Privacy Policy
Last updated: 2 May 2026
DBL Films ("the Studio", "we", "us") respects your privacy. This Privacy Policy explains what data we collect, why we collect it, how we use it, who we share it with, how long we keep it, and the rights you have over it.
This document is designed to comply with the EU General Data Protection Regulation (GDPR), the United Kingdom GDPR (UK GDPR), the California Consumer Privacy Act and Privacy Rights Act (CCPA / CPRA), the Netherlands Implementation Act for the GDPR (UAVG), and similar regimes worldwide.
1. Data Controller
DBL Films is the data controller for personal information processed through this Site. The Studio is an independent boutique production company. For all data-protection enquiries: info@dblfilms.com (subject line "Privacy").
2. Data We Collect — The Minimum Necessary Principle
We collect only what we need to operate the Site and respond to enquiries.
- Browser-supplied technical data — IP address, user-agent string, referrer, language preference, device type. Used solely for security (rate limiting, abuse prevention) and for operational logs.
- Cookie consent choice — your acceptance / refusal of non-essential cookies, stored in your browser's local storage. We do NOT log this server-side; it lives only on your device.
- Email contact — when you email info@dblfilms.com, we receive whatever you choose to send (typically your name, email address, and message). Inbound email is processed solely to reply.
- Analytics (only if you consent) — Google Analytics 4 with IP anonymisation. Loaded ONLY after you have actively accepted analytics cookies in the consent banner. Aggregated, pseudonymised page-view and session data.
- Admin authentication — restricted to internal Studio staff for the /admin backend only. Public visitors do not create accounts and cannot log in. Admin password hashes (never the password itself) are stored in our database using scrypt with strong parameters.
We do not collect: payment data (no e-commerce on the public site), precise geolocation, biometrics, special-category personal data, or any data from children under 16.
3. Why We Process Your Data — Legal Basis (GDPR Article 6)
- Legitimate Interests — operating, securing, and improving the Site; preventing abuse; defending against bot attacks; replying to inbound enquiries you initiate.
- Consent — for analytics cookies and any future marketing cookies. You may withdraw consent at any time via the "Cookie preferences" button in the footer.
- Legal Obligation — to comply with tax, accounting, or law-enforcement requests where applicable.
- Contractual Necessity — only relevant if we enter into a separate written agreement with you (for example, a production engagement).
4. Sub-Processors and Third-Party Services
The Studio uses the following service providers to deliver the Site. Each operates under its own privacy policy and applicable data-processing agreements:
- Vercel Inc. — application hosting and edge delivery (United States, with EU edge locations). Privacy policy.
- Neon Inc. — managed PostgreSQL database for site content and admin records (United States / EU regions). Privacy policy.
- Amazon Web Services, Inc. — S3 object storage and CloudFront CDN for media files (configurable region). Privacy policy.
- Vimeo, Inc. — embedded video player. The Vimeo iframe sets cookies once a clip plays. We pass dnt=1 (Do Not Track) on every embed. Vimeo privacy policy.
- Google LLC (YouTube) — embedded video player and oEmbed metadata. The YouTube iframe sets cookies under its standard embed domain once a clip plays. Google privacy policy.
- Google LLC (Analytics 4) — page-level traffic analytics, loaded only with your explicit consent and with IP anonymisation enabled. GA4 data privacy.
- Cloudflare, Inc. — DNS, edge security, and (where configured) Turnstile anti-bot challenges on contact forms. Cloudflare privacy policy.
Where personal data is transferred from the European Economic Area to the United States, we rely on the EU–US Data Privacy Framework or Standard Contractual Clauses (SCCs) as appropriate.
5. The Edit Bay — A Note on Screenings
When you compose a screening using the Edit Bay, the entire sequence (clip IDs and trim points) is encoded into the URL. Nothing about your screening is sent to or stored by the Studio's servers. When you copy a share link, you are sharing a URL — not data we hold about you. If you do not share the URL, no one but you ever sees the composition.
6. Your Privacy Rights
Regardless of where you are located, the Studio honours the following rights:
- Access — request confirmation that we hold personal data about you and a copy of that data.
- Rectification — request correction of inaccurate or incomplete data.
- Erasure ("right to be forgotten") — request deletion of personal data, subject to legal retention obligations.
- Restriction — request limitation of processing in certain circumstances.
- Portability — request a machine-readable export of data you provided.
- Objection — object to processing based on our legitimate interests, including for direct marketing.
- Withdraw Consent — at any time, where processing is based on consent. Use the "Cookie preferences" button in the site footer to update analytics consent.
- Lodge a Complaint with your supervisory authority (in the Netherlands: the Autoriteit Persoonsgegevens; in the UK: the Information Commissioner's Office).
To exercise any of these rights, email info@dblfilms.com. We will respond within 30 days.
For California residents: the rights above include the CCPA / CPRA rights to know, to delete, to correct, to opt out of "sale" or "sharing" of personal information (the Studio does not sell or share personal information as defined by the CCPA), and to non-discrimination for exercising your rights.
7. Data Retention
- Server logs — IP address, user-agent, timestamps: retained for up to 30 days for security and abuse-investigation purposes, then deleted or aggregated.
- Login attempt records (admin only) — retained for 12 months for security audit, then purged.
- Email correspondence — retained for as long as needed to handle the original enquiry plus a reasonable follow-up window (typically 24 months), unless a longer retention is required (e.g., for an active project engagement).
- Cookie consent record — stored locally in your browser only. We have no copy.
- Analytics data (if you consented) — retained for the duration configured in our analytics provider. We use the shortest retention period the provider supports (currently 14 months on GA4) and disable advertising features.
8. Security
- Encryption in transit — all traffic is delivered over HTTPS with TLS 1.2 or higher; HSTS is enforced with a two-year max-age and preload.
- Encryption at rest — database storage is encrypted by our managed-database provider; admin password hashes use scrypt with OWASP-recommended cost parameters and per-user 32-byte salts.
- Access controls — admin areas require authenticated session cookies. Server actions check authentication on every call.
- No cleartext credentials — passwords are never logged or stored unencrypted.
- Defence in depth — strict Content Security Policy, security headers (HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy), HTML sanitisation on all rich-text rendering paths, parameterised database queries throughout.
9. International Data Transfers
The Site's servers and sub-processors operate primarily in the European Union and the United States. By using the Site you acknowledge that your data may be transferred to, stored in, and processed in countries outside your country of residence, including jurisdictions whose data-protection laws may differ. Where data leaves the EEA, we rely on Adequacy Decisions, Standard Contractual Clauses, or other appropriate safeguards.
10. Children's Privacy
The Site is not directed at children. We do not knowingly collect personal data from individuals under 16 years of age. If we discover that we have collected such data, we will delete it promptly. If you are a parent or guardian and believe we may hold data about your child, please contact us at info@dblfilms.com.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in legal requirements, technology, or our practices. The "Last updated" date at the top of this page indicates when the most recent revision was made. Material changes will be highlighted on the Site for a reasonable period.
12. Contact
DBL Films — Data Controller
Email: info@dblfilms.com (subject line "Privacy")
If you are in the EU and are not satisfied with our response, you may lodge a complaint with your local data-protection supervisory authority.
