Privacy Policy

Last updated: 10 April 2026

This Privacy Policy informs you, pursuant to Articles 13 and 14 of the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), the German Telecommunications and Telemedia Data Protection Act (TTDSG), and the German Digital Services Act (DDG), about the processing of your personal data by the Riffly app.


1. Controller

Name: Sebastian Mück
Postal address:
Schellingstraße 87
80799 München
Germany

Email: support@riffly.tv


2. Categories of Data Processed and Purposes

Riffly processes the following categories of personal data:

2.1 Account credentials (email address and password)

  • Purpose: Registration, authentication, and account security
  • Legal basis: Art. 6(1)(b) GDPR (performance of a contract)
  • Retention period: Until deletion of the user account

2.2 Profile data

  • Data: Username, profile picture (optional), display preferences
  • Purpose: Personalisation of the app, social features
  • Legal basis: Art. 6(1)(b) GDPR (performance of a contract)
  • Retention period: Until deletion of the user account

2.3 Audio sync clips (short audio recordings for synchronisation)

  • Data: Short audio recordings (a few seconds) used to synchronise movie playback between devices
  • Purpose: Technical synchronisation of movie playback in shared sessions
  • Legal basis: Art. 6(1)(b) GDPR (performance of a contract); where processed by third parties, Art. 6(1)(a) GDPR (consent given by using the feature)
  • Retention period: Ephemeral — no persistent storage. Clips are processed solely during the synchronisation session and deleted immediately afterwards.

Notice under § 201 of the German Criminal Code (StGB — protection of confidentiality of the spoken word): Audio recording takes place only when you actively use the synchronisation feature. No background recordings are made. Third parties in your surroundings whose voices may be incidentally captured do not give explicit consent. Please use this feature only in appropriate environments and ensure that you do not record the conversations of others without their knowledge.

2.4 Audio reactions

  • Data: Audio comments intentionally recorded by you about films or scenes
  • Purpose: Social interaction, sharing film reactions with other users
  • Legal basis: Art. 6(1)(a) GDPR (consent given by actively recording)
  • Retention period: Until deleted by the user or deletion of the account

2.5 Social connections (follows)

  • Data: Lists of followed and following users (user IDs)
  • Purpose: Social features, discovery of content from connected users
  • Legal basis: Art. 6(1)(b) GDPR (performance of a contract)
  • Retention period: Until the connection is removed or the account is deleted

2.6 Reactions and votes

  • Data: Reactions submitted by you (e.g. emojis, thumbs up/down) on films and other users' content
  • Purpose: Social interaction, content rating
  • Legal basis: Art. 6(1)(b) GDPR (performance of a contract)
  • Retention period: Until deleted by the user or deletion of the account

2.7 Session data (shared film sessions)

  • Data: Session ID, participant IDs, film selection, synchronisation status, timestamps
  • Purpose: Execution and coordination of shared film sessions
  • Legal basis: Art. 6(1)(b) GDPR (performance of a contract)
  • Retention period: Until deletion of the user account

2.8 User statistics

  • Data: Number of films watched, sessions joined, reactions and votes submitted (aggregated usage data)
  • Purpose: Display of your personal activity in your profile
  • Legal basis: Art. 6(1)(b) GDPR (performance of a contract)
  • Retention period: Until deletion of the user account

2.9 Device storage (AsyncStorage — local data)

  • Data: Session tokens, app settings, offline action queue
  • Purpose: Maintaining the login session, offline functionality, improving app performance
  • Legal basis: § 25(2) No. 2 TTDSG (technically necessary for the service requested by the user)
  • Retention period: Until logout or uninstallation of the app

Notice under § 25 TTDSG: The app stores information on your end device (AsyncStorage). This storage is technically necessary to provide the services you have requested (in particular login sessions and offline functionality). Your separate consent is not required for this.


3. Recipients and Processors

3.1 Supabase (database infrastructure and authentication)

Riffly uses Supabase as its backend infrastructure. Supabase acts as a data processor pursuant to Art. 28 GDPR.

  • Provider: Supabase Inc., 970 Trestle Glen Rd, Oakland, CA 94610, USA
  • Data processed: Account credentials, profile data, session data, audio reactions, reactions, votes, follows, user statistics
  • Purpose: Storage and management of all server-side app data
  • Third-country transfer: Data may be transferred to the USA. Appropriate safeguards are in place via Standard Contractual Clauses (SCCs) under Art. 46(2)(c) GDPR.
  • Supabase Privacy Policy: https://supabase.com/privacy

3.2 Groq (Whisper API — audio transcription)

The Groq Whisper API may be used to process audio sync clips.

  • Provider: Groq Inc., 530 Lytton Avenue, Palo Alto, CA 94301, USA
  • Data processed: Short audio recordings (audio sync clips) for synchronisation detection
  • Purpose: Transcription/analysis of audio for technical synchronisation
  • Third-country transfer: Data may be transferred to the USA. Appropriate safeguards are in place via Standard Contractual Clauses (SCCs) under Art. 46(2)(c) GDPR.
  • Legal basis: Art. 6(1)(b) GDPR (performance of a contract) / Art. 6(1)(a) GDPR (consent)
  • Groq Privacy Policy: https://groq.com/privacy-policy/

3.3 OMDB API (film search)

The OMDB API is used for film search functionality.

  • Provider: Brian Fritz (omdbapi.com)
  • Data processed: Search queries (film titles) — no personal data are transmitted
  • Purpose: Retrieval of film information and metadata

4. Third-Country Transfers

Where data are transferred to third countries (outside the EU/EEA), such transfers are based on appropriate safeguards pursuant to Art. 46 GDPR (in particular Standard Contractual Clauses) or on an adequacy decision by the European Commission under Art. 45 GDPR. Details are provided in Section 3 (Recipients) above.


5. Minimum Age

Riffly is intended exclusively for persons who have reached the age of 16 (§ 8 BDSG). Use of the app by persons under the age of 16 is not permitted. We do not knowingly collect data from persons under 16. Should we become aware of such data, we will delete it without undue delay.


6. Automated Decision-Making and Profiling

Riffly does not carry out automated decision-making within the meaning of Art. 22 GDPR that produces legal effects or similarly significantly affects you.


7. Your Rights as a Data Subject

You have the following rights against the controller:

  • Right of access (Art. 15 GDPR): You may request information about your stored personal data.
  • Right to rectification (Art. 16 GDPR): You may request the correction of inaccurate data.
  • Right to erasure (Art. 17 GDPR, “right to be forgotten”): You may request the deletion of your data, provided no retention obligations apply.
  • Right to restriction of processing (Art. 18 GDPR): Under certain conditions, you may request that processing of your data be restricted.
  • Right to data portability (Art. 20 GDPR): You may receive your data in a structured, machine-readable format.
  • Right to object (Art. 21 GDPR): You may object to the processing of your data where it is based on legitimate interests (Art. 6(1)(f) GDPR).
  • Right to withdraw consent (Art. 7(3) GDPR): Where processing is based on your consent, you may withdraw that consent at any time with effect for the future.

To exercise your rights, please contact: support@riffly.tv


8. Right to Lodge a Complaint with a Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority concerning the processing of your personal data (Art. 77 GDPR). The competent authority is:

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18
91522 Ansbach
www.lda.bayern.de

An overview of all German supervisory authorities is available at: https://www.bfdi.bund.de


9. Obligation to Provide Data

Providing your email address and a password is contractually required to register for and use Riffly. Without these details, an account cannot be created. All other data (e.g. profile picture, audio reactions) are voluntary.


10. Changes to this Privacy Policy

We reserve the right to update this Privacy Policy to reflect changes in the law or in our service and data processing practices. The current version is always available in the app and at https://policy.riffly.tv/privacy-policy. We recommend reviewing this policy periodically.