GDPR Agreement

CINEMAFON PERSONAL DATA PROTECTION AND PRIVACY POLICY

(Compliant with GDPR & UK DPA 2018) 

1. Parties

  • Data Controller: Cinemafon Limited (Registered in the UK, address: IP28 7DE Suffolk).

  • Data Processors: Sub-processors under GDPR Article 28 (list available upon request).

2. Data Collection Methods

  • Collected Data:

    • Identity (name, surname), contact (email, phone), financial (IBAN, payment history), technical (IP, cookies).

    • No Special Category Data is collected (GDPR Article 9).
  • Collection Channels:

    • Web forms, contracts, automated systems (cookies), payment gateways (PCI-DSS compliant providers like Stripe, PayPal).


3. Data Processing Purposes & Legal Bases (GDPR Article 6)

| Purpose | Legal Basis | Retention Period |
|---|---|---|
| Contract execution (membership) | Contract performance (6/1/b) | 10 years |
| Legal obligation (tax, FCA) | Legal compliance (6/1/c) | As required by law |
| Marketing (newsletter) | Explicit consent (6/1/a) | Until consent withdrawal |
| Analytics (Google Analytics) | Legitimate interest (6/1/f) | 26 months |


4. Data Sharing

  • Within UK/EU: 

    • Banks (payments), accounting firms (legal reporting).
  • Transfers Outside EU: 

    • Only under GDPR Articles 45-46 via:

      • Adequacy Decisions (e.g., Switzerland),
      • Standard Contractual Clauses (SCCs) (e.g., US cloud providers).


5. Cookie Policy (ePrivacy Directive & PECR)

  • Essential Cookies: Session management (non-optional).

  • Analytical Cookies: Google Analytics (requires consent under GDPR Article 7).
  • Consent Management: Collected via tools like Cookiebot.


6. Your Rights (GDPR Articles 12-23 & UK DPA Part 3)

  • Access, Rectification, Erasure (Right to be Forgotten),
  • Object to Processing (absolute right for marketing),
  • Data Portability (in JSON/CSV format),
  • No Automated Decision-Making (no profiling).

Requests to: info@cinemafon.com (responded within 30 days). 

7. Security Measures (GDPR Article 32)

  • Technical: SSL/TLS, pseudonymization, audit logs.
  • Organizational: DPO appointment, staff training.


8. Exceptions (GDPR Article 23)

  • Legal Obligation: Court orders, FCA audits.
  • Vital Interests: User safety emergencies.


9. Contact

  • UK ICO Complaints: ico.org.uk
  • EU Representative: (If appointed under GDPR Article 27).

APPENDICES

Appendix 1: Sub-Processor List (GDPR Article 28)

Cinemafon Limited engages the following sub-processors. This list is available electronically upon request:

| Sub-Processor | Service | Purpose | Location | Compliance |
|---|---|---|---|---|
| Stripe Payments UK Ltd | Payment processing | Secure payment gateway | UK | PCI-DSS, GDPR |
| Google Cloud Europe Ltd | Data hosting | Server storage | Netherlands | SCC, ISO 27001 |
| Mailchimp (Intuit) | Email marketing | Newsletters | USA | SCCs + BCRs |


Appendix 2: Cross-Border Data Transfers (SCCs)

(GDPR Article 46 & UK IDTA) 

  • Transfer Mechanism: European Commission’s 2021/914 SCCs.

  • Key Safeguards:

    • Encryption: AES-256 for data in transit.
    • Audit Rights: Annual audits for sub-processors.


Declaration 

"Cinemafon Limited is registered with the UK ICO and has appointed a DPO under GDPR Article 37." 

ACCEPTANCE


"I consent to the processing of my personal data under the above terms." 

[✔️] I Agree
[ ] I Disagree