Privacy Policy
Effective Date: 30 September 2025
Operated by: Miralot GmbH, Pestalozzistr. 5–8, 13187 Berlin, Germany
Website: http://www.miralot.com
Contact: legal@miralot.com
1. Introduction and Data Controller
Miralot GmbH ("Miralot", "we", "us", "our") operates the Miralot platform and is the data controller responsible for the processing of your personal data in accordance with the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).
Data Controller:
Miralot GmbH
Pestalozzistr. 5–8, 13187 Berlin, Germany
Email: legal@miralot.com
Data Protection Contact:
For all data protection inquiries, please contact: legal@miralot.com
2. Scope of This Privacy Policy
This Privacy Policy explains how we collect, use, store, and protect your personal data when you use the Miralot platform. It applies to all users, including filmmakers, production companies, distributors, and festival organizers.
By using our services, you acknowledge that you have read and understood this Privacy Policy and our Terms and Conditions.
3. Personal Data We Collect
3.1 Account and Registration Data
When you create an account, we collect:
- Name and surname
- Email address
- Password (encrypted)
Legal basis: Art. 6(1)(b) GDPR (performance of contract)
3.2 Film and Submission Data
When you use our Strategy or Submission Services, we collect:
- Film metadata: Title, genre, length, language, production country, production year
- Director information: Name, age, gender
- Film materials: Synopsis, stills, trailers, press kits
- Submission history: Previous festivals, acceptances, rejections, awards
- Selected festivals and submission preferences
Legal basis: Art. 6(1)(b) GDPR (performance of contract)
3.3 Payment Data
For paid subscriptions, we process:
- Payment method information (processed by Stripe and PayPal)
- Billing address
- Transaction history
- VAT information (if applicable)
We do not store complete credit card numbers. Payment processing is handled by our payment providers (Stripe, PayPal) in accordance with PCI-DSS standards.
Legal basis: Art. 6(1)(b) GDPR (performance of contract) and Art. 6(1)(c) GDPR (legal obligation for invoicing and tax purposes)
3.4 Communication Data
- Email correspondence with support
- Newsletter subscriptions (if opted in)
- Feedback and support requests
Legal basis: Art. 6(1)(b) GDPR (performance of contract) and Art. 6(1)(a) GDPR (consent for newsletters)
3.5 Usage and Technical Data
- IP address (anonymized or deleted after 7 days)
- Browser type and version
- Operating system
- Pages visited and features used
- Date and time of access
- Referral source
Legal basis: Art. 6(1)(f) GDPR (legitimate interests in ensuring platform security and improving user experience)
3.6 Cookies and Tracking Data
We use cookies and similar technologies. See Section 5 for details.
4. How We Use Your Personal Data
4.1 Service Provision
We use your data to:
- Create and manage your account
- Provide strategy recommendations for festival submissions
- Submit your films to selected festivals on your behalf (Submission Service)
- Process payments and manage subscriptions
- Communicate with you about your account and services
- Provide customer support
Legal basis: Art. 6(1)(b) GDPR (performance of contract)
4.2 Algorithm-Based Matching and Service Improvement
We use anonymized film metadata to improve our festival matching algorithm:
Current processing:
- Film metadata: Genre, length, language, production country, production year, director age/gender
- Submission outcomes: Acceptances, rejections, festival tier preferences
- AI-assisted genre extraction: We use AI to analyze film synopses and suggest genre classifications, which users can review and adjust
Future processing:
- Film screenshots and visual analysis (frames from trailers/films)
Important: Personal identifying information (name, email, contact details) is never used for algorithm training. All processing takes place on EU servers (hosted in Germany).
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in improving our services)
Your rights: You may object to this processing under Art. 21 GDPR by contacting legal@miralot.com
4.3 Business Analytics and Service Optimization
We analyze usage data and business metrics to:
- Understand how users interact with our platform
- Identify popular features and areas for improvement
- Optimize our service offering and pricing
- Conduct market research and trend analysis
- Improve user experience and platform performance
Data processed:
- Usage patterns (features used, submission frequency, festival preferences)
- Aggregated submission success rates
- Platform performance metrics
- Subscription and conversion data
Profiling: We may create pseudonymous user profiles to better understand user needs and tailor our services. These profiles are based on:
- Film characteristics (genres submitted, festival tier preferences)
- User behavior (submission frequency, feature usage)
- Subscription type and engagement level
Individual users are not identified in aggregate reports. Profiles are deleted or anonymized within 2 years of account closure.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in business development and service improvement)
Your rights: You may object to profiling under Art. 21 GDPR by contacting legal@miralot.com
4.4 Marketing and Communication
With your explicit consent, we may:
- Send newsletters about new features and updates
- Use your film materials for promotional purposes (case studies, marketing materials)
You can withdraw consent at any time by clicking "unsubscribe" in emails or contacting legal@miralot.com.
Legal basis: Art. 6(1)(a) GDPR (consent)
4.5 Legal Compliance
We may process your data to comply with legal obligations, such as:
- Tax and accounting requirements (10 years retention for invoices)
- Responding to law enforcement requests
- Enforcing our Terms and Conditions
Legal basis: Art. 6(1)(c) GDPR (legal obligation)
5. Cookies and Tracking Technologies
5.1 What Are Cookies?
Cookies are small text files stored on your device when you visit our website. They help us provide and improve our services.
5.2 Types of Cookies We Use
Essential Cookies (always active):
- Session management and authentication
- Security and fraud prevention (CSRF protection)
- Load balancing
- Shopping cart functionality (for paid plans)
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in platform security and functionality)
Optional Cookies (require consent):
- Analytics: Pirsch Analytics (privacy-friendly, EU-based), potentially Google Analytics in the future
- A/B Testing: Testing tools for improving user experience (planned)
- Marketing: Facebook Pixel (if implemented)
Legal basis: Art. 6(1)(a) GDPR (consent via cookie banner)
5.3 Managing Cookie Preferences
You can manage your cookie preferences:
- Through our cookie banner: Available on first visit and in account settings
- Browser settings: Configure your browser to block or delete cookies
- Third-party opt-outs:
  - Google Analytics: Available through our cookie settings (if implemented)
  - Facebook Ads: https://www.facebook.com/settings?tab=ads (if implemented)
Please note that disabling essential cookies may affect platform functionality.
6. Data Sharing and Third-Party Services
We share your data only when necessary to provide our services or as required by law.
6.1 Festival Submissions
When you use our Submission Service, we transmit your film materials and data to:
- Film festival submission platforms: FilmFreeway (USA), Festhome (Spain), Shortfilmdepot (Germany), and others
- Individual festivals worldwide (as selected by you)
Important: Festival submissions may involve data transfers to countries outside the EU/EEA, including the USA. By using the Submission Service, you explicitly consent to these transfers.
Legal basis: Art. 6(1)(b) GDPR (performance of contract) and Art. 49(1)(a) GDPR (explicit consent for international transfers)
6.2 Service Providers (Data Processors)
We use the following trusted service providers:
| Service Provider | Purpose | Location | Data Transfer Safeguards |
|---|---|---|---|
| Hetzner | Hosting and infrastructure | Germany (EU) | N/A (EU-based) |
| Stripe | Payment processing | USA | Standard Contractual Clauses (SCCs) |
| PayPal | Payment processing | USA | Standard Contractual Clauses (SCCs) |
| Brevo | Email communication & newsletters | France (EU) | N/A (EU-based) |
| Pirsch Analytics | Privacy-friendly web analytics | Germany (EU) | N/A (EU-based) |
| Google Analytics (planned) | Web analytics | USA | Google Analytics 4 with anonymization |
All service providers are bound by data processing agreements (DPAs) and process data only on our instructions.
6.3 No Sale of Personal Data
We do not sell, rent, or trade your personal data to third parties for marketing purposes.
7. International Data Transfers
7.1 Transfers Outside the EU/EEA
Data transfers to countries outside the EU/EEA occur in the following cases:
- Festival submissions to non-EU festivals (with your explicit consent)
- Payment processing via Stripe and PayPal (protected by Standard Contractual Clauses)
- Potential use of Google Analytics (anonymized, with user consent)
7.2 Safeguards
We ensure adequate protection through:
- Standard Contractual Clauses (SCCs): EU-approved contracts for data transfers
- Explicit consent: For festival submissions to non-EU countries
- Anonymization: Where possible, we anonymize data before transfer
8. Data Retention
8.1 Active Accounts
Your personal data is retained while your account is active and for as long as necessary to provide our services.
8.2 After Account Termination
After termination of your subscription or deletion of your account:
- Personal data and film materials: Deleted within 90 days after completion of all festival submissions
- Anonymized metadata: May be retained indefinitely for service improvement (you can object under Art. 21 GDPR)
- Invoices and payment records: Retained for 10 years to comply with German tax law (§§ 147 AO, 257 HGB)
8.3 IP Addresses and Log Files
- IP addresses: Anonymized or deleted after 7 days
- Server log files: Retained for 31 days for security purposes (fraud detection, abuse prevention)
- Exception: Data may be retained longer if required for legal proceedings
8.4 Backups
Deleted data may remain in our backup systems for up to 90 days after deletion. Backups are automatically overwritten on a rolling basis.
8.5 Legal Holds
Data may be retained longer if required by law or to defend legal claims.
9. Your Data Protection Rights
Under the GDPR, you have the following rights:
9.1 Right of Access (Art. 15 GDPR)
You can request a copy of all personal data we hold about you.
9.2 Right to Rectification (Art. 16 GDPR)
You can request correction of inaccurate or incomplete data.
9.3 Right to Erasure (Art. 17 GDPR)
You can request deletion of your data in certain circumstances (e.g., when no longer necessary for the purposes collected).
Exceptions: We may retain data if required by law (e.g., tax records for 10 years) or to defend legal claims.
9.4 Right to Restriction (Art. 18 GDPR)
You can request that we limit how we use your data in certain situations.
9.5 Right to Data Portability (Art. 20 GDPR)
You can request your data in a structured, machine-readable format to transfer to another service.
9.6 Right to Object (Art. 21 GDPR)
You can object to:
- Processing based on legitimate interests (e.g., anonymized data for algorithm training, business analytics, profiling)
- Direct marketing at any time
9.7 Right to Withdraw Consent (Art. 7(3) GDPR)
Where processing is based on consent (e.g., newsletters, promotional use of materials, optional cookies), you can withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
9.8 Right to Lodge a Complaint
If you believe we have violated your data protection rights, you can lodge a complaint with:
German Supervisory Authority:
Berliner Beauftragte für Datenschutz und Informationsfreiheit
Friedrichstr. 219
10969 Berlin, Germany
Website: https://www.datenschutz-berlin.de
9.9 How to Exercise Your Rights
To exercise any of these rights, please contact us at: legal@miralot.com
We will respond to your request within 30 days (extendable by 60 days in complex cases).
10. Security Measures
We implement appropriate technical and organizational measures to protect your personal data:
10.1 Technical Measures
- Encryption: SSL/TLS encryption for data transmission
- Password protection: Encrypted password storage (bcrypt/Argon2)
- Server security: EU-based servers (Germany) with regular security updates
- Access controls: Role-based access to data
- Backups: Regular encrypted backups with 90-day retention
- Log file monitoring: 31-day retention for security incident detection
10.2 Organizational Measures
- Data processing agreements with all service providers
- Employee training on data protection
- Incident response procedures
- Regular security audits
- Privacy by design and default principles (Art. 25 GDPR)
10.3 Your Responsibility
Please keep your login credentials secure and notify us immediately at legal@miralot.com if you suspect unauthorized access to your account.
11. Children's Privacy
Miralot is not intended for children under 18. Users under 18 may only use our services under parental supervision and with parental consent.
We verify age through payment methods (credit card holders must be 18+). If we become aware that we have collected personal data from a child under 18 without parental consent, we will delete that data promptly.
12. Server Log Files and Access Data
Our hosting provider collects technical data about every access to our servers:
- Name and URL of accessed files
- Date and time of access
- Amount of data transferred
- Browser type and version
- Operating system
- Referrer URL (previously visited page)
- IP address (anonymized after 7 days)
- Access provider
This data is collected for security purposes and to ensure platform stability. Log files are retained for a maximum of 31 days and then automatically deleted, unless required for investigating security incidents.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in platform security and technical operation)
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. Material changes will be notified by email at least 6 weeks in advance.
If you do not object in writing within this period and continue to use the platform, the changes will be deemed accepted. If you object, your contract continues under the old Privacy Policy, but either party may terminate with statutory notice.
Continued use of the platform after the effective date of changes constitutes acceptance of the updated Privacy Policy.
The current version is always available at: http://www.miralot.com/privacy
14. Contact Information
For questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact:
Miralot GmbH
Pestalozzistr. 5–8
13187 Berlin, Germany
Email: legal@miralot.com
Website: http://www.miralot.com