1. Introduction

Welcome to AllStream, a movie and TV series discovery platform developed by Gold Co ("we", "us", or "our"). AllStream lets you build watchlists, track what you've seen, rate content, share lists with friends, and get personalized recommendations based on your taste profile.

This Privacy Policy applies to our application available on the web and on Android via Google Play (as a Trusted Web Activity). It explains what personal data we collect, why we collect it, how we use and protect it, and what rights you have over it.

By using AllStream, you agree to the practices described in this policy. If you do not agree, please discontinue use of the App. Questions? allstream.app.contact@gmail.com

2. Data We Collect

We only collect data that is necessary to provide the features of AllStream. The categories below match Google Play's Data Safety categories.

2.1 Personal Information — Account Data

AllStream lets you sign in with Google Sign-In (OAuth) or Facebook Login (provided by Meta). You choose one provider when you create your account. We receive only what that provider shares for sign-in; we do not receive your password for Google or Facebook.

Google Sign-In. When you sign in with Google, Google provides us with:

• Email address — used to identify your account; never shared publicly
• Google profile photo — used as your default avatar

Facebook Login. When you sign in with Facebook, Meta may provide us with:

• Email address — if you grant the email permission; used to identify your account; never shared publicly
• Name — as shown on your Facebook profile (we may use it to prefill your display name during onboarding)
• Facebook profile picture — used as your default avatar

How Meta processes data when you use Facebook Login is described in Meta's Privacy Policy. Our use of information received from Meta complies with Meta's applicable terms and policies for developers.

During onboarding, you are asked to choose a username (required and publicly visible). You may optionally also provide:

• Display name
• Biography / bio text
• Date of birth (used for age-appropriate content; not shared publicly)
• Gender
• Custom avatar image (uploaded by you; stored securely)

2.2 App Activity — Content Interactions

To provide watchlist, recommendation, and social features, we store the following activity data linked to your account:

• Watchlist items and their watch status (to watch, watching, watched, abandoned)
• Personal ratings (1–10 stars) assigned to movies or TV shows
• Content likes and superlikes
• Shared watchlists created or joined with other users
• User-created curated movie/TV lists (public or private)
• Taste profile — automatically computed affinities for genres, tags, cast members, and directors, derived from your activity. Used exclusively to generate recommendations within the App.

2.3 App Info & Performance — Analytics

We use the following services to monitor App performance and understand how it is used, in order to fix issues and improve features:

• Google Analytics (GA4) — anonymized page views, session duration, and usage patterns. No personally identifiable information is linked to these events. Subject to Google's Privacy Policy.
• Vercel Analytics & Speed Insights — anonymized, cookie-less page performance and traffic data. Subject to Vercel's Privacy Policy.

2.4 Device or Other IDs — Approximate Location

• Country code (approximate location) — inferred from your IP address via Cloudflare edge network headers. Used exclusively to display localized streaming availability (e.g., which services carry a title in your country). We do not request, store, or use GPS coordinates or any precise location data.
• Device and browser type — collected by analytics tools (see §2.3) solely for performance monitoring. Not used for advertising or profiling.

3. What We Do NOT Collect

4. How We Use Your Data

4.1 Purposes

• Create and manage your account
• Provide core features: watchlists, ratings, curated lists, content discovery
• Generate personalized recommendations using your taste profile (processed entirely within our own infrastructure — not shared with advertisers)
• Enable social features: shared watchlists, public lists viewable by other users
• Display localized streaming availability based on your country
• Monitor App performance and fix bugs (analytics)
• Respond to your support requests

4.2 Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA) or United Kingdom (UK), our legal basis for processing your personal data is:

• Contract — processing your account data and content interactions is necessary to provide the service you signed up for.
• Legitimate interests — analytics data is processed to improve the App. This interest does not override your rights.
• Consent — optional profile information (bio, birthdate, gender) is processed only if you choose to provide it. You can remove it at any time.

5. Public Profile & Visibility

Some of your AllStream data is visible to other users or the public. Please be aware of what you share:

• Username and avatar — visible to all AllStream users
• Display name and bio — visible on your profile page if set
• Public lists — any list you mark as "public" is visible to all users
• Shared watchlists — content and watch status within a shared watchlist is visible to the user(s) you share it with

The following data is never visible to other users: your email address, date of birth, gender, taste profile affinities, private lists, and your watch history on private lists.

6. Third-Party Services

AllStream integrates with the following third-party services. Each has its own privacy policy. We only share the minimum data necessary for each service to function.

7. Data Sharing and Disclosure

We do not sell, rent, or trade your personal information to any third party. We do not share your data for advertising purposes. Data is shared only in the following limited circumstances:

• Service providers — listed in §6, solely to operate the App
• Other AllStream users — only the public profile and content data described in §5
• Legal requirements — if required by applicable law, valid court order, or governmental authority, after assessing the legality of the request
• Business transfers — if Gold Co is involved in a merger, acquisition, or asset sale, we will notify you before your data is transferred and becomes subject to a different privacy policy

8. Data Storage and Security

• Storage — all user data is stored in Supabase's PostgreSQL database infrastructure, encrypted at rest using AES-256.
• Transit encryption — all data transmitted between your device and our servers uses HTTPS (TLS 1.2+). All API calls to third-party services also use HTTPS.
• Access control — Row Level Security (RLS) policies ensure each user can only read and modify their own data. No employee has routine access to your data.
• File storage — avatar images are stored in Supabase Storage with access controls enforced at the infrastructure level.

While we apply industry-standard security measures, no system is completely immune to breaches. In the event of a data breach affecting your rights, we will notify you as required by applicable law.

9. Account and Data Deletion

When you delete your account, we permanently delete:

• Your profile data (username, display name, bio, birthdate, gender, avatar)
• Your watchlist and all watchlist items
• Your ratings, likes, and superlikes
• Your curated lists
• Your taste profile
• Your participation in shared watchlists
• Your authentication record

Deletion is completed within 30 days of your request. Anonymized analytics data (which cannot be linked back to you) may be retained.

10. Your Rights

10.1 GDPR Rights (EEA / UK Users)

You have the right to:

• Access — request a copy of your personal data
• Rectification — correct inaccurate or incomplete data
• Erasure — request deletion of your data ("right to be forgotten")
• Portability — receive your data in a machine-readable format
• Restriction — request we limit how we process your data
• Objection — object to processing based on legitimate interests
• Withdraw consent — at any time, for data processed on the basis of consent (optional profile fields)

You also have the right to lodge a complaint with your local data protection authority (e.g., your national DPA in the EEA, or the ICO in the UK).

10.2 CCPA Rights (California Residents)

• Know what categories of personal information are collected and how they are used
• Request deletion of your personal information
• Opt out of the sale of personal information — we do not sell your data
• Non-discrimination for exercising these rights

10.3 How to Exercise Your Rights

Email us at allstream.app.contact@gmail.com with the subject "Privacy Request". We will respond within 30 days (or as required by your applicable law). You may also update or delete profile data directly within the App's settings.

11. Children's Privacy

AllStream does not have an age restriction and is accessible to users of all ages. However, we do not knowingly collect personal information from children under the age of 13 (or the applicable minimum age in their country).

Sign-in is handled through Google OAuth or Facebook Login. Google and Meta each require users to meet their minimum age to use those accounts (typically at least 13 years old, or higher where local law requires). We do not offer a sign-in method intended for children below those providers' requirements.

If you are a parent or guardian and believe your child has created an account without your consent, please contact us at allstream.app.contact@gmail.com. We will delete the account and all associated data promptly.

12. Cookies and Tracking Technologies

AllStream uses the following cookies and tracking technologies:

• NEXT_LOCALE (essential) — stores your language preference (Spanish or English). Required for the App to display in the correct language.
• Supabase session token (essential) — a secure, HTTP-only token that keeps you signed in. Deleted when you sign out or the session expires.
• Google Analytics (GA4) (analytics) — uses cookies to measure anonymized usage patterns. You can opt out via the Google Analytics Opt-out Browser Add-on.
• Vercel Analytics (analytics) — cookie-less, privacy-friendly analytics. No personally identifiable information is tracked.

We do not use advertising cookies, retargeting cookies, or any cookies that track you across other websites.

13. Data Retention

We retain your personal data for as long as your account is active and as needed to provide you with the service. If you delete your account, your personal data is permanently deleted within 30 days (see §9 for full details).

Aggregated, anonymized analytics data (which cannot identify you) may be retained indefinitely for product improvement purposes.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. The "Effective Date" at the top of this page will always reflect the date of the most recent version. For material changes, we will provide at least 30 days' notice — for example, via a notice in the App or an email to your registered address.

Your continued use of AllStream after a change takes effect constitutes your acceptance of the updated policy.

15. Contact Us

If you have any questions, concerns, or requests related to this Privacy Policy or your personal data, please contact us:

Gold Co
Email: allstream.app.contact@gmail.com

We aim to respond to all privacy-related inquiries within 30 days.