Privacy Policy

How this app processes personal data under the EU General Data Protection Regulation (GDPR).

Controller

The operator of Watch is the controller under Art. 4 (7) GDPR.

Postal address: configure NEXT_PUBLIC_SITE_POSTAL_ADDRESS before launch

Email: the contact address published in the Legal Notice

Data protection officer

The operator has not appointed a data protection officer. Appointment is not required under Art. 37 GDPR and § 38 BDSG because the operator is an individual and the processing described here does not meet the thresholds for mandatory designation.

Categories of personal data

Account data: email address, username, password hash, timezone, last sign-in timestamp, account creation date, and (for inactive accounts) the date on which a deletion warning was sent.

Watchlist and collaboration content: tracked shows, notes, personal links, platform availability tags, country selections, reactions, shares, friend connections, and inbox items.

Contact and report data: when you use the contact form, the operator stores the case ID, category, subject and message body, the name and email address you provide, and, for illegal-content reports, the URL or identifier of the reported content and whether the report was marked as suspected child sexual abuse material (CSAM). Signed-in users are linked to their message; reports marked as suspected CSAM may be submitted without name or email.

Technical data: server access logs (IP address, user agent, timestamp, request path, HTTP status) and application security logs (failed sign-in attempts, rate-limiting events, and one-time markers used to prevent replay of solved ALTCHA challenges).

Cookies and session storage: see the Cookie Notice for details.

Purposes and legal bases

Providing the service (account creation, watchlist features, collaboration, sharing) - Art. 6 (1) (b) GDPR.

Security of the service (rate limiting, bot protection on the sign-in page, intrusion detection, abuse investigation, access logging) - Art. 6 (1) (f) GDPR.

Handling contact messages, suggestions and data-protection requests submitted through the contact form - Art. 6 (1) (b) and (f) GDPR.

Handling illegal-content reports received under Article 16 of the Digital Services Act, and responding to lawful orders and data-subject requests - Art. 6 (1) (c) GDPR.

Sending deletion-warning emails to accounts that have been inactive for approximately 23 months, before erasing them at the 24-month mark - Art. 6 (1) (f) GDPR; the legitimate interest is keeping the user informed before their account is erased.

Providing an email address, username and password is required to use the service. All other personal data is optional and provided voluntarily.

Recipients and sub-processors

Personal data is processed by the following recipients on behalf of, or alongside, the operator:

STRATO AG (Pascalstraße 10, 10587 Berlin, Germany) - web hosting and server infrastructure. The application, database, and outbound SMTP mail relay used for account-related emails run on STRATO infrastructure located in Germany. Processor under Art. 28 GDPR.

Cloudflare, Inc. (101 Townsend Street, San Francisco, CA 94107, USA) - domain registrar and authoritative DNS for the domain used to reach this service. Cloudflare processes connection metadata in the course of DNS resolution.

TVmaze, LLC and The Movie Database (TMDB) - public APIs used to fetch show metadata. These providers receive technical request metadata when the server fetches show information; no user account data is transmitted.

Recipients of emails: users receive transactional emails (inactive-account warnings) at the email address attached to their account. The operator receives internal notifications of contact-form submissions at the address published in the Legal Notice.

Transfers outside the EEA

Hosting and database storage take place inside the EU (Germany). No personal data is stored outside the EEA by the operator.

Cloudflare, Inc., TVmaze, and TMDB are established in the United States. Transfers to these providers take place when DNS lookups or metadata API calls are made, and are based on the European Commission's adequacy decision for the EU-US Data Privacy Framework where applicable, and otherwise on the Standard Contractual Clauses.

Anti-bot protection on the sign-in page is provided by ALTCHA, a self-hosted proof-of-work mechanism that runs entirely between the user's browser and the operator's server. No third party is involved in this check.

Retention periods

Account and watchlist data - retained for as long as the account exists. On account deletion the account and all linked personal data are erased immediately from the live database. Backups containing the data are overwritten within the backup retention window.

Server access logs - up to 14 days, then automatically deleted.

Application security logs (failed sign-ins, rate-limit events, used-challenge markers) - up to 30 days.

Database backups - up to 30 days, encrypted at rest. After 30 days, backups are rotated and deleted.

Contact and report messages - retained for up to 24 months after the case has been closed, to comply with record-keeping obligations under the Digital Services Act and to handle follow-up questions. When the author deletes their account, the user link on their past messages is removed and the message body is kept only to the extent necessary for legal record-keeping.

Inactive accounts - if a user has not signed in for 23 months, the operator sends a warning email and records the warning date. If the user still has not signed in once 24 months of inactivity have elapsed and at least 30 days have passed since the warning, the account and linked personal data are deleted from the live database. Backups age out within the normal 30-day backup retention window.

Your rights

Under the GDPR you have the right to: access your personal data (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20), and to object to processing based on legitimate interests (Art. 21). Where processing is based on consent, you may withdraw that consent at any time with effect for the future (Art. 7 (3)).

You can exercise most of these rights directly in the app. A self-service export of your data (Art. 20) is available in account settings; you may also request a copy of your data via the contact address published in the Legal Notice.

You also have the right to lodge a complaint with a data protection supervisory authority (Art. 77). A list of German authorities is available at datenschutzkonferenz-online.de.

Automated decision-making and profiling

The operator does not use automated decision-making within the meaning of Art. 22 GDPR and does not profile users.

Children

The service is not directed at users below 16 years of age. By registering, a user confirms that they are at least 16 years old. If the operator becomes aware that an account belongs to a younger user, the account will be closed and the data deleted.

Security

Watch (watch.nynx.cc) uses HTTPS, secure cookies in production, salted password hashing, and TLS for outbound email. To deter automated abuse, it applies login rate limiting, a self-hosted ALTCHA proof-of-work challenge with replay protection on the sign-in and contact pages, and per-IP rate limiting on the contact form.

No service can promise absolute security. The operator keeps dependencies, hosting, and environment configuration up to date and reviews security periodically.

Changes to this policy

This policy may be updated to reflect changes in the service, the sub-processors used, or applicable law. The version in force is the one published on this page. Material changes will be announced in the app where technically possible.

Last updated

19 April 2026