Privacy Policy - CrewMailer

Last Updated: March 31, 2025

1. Introduction

This Privacy Policy explains how CrewMailer, operated by NamiLink Kft ("CrewMailer", "we", "us", "our"), collects, uses, discloses, and protects your personal information when you use our Service. NamiLink Kft acts as the Data Controller for the personal data related to your account management, billing, and our direct interactions with you. When you use our Service to upload, manage, and distribute documents containing personal data (including recipient lists), NamiLink Kft acts as a Data Processor on your behalf (you, the user, are typically the Data Controller for that data). We are committed to protecting your privacy in compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

2. Information We Collect

We collect different types of information to provide and improve our Service

2.1 Account Information (Controller Role)

• Name and contact details (including email address)
• Company/Production name
• Job title/role
• Authentication data via Auth0 (including email, social login IDs, device information)
• IP addresses and timestamps for authentication events
• Billing information (for paid projects, processed according to Hungarian financial regulations)

2.2 Usage Information (Controller Role)

• Access logs, IP addresses, timestamps
• Device and browser information (type, operating system)
• Features used within the Service, activity history
• General analytics on service performance and usage patterns

2.3 User Content & Recipient Data (Processor Role)

• Uploaded Documents: Files (PDFs, other formats) you upload for storage and distribution. These may contain personal data related to cast, crew, or other individuals, as determined by you.
• Recipient Information: Names and email addresses of individuals you add as project members or to distribution lists for the purpose of receiving documents via the Service.
• Project Details: Information related to the production project you create within the Service (e.g., project name).

3. How We Use Your Information

We use the information we collect for the following purposes

• Providing the Service (Contract Performance / Processor Instructions):
  • To set up and maintain your account.
  • To enable you to upload, store, and manage documents.
  • To apply watermarks to PDF documents based on recipient data as configured by you.
  • To send emails containing documents to recipients designated by you.
  • To provide customer support and respond to your requests.
• Improving the Service (Legitimate Interest):
  • To understand how users interact with the Service for enhancement and development.
  • To monitor service performance and ensure security.
  • To troubleshoot issues and fix bugs.
• Security and Authentication (Legitimate Interest / Legal Obligation):
  • To verify accounts and activity.
  • To detect and prevent fraud, abuse, and security incidents.
• Communication (Legitimate Interest / Contract Performance):
  • To send important service updates, security alerts, and administrative messages.
  • To respond to support requests and inquiries.
• Legal Compliance (Legal Obligation):
  • To comply with applicable laws, regulations, legal processes, or governmental requests (e.g., financial record keeping).
  • To enforce our Terms of Service.

4. Legal Basis for Processing (GDPR)

Our legal basis for collecting and using the personal information described above depends on the specific information and context

• Contract Performance: Processing necessary to provide the core Service features you request (account creation, file upload, watermarking, emailing, support for paid users).
• Legitimate Interests: Processing for service improvement, security, analytics, and non-essential communications, provided these interests are not overridden by your data protection rights.
• Legal Obligation: Processing required to comply with laws (e.g., tax laws for invoicing).
• Consent: Where required by law (e.g., for certain types of cookies or optional marketing communications from us), we will obtain your explicit consent. Note: As a Processor, we rely on your (the User's) lawful basis (e.g., consent, contract, legitimate interest) for processing the personal data contained within User Content and Recipient Data.

5. Data Storage, Security, and Retention

5.1 Security Measures

We implement industry-standard technical and organizational measures to protect your data, including
- Encryption of data in transit (TLS/HTTPS).
- Encryption of sensitive data at rest where appropriate.
- Regular security reviews and audits.
- Strict access controls and monitoring.
- Use of secure data centers located within the European Union (see Section 7).
- Regular data backup procedures.

5.2 Data Retention

We retain personal data for as long as necessary to fulfill the purposes outlined in this policy, unless a longer retention period is required or permitted by law. Specific retention periods
- Account Information: For the duration your account is active, plus a limited period afterward (e.g., 30 days) for operational purposes or as required for legal compliance. If deletion requested, processed within 2 business days, subject to legal holds.
- Original Uploaded Files: While the associated project is active. Deleted 90 days after the project is archived by the user.
- Watermarked Files: Deleted immediately after successful email transmission.
- Recipient Data (Names, Emails): While the associated project is active. Deleted 90 days after the project is archived by the user.
- Usage Logs & Email Metadata Logs (Neon DB): Retained for 90 days after the associated project is archived.
- Transactional Email Logs (ZeptoMail): Retained by ZeptoMail according to their policies (currently up to 365 days for metadata).
- Backup Data: Retained for up to 90 days on a rolling basis.
- Financial Records: Retained as required by Hungarian law (typically 5-8 years).

6. Your Data Protection Rights (GDPR)

If you are located in the European Economic Area (EEA), you have the following rights regarding your personal data under GDPR

• Access: Request access to the personal data we hold about you.
• Rectification: Request correction of inaccurate or incomplete data.
• Erasure ('Right to be Forgotten'): Request deletion of your personal data, subject to legal limitations (e.g., retention obligations).
• Restriction: Request restriction of processing under certain conditions.
• Portability: Request to receive your data in a structured, commonly used, machine-readable format.
• Objection: Object to processing based on legitimate interests.
• Withdraw Consent: Withdraw consent at any time where processing is based on consent.
• Lodge a Complaint: Lodge a complaint with your local data protection authority or the Hungarian Data Protection Authority (NAIH - Nemzeti Adatvédelmi és Információszabadság Hatóság, Website: http://naih.hu).

To exercise these rights regarding your Account Information or Usage Information (where we are Controller), please contact us at privacy@crewmailer.com or the DPO at dpo@crewmailer.com.

For requests related to User Content or Recipient Data (where we are Processor), please direct your request to the CrewMailer user (the film production/company) who uploaded the data, as they are the Data Controller. We will assist our users in responding to such requests as required by law and our agreements.

7. Data Sharing and Subprocessors

We do not sell your personal information. We only share data as necessary to provide the Service, comply with the law, or with your explicit consent.

7.1 We Do Not

• Sell personal information to third parties.
• Share data with unauthorized parties.
• Use User Content or Recipient Data for unrelated marketing or purposes other than providing the contracted service.

7.2 Subprocessors

We use trusted third-party service providers (subprocessors) to help us operate the Service. These subprocessors process data on our behalf based on our instructions and are contractually bound to implement appropriate security and confidentiality measures. Our key subprocessors include
- Auth0 by Okta (Authentication Services): - Provides secure authentication services including email magic links, Google, Apple ID, and Microsoft account login. Auth0 processes authentication data globally with appropriate safeguards for international transfers.
- Neon.tech (Database Hosting via AWS): - Provides managed PostgreSQL database services. Data is hosted within the Amazon Web Services (AWS) EU (Frankfurt) region (aws-eu-central-1) in Germany. Neon Inc. is a US-based company, but processing occurs in the EU.
- Hetzner Online GmbH (Server Hosting): - Provides server infrastructure for our application backend and frontend. Servers are located in Falkenstein, Germany.
- Zoho Corporation B.V. (Email Gateway - ZeptoMail): - Provides transactional email delivery services. Data is processed within the European Union (Netherlands).

7.3 Legal Requirements

We may disclose your information if required by law, subpoena, or other legal process, or if we have a good faith belief that disclosure is reasonably necessary to (a) enforce our Terms of Service, (b) detect or prevent fraud or security issues, or (c) protect the rights, property, or safety of CrewMailer, our users, or the public.

We have Data Processing Agreements (DPAs) in place with our subprocessors where required by GDPR.

8. International Data Transfers

All primary data processing activities for the Service occur within the European Union (Germany, Netherlands).
While our database provider (Neon.tech via AWS) and email gateway (ZeptoMail via Zoho) ensure data residency within the EU, their parent companies (Neon Inc. - USA, Zoho Corp - India/USA/NL) are located outside the EU/EEA. Any potential access or transfer of data required for support or administration by personnel outside the EU/EEA is conducted in compliance with GDPR, utilizing appropriate safeguards such as Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by technical and organizational measures.

9. Cookie Usage

We use cookies and similar technologies. Please refer to our separate Cookie Policy for detailed information on the types of cookies used, their purpose, and how you can manage your preferences.

10. Children's Privacy

The Service is not intended for or directed at individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete such information promptly.

11. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. We will post any changes on this page with an updated "Last Updated" date. For significant changes, we may provide more prominent notice, such as via email. Your continued use of the Service after changes become effective constitutes acceptance of the revised policy.

12. Contact Information

For any questions or concerns about this Privacy Policy or our data practices, please contact us

Data Controller & Service Provider:
NamiLink Kft
Address: 2856 Szákszend, Móra Ferenc utca 8/c, Hungary
Tax number: 32462663-2-11
EU VAT: HU32462663
Company registration number: 11-09-030788

Privacy Inquiries: privacy@crewmailer.com

Data Protection Officer: dpo@crewmailer.com

Supervisory Authority:
Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH)
Address: 1055 Budapest, Falk Miksa utca 9-11.
Postal address: 1363 Budapest, Pf.: 9.
Phone: +36-1-391-1400
Email: ugyfelszolgalat@naih.hu
Website: http://naih.hu