Compliance
Buddy Watch is in private beta. This page summarizes the compliance posture we're building toward and the practices already in effect. The lawyer-reviewed Privacy Policy and Terms of Service replace the current scaffolding before public launch.
Last updated: 2026-05-08
Frameworks we honor at launch
- GDPR — General Data Protection Regulation (EU residents).
- UK GDPR — the UK's post-Brexit equivalent; substantively the same as GDPR for our purposes.
- CCPA / CPRA — California Consumer Privacy Act + Privacy Rights Act (California residents).
- EU minor parental consent — GDPR Article 8, with member-state age-of-consent variation handled on signup.
Age
Buddy Watch is 13+. Signup blocks under-13 account creation entirely. For 13–15 year olds in EU member states with an age of consent above 13 (e.g. France 15, Germany 16, Ireland 16), a parental consent flow gates the account.
What we collect
The minimum we need to run the service. No tracking pixels, no advertising identifiers, no third-party analytics embedded in the consumer surfaces today.
- Account identity — email address, display name, password hash (or external-identity ID if you sign in via Google or Apple).
- Birth date — collected at signup for age-gating only. Stored encrypted; we never expose it to other users.
- Friend graph — who you've connected with and the invite tokens that linked you.
- Comments and reactions — content you post, plus the playback timestamp it's anchored to and the media identifier (TMDB ID) of what you were watching.
- Watch-party state — playback positions, sync events, presence indicators within an active session. Retained briefly for session continuity, then aged out.
- Connected-server metadata — base URLs and per-user tokens for your Plex / Jellyfin / Emby connections. Encrypted at rest. We don't read your library contents beyond what's needed to identify what you're currently watching.
- Operational logs — IP at request time, user-agent, request method/path, response status. Retained for security and debugging on a rolling window (typically 30 days), longer for the immutable audit-log of admin actions.
Your rights
Whether or not you live in a jurisdiction where these are legally required, Buddy Watch honors them for every account:
- Access — see the data we hold about you.
- Portability — export your data in a machine-readable format.
- Rectification — correct inaccurate data.
- Erasure — delete your account and the personal data tied to it. Audit-log entries are retained with the user reference scrubbed, which is the standard defensible posture under GDPR Article 17(3)(e).
- Opt-out of sale / sharing — moot for us because we don't sell or share personal data, but the right is honored on request anyway.
- Restriction — pause processing while we resolve a dispute about accuracy or legitimate interest.
- Object — ask us to stop a specific processing activity grounded in legitimate interest, and we'll either stop or explain why we can't.
Most rights are self-serve from your settings page (export and delete in particular). For everything else, email hello@buddywatch.online. We respond within 30 days — the GDPR-default window — and will tell you immediately if a request needs longer.
Subprocessors
Vendors who process personal data on Buddy Watch's behalf under contract. Each is reviewed for security posture and privacy commitments before we onboard them.
| Vendor | Role | Region |
|---|---|---|
| Amazon Web Services (AWS) | Compute, database, object storage, secrets management for the Buddy Watch dev tier | us-east-2 (Ohio) |
| Cloudflare | DNS, edge TLS, DDoS protection, application delivery | Global edge |
| Resend | Transactional email delivery (account verification, friend invites, security alerts) and inbound email parsing | United States |
| TMDB (The Movie Database) | Public movie and TV metadata lookup — title, cast, runtime, art. We send a TMDB ID, we receive metadata; no user PII is sent. | United States |
| GitHub | Source-code hosting and authentication for the operator team. Customers are not represented in this processing. | United States |
| Anthropic | Operator-side coding assistants used by the team. No customer data is sent through this surface. | United States |
Future subprocessors — vendors planned for a future feature, not yet processing data:
- Stripe — Subscription billing — Stripe Checkout (hosted page) so we stay in PCI scope SAQ A. Activates when paid tiers ship (Step 16.11).
- Sentry / PostHog (or equivalent) — Error tracking and product analytics, with PII-scrubbing and an env-controlled kill-switch. Activates when we light up analytics; opt-out posture documented at the time.
We notify active users by email at least 30 days before onboarding a new subprocessor that processes user-identifiable data. Material changes to a current subprocessor's role get the same notice.
International data transfers
Personal data may move between the EU/UK and the United States in the course of running the service — our hosting and most of our subprocessors are US-based. Where data leaves the EU/UK, we rely on Standard Contractual Clauses (SCCs) — the European Commission's 2021 modules — and the UK's International Data Transfer Agreement (IDTA), plus the EU–US Data Privacy Framework where the receiving vendor is certified.
We don't currently offer EU-only or UK-only data residency tiers. If your use case requires that, email us and we'll tell you honestly whether and when we can.
Security
Buddy Watch's security posture is grounded in a few baseline practices, applied uniformly:
- Encryption in transit — TLS on every connection between you and us, and between us and our subprocessors. HSTS on customer-facing surfaces.
- Encryption at rest — credentials and sensitive PII (birth date, OAuth tokens for your media servers, integration API keys) are stored Fernet-encrypted with keys managed by AWS Secrets Manager.
- Authentication — password hashing with modern parameters, MFA available for all accounts (mandatory for admin roles), session-token revocation, OAuth via Google and Apple as alternative login methods.
- Authorization — role-based access control with step-up MFA on sensitive admin actions.
- Audit logging — admin actions are recorded to an append-only audit log; PII edits hash both the old and new values rather than storing them in plaintext.
- Backups — automated daily database backups with point-in-time recovery via the hosting provider; backup retention currently 7 days, scaling up before public launch.
- Vulnerability management — dependencies are tracked, security advisories are reviewed weekly, and security-affecting fixes are prioritized over feature work.
- Defense in depth — rate-limiting on signup / login / password-reset, CAPTCHA on suspicious traffic, and IP-based abuse heuristics surfaced to the operator.
No system is unbreachable. We design with the assumption that things will go wrong and aim to make failures small, contained, and recoverable.
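The audit-logging bullet and the Erasure bullet under "Your rights" describe one mechanism: an admin's PII edit is logged as hashes of the old and new values, and a deletion request scrubs the user reference from those entries while keeping them. The sketch below is an added illustration of that pattern, not Buddy Watch's own code; the `AuditLog` class, entry layout and demo key are assumptions, and a keyed HMAC stands in for a bare hash because low-entropy values such as email addresses can be recovered from an unkeyed digest by guessing.

```python
import hashlib
import hmac
import json
import time

# Assumed demo key; the deployed service would load this from AWS Secrets Manager.
AUDIT_HMAC_KEY = b"constructed-demo-key-do-not-use"


def fingerprint(value: str) -> str:
    """Keyed hash of a PII value: two log entries for the same value compare
    equal, but the value cannot be read back or guessed without the key."""
    return hmac.new(AUDIT_HMAC_KEY, value.encode("utf-8"), hashlib.sha256).hexdigest()


class AuditLog:
    """Append-only entries. Nothing is removed; the only field ever rewritten
    is the subject reference, and only during an erasure request."""

    def __init__(self) -> None:
        self._entries: list[dict] = []

    def record_pii_edit(self, actor, subject, field, old, new) -> dict:
        # The raw old/new values never enter the entry, only their fingerprints.
        entry = {
            "ts": time.time(), "action": "pii_edit", "actor": actor,
            "subject": subject, "field": field,
            "old_hash": fingerprint(old), "new_hash": fingerprint(new),
        }
        self._entries.append(entry)
        return entry

    def scrub_subject(self, subject) -> int:
        """Erasure: keep the entries, drop the user reference, log the scrub."""
        scrubbed = 0
        for entry in self._entries:
            if entry["subject"] == subject:
                entry["subject"] = None
                scrubbed += 1
        self._entries.append({"ts": time.time(), "action": "erasure_scrub",
                              "actor": "system", "subject": None,
                              "entries_scrubbed": scrubbed})
        return scrubbed

    def entries(self) -> list[dict]:
        return [dict(e) for e in self._entries]

    def contains_plaintext(self, value: str) -> bool:
        """Verification helper: confirms the raw PII value is absent from the log."""
        return value in json.dumps(self._entries)
```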
Data breach notification
If we discover a personal-data breach affecting your information, we'll:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where required (GDPR Article 33, UK GDPR equivalent, US state attorneys general where applicable).
- Notify affected users without undue delay when the breach is likely to result in a high risk to your rights and freedoms (GDPR Article 34) — by email to the address on your account, plus an in-app banner where appropriate.
- Document what happened, what data was involved, what we did, and what you can do (rotate credentials, watch for related phishing, etc.).
Cookies and tracking
Buddy Watch uses cookies and equivalent local storage only for things the service can't function without:
- Session cookies — to keep you logged in.
- CSRF tokens — to protect form submissions.
- UI preferences — light/dark, layout, sidebar collapsed state, stored in your browser's local storage.
No advertising cookies, no cross-site tracking pixels, no third-party analytics in the customer-facing surfaces today. If we add product analytics in the future (via the future-subprocessor PostHog/Sentry path), it'll be opt-out-by-design and disclosed here before activation.
Marketing emails
We send transactional email (account verification, security alerts, friend invites you triggered, watch-party invitations you opted into) by default. Marketing email — product news, release announcements, beta-cohort updates — is opt-in where required by law and includes a one-click unsubscribe. You can change your email preferences from your settings page at any time. Unsubscribing from marketing doesn't stop transactional email tied to features you're using.
Frameworks that don't apply, and why
- COPPA (US Children's Online Privacy Protection Act) — Buddy Watch is 13+ at launch; under-13 collection is blocked.
- UK Children's Code — same reason.
- PCI DSS — no payments at launch. Future monetization uses Stripe Checkout (hosted page), keeping us in PCI's lightest scope (SAQ A).
- HIPAA — Buddy Watch doesn't collect or process health data.
- SOC 2 certification — not pursued at launch. Architecture decisions (RBAC, MFA + step-up, encryption at rest, audit logging) are made to keep future certification cheap when it becomes relevant for B2B partners.
- EU AI Act — not in scope today; we don't deploy AI systems that make decisions about users in the product. If that changes (AI moderation, recommendations, etc.), we'll add the corresponding transparency surface before activation.
Requests + questions
Email hello@buddywatch.online for any rights request, compliance question, or concern.
We aim to respond within 30 days, the GDPR-default response window. Use the subject prefix [Privacy] for data-rights requests so we route them quickly.
A formal Data Protection Officer designation isn't required at our current scale. Until that changes, the contact above is the canonical privacy point-of-contact.