Privacy Policy — LookUpVOD

Effective date: April 4, 2026

1. Data Controller

  1. The data controller is Code Truck Sp. z o.o., with its registered office in Stawno, Stawno 9, 72-131 Stawno, Poland, entered in the National Court Register (KRS) under number 0001192715, Tax ID (NIP): 542646870, REGON: 542646870.
  2. Contact: contact@lookupvod.com.

2. What Data We Collect

  1. Registration data: email address, name, profile picture. When logging in via Google (Google OAuth), this data is obtained from the User's Google account and is used solely for identification within the Service.
  2. Functional data: watchlists (want/watched/hidden), collections, movie plans, selected VOD platforms, region preferences.
  3. Technical data: IP address is used temporarily for automatic country detection. Technical data (including IP addresses) may be recorded in hosting infrastructure security logs (Vercel) for a limited period (up to 30 days).
  4. We do not collect: payment data (during beta), location data (GPS), social media data, tracking cookies, or analytics cookies.

3. Purpose of Data Processing

  1. Service delivery (Art. 6(1)(b) GDPR) — registration, login, storing lists and preferences.
  2. Communication (Art. 6(1)(b) GDPR) — service change notifications.
  3. Security (Art. 6(1)(f) GDPR) — protection against unauthorized access and abuse, infrastructure security logs.

4. Data Storage

  1. User data is stored in a Neon Postgres database (EU servers) with encrypted connections.
  2. Data is stored for the duration of Account existence. Upon Account deletion, data is removed from active systems. Some data may be retained for a limited time in infrastructure backups or for the purpose of defending legal claims, in accordance with applicable law.
  3. Infrastructure security logs (including IP addresses) are retained by the hosting provider (Vercel) for a maximum of 30 days.

5. Data Sharing and Processors

  1. The Operator does not sell User data.
  2. Data may only be shared with data processors to the extent necessary for service delivery:
    • Vercel (Vercel Inc., USA) — application hosting, edge computing, security logs,
    • Neon (Neon Inc.) — Postgres database (EU servers),
    • Upstash (Upstash Inc.) — Redis cache (AI cache, tag index, share links),
    • Google (Google LLC, USA) — OAuth authentication (email, name, profile picture),
    • Anthropic (Anthropic PBC, USA) — AI features (descriptions, recommendations, tags; account-related data may be included in AI queries),
    • Resend (Resend Inc.) — transactional email.
  3. Data may be shared with legal authorities only pursuant to a valid legal order.

6. Data Transfers Outside the European Economic Area

  1. User data may be processed outside the European Economic Area (EEA) by the following infrastructure providers: Vercel, Google, Anthropic, Resend.
  2. Data transfers are carried out on the basis of Standard Contractual Clauses (SCCs) adopted by the European Commission or equivalent legal safeguards ensuring an adequate level of personal data protection.

7. Cookies, localStorage and Analytics

  1. The Service does not use tracking cookies. The Service uses the hosting platform's built-in analytics tool (Vercel Web Analytics), which collects only anonymous, aggregated visit statistics. The tool does not use cookies, does not identify users, and does not track their activity across pages. Data collected includes: browser type, operating system, country, and visited pages.
  2. The Service uses browser localStorage solely for functional purposes: remembering language preferences, theme (light/dark), and selected region.
  3. Login sessions are stored in httpOnly cookies (functional, necessary for service operation).

8. User Rights (GDPR)

  1. Users have the right to:
  2. Access their data — contact: contact@lookupvod.com.
  3. Rectification — change data in Account settings or by contacting the Operator.
  4. Erasure — Account deletion (§7 of Terms of Service).
  5. Restriction of processing — in cases specified in Art. 18 GDPR.
  6. Object to processing based on the Operator's legitimate interest (Art. 21 GDPR).
  7. Data portability — watchlist export (planned).
  8. Withdrawal of consent — to the extent processing is based on consent, without affecting the lawfulness of processing carried out prior to withdrawal.
  9. Lodge a complaint with a supervisory authority — in Poland: PUODO (President of the Personal Data Protection Office), ul. Stawki 2, 00-193 Warsaw.

9. Changes to Privacy Policy

  1. Users will be notified of Privacy Policy changes at least 14 days in advance.
  2. The current version is always available at lookupvod.com/privacy.