Legal

Privacy Policy

Last updated 22 April 2026

Draft·Pending solicitor review. Not the final legal text — treat as a statement of intent.

This policy explains what SinguLoom collects, why, and what your rights are. SinguLoom is the data controller for personal data processed through the platform. For privacy matters, use the contact form — messages are logged and routed straight to the team.

What we collect

  • Account data. Name, email, mobile, display name, optional bio and photo. Collected on signup and when you edit your profile.
  • Production company data. Company name, country, legal entity, stated creator roles. Plus any files you upload in the application stage (portfolio evidence, identity verification where required).
  • Release metadata. Title, synopsis, cast, team, rights declarations, AI-tool disclosures. All visible on the public release page once published.
  • Payment data.Handled by Stripe. We store a Stripe account ID per company — never bank details or tax forms. Stripe's own privacy policy applies to that data.
  • Viewing analytics. Mux Data records watch time, completion, rebuffer events per view. Only collected if you grant analytics consent. Not tied to your identity beyond a Mux-generated session ID.
  • Advertising. When you grant advertising consent, our ad partner (Google Ad Manager, once wired) receives the signals needed to serve personalised ads. With consent withheld, we serve a constrained contextual ad or none at all.
  • Cookies. See the cookie policy for the full list.

Why we process it (lawful bases)

  • Contract — to run your account, process payouts, and deliver the service you signed up for.
  • Legitimate interests — fraud prevention, moderation, safety.
  • Consent — analytics cookies, advertising cookies, marketing email.
  • Legal obligation — tax records, takedown compliance, law-enforcement requests.

Where we store it

Primary data store is Supabase (EU region). Video assets are held by Mux. Payments by Stripe. Transactional email by Mailtrap (or the current provider). All three are GDPR- compliant sub-processors with appropriate transfer mechanisms.

How long we keep it

  • Account data: while your account is active, plus 3 years after deletion for fraud and audit.
  • Release metadata: indefinitely if the release is public; 90 days after takedown.
  • Financial records: 7 years (HMRC requirement).
  • Moderation and audit logs: 7 years, immutable.
  • Viewer analytics: 14 months aggregated, tied to rotating session IDs that decay after 30 days.

Your rights (UK GDPR)

You can request access, correction, deletion, restriction, portability, or object to processing. Submit a request via the contact form — include “Data request” in your message. We aim to respond within 30 days. You can also complain to the UK Information Commissioner's Office.

Children

SinguLoom is not intended for users under 16. If we learn we have collected data from a child under 16 without parental consent, we will delete it.

This is placeholder policy text — not legal advice. Final copy is pending review by a qualified solicitor before any public launch. Questions in the meantime: /support.