Privacy Policy
Last updated: December 8, 2025
Introduction
Welcome to FilmHQ. This Privacy Policy ("Policy") describes how FilmHQ OÜ ("FilmHQ", "we", "us", or "our") collects, uses, discloses, and protects personal data through our web platform at filmhq.io (the "Site"), related mobile applications, and all other services we provide (collectively, the "Service").
FilmHQ is a film distribution management platform serving both business clients (film distributors, cinemas, and marketing professionals) and individual consumers (moviegoers) across the Baltic markets.
This Policy is incorporated into and is subject to the FilmHQ Terms of Service. By using our Service, you acknowledge that you have read and understood this Policy.
1. Data Controller
FilmHQ OÜ
Legal Address: Suur-Sepa tn 11/2, 80019 Pärnu, Estonia
Tallinn Office: Tööstuse 47D-15, 10416 Tallinn, Estonia
Registration Number: 17108523
VAT Code: EE102796694
Contact:
- General inquiries: info@filmhq.pro
- Privacy matters: privacy@filmhq.pro
2. Definitions
For the purposes of this Policy:
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Client" means a business entity (e.g., film distributor, cinema operator, marketing agency) that has entered into an agreement with FilmHQ to use our Service.
- "User" means any individual who accesses and uses the Service, including employees of Clients and individual consumers.
- "Consumer" (or "B2C User") means an individual who uses our consumer-facing portals to discover films, view showtimes, or access other entertainment information.
- "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
- "Processing" means any operation performed on Personal Data, such as collection, storage, use, or disclosure.
- "Sub-processor" means any third party engaged by FilmHQ to process Personal Data on behalf of a Client.
- "GDPR" means the General Data Protection Regulation (EU) 2016/679.
- "Estonian PDPA" means the Estonian Personal Data Protection Act (Isikuandmete kaitse seadus).
3. Roles and Responsibilities
3.1 FilmHQ as Data Controller
FilmHQ acts as a Data Controller when we:
- Process Personal Data of Users who create accounts on our platform
- Process Personal Data of visitors to our websites
- Process Personal Data of individuals who contact us or register for our events
- Process Personal Data for our own business purposes (marketing, analytics, platform improvement)
3.2 FilmHQ as Data Processor
FilmHQ acts as a Data Processor when Clients use our Service to manage their own customer and business data. In such cases:
- The Client is the Data Controller and determines the purposes and means of processing
- FilmHQ processes data solely according to the Client's documented instructions
- Processing is governed by a Data Processing Agreement (DPA) between FilmHQ and the Client
- FilmHQ does not determine the purpose or means of processing Client Data
3.3 Client and Consumer Responsibilities
For Clients:
- Clients are responsible for ensuring they have lawful bases to collect and process Personal Data of their customers
- Clients must provide appropriate privacy notices to their data subjects
- Clients are responsible for responding to data subject requests related to data they control
For Consumers:
- If you are a consumer seeking to exercise your rights regarding Personal Data processed by a FilmHQ Client (e.g., a film distributor or cinema), please contact that Client directly
- FilmHQ processes such data solely on behalf of Clients and according to their instructions
4. Personal Data We Collect
4.1 Information You Provide Directly
Account Registration (B2B and B2C Users):
- Full name
- Email address
- Phone number (optional)
- Company name and role (for B2B users)
- Country and language preferences
- Profile photo (optional)
Business Client Information:
- Company registration details
- Billing and payment information
- Tax identification numbers
- Bank account details for settlements
Consumer Preferences (B2C Users):
- Movie preferences and wishlists
- Favorite genres
- Cinema preferences
- Notification preferences
Communications:
- Information you provide when contacting our support team
- Survey responses and feedback
- Event registration information
4.2 Information Collected Automatically
Technical Data:
- IP address
- Browser type and version
- Operating system
- Device identifiers
- Time zone and language settings
- Referring URL
Usage Data:
- Pages and features accessed
- Actions performed within the Service
- Access times and frequency
- Search queries
- Clicks and navigation patterns
Cookie Data: Please see our Cookie Policy for detailed information about the cookies we use.
4.3 Information from Third Parties
Authentication Providers: When you sign in using third-party services (e.g., Google, Microsoft), we receive basic profile information as authorized by you.
Business Partners: If a Client or partner refers you to our Service, they may provide us with your contact information.
Public Sources: We may collect publicly available business information (e.g., from company registries, industry databases) for B2B purposes.
5. How We Use Personal Data
5.1 Service Provision
We process Personal Data to:
- Create and maintain your account
- Provide access to platform features
- Process transactions and settlements
- Enable collaboration features between users
- Provide customer support
- Send service-related notifications
Legal Basis: Performance of a contract (GDPR Art. 6(1)(b))
5.2 Platform Improvement
We process Personal Data to:
- Understand how users interact with our Service
- Identify and fix technical issues
- Develop new features and improvements
- Conduct analytics and generate aggregated insights
Legal Basis: Legitimate interests (GDPR Art. 6(1)(f)) — improving our Service and user experience
5.3 Security and Fraud Prevention
We process Personal Data to:
- Protect against unauthorized access and fraud
- Monitor for suspicious activities
- Investigate and prevent security incidents
- Enforce our Terms of Service
Legal Basis: Legitimate interests (GDPR Art. 6(1)(f)) — security and protection of rights
5.4 Communications
We process Personal Data to:
- Send essential service notifications (e.g., password resets, policy updates)
- Respond to your inquiries and support requests
- Send marketing communications (with your consent)
- Inform you about new features, events, and industry news
Legal Basis:
- Service notifications: Performance of contract (GDPR Art. 6(1)(b))
- Marketing: Consent (GDPR Art. 6(1)(a)) or legitimate interests (GDPR Art. 6(1)(f))
5.5 Legal Compliance
We process Personal Data to:
- Comply with applicable laws and regulations
- Respond to legal requests from authorities
- Establish, exercise, or defend legal claims
Legal Basis: Legal obligation (GDPR Art. 6(1)(c)) or legitimate interests (GDPR Art. 6(1)(f))
6. Third-Party Integrations and Sub-processors
6.1 Platform Infrastructure
| Provider | Purpose | Location |
|---|---|---|
| Supabase (via AWS) | Database hosting, authentication | EU (Frankfurt) |
| Vercel | Frontend hosting and CDN | EU/US |
| Cloudflare | DNS, security, CDN | Global |
6.2 Content and Media Integrations
| Provider | Purpose | Privacy Policy |
|---|---|---|
| Frame.io (Adobe) | Creative asset management and approvals | Frame.io Privacy |
| TMDB | Film metadata enrichment | TMDB Privacy |
| YouTube API Services | Video content management, analytics | Google Privacy |
6.3 Social Media and Marketing Integrations
When Clients use our social media publishing features, data may be shared with:
| Provider | Purpose | Privacy Policy |
|---|---|---|
| Meta (Facebook/Instagram) | Content distribution, advertising | Meta Privacy |
| Google Ads | Advertising campaigns | Google Privacy |
| TikTok | Content distribution | TikTok Privacy |
Note: FilmHQ's use of YouTube API Services is subject to the Google API Services User Data Policy, including the Limited Use requirements.
6.4 Analytics and Support
| Provider | Purpose | Privacy Policy |
|---|---|---|
| Zoho Analytics | Business intelligence | Zoho Privacy |
6.5 Payment Processing
| Provider | Purpose | Privacy Policy |
|---|---|---|
| Stripe | Payment processing, invoicing | Stripe Privacy |
6.6 Cinema Data Partners
We receive showtime and ticketing data from cinema operators including:
- Forum Cinemas
- Apollo Kino
- Cinamon
- Elektriteater
- Other Baltic region cinemas
This data is used to display accurate showtime information to consumers and to enable film distribution analytics.
7. Data Sharing and Disclosure
7.1 We Do Not Sell Personal Data
FilmHQ does not sell Personal Data to third parties.
7.2 Sharing Within Multi-Tenant Environment
FilmHQ operates a multi-tenant platform where each Client's data is logically separated. We implement strict Row-Level Security (RLS) to ensure Clients can only access their own data.
7.3 Disclosure to Service Providers
We share Personal Data with service providers who assist us in operating our Service. These providers are contractually bound to:
- Process data only according to our instructions
- Implement appropriate security measures
- Not use data for their own purposes
- Delete or return data upon termination
7.4 Legal and Safety Disclosures
We may disclose Personal Data when required:
- To comply with applicable law or legal process
- To respond to requests from law enforcement or government authorities
- To protect the rights, property, or safety of FilmHQ, our users, or others
- In connection with investigations of fraud or other illegal activity
7.5 Business Transfers
In the event of a merger, acquisition, reorganization, or sale of assets, Personal Data may be transferred to the acquiring entity. We will notify affected users before Personal Data becomes subject to a different privacy policy.
8. International Data Transfers
FilmHQ is headquartered in Estonia within the European Economic Area (EEA). However, some of our service providers operate outside the EEA.
When we transfer Personal Data outside the EEA, we ensure adequate protection through:
- Adequacy Decisions: Transfers to countries recognized by the European Commission as providing adequate protection
- Standard Contractual Clauses (SCCs): EU-approved contractual safeguards
- EU-US Data Privacy Framework: For US-based service providers certified under the DPF
You may request information about the specific safeguards applied to international transfers by contacting privacy@filmhq.pro.
9. Data Retention
9.1 General Principles
We retain Personal Data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law.
9.2 Specific Retention Periods
| Data Category | Retention Period |
|---|---|
| Active user accounts | Duration of account + 90 days after closure |
| Closed paid accounts | Data deleted within 180 days of closure |
| Free trial accounts | Data deleted within 60 days of closure |
| Transaction records | 7 years (Estonian accounting requirements) |
| Support communications | 3 years after resolution |
| Marketing contact data | Until consent withdrawal + 30 days |
| Server logs | 90 days |
| Backup archives | 90 days (rolling) |
9.3 Client Data Retention
For data processed on behalf of Clients (where FilmHQ is a processor), retention periods are determined by the Client's instructions and applicable DPA.
10. Data Security
FilmHQ implements industry-standard technical and organizational measures to protect Personal Data, including:
Technical Measures:
- Encryption of data at rest (AES-256) and in transit (TLS 1.3)
- Row-Level Security (RLS) for multi-tenant data isolation
- Regular security testing and vulnerability assessments
- Secure API connections with authentication
- Automated backup systems
- Multi-factor authentication options
Organizational Measures:
- Access controls based on the principle of least privilege
- Employee training on data protection
- Incident response procedures
- Vendor due diligence and DPA requirements
- Regular policy reviews
While we strive to protect your Personal Data, no method of transmission or storage is 100% secure. If you believe your data has been compromised, please contact us immediately at privacy@filmhq.pro.
11. Your Rights
Under the GDPR and Estonian PDPA, you have the following rights regarding your Personal Data:
11.1 Right of Access
You have the right to obtain confirmation whether we process your Personal Data and to request a copy of that data.
11.2 Right to Rectification
You have the right to request correction of inaccurate Personal Data or completion of incomplete data.
11.3 Right to Erasure ("Right to be Forgotten")
You have the right to request deletion of your Personal Data in certain circumstances, including when:
- The data is no longer necessary for its original purpose
- You withdraw consent (where processing was based on consent)
- You object to processing and there are no overriding legitimate grounds
- The data has been unlawfully processed
11.4 Right to Restriction of Processing
You have the right to request that we restrict processing of your Personal Data in certain circumstances, such as when you contest its accuracy.
11.5 Right to Data Portability
You have the right to receive your Personal Data in a structured, commonly used, machine-readable format and to transmit it to another controller.
11.6 Right to Object
You have the right to object to processing based on legitimate interests or for direct marketing purposes.
11.7 Right to Withdraw Consent
Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.
11.8 Right to Lodge a Complaint
You have the right to lodge a complaint with the supervisory authority if you believe your rights have been violated.
Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)
Tatari 39, 10134 Tallinn, Estonia
- Phone: +372 627 4135
- Email: info@aki.ee
- Website: https://www.aki.ee
11.9 Exercising Your Rights
To exercise any of these rights, please contact us at:
- Email: privacy@filmhq.pro
- Subject line: "Data Subject Request - [Your Request Type]"
We will respond to your request within 30 days. If your request is complex, we may extend this period by an additional 60 days, but we will inform you of any extension within the initial 30-day period.
We may need to verify your identity before processing your request to ensure we protect your Personal Data from unauthorized access.
12. Children's Privacy
FilmHQ Services are not directed to children under the age of 16 (or such age as specified by applicable law). We do not knowingly collect Personal Data from children.
If you are a parent or guardian and believe your child has provided us with Personal Data, please contact us at privacy@filmhq.pro. If we discover that we have collected Personal Data from a child without verification of parental consent, we will take steps to delete that information.
13. Automated Decision-Making
FilmHQ does not currently engage in fully automated decision-making that produces legal effects or similarly significant effects on individuals.
We may use automated systems for:
- Fraud detection and prevention
- Content recommendations (based on user preferences)
- Analytics and reporting
These automated processes do not make final decisions that significantly affect you without human review.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors.
When we make material changes, we will:
- Update the "Current as of" date at the top of this Policy
- Notify users via email or in-app notification
- Obtain consent where required by law
Your continued use of the Service after the updated Policy becomes effective indicates your acceptance of the revised Policy. If you do not agree with any changes, you may close your account.
15. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
For general privacy inquiries: Email: privacy@filmhq.pro
For all other inquiries: FilmHQ OÜ, Tööstuse 47D-15, 10416 Tallinn, Estonia. Email: info@filmhq.pro
We aim to respond to all inquiries within 5 business days.
16. Additional Information for Specific Jurisdictions
16.1 European Economic Area (EEA)
This Policy is designed to comply with the GDPR and applies to all individuals in the EEA. The Estonian Data Protection Inspectorate is our lead supervisory authority.
16.2 United Kingdom
For UK residents, references to the GDPR include the UK GDPR as retained in UK law. You may also contact the UK Information Commissioner's Office (ICO) at ico.org.uk.
16.3 Latvia
For Latvian residents, you may contact the Data State Inspectorate (Datu valsts inspekcija) at dvi.gov.lv.
16.4 Lithuania
For Lithuanian residents, you may contact the State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija) at vdai.lrt.lt.
This Privacy Policy was last updated on December 8, 2025.