Privacy Policy
Last updated: 19 May 2026
1. Who we are
Cinemail is operated by Daniel Fainberg, an independent developer based abroad, doing business as dafaspace. You can reach us anytime at hello@dafaspace.com or support@dafaspace.com.
2. What data we collect
2.1 Account information
When you create an account, we collect:
- Email address (used to sign in and contact you about your account)
- Password (stored securely as a hash via Supabase Auth; we never see your plain password)
- Optional display name
2.2 Content you create
When you use Cinemail, we store the data you generate:
- Films you've added to your watchlist or marked as watched, along with ratings, notes and dates
- Lists you've created and people you've shared them with
- Friend connections within Cinemail
- Feedback messages and optional screenshots you submit
2.3 Technical data
For security and basic functioning, we may process:
- Anonymised request logs (IP address, user-agent string, timestamp) on our server infrastructure, kept only as long as needed to investigate abuse
- App version, device type and basic diagnostics when you submit feedback
2.4 What we do not collect
- No third-party analytics (no Google Analytics, no Facebook Pixel, no Mixpanel, nothing)
- No advertising IDs, no tracking SDKs
- No location data
- No contacts, photos or files beyond what you explicitly upload
3. How we use your data
We use the data above only to:
- Provide the core app functionality (your watchlist, AI picks, sharing with friends)
- Sync your data across your devices when signed in
- Respond to your feedback or support requests
- Protect the service against abuse (rate-limiting, fraud prevention)
We do not sell your data. We do not share it with advertisers. We do not use it to train AI models.
4. Where your data is stored
4.1 Supabase
Your account, watchlist and lists are stored in Supabase, a managed PostgreSQL service. Servers are located in the EU (Frankfurt) at the time of writing. Supabase acts as our data processor under standard contractual terms.
4.2 Cloudflare
API requests (TMDB film data, AI features) are proxied through a Cloudflare Worker for security and rate-limiting. Cloudflare may temporarily process request metadata at the edge.
5. Third-party services
5.1 TMDB
Film data, posters and crew information come from The Movie Database (TMDB). When you search for a film, your query is forwarded to TMDB via our proxy. Cinemail uses the TMDB API but is not endorsed or certified by TMDB. See TMDB's privacy policy.
5.2 Anthropic (AI picks)
When you ask for an AI recommendation, we send anonymised film preferences (titles, genres, ratings - not your name, email or personal identifiers) to Anthropic's Claude model via API. Anthropic does not train on customer API data by default.
5.3 Music links
Soundtrack buttons open external services (Spotify, Apple Music, YouTube Music). These platforms have their own privacy policies; we never share your data with them - the link opens with only the search term.
6. Cookies and local storage
Cinemail stores authentication tokens and a local cache of your data in your browser's IndexedDB and localStorage. This is necessary for the app to work offline and stay signed in. We do not use cookies for tracking or advertising.
7. Your rights
Regardless of where you live, you have the right to:
- Access - request a copy of all the data we hold about you
- Export - you can export your watchlist as CSV or JSON anytime from the app (Settings → Backup)
- Correct - fix any inaccurate data through the app or by emailing us
- Delete - delete your account and all associated data. Email hello@dafaspace.com with the subject line "Delete my account" and we will process it within 7 days
- Object / restrict - ask us to stop processing your data in any specific way
- Withdraw consent - revoke any consents by deleting your account
- Lodge a complaint - with your local data protection authority if you believe we've handled your data unlawfully
8. Data retention
We keep your account data for as long as your account exists. If you delete your account, all your personal data is removed from our active databases within 7 days. Anonymised backups may be retained for up to 30 days after that for disaster recovery, then permanently deleted.
Feedback messages may be kept indefinitely as part of our product improvement records, but we remove any personally identifying details on request.
9. Security
We use industry-standard security practices: HTTPS everywhere, hashed passwords, row-level security on the database (so users can only see their own data), and short-lived authentication tokens. No system is perfectly secure, but we take reasonable steps and will notify you promptly if we ever discover a breach involving your data.
10. Children's privacy
Cinemail is not directed at children under 13 (or under 16 in jurisdictions where that age applies under GDPR). We don't knowingly collect data from children. If you believe a child has signed up, please email us and we'll delete the account.
11. International transfers
If you use Cinemail from outside the EU, your data may be transferred to servers in the EU (Supabase, Frankfurt) or routed through Cloudflare's global network. We rely on Standard Contractual Clauses and the providers' compliance frameworks to safeguard those transfers.
12. Changes to this policy
If we make material changes to this policy, we'll notify you in the app and update the "Last updated" date above. Trivial wording changes won't trigger a notification. Continued use of Cinemail after a change means you accept the new policy.
13. Contact
Questions, concerns, or just want to say hi? Email hello@dafaspace.com. A real human (me, Daniel) reads every message.