
Privacy Policy

Effective Date: 17 April 2026

Operated by: Miralot GmbH, Pestalozzistr. 5–8, 13187 Berlin, Germany

Website: https://www.miralot.com

Contact: legal@miralot.com

1. Introduction and Data Controller

Miralot GmbH (“Miralot”, “we”, “us”, “our”) operates the Miralot platform and is the data controller responsible for the processing of your personal data in accordance with the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).

Data Controller:

Miralot GmbH

Pestalozzistr. 5–8, 13187 Berlin, Germany

Email: legal@miralot.com

2. Scope of This Privacy Policy

This Privacy Policy explains how we collect, use, store, and protect your personal data when you use the Miralot platform. It applies to all users, including filmmakers, production companies, distributors, and festival organisers.

By using our services, you acknowledge that you have read and understood this Privacy Policy and our Terms and Conditions.

Important: When submissions are made via a third-party submission platform or via a festival’s own homepage, the respective third party’s privacy policy governs the processing of your data by that party. Miralot is not responsible for the data practices of third-party platforms or festivals.

3. Personal Data We Collect

3.1 Account and Registration Data

When you create an account, we collect your name, email address, and encrypted password. If you register via Google OAuth, we also store authentication tokens (access token, refresh token, ID token) provided by Google to maintain your login session.

Legal basis: Art. 6(1)(b) GDPR (performance of contract)

3.2 Film and Submission Data

When you use our Festival Matching, Strategy, or Submission services, we collect:

  • Film metadata: Title, genre, length, language, production country, production year, type (animation, documentary, live-action)
  • Director information: First name, last name, age, gender, email address, biography, photo, student status, nationalities, and countries of residency
  • Film materials: Synopsis (short and long), stills, trailers, film poster
  • Screener access: Screener link and screener password
  • Cast and crew: Names and roles of persons associated with the film
  • Production company information: Company name, contact person name and email, full mailing address
  • Submission history: Previous festivals, acceptances, rejections, awards
  • Selected festivals and submission preferences

Legal basis: Art. 6(1)(b) GDPR (performance of contract)

3.3 Payment Data

When festival submission fees are processed through the Miralot platform, regardless of the submission channel used (third-party platform, direct integration, or festival homepage), we collect:

  • Payment method information (processed by Stripe)
  • Transaction history, including the 3% processing fee charged
  • VAT information (if applicable)

We do not store complete credit card numbers or billing addresses. Payment processing is handled by Stripe in accordance with PCI-DSS standards. We only store Stripe reference identifiers (customer ID and checkout session ID) to link transactions to your account.

Legal basis: Art. 6(1)(b) GDPR (performance of contract) and Art. 6(1)(c) GDPR (legal obligation for invoicing and tax purposes)

3.4 Communication Data

  • Email correspondence with support
  • Feedback and support requests

Legal basis: Art. 6(1)(b) GDPR (performance of contract)

3.5 Usage and Technical Data

  • IP address (stored per authenticated session; see Section 8 for retention)
  • Browser type and version, operating system (user agent string)
  • Pages visited and features used
  • Date and time of access, referral source

When you log in, your IP address and user agent string are recorded in your session record for security purposes (e.g. detecting unauthorised access).

Legal basis: Art. 6(1)(f) GDPR (legitimate interests in ensuring platform security and improving user experience)

3.6 Technical Storage Data

Miralot is cookieless by design. The only technical storage we use is a session cookie for login state management, and Stripe’s payment-related storage during checkout. We do not use tracking or analytics cookies. See Section 5 for full details.

4. How We Use Your Personal Data

4.1 Service Provision

We use your data to:

  • Create and manage your account
  • Provide festival matching recommendations and strategy tools
  • Submit your films to selected festivals on your behalf via the applicable submission channel (third-party platform, direct integration, or festival homepage)
  • Process festival submission fees and the associated 3% payment fee
  • Communicate with you about your account and services
  • Provide customer support

Legal basis: Art. 6(1)(b) GDPR (performance of contract)

4.2 Algorithm-Based Matching and Service Improvement

We use anonymised film metadata to improve our festival matching algorithm:

  • Film metadata: Genre, length, language, production country, production year, director age/gender
  • Submission outcomes: Acceptances, rejections, festival tier preferences
  • AI-assisted genre extraction: We use AI to analyse film synopses and suggest genre classifications, which users can review and adjust

Personal identifying information (name, email, contact details) is never used for algorithm training. All processing takes place on EU servers hosted in Germany.

No automated decision-making: The festival matching system produces recommendations only. No legally significant or similarly impactful decisions are made automatically without human review. Users retain full control over which festivals they submit to. This system does not constitute automated decision-making within the meaning of Art. 22 GDPR.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in improving our services)

Your rights: You may object to this processing under Art. 21 GDPR by contacting legal@miralot.com

4.3 Business Analytics and Service Optimisation

We analyse usage data to understand how users interact with our platform and to improve our services. We may create pseudonymous user profiles to better understand user needs and tailor our service.

What is profiled: Film characteristics (genres submitted, festival tier preferences, submission frequency), user behaviour (feature usage, engagement level), and subscription type.

How profiling works: Usage data is aggregated and analysed to identify patterns at a pseudonymous level. No profiles are linked back to identifiable individuals in any reporting or decision-making context.

Significance and envisaged consequences: Profiling may influence which festivals or features are surfaced to you as recommendations. It does not affect your access to the platform, your pricing, or any legally significant decision. You remain in full control of all submission decisions.

Profiles are deleted or anonymised within 2 years of account closure.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in business development and service improvement)

Your rights: You may object to profiling at any time under Art. 21 GDPR by contacting legal@miralot.com. Upon objection, we will cease profiling your data.

4.4 Service Notifications and Marketing Communication

We distinguish between two types of email communication:

Service notifications: We send periodic notifications (approximately monthly) to inform you when new festival recommendations are available on your Miralot dashboard. These emails do not contain the recommendations themselves — they are a prompt to log in and view your matches on the platform. As these notifications are directly related to the service you have signed up for, they are sent on the basis of our legitimate interest in keeping you informed about your account activity. You can opt out of these notifications at any time via the unsubscribe link in each email.

Legal basis (service notifications): Art. 6(1)(f) GDPR (legitimate interest in providing the contracted service)

Marketing and promotional communication: We will only send marketing emails (e.g. product updates, promotional content, case studies) with your explicit prior consent. No such emails are currently sent. If we introduce a newsletter or marketing communications in future, we will obtain your consent before doing so.

Legal basis (marketing): Art. 6(1)(a) GDPR (consent)

4.5 Legal Compliance

We may process your data to comply with legal obligations, including tax and accounting requirements (10 years retention for invoices), responding to law enforcement requests, and enforcing our Terms and Conditions.

Legal basis: Art. 6(1)(c) GDPR (legal obligation)

5. Cookies and Technical Storage

Miralot is designed to be cookieless. We do not use tracking cookies, advertising cookies, or analytics cookies.

5.1 Session Cookie (Essential)

We use a single session cookie solely to manage your login state while you are logged in to the platform. This cookie is strictly necessary for the platform to function and has a default expiry of 7 days (with automatic refresh on activity). No consent is required for this cookie as it falls within the technical necessity exemption under Art. 5(3) ePrivacy Directive.

5.2 Analytics

We use Pirsch Analytics, a privacy-friendly, cookieless analytics tool hosted in Germany (EU). Pirsch does not set any cookies and does not track users across websites. No personal data is transmitted to third parties in connection with analytics.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in understanding platform usage)

5.3 Payment Processing (Stripe)

When you make a payment via the Miralot platform, Stripe may set cookies or use local storage as part of its fraud prevention and payment security processes. These are strictly necessary for the payment transaction to function securely. For more information, see Stripe’s privacy policy at https://stripe.com/privacy.

Legal basis: Art. 6(1)(b) GDPR (performance of contract)

No cookie banner is displayed on Miralot as no consent-based cookies are in use. If we introduce any consent-based tracking or analytics tools in future, we will update this policy and implement appropriate consent mechanisms before activation.

6. Data Sharing and Third-Party Services

6.1 Festival Submissions

When you use our Submission Service, we transmit your film materials and data to the relevant festival via one of three channels:

  • (a) Direct festival integration: Your data is transmitted directly to the festival via a technical integration between the festival and Miralot, without passing through a third-party platform. Miralot acts as data processor on your behalf; the festival is an independent data controller for its own subsequent processing of your data.
  • (b) Third-party submission platform: Your data is transmitted via an external festival submission platform. Miralot acts as your agent in using that platform. The platform’s own terms and privacy policy apply to its processing of your data from the point of transmission.
  • (c) Festival homepage submission: Your data is entered directly into the festival’s own systems via its website or submission form. Miralot acts as your representative in completing the submission. The festival becomes an independent data controller from the point your data enters its systems, and its own privacy policy applies. Miralot has no control over and accepts no responsibility for the festival’s subsequent data processing.

No joint controllership: Miralot and the festivals to which submissions are made are independent data controllers. No joint controllership arrangement within the meaning of Art. 26 GDPR exists between Miralot and any festival.

In all cases, data is transmitted only to festivals you have explicitly selected. Festival submissions may involve data transfers to countries outside the EU/EEA. By using the Submission Service, you explicitly consent to these transfers.

Legal basis: Art. 6(1)(b) GDPR (performance of contract) and Art. 49(1)(a) GDPR (explicit consent for international transfers)

6.2 Service Providers (Data Processors)

We use the following trusted service providers:

Service Provider | Purpose | Location | Data Transfer Safeguards
Vercel | Application hosting and deployment | USA | Standard Contractual Clauses (SCCs)
NeonDB | Serverless database (PostgreSQL) | USA | Standard Contractual Clauses (SCCs)
Hetzner | File storage (S3-compatible object storage) | Germany (EU) | N/A (EU-based)
Stripe | Payment processing | USA | Standard Contractual Clauses (SCCs)
Google (Gmail SMTP) | Transactional email delivery | USA | Standard Contractual Clauses (SCCs)
Pirsch Analytics | Privacy-friendly web analytics | Germany (EU) | N/A (EU-based)
BunnyCDN | Content delivery network for file assets | EU | N/A (EU-based)
Slack | Internal team notifications (new user registrations, payment confirmations) | USA | Standard Contractual Clauses (SCCs)
OpenAI | AI-assisted genre extraction from film synopses | USA | Standard Contractual Clauses (SCCs)
Anthropic | AI-assisted genre extraction from film synopses | USA | Standard Contractual Clauses (SCCs)
Mistral AI | AI-assisted genre extraction from film synopses | France (EU) | N/A (EU-based)
Google Analytics (planned) | Web analytics | USA | Google Analytics 4 with anonymisation

All service providers are bound by data processing agreements (DPAs) and process data only on our instructions.

6.3 No Sale of Personal Data

We do not sell, rent, or trade your personal data to third parties for marketing purposes.

7. International Data Transfers

Data transfers outside the EU/EEA occur for: festival submissions to non-EU festivals (with your explicit consent); application hosting via Vercel (Standard Contractual Clauses); database hosting via NeonDB (Standard Contractual Clauses); payment processing via Stripe (Standard Contractual Clauses); transactional email delivery via Google Gmail SMTP (Standard Contractual Clauses); internal team notifications via Slack (Standard Contractual Clauses); AI-assisted genre extraction via OpenAI and Anthropic (Standard Contractual Clauses); and potential Google Analytics use (anonymised, with consent). We ensure adequate protection through SCCs, explicit consent, and anonymisation where possible.

8. Data Retention

  • Active accounts: Data retained while the account is active and as needed to provide services.
  • After account deletion: Personal data and film materials deleted within 90 days after completion of all festival submissions, or at the latest 24 months after the last submission activity on the account, whichever is earlier.
  • Anonymised metadata: May be retained indefinitely for service improvement (you can object under Art. 21 GDPR).
  • Invoices and payment records: Retained for 10 years (§§ 147 AO, 257 HGB).
  • Session data (IP addresses, user agents): Stored in the session record for the duration of the session. Session records are deleted when sessions expire or when you log out.
  • Server log files: Retained for 31 days.
  • Backups: Deleted data may persist in backups for up to 90 days on a rolling basis.
  • Legal holds: Data may be retained longer if required by law or to defend legal claims.

9. Your Data Protection Rights

Right of Access (Art. 15): Request a copy of all personal data we hold about you.

Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data.

Right to Erasure (Art. 17): Request deletion of your data where no longer necessary. Exceptions apply for legally required records.

Right to Restriction (Art. 18): Request limitation of processing in certain circumstances.

Right to Data Portability (Art. 20): Request your data in a structured, machine-readable format.

Right to Object (Art. 21): Object to processing based on legitimate interests (including algorithm training, analytics, and profiling) and to direct marketing at any time.

Right to Withdraw Consent (Art. 7(3)): Withdraw consent at any time without affecting the lawfulness of prior processing.

To exercise any right, contact us at legal@miralot.com. We will respond within 30 days (extendable by 60 days in complex cases).

You may also lodge a complaint with: Berliner Beauftragte für Datenschutz und Informationsfreiheit, Friedrichstr. 219, 10969 Berlin | https://www.datenschutz-berlin.de

10. Security Measures

Technical measures: SSL/TLS encryption, scrypt password hashing, EU-based file storage servers, role-based access controls, regular encrypted backups, log file monitoring.

Organisational measures: Data processing agreements with all providers, employee training, incident response procedures, regular security audits, privacy by design (Art. 25 GDPR).

Please keep your credentials secure and notify us at legal@miralot.com immediately if you suspect unauthorised account access.

11. Children’s Privacy

Miralot is not intended for children under 18. Users under 18 may only use our services under parental supervision and with parental consent. If we become aware of data collected from a child under 18 without parental consent, we will delete it promptly.

12. Server Log Files and Access Data

Our hosting provider collects standard access data (file names, access timestamps, data volume, browser and OS information, referrer URL, IP address) for security and platform stability. Log files are retained for 31 days and then automatically deleted unless required for security investigations.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in platform security and technical operation)

13. Compliance with the Digital Services Act (DSA)

Miralot operates as an intermediary service within the meaning of Regulation (EU) 2022/2065 (Digital Services Act). This section describes how Miralot fulfils its obligations under the DSA in relation to the processing of personal data.

For reporting illegal content and the Notice-and-Action mechanism, please refer to Section 13 of our Terms and Conditions, or contact us directly at legal@miralot.com. The competent Digital Services Coordinator for Miralot is the Bundesnetzagentur (Federal Network Agency), Tulpenfeld 4, 53113 Bonn | https://www.bundesnetzagentur.de

Data processed in connection with DSA compliance (e.g. reports of illegal content, related account data) is retained only for as long as necessary to fulfil the relevant legal obligation or to defend legal claims.

Legal basis: Art. 6(1)(c) GDPR (legal obligation under the DSA)

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be notified by email at least 6 weeks in advance.

Important distinction: Changes that affect the legal basis or scope of data processing may require your fresh, active consent and cannot take effect through continued use alone. In such cases, we will seek your explicit agreement before the change takes effect. Changes that do not affect the legal basis or scope of processing (e.g. clarifications, updated contact details, or new service providers under existing legal bases) will take effect after the notification period, with continued use of the platform constituting acknowledgement of the update.

If you object to a material change, please contact us at legal@miralot.com. You may also delete your account at any time. The current version of this Privacy Policy is always available at: https://www.miralot.com/legal/privacy

15. Contact Information

Miralot GmbH

Pestalozzistr. 5–8

13187 Berlin, Germany

Email: legal@miralot.com

Website: https://www.miralot.com
