Privacy Policy
This policy explains how WeCinema collects, uses, stores, and protects your personal information when you use our platform.
1. Overview & Scope
WeCinema ("we," "our," or "the Platform") operates wecinema.co — an independent film platform for watching, uploading, distributing, and selling video content and scripts. This Privacy Policy applies to all users, including:
Viewers / Users
Browse and watch content on the platform.
Content Creators
Upload, host, and monetize video content.
Marketplace Users
Buy and sell scripts, licenses, and services.
This policy also covers data collected through our mobile-optimised web app (PWA), email communications, and any integrations you authorise.
2. Information We Collect
2.1 Information You Provide Directly
Account Details
Username, email address, password (stored as Argon2 hash — never plaintext), profile picture, bio, and profile tags.
Payment Information
Billing details are processed exclusively by Stripe. WeCinema never stores raw card numbers or CVV data.
Content & Metadata
Video files, thumbnails, scripts, listing titles, descriptions, pricing, tags, and associated usage-rights information.
Shipping Addresses
For physical-goods orders, shipping addresses are stored AES-256-CBC encrypted using a platform-managed key.
Communications
Messages sent via our marketplace chat (stored in Firebase Firestore), support requests, and report submissions.
Identity Verification
For Stripe Connect seller onboarding, Stripe may collect government ID and bank details directly — we do not see these.
2.2 Information Collected Automatically
- IP Address & Device Info: Browser type, operating system, screen resolution, device identifiers.
- Log Data: Pages visited, features used, timestamps, referring URLs, error logs.
- Video Playback Telemetry: Watch duration, buffering events, quality selection — used to improve streaming.
- Cookies & Local Storage: Session tokens, theme preferences, sidebar state. See Section 8.
- Analytics: Aggregated usage patterns via privacy-respecting analytics tools.
2.3 Information from Third Parties
- Google / Firebase Auth: If you sign in with Google, Firebase verifies your identity and returns your name, email, and profile photo.
- Stripe: Webhook events notify us of payment status, dispute outcomes, and payout completions. No raw card data is shared.
- AWS: S3 access logs and CloudFront distribution logs may include your IP address and request metadata.
3. How We Use Your Information
Platform Operation
- Authenticating your identity and maintaining secure sessions (JWT access tokens, httpOnly refresh cookies)
- Hosting, streaming, and delivering video content via AWS S3 pre-signed URLs
- Transcoding uploaded videos to 1080p / 720p / 360p renditions via AWS MediaConvert
- Processing marketplace transactions and managing escrow via Stripe
Communication
- Sending OTP verification codes during registration and login
- Order status notifications (creation, delivery, completion, disputes)
- Subscription expiry warnings and renewal reminders
- Platform announcements and policy updates (opt-out available)
Personalisation & Recommendations
- Recommending videos, creators, and marketplace listings based on your activity
- Surfacing content relevant to your profile tags and watch history
- Customising your dashboard and homepage experience
Safety & Legal Compliance
- Detecting and preventing fraud, abuse, and policy violations
- Preserving marketplace chat logs for dispute resolution
- Responding to law-enforcement requests and legal obligations
- Enforcing our Terms & Conditions and Acceptable Use Policy
5. Data Security & Technical Safeguards
WeCinema implements industry-standard technical and organisational security measures:
Password Hashing
All passwords are hashed using Argon2id — the current OWASP-recommended algorithm. Plaintext passwords are never stored.
JWT Authentication
Access tokens expire in 15 minutes. Refresh tokens (7 days) are stored in httpOnly, Secure, SameSite=Strict cookies — inaccessible to JavaScript.
Transport Encryption
All traffic between your browser and our servers is encrypted with TLS 1.2+. HSTS is enforced.
Storage Encryption
Shipping addresses: AES-256-CBC. AWS S3 objects: server-side encryption (SSE-S3). Video delivery via short-lived presigned URLs (24-hour TTL).
Input Sanitisation
All user input is validated and sanitised. MongoDB operators are stripped. Prototype pollution is actively blocked via middleware.
Rate Limiting
Authentication endpoints: 15 req/min. Payment endpoints: 5 req/min. Write operations: 10 req/30 min — mitigating brute-force attacks.
Token Revocation
Logout immediately blacklists the token's JTI. Incrementing tokenVersion globally revokes all active sessions for a user.
PCI-DSS Compliance
Payments are fully delegated to Stripe — a PCI-DSS Level 1 certified processor. WeCinema never touches raw card data.
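The two revocation paths named under "Token Revocation", combined with the 15-minute access-token lifetime from "JWT Authentication", can be sketched as follows. This is an added illustration, not WeCinema's code: HS256 signing, the in-memory stores, the `tv` claim name and all function names are assumptions.

```javascript
const crypto = require("crypto");

// Assumptions (not from the policy): HS256, in-memory stores, hypothetical names.
const SECRET = "constructed-demo-secret";
const ACCESS_TTL_S = 15 * 60; // access-token lifetime stated in the policy
const revokedJti = new Map(); // jti -> exp, so entries can be purged once expired
const users = new Map([["u1", { tokenVersion: 0 }]]); // constructed sample user

const b64u = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
const sign = (data) => crypto.createHmac("sha256", SECRET).update(data).digest("base64url");
const nowS = () => Math.floor(Date.now() / 1000);

function issueAccessToken(userId, now = nowS()) {
  const head = b64u({ alg: "HS256", typ: "JWT" });
  const body = b64u({ sub: userId, jti: crypto.randomUUID(),
    tv: users.get(userId).tokenVersion, iat: now, exp: now + ACCESS_TTL_S });
  return `${head}.${body}.${sign(`${head}.${body}`)}`;
}

function verifyAccessToken(token, now = nowS()) {
  const [head, body, sig] = String(token).split(".");
  if (!head || !body || !sig) return { ok: false, reason: "malformed" };
  const expected = Buffer.from(sign(`${head}.${body}`));
  const given = Buffer.from(sig);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected))
    return { ok: false, reason: "bad-signature" };
  const claims = JSON.parse(Buffer.from(body, "base64url").toString());
  if (now >= claims.exp) return { ok: false, reason: "expired" };
  // Per-token revocation: the jti was denylisted at logout.
  if (revokedJti.has(claims.jti)) return { ok: false, reason: "jti-revoked" };
  // Per-user revocation: the token carries an older tokenVersion than the account.
  const user = users.get(claims.sub);
  if (!user || user.tokenVersion !== claims.tv)
    return { ok: false, reason: "stale-token-version" };
  return { ok: true, claims };
}

function logout(token) {
  const res = verifyAccessToken(token);
  if (res.ok) revokedJti.set(res.claims.jti, res.claims.exp); // keep until exp only
  return res.ok;
}

function revokeAllSessions(userId) {
  users.get(userId).tokenVersion += 1; // every previously issued token now fails
}
```

Because a denylisted `jti` only matters until the token's own `exp`, the denylist never needs to hold entries longer than the access-token lifetime.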
6. Data Retention
We retain personal data only as long as necessary for the purpose it was collected, or as required by law:
| Data Type | Retention Period | Reason |
|---|---|---|
| Active account data | Duration of account | Service provision |
| Deleted account data | 90 days post-deletion | Dispute resolution & abuse prevention |
| Order & payment records | 7 years | Tax, accounting & legal compliance |
| Marketplace chat logs | 2 years | Dispute resolution |
| Video content | Until creator deletes | Content hosting agreement |
| Security & access logs | 12 months | Security monitoring |
| OTP codes | 10 minutes | One-time use — auto-expired |
| JWT refresh tokens | 7 days | Authentication lifecycle |
To request early deletion of your data, see Section 7 (Your Rights) or contact privacy@wecinema.co.
7. Your Rights & Choices
Access
Receive a copy of your personal data we hold.
Correction
Correct inaccurate or incomplete data.
Deletion
Request deletion of your account and data.
Portability
Export your data in a machine-readable format.
Objection
Object to processing based on legitimate interests.
Restriction
Request restriction of processing in certain cases.
Opt-Out
Unsubscribe from marketing emails at any time.
Withdraw
Withdraw consent where processing is consent-based.
To exercise any of these rights, email privacy@wecinema.co with your account email and the specific request. We will respond within 30 days (or 72 hours for urgent security concerns).
You may also delete your account directly from your account settings — this triggers immediate deactivation and schedules all associated data for deletion within 90 days.
9. International Data Transfers
WeCinema servers are operated by Amazon Web Services in the US East (Ohio — us-east-2) region. If you access the platform from outside the United States, your data is transferred to and processed in the United States.
For users in the European Economic Area (EEA) or United Kingdom, such transfers are made under standard contractual clauses (SCCs) or other lawful transfer mechanisms recognised under applicable data protection law.
By using WeCinema, you consent to this international transfer and processing of your personal data.
10. Children's Privacy
We do not knowingly collect personal information from anyone under 18. If we discover that a minor has created an account, we will immediately terminate the account and delete all associated data. If you believe a minor has registered, please contact privacy@wecinema.co immediately.
11. GDPR Compliance (EEA & UK Users)
If you are located in the European Economic Area or United Kingdom, the General Data Protection Regulation (GDPR / UK GDPR) gives you additional rights and protections:
Legal Bases for Processing
- Contract: Processing necessary to provide you with platform services (account, orders, payments).
- Legitimate Interests: Fraud prevention, security monitoring, platform improvement — balanced against your rights.
- Legal Obligation: Financial record-keeping, responding to lawful requests from authorities.
- Consent: Marketing communications, optional analytics — withdrawable at any time.
Our Data Protection contact for GDPR inquiries is privacy@wecinema.co. You also have the right to lodge a complaint with your local supervisory authority (e.g., the ICO in the UK, or your national DPA in the EEA).
12. CCPA Rights (California Residents)
Under the California Consumer Privacy Act (CCPA), California residents have the right to:
- Know: What personal information is collected, used, shared, or sold.
- Delete: Request deletion of personal information we hold about you.
- Opt-Out of Sale: WeCinema does not sell personal information — this right is automatically satisfied.
- Non-Discrimination: We will not discriminate against you for exercising any CCPA right.
To submit a verifiable California consumer request, email privacy@wecinema.co with subject line "CCPA Request" from your registered account email. We will respond within 45 days.
13. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or for other reasons. When we make material changes:
- We will post the updated policy with a revised effective date.
- We will notify registered users via email at least 30 days before major changes take effect.
- Continued use of the platform after the effective date constitutes acceptance.
- Previous versions are archived and available upon request.
14. Contact & Data Controller
WeCinema operates as the Data Controller for personal information collected through wecinema.co.
Your Privacy Matters
Questions about this policy? Contact privacy@wecinema.co
Effective May 17, 2026 · Version 3.0 · WeCinema Video Platform · wecinema.co