Privacy Policy
Last updated: 2026-05-31
1. Controller
The controller responsible for data processing is:
Lais Mahmoud
c/o flexdienst – #20789
Kurt-Schumacher-Straße 76
67663 Kaiserslautern
Germany
Email: support@trunq.de
You can also reach us through the contact form at trunq.de/legal/contact — no account required. We usually respond within 48 hours either way.
Data Protection Officer: A formal DPO is not legally required for this service (Art. 37 GDPR thresholds not reached — small-scale operation, no large-scale processing of special categories of data). All privacy enquiries are handled by the controller named above via either contact method.
2. Data We Collect
a) Account Data
- Email address
- Username
- Password (securely hashed)
Email verification is required.
b) Profile Data
Optional:
- Display name
- Bio
- Profile image
- Cover image
c) Usage Data
- Ratings
- Reviews
- Progress tracking
- Lists, groups, comments
- Likes, follows, interactions
d) Activity Data
Used for social features (feeds, visibility settings).
e) Log Data
We record short-lived security logs containing:
- IP address and timestamp on login, password change, account deletion
- IP address and timestamp when you create user content (review, group post, list, avatar/cover upload)
- Failed login attempts and rate-limit hits
- Content Security Policy violations
Legal basis: Art. 6(1)(f) GDPR — legitimate interest in security, fraud prevention, and the ability to identify the author of illegal content if a report is filed. The forensic value justifies the minimal data set; we do not log content text in these records, only identifiers and lengths.
Retention windows are detailed in section 8 below. By default these records are auto-deleted after 30 days.
Age Restriction
This platform is not intended for children under the age of 16 (see Terms of Service section 2 for the minimum-age requirement under Art. 8 GDPR).
3. Legal Basis
- Art. 6(1)(b) GDPR – contract
- Art. 6(1)(f) GDPR – legitimate interests
- Art. 6(1)(a) GDPR – consent
4. Third-Party Services (Sub-Processors)
We engage a small number of vendors to operate the service. The complete, always-current list — including each provider's location, the data they process and the legal basis for any cross-border transfers — is published at /legal/sub-processors.
Categories today include: database & storage hosting (Supabase, EU), application hosting (Vercel), outbound and inbound email (IONOS, primary; Resend as failover), error monitoring (Sentry, EU residency), rate-limit storage (Upstash, EU), and external metadata APIs (TMDB, AniList, Movie of the Night).
We have concluded Data Processing Agreements (DPA) with every provider that processes personal data on our behalf. Cross-border transfers (e.g. to the USA) are protected by EU Standard Contractual Clauses under Art. 44 et seq. GDPR.
Material changes to this list are announced on the sub-processor page at least 30 days before they take effect.
5. External APIs
- TMDB
- AniList
- Streaming Availability
No personal data is shared.
6. Cookies & Local Storage
We use the following cookies and browser storage:
Strictly necessary (no consent required, Art. 6(1)(f) GDPR)
- Session cookie — keeps you signed in after login
- CSRF token — protects form submissions
- Language / theme / region — remembers your UI preferences
- cookie-consent — stores your decision on this banner (1 year)
Optional (only loaded after explicit consent, Art. 6(1)(a) GDPR)
- In-app analytics — opaque event log of feature usage to help us improve the product. No advertising, no cross-site tracking
- Sentry error monitoring (browser SDK) — collects unhandled exceptions and a sampled fraction of performance traces. IP and user identifiers are not auto-attached. Sentry data resides in the EU. The browser SDK is not loaded until you accept the cookie banner; server-side error monitoring runs on legitimate interest and is not consent-gated
We do not set advertising cookies and we do not share data with third-party advertising trackers.
You can change or withdraw your consent at any time — open Settings → Privacy → Cookie settings in the app, or use the Cookie settings link in the footer.
6a. Product Analytics
Once you accept analytics, we record event names tied to your user ID (e.g. 'title_rated', 'search_performed'). We do not collect IP addresses, user agents, or precise locations alongside these events. The legal basis is your consent under Art. 6(1)(a) GDPR; you can withdraw consent at any time and we will stop recording new events.
Service-operation telemetry — login attempts, registration, password changes — is recorded without consent for fraud prevention and account-security audit logs (Art. 6(1)(f) GDPR, legitimate interest).
6b. Personalised Recommendations (Profiling)
To suggest titles, ranks, and feed content that fit your taste, we analyse your activity on the platform. This is profiling within the meaning of Art. 4(4) GDPR and we want to be transparent about it.
What we analyse:
- Your tracking history (titles you've planned, watched, completed, dropped)
- Your ratings and the genres / mediaType of rated titles
- Your follow graph (who you follow and whose ratings correlate with yours — "taste twins")
- Your interaction patterns (likes, list memberships, group activity)
- Your explicit feedback signals ("More like this", "Not interested")
What we produce:
- Personalised title recommendations on the home page
- "Hidden gems" suggestions based on under-watched + highly-rated patterns
- Friend-circle anti-recommendations ("your network disliked these")
- Rank tier assignments (Explorer, Critic, etc.) derived from your activity percentile
- Rating predictions ("we think you'll rate this 7.5")
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in providing a personalised product). You can object to this processing at any time under Art. 21 GDPR by contacting us via the email address in section 1 or the contact form at trunq.de/legal/contact — the practical effect is that the home feed falls back to non-personalised global trending and you can no longer be discovered through the taste-twin surface.
No automated decisions with legal effect (Art. 22 GDPR): Recommendations are suggestions, not decisions. They do not affect your contracts, your access, your billing, your eligibility for anything, or any other legal or similarly significant matter. Art. 22 GDPR therefore does not apply.
7. Technical and Organizational Measures
We implement appropriate technical and organizational measures to protect your data, including:
- Encrypted data transmission (HTTPS)
- Password storage using secure hashing (bcrypt)
- Content Security Policy with per-request nonce + strict-dynamic
- Restricted access to personal data (role-based access control, server-only secrets)
- Rate-limiting on all authentication and content-mutation endpoints
- Automatic stripping of image metadata (EXIF / GPS / camera serial) on every avatar and cover upload — uploaded photos are re-encoded server-side so no location or device fingerprint reaches other users
8. Data Retention
- Account data, profile, watchlist, ratings, reviews, lists, follow graph: until you delete your account
- Comments, activity events, notifications: until you delete your account
- Bug reports and user feedback: until the report is resolved + 12 months for support continuity
- Security event log — default severity (content creation, failed logins, rate-limit hits): 30 days, automatically deleted
- Security event log — high severity (admin actions, account deletion): 180 days
- Security event log — critical severity (severe abuse, account compromise): 365 days
- Product analytics events: 12 months from event timestamp
- Access / error logs: max. 30 days
Individual security-log entries may be retained longer when required by a binding legal preservation order or an active investigation. Such entries are marked with a preservation flag and revert to the standard retention window once the order expires.
Pseudonymous moderation logs may be retained beyond account deletion where required by abuse-prevention obligations.
9. Your Rights
You have the following rights:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object (Art. 21 GDPR)
Contact: support@trunq.de
10. Complaints
You may lodge a complaint with a data protection supervisory authority.
The competent authority is the one in your country or region of residence.
11. Content Moderation & Cooperation with Authorities
We operate a notice-and-action mechanism in line with the Digital Services Act (Regulation (EU) 2022/2065). Any user can report content they consider illegal or in breach of our Terms via the in-app report button on any review, list, group post, or profile.
Reports are reviewed by our moderation team. When we remove content or restrict an account, the affected user receives a notification with the specific reason for the action (statement of reasons). You can appeal a decision by replying to that notification, by writing to the email below, or by using the contact form at trunq.de/legal/contact.
We may share data with competent authorities (police, public prosecutors, courts) when we are legally required to do so or when there is a concrete suspicion of a serious criminal offence (e.g. child sexual abuse material, threats of violence). The legal basis is Art. 6(1)(c) GDPR (legal obligation) or Art. 6(1)(f) GDPR (legitimate interest in cooperating with law-enforcement to protect users and the platform).
Disclosure is limited to the minimum data necessary — typically the IP address and timestamp captured at the moment the content was created (see section 2e). We do not proactively scan user content; we act on reports and on binding legal orders.
Moderation appeals & legal inquiries: support@trunq.de
12. Changes
This policy may be updated at any time.