Privacy Policy — CineChums

1. Who we are

CineChums ("we", "us", "our") is a social platform for film lovers, operated at cinechums.com.

2. What data we collect

When you create an account and use CineChums, we collect:

Account data — email address, username, hashed password (for email/password sign-up).
Profile data — profile picture, country preference, display settings.
OAuth data — if you sign in with X (Twitter) or Facebook, we receive your user ID, display name, and email from that provider. We store only what is needed to link your account.
Activity data — movies you log, diary entries, lists, journal posts, challenge participation, friends, and awards votes.
Usage data — last login timestamp, recently visited movies and people (last 10 entries).

We do not collect advertising data, use tracking pixels, or run analytics services (no Google Analytics, Plausible, Mixpanel, etc.).

3. How we use your data

To operate your account and provide the service.
To send transactional emails (e.g. account confirmation). We never send marketing email without consent.
To display your public profile and activity to other users (subject to your privacy settings).
To detect and prevent abuse, fraud, and spam.

4. Legal basis for processing (GDPR)

If you are in the European Economic Area (EEA), we process your data under these legal bases:

Contract — processing necessary to provide the service you signed up for (account creation, diary, watchlist).
Legitimate interests — security monitoring, abuse prevention, improving service reliability.
Consent — linking a third-party OAuth account (X/Twitter, Facebook) requires your active authorisation on that platform.

5. Third parties we share data with

AWS S3 — profile pictures and uploaded images are stored in Amazon Web Services S3 (US). Public profile images are accessible via a public URL.
MailTrap — transactional emails are delivered via MailTrap, which processes your email address.
X (Twitter) / Facebook — only when you explicitly link one of these accounts. We store an access token to allow posting on your behalf when you choose to share.
TMDB — all movie and person data is sourced from The Movie Database (TMDB). Your personal data is not sent to TMDB.

We do not sell your data to any third party.

6. Cookies and session storage

We use a single session cookie to keep you logged in. This cookie:

Contains only a session identifier — no personal information.
Is marked HttpOnly (cannot be read by JavaScript) and Secure (HTTPS only).
Expires after 7 days of inactivity.

This is a strictly necessary cookie required for the service to function. Under the ePrivacy Directive and GDPR, strictly necessary cookies do not require consent.

We also store theme preference and temporary game state in localStorage in your browser. This data never leaves your device.

7. Data retention

Account data is retained until you delete your account.
Session data expires automatically after 24 hours server-side, or 7 days with "remember me".
Rate-limit violation logs are deleted automatically after 90 days.

8. Your rights (GDPR)

If you are in the EEA, you have the right to:

Access — request a copy of the personal data we hold about you.
Rectification — correct inaccurate data via your Settings page.
Erasure ("right to be forgotten") — request deletion of your account and associated data.
Portability — request your data in a machine-readable format.
Restriction / Objection — restrict how we process your data or object to processing based on legitimate interests.

9. Children

CineChums is not directed at children under 13 (or under 16 in the EEA). If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

10. Changes to this policy

We may update this policy from time to time. Material changes will be announced via the platform. The "last updated" date at the top of this page reflects the most recent revision.