Privacy Policy
This Privacy Policy explains how Just Some Coding Ltd — the company that operates the CliffPop product — (“CliffPop”, “we”, “us”, “our”) collects, uses, and protects personal data when you use the CliffPop website, mobile experience, and related services (the “Service”). It is written to comply with the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) and the Maltese Data Protection Act (Chapter 586 of the Laws of Malta).
1. Who we are
Just Some Coding Ltd is a company registered in Malta. We operate CliffPop as a product and act as the “data controller” for the personal data described in this policy, meaning we decide why and how it is processed.
For any questions about this policy, or to exercise the rights described in section 9, contact us at privacy@cliffpop.com.
2. What data we collect
We collect only what we need to run the Service. Specifically:
2.1 Account data
- First name and surname
- Email address
- Date of birth (used to confirm you are 18 or older)
- Country of residence
- Encrypted password hash, if you registered with email and a password (we never see your plaintext password)
- Google account identifier, if you registered with “Sign in with Google.” This is an opaque ID provided by Google; we do not see or store your Google password
- Account role (viewer, creator, or administrator)
- Display name and optional avatar (creators only)
2.2 Usage data
- Series and episodes you unlock or add to your favourites
- Watch history and watch progress per episode
- Playback preferences (autoplay, language, notifications)
- Credit purchases, balances, and unlock activity
2.3 Payment data
Payments are processed by Stripe Payments Europe, Ltd. We do not see or store full card details. We retain the Stripe customer identifier, the amount and currency of each transaction, and the transaction status, which we need for tax, accounting, and fraud prevention.
2.4 Creator data
If you submit a series for review or operate a creator account, we additionally process the contents of your submission (synopsis, video files, artwork), payout details you provide, and earnings history.
2.5 Technical data
- IP address (in server logs, for security and abuse prevention)
- Browser type, device type, and operating system
- Approximate location derived from IP (country level)
- Diagnostic logs of API and video-delivery requests
3. How we use your data (lawful bases)
Under the GDPR every use of personal data needs a “lawful basis”. Ours are:
- Performance of a contract (Art. 6(1)(b)): creating and operating your account, processing credit purchases, unlocking episodes you paid for, paying creators their share of earnings.
- Legal obligation (Art. 6(1)(c)): retaining financial records for tax and accounting purposes, responding to lawful requests from authorities.
- Legitimate interests (Art. 6(1)(f)): keeping the Service secure, preventing fraud and abuse, debugging incidents, and improving the product. We have weighed these interests against your rights and believe they are proportionate.
- Consent (Art. 6(1)(a)): sending you marketing email, and the use of Google Analytics cookies (the analytics tag itself loads on every page in a cookieless mode and only switches to cookie-based measurement after you accept on the cookie banner). You can withdraw consent at any time.
4. Cookies and similar technologies
CliffPop uses a small number of strictly necessary storage mechanisms (such as a token in your browser’s localStorage to keep you signed in, and a record of your cookie-banner choice). These are essential to deliver a service you have requested and do not require consent under the EU ePrivacy Directive.
We use Google Analytics 4 to understand how the Service is used. Google’s Consent Mode v2 is configured to deny analytics storage by default, so until you click Accept all on the cookie banner, Google Analytics runs cookielessly — no _ga cookies are set and no client identifier is stored in your browser. When you accept, Google Analytics sets its standard _ga / _ga_* cookies (typically a 2-year lifetime) to recognise your browser. IP addresses are anonymised before transmission; we do not use Google Signals or any advertising features.
We do not use advertising cookies, retargeting beacons, or cross-site trackers of any kind. See our Cookie Notice for the full list of what is stored, including Google Analytics’ cookies when active.
5. Who we share data with (sub-processors)
We use a small number of trusted service providers (“sub-processors”) to operate the Service. Each is bound by a Data Processing Agreement that requires them to protect your data and only use it on our instructions.
| Provider | Purpose | Region |
|---|---|---|
| Railway | Application, database, and Redis hosting | EU |
| Stripe Payments Europe, Ltd. | Payment processing | Ireland / US (SCCs) |
| Google LLC | “Sign in with Google” authentication (only if you choose it); Google Analytics 4 (cookieless by default, cookie-based only after consent) | US (SCCs) |
| Resend | Transactional email (account, submissions) | US (SCCs) |
| Backblaze B2 | Source video and HLS storage | EU (eu-central) |
| Bunny CDN | Video and image delivery | Global edge |
| Cloudflare | DNS and TLS termination (where used) | Global |
We do not sell your personal data and we do not share it with third parties for their own marketing purposes.
6. International transfers
Some of our sub-processors are based outside the European Economic Area (EEA), most notably in the United States. Where data is transferred outside the EEA, we rely on the European Commission’s Standard Contractual Clauses (SCCs) and, where applicable, additional safeguards such as encryption in transit and at rest.
7. How long we keep data
- Account data: kept for as long as your account exists. If you delete your account, identifying fields are erased or anonymised promptly.
- Financial records (credit purchases, payouts, invoices): retained for up to 10 years as required by Maltese tax and VAT legislation. After deletion of your account, these records are anonymised so they can no longer be linked to you personally.
- Watch history and unlock records: kept while your account is active, deleted on account closure.
- Server logs: retained for approximately 30 days for security and incident response, then automatically purged by our hosting provider.
- Submitted content: if your submission is rejected, the video files are deleted from source storage. Approved series remain available on the platform for as long as the creator and CliffPop agree.
8. How we protect data
- All traffic is served over HTTPS / TLS.
- Passwords are hashed with bcrypt; we never store plaintext passwords.
- Authentication tokens (JWT) are signed with a secret stored only on the server.
- Database backups are encrypted at rest by our hosting provider.
- Access to production systems is restricted to a small number of named administrators.
- Sensitive fields (email, tokens) are redacted from application logs.
9. Your rights
Under the GDPR you have the right to:
- Access the personal data we hold about you (Art. 15)
- Rectify inaccurate or incomplete data (Art. 16)
- Erase your data, subject to our legal retention obligations (Art. 17)
- Restrict or object to certain processing (Art. 18 & 21)
- Portability — receive your data in a machine-readable format (Art. 20)
- Withdraw consent at any time, where processing is based on consent
- Lodge a complaint with a supervisory authority (see section 10)
To exercise any of these rights, email privacy@cliffpop.com. We will respond within one month, as required by Article 12(3) GDPR. We may ask you to verify your identity before acting on a request.
10. Supervisory authority
If you believe we have mishandled your personal data, you have the right to complain to the Office of the Information and Data Protection Commissioner (IDPC) in Malta:
Information and Data Protection Commissioner
Level 2, Airways House, High Street
Sliema SLM 1549, Malta
idpc.info@idpc.org.mt · idpc.org.mt
You may also complain to the supervisory authority in the EU country where you live or work.
11. Children
CliffPop is intended for adults. The Service is not directed at children under 18 and we do not knowingly collect personal data from anyone under 18. If you believe a minor has created an account, please contact us and we will remove it.
12. Changes to this policy
We may update this policy from time to time. The “Last updated” date at the top of the page reflects the most recent change. If we make material changes, we will notify registered users by email or through the Service before the changes take effect.
13. Contact
Just Some Coding Ltd (operator of CliffPop)
Malta
Email: privacy@cliffpop.com