Last updated: 2026-05-14
1. Controller
The data controller is Webmint s.r.o., Jana Zelivskeho 2, Prague, Czech Republic, EU, contact: [email protected].
2. Personal Data We Process
| Purpose | Data | Legal basis (GDPR / U.S.) | Retention |
|---|---|---|---|
| Operating the Service | IP address, user agent, request logs | Art. 6(1)(f) GDPR (legitimate interest); CCPA: business purpose | 30 days |
| Comment moderation | Author name, email, comment, IP | Art. 6(1)(b) (performance of service) | Until removal request or 5 years |
| Newsletter | Email, language preference | Art. 6(1)(a) (consent / double opt-in); CAN-SPAM compliance | Until unsubscribe |
| Open API | Email, usage URL, request logs | Art. 6(1)(b) (contract); legitimate interest for abuse prevention | 12 months after key revocation |
| Analytics | Aggregated, de-identified counters | Art. 6(1)(f) (legitimate interest) | 13 months |
3. Cookies
We use only strictly necessary cookies for the comment session, the theme preference (trxTheme) and CSRF protection. We do not set advertising or tracking cookies. reCAPTCHA is loaded only on the comment confirmation interstitial; it is provided by Google and subject to the Google Privacy Policy.
4. Recipients / Processors
- The Movie Database (TMDB) — image hosting (we hot-link only person images);
- Kinocheck — trailer publication metadata (server-side calls);
- OpenAI — text rewriting and translation of editorial copy (no personal data shared);
- Google reCAPTCHA — bot protection on the comment confirmation step;
- Google Custom Search Engine — optional secondary search (loaded only on /search/);
- Hosting and email infrastructure providers within the EU (data processors under Art. 28 GDPR).
5. International Transfers
Where personal data is transferred to a third country (notably to U.S. providers above), the transfer is based on the EU-U.S. Data Privacy Framework or Standard Contractual Clauses adopted by the European Commission.
6. Your Rights
Under GDPR you have the right to access, rectify, erase, restrict and port your data, to object to processing, and to lodge a complaint with the Czech DPA (Úřad pro ochranu osobních údajů, www.uoou.cz). California residents (CCPA/CPRA) have the right to know, delete, correct, opt out of sale/sharing (we do not sell or share personal data) and the right to non-discrimination. Virginia / Colorado / Connecticut / Utah residents have analogous rights under VCDPA / CPA / CTDPA / UCPA. To exercise any right, email us at [email protected].
7. Children
The Service is not directed at children under 13 (or 16 where required by Art. 8 GDPR). We do not knowingly collect personal data from children.
8. Security
Data is transmitted over TLS 1.2+. Passwords are hashed using bcrypt. Database access is restricted to the application user via least-privilege credentials.
9. Do-Not-Track / Global Privacy Control
We honor browser DNT and GPC signals where applicable.
10. Changes
This Policy may be updated; we will post the new version on this page with an updated date.