Database) | Film metadata, posters, cast and crew information | Catalogue enrichment — no personal data is sent to TMDB |
| Purpose | Data used | Legal basis (GDPR) |
|---|---|---|
| User account creation and authentication | Identity, contact, authentication data | Performance of contract (Art. 6.1.b) |
| Account organisation management (members, roles, invitations) | Identity, contact, role | Performance of contract (Art. 6.1.b) |
| Exhibitor onboarding (cinema and room data) | Organisation, cinema details | Performance of contract (Art. 6.1.b) |
| Rights Holder onboarding (Stripe Connect KYC) | Identity, financial data | Legal obligation + performance of contract (Art. 6.1.b, 6.1.c) |
| Processing Transactions (Screening Requests, payments, payouts) | Identity, organisation, financial, request data | Performance of contract (Art. 6.1.b) |
| DCP/KDM delivery coordination | Identity, cinema details, order data | Performance of contract (Art. 6.1.b) |
| Sending transactional emails | Email, identity, transaction data, preferred locale | Performance of contract (Art. 6.1.b) |
| Sending tokenised validation emails to Rights Holders | Email, preferred locale, JWT token containing request ID and user ID | Performance of contract (Art. 6.1.b) |
| Recording Terms acceptance (proof of consent) | Consent records (IP, User-Agent, timestamp, version) | Legal obligation (Art. 6.1.c) |
| VAT calculation and invoicing | Identity, organisation, VAT number, transaction data | Legal obligation (Art. 6.1.c) |
| Platform security and fraud prevention | IP, User-Agent, session data, API token usage | Legitimate interests (Art. 6.1.f) |
| Platform analytics and improvement | Usage data (anonymised where possible) | Legitimate interests (Art. 6.1.f) — or consent for non-essential cookies |
| Legal dispute resolution and audit trails | All relevant data | Legitimate interests (Art. 6.1.f) |
These cookies are strictly necessary for the Platform to function. They cannot be disabled.
| Cookie | Purpose | Duration |
|---|---|---|
| Session token | Maintains your authenticated session (Better Auth) | 30 days (refreshed every 24h) |
active_account_id | Remembers your currently selected Account | Session |
| CSRF token | Protects against cross-site request forgery | Session |
With your explicit consent, we may use analytics cookies to understand how Users interact with the Platform. These are only loaded after you opt in via the cookie consent banner.
With your explicit consent, we may use marketing cookies to measure campaign effectiveness. These are only loaded after you opt in.
A cookie consent banner is displayed on your first visit to the Platform. Your consent choices are stored for 13 months (in line with CNIL recommendations). You can modify your preferences at any time via the "Manage cookies" link in the footer.
Refusing analytics and marketing cookies has no impact on your ability to use the Platform's core features.
We do not sell your personal data to third parties.
We share personal data with the following sub-processors as strictly necessary to provide the Services:
| Sub-processor | Purpose | Country | Safeguard |
|---|---|---|---|
| Stripe, Inc. | Payment processing, KYC verification (Rights Holders), payouts | USA | Standard Contractual Clauses (SCCs) |
| Resend, Inc. | Transactional email delivery | USA | Standard Contractual Clauses (SCCs) |
| Scaleway SAS | Cloud hosting, managed PostgreSQL database, file storage (DCP delivery) | France / EU | GDPR applies directly |
| TMDB | Film metadata API — no personal data is transmitted | USA | No personal data transferred |
| Legal / judicial authorities | If required by applicable law or court order | As applicable | Legal obligation |
All sub-processors outside the EEA are subject to appropriate safeguards in accordance with GDPR Chapter V (Standard Contractual Clauses or adequacy decisions).
| Data category | Retention period | Justification |
|---|---|---|
| Active User account data | Duration of active account | Necessary for the service |
| Data after account closure | 3 years post-closure | Potential legal disputes |
| Transaction and order records | 10 years | French commercial law (Code de commerce, Art. L123-22) |
| Invoicing and financial data | 10 years | French tax law |
| Terms of Service acceptance records | 5 years from last acceptance | Proof of consent obligations |
| Terms of Sale acceptance records | 5 years from last acceptance | Proof of consent obligations |
| IP address and security logs | 12 months | Security and fraud prevention |
| Cookie consent records | 13 months | CNIL recommendation |
| Support communications | 3 years from resolution | Dispute handling |
| API token metadata (hash, last used) | Duration of token existence + 12 months after revocation | Security audit |
After the applicable retention period, data is securely deleted or anonymised.
We implement appropriate technical and organisational measures to protect your personal data:
In the event of a personal data breach likely to risk your rights and freedoms, we will notify the CNIL (French supervisory authority) within 72 hours and affected individuals as required by GDPR Articles 33–34.
Under GDPR, you have the following rights with respect to your personal data:
| Right | Description | How to exercise |
|---|---|---|
| Access (Art. 15) | Obtain a copy of the personal data we hold about you | Email hello@timeless.film |
| Rectification (Art. 16) | Request correction of inaccurate or incomplete data | Email hello@timeless.film or update in Profile settings |
| Erasure (Art. 17) | Request deletion of your data ("right to be forgotten"), subject to legal retention obligations | Email hello@timeless.film |
| Restriction (Art. 18) | Request that we limit processing of your data in certain circumstances | Email hello@timeless.film |
| Portability (Art. 20) | Receive your data in a structured, machine-readable format | Email hello@timeless.film |
| Objection (Art. 21) | Object to processing based on legitimate interests | Email hello@timeless.film |
| Withdraw consent (Art. 7.3) | Withdraw consent for consent-based processing (e.g. analytics cookies) at any time | Manage cookies link in the footer |
We will respond to all rights requests within 30 days. Response may be extended to 60 days for complex requests, with notice.
You also have the right to lodge a complaint with the competent supervisory authority:
CNIL — Commission Nationale de l'Informatique et des Libertés 3 Place de Fontenoy — TSA 80715 — 75334 Paris Cedex 07 www.cnil.fr
Some of our sub-processors (Stripe, Resend) are located in the United States. Data transfers to these processors are conducted under the European Commission's Standard Contractual Clauses (SCCs), ensuring an equivalent level of data protection to that provided within the EEA.
TIMELESS CINEMA's primary hosting infrastructure (Scaleway) is located in France and falls within the scope of GDPR directly.
We do not use fully automated decision-making processes that produce legal or similarly significant effects for our Users.
The Platform is exclusively B2B and is not directed at individuals under 18 years of age. We do not knowingly collect personal data from minors.
We may update this Privacy Policy from time to time. Material changes will be notified via the Platform and/or by email. Your continued use of the Platform following notification of changes constitutes acceptance of the updated Policy.
The current version is always accessible at timeless.film/privacy.
For any privacy-related enquiry or to exercise your rights:
TIMELESS CINEMA 46 Rue Rouget de Lisle, 92800 Puteaux, France hello@timeless.film
Last updated: March 17, 2026 Version: 1.0