Privacy


This Privacy Policy defines the principles and conditions for the processing of personal data within the FilmBox+ platform, including information collected and stored as so-called cookies.

I. GENERAL PROVISIONS
1. The personal data Controller is Mediabox Broadcasting International Limited (hereinafter referred to as: “Mediabox”), a company incorporated under the laws of the United Kingdom, with its registered office at: 1 Cornhill, London, EC3V 3ND, United Kingdom, with the number 8353015.
2. The Controller notifies that it has not appointed a Personal Data Protection Officer. In cases related to the processing and protection of personal data, you can contact us by email at the following address: [email protected]
3. The Controller has the right to make changes to this Privacy Policy at any time and the User should become familiar with its updated text.

II. DEFINITIONS
Whenever the terms defined below are used in this Privacy Policy, they should be understood as defined below:
Privacy Policy – this document entitled “Privacy Policy”;
Controller – a natural or legal person, public authority, company or another entity which independently or jointly with others, determines the purposes and means of the processing of personal data;
Personal data – any information about an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Processing – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, erasure or destruction;
Platform – FilmBox+ streaming platform, which may be accessible via a web browser, a TV application, mobile apps, as well as through technological solutions owned (managed) by third parties, e.g. telecommunications Operators.
Website – the website at filmboxplus.com and its subpages;
User – a person who uses the Platform or has subscribed or has been subscribed to the Platform and a person who uses the Website;
Operator – an entity cooperating with the Controller and conducting the sale of services including the Platform and providing Users with means (e.g. activation codes) to enable the creation of an account on the Platform;
Cookies – small text files that are saved on a User’s computer or mobile device while they are browsing the content available on the Platform or on the Controller’s website. The files may only be read by the Platform or the Website.
GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
Social Media – websites and applications or apps which make it possible for Users to create and make available content within their profiles.


III. SCOPE OF PERSONAL DATA COLLECTION
The Controller collects, stores and provides access to and processes in some other way the following personal data categories:
1. Information which the Operator or a User provided through the Platform and related websites and while getting an access to the Controller’s services through third parties’ applications and websites, in particular: email address – pursuant to Article 6(1)(b) of the GDPR, i.e. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
2. Information about the Controller’s content, products and services that a User ordered or sent an inquiry about, together with recordings of conversations – pursuant to Article 6(1)(b) of the GDPR, i.e. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
3. Data indicating whether a User has an access to the Platform at the moment – pursuant to Article 6(1)(b) of the GDPR, i.e. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
4. Analytical data, including the number of views of a material; the time spent on the Platform/time of playing a given material; dates of logging in/using the Platform; information about which material was played – in order to offer Users appropriate content on the Platform – pursuant to Article 6(1)(f) of the GDPR, i.e. processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data;
5. Information collected by Cookies and other technologies from devices used by a User to access products and services related to the Platform or third parties’ content, products and services. This includes information about devices, machines or web browser used by a User that may be obtained while Cookies are turned on – pursuant to Article 6(1)(f) of the GDPR, i.e. processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data;
6. IP address, MAC address, unique identification number, online identifier, information about the location of Internet connection, logical network address and other similar data required for a User’s devices to communicate with websites and applications in the Internet to offer the User appropriate content within the Platform – pursuant to Article 6(1)(f) of the GDPR, i.e. processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data;
7. Technical information from devices used by a User while receiving the Controller’s programs, products and services, e.g. a collection of diagnostic information and information about traffic and location – pursuant to Article 6(1)(a) of the GDPR, i.e. the data subject has given consent to the processing of his or her personal data for one or more specific purposes. Devices and applications or apps have their own privacy settings and a User may give consent to collecting specific personal data;
8. Information collected automatically to adapt the Platform to a User’s expectations (displaying personalized content and recommendations) – pursuant to Article 6(1)(b) of the GDPR, i.e. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. Personalization does not apply to children’s profiles.
9. Information provided by a User when contacting the Controller, in particular the name and email address, to enable a response to the User – pursuant to Article 6(1)(f) of the GDPR, i.e. processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data;
10. Information necessary for the performance of duties under the law, including to enforce the rights of data subjects – pursuant to Article 6(1)(c) of the GDPR, i.e. processing is necessary for compliance with a legal obligation to which the Controller is subject;
11. Information necessary to fulfill archiving duties and to ensure the correct performance of legal obligations to which the Controller is subject – pursuant to Article 6(1)(f) of the GDPR, i.e. processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data;
12. Information necessary to determine, pursue or defend against claims – pursuant to Article 6(1)(f) of the GDPR, i.e. processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data;
13. Information provided by a User through the Controller’s Social Media profiles, including the name, a profile photograph and content of the User’s comments/posts, to manage Social Media profiles and answers to Users’ questions – pursuant to Article 6(1)(f) of the GDPR, i.e. processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data;
14. Information provided voluntarily by a User, including sex, age, place of residence – pursuant to Article 6(1)(a) of the GDPR, i.e. the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
15. Information provided to subscribe to the Newsletter – pursuant to Article 6(1)(a), i.e. the data subject has given consent to the processing of his or her personal data for one or more specific purposes; and pursuant to Article 6(1)(f) of the GDPR, i.e. processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data;
16. Information provided for other kind of direct marketing – pursuant to Article 6(1)(a) of the GDPR, i.e. the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
17. Information about effectiveness of delivered marketing content which are personal data rendered anonymous – pursuant to Article 6(1)(f) of the GDPR, i.e. processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

IV. PERSONAL DATA COLLECTION
1. The Controller collects and processes Users’ personal data provided by the Operator or the User before registration, during the registration process and while using the Platform or the Website. Some data are collected automatically in the form of cookies or server logins.
2. The provision of personal data is voluntary but the refusal to provide some of them may result in the impossibility of using the Platform.

V. RIGHTS OF DATA SUBJECTS
1. Right of access to personal data and the right to obtain their copies;
2. Right to rectification and completion of data;
3. Right to erasure of data (‘right to be forgotten’) if there are no grounds for the data processing;
4. Right to restriction of processing if it was done without legal grounds or in an incorrect way;
5. Right to data portability;
6. Right to object to processing of the data subject’s personal data based on the Controller’s legitimate interest;
7. Right to lodge a complaint with a supervisory authority if the data subject finds that the processing does not comply with personal data protection laws currently in force.
These rights may not apply in the case of conflicting rights of other parties. A User is, however, always entitled to lodge a complaint with a supervisory authority.


VI. WITHDRAWAL OF THE CONSENT
1. If a User’s personal data are processed on the basis of a consent, the consent may be withdrawn at any time, in which case the data will be deleted by the Controller unless there are other grounds for processing the data. Withdrawal of consent does not affect the processing of data that was carried out on the basis of the consent before it was withdrawn.
2. The Controller has the right to store all or some of personal data in spite of withdrawal of the consent to defend itself against possible claims for a period in compliance with the laws in force.
3. In each case, the Controller shall respond to a User’s request, specifying further actions that will be done.

VII. RECIPIENTS OF PERSONAL DATA
The data may be disclosed to the following entities:
a. the Controller’s personnel authorized to it;
b. companies supporting the Controller with respect to technical and IT services (entities delivering IT solutions and providing IT and technical support services of delivery, implementation and maintenance of software and service of IT hardware, hosting services) only to the extent of tasks assigned to them;
c. law firms providing services to the Controller as well as entitles providing debt collection services;
d. consulting, auditing and advisory companies – within the scope of the services provided by these entities to the Controller, including entities providing marketing services, performing analyses and compiling statistical data;
e. entities related by capital or personal links to the Controller for internal administrative purposes;
f. third parties in the event of a reorganization, sale, joint venture, merger, assignment, transfer or other disposal of all or part of the Controller’s business, services, assets or interests;
g. public authorities and entities performing public tasks or acting on behalf of public authorities, to the extent and for the purposes arising from generally applicable laws;

VIII. DATA TRANSFER TO THIRD COUNTRIES
Users’ data are processed by a Controller, which is an entity with registered offices is in the United Kingdom, i.e. outside the European Economic Area. In accordance with decisions issued by the European Commission on 28 June 2021, confirming the adequate level of personal data protection in the United Kingdom of Great Britain and Northern Ireland, the United Kingdom guarantees a similar level of personal data protection to that adopted in the European Union. The Controller guarantees that the processing remains in compliance with the GDPR and this Privacy Policy.
In addition, the Controller, if needed, transfers data to entities in third countries other than the United Kingdom, where other personal data regulations may be in force than in the European Economic Area, e.g. for the purposes of using tools provided by Google LLC, Microsoft Corporation or Meta Platforms, Inc. If data are transferred to countries outside the European Economic Area, each recipient, processor or personal data co-controller is verified by the Controller and the processing remains in compliance with the GDPR. In particular, the Controller:
• cooperates with entities with registered offices in the countries with respect to which a relevant decision of the European Commission has been issued;
• when starting cooperation with entities having their registered offices outside the EEA, applies the Standard Contractual Clauses issued by the European Commission or applies binding corporate rules approved by the relevant supervisory authority.
Data are transferred to third countries to maintain the Controller’s social media profiles on Facebook and Instagram. Meta Platforms Ireland Limited guarantees compliance with the GDPR, among others, by using the Standard Contractual Clauses in agreements with data processors. At present, most services are provided by the suppliers through companies registered in the European Union. The Controller, for the Platform and the Website, also uses Google Analytics, through with personal data are processed by Google Ireland Limited, in connection with which data may be transferred to third countries. Google Ireland Limited guarantees compliance with the GDPR in the way described in the privacy policy to which a link has been provided below.
Detailed information about personal data processing with the use of the above platforms is available here:
For Meta Platforms Ireland Limited at: https://pl-pl.facebook.com/privacy/policy/?entry_point=data_policy_redirect&entry=0
For Google Ireland Limited at: https://policies.google.com/privacy#europeanrequirements

IX. PERIOD OF PERSONAL DATA PROCESSING
The personal data referred to in this Privacy Policy will be retained for the periods set out below:
1. for the duration of the provision of services by the Controller;
2. until the expiry of the limitation period of the claims deriving from the services provided, in accordance with the applicable law;
3. for the period required by law, including tax laws;
4. until an effective objection is made pursuant to Article 21 of the GDPR;
5. until the purpose of the processing has been achieved;
6. until the consent is withdrawn by the User if the processing is carried out on the basis of the consent;
7. for a period of at most three years from the moment of resignation from the subscription of the Newsletter, in order to protect against potential claims;
8. until the User’s data become out of date or are no longer useful.
The storage periods specified in years are counted at the end of a calendar year in which data processing started.


X. TECHNICAL REQUIREMENTS
To use the Website or the Platform, it is necessary to have an access to the Internet and to have an active email address. Detailed information has been provided by the Controller at the link https://www.filmboxplus.com/supported-devices/ .


XI. SOCIAL MEDIA
1. The Controller processes personal data in connection with maintaining profiles on platforms in Social Media: facebook.com and instagram.com. For each platform, the co-controller is Meta Platforms Ireland Limited (the platform owner).
2. The Controller has access to information provided on the User’s profile in Social Media when the User enters into interaction with the Controller’s profile, including liking the profile or sending a message.
3. More information about personal data processing by Meta Platforms Ireland Limited is given in section VIII.

XII. COOKIES AND OTHER TRACKING TECHNOLOGIES
The Platform and the Website use Cookies defined in section II. They are saved by the server on a computer of the person visiting the Platform and the Website. A cookie usually contains the name of the domain from which it originates, the time it is stored on the end device and an individual random number identifying the cookie. Information collected by such files help adjust the Platform or the Website to individual preferences and real needs of Users. Cookies also make it possible to compile general statistics about using the Platform but do not allow for identification of a specific natural person.
The entity placing cookies on the User’s end device and obtaining access to them is the Controller.
Cookies are completely safe for computers. In particular viruses cannot enter Users’ computers in them. A User may nevertheless restrict or turn off cookies to make it impossible for them to enter his or her computer or another device.When using that option, it is in principle possible to navigate the pages of the Platform and the Website but the possibilities of using certain functions of the Platform and the Website may be limited.
A User’s consent to the Controller’s use of cookies is not required if they are necessary to use the Platform or guarantee information security.
Cookies are stored and used by the Controller in order to:
a. adjust and optimize the contents of the Platform to a User’s preferences;
b. compile statistics about how Users use the Platform; to improve the contents and clarity of the Platform on an ongoing basis.
The following types of cookies are used on the Platform and the Website:
a. “temporary” session-related cookies remain in the browser only for the duration of the session, i.e. until you leave a given website;
b. “permanent” cookies remain in the browser after the session ends (unless they are deleted by the User);
c. “analytical” cookies collect information about the use of a website, such as the pages visited by a given User and any error messages; they do not collect information that makes it possible to identify the User and the data collected are aggregated in such a way that they are rendered anonymous. Analytical cookies are used in order to improve the operation of the Platform website;
d. “functional" cookies allow the website to remember any choices made on the pages (such as changing the font size, customizing the page) and make such services such possible as adding comments to someone’s blog.
Users of the Platform and the Website may change the settings related to the behavior of cookies at any time. Detailed information about the operation of cookies is available in the settings of a web browser or the Platform.
The Controller reserves the right to use services of third parties to prepare statistics about using the Platform or the Website. Such entities will not be provided with any data identifying Users.
The Website contains pixels of the Facebook and Instagram platforms. Data may be exchanged between the Website and the platforms. After clicking on a pixel, the User will be redirected to the Controller’s profile in the Social Media and data about the actions taken by the User on the profile will be automatically collected by the Controller. The collected data are anonymous, which means that they do not make it possible to identify the User. Social Media Platforms may combine collected information with other information about a User and use it for their own purposes.
Furthermore, in connection with the Controller’s use of Google Analytics, when a User visits the Platform or the Website, Google Cookie, a remarketing file, is left on the User’s device automatically making it possible to display advertisements based on the User’s interests. Further processing takes place only if the User gave consent to it.


XIII. PROFILING
A User’s personal data will not be used for automated decision making which affects the User’s rights and duties or freedoms within the meaning of the GDPR.
As part of tracking technologies, a User’s data may be profiled in order to adjust the Controller’s offer to the User’s needs. However, this should not have any impact on the User’s legal situation. The information used is anonymous.


XIV. ADDITIONAL PROVISIONS
1. If a User shares his or her account on the Platform with other persons who reside with him or her, the User must ensure that each of the persons familiarizes himself or herself with the contents of this Privacy Policy.
2. Users should not send to Mediabox any sensitive data. If such data are received, they will be erased.
3. Mediabox uses security measures to protect Users’ personal data against loss, theft, unauthorized access and modification.

This Privacy Policy enters into force on 18.07.2024.