Privacy policy.
Effective date: 10 June 2026
Curtyn is committed to protecting your privacy. This policy explains what data we collect, why we collect it, and how we handle it.
The data controller for personal data processed about your own account is Curtyn, a trade name of Ruben Wijnheijmer (sole proprietorship / eenmanszaak), Rector Coppenserf 101, 5046 AX Tilburg, Netherlands (KvK 65353498, BTW-ID NL002338831B79). For any privacy question or request, contact support@curtyn.com.
1. Data we collect
We collect the following categories of data:
- Account data: your email address and a password hash when you register, and the date you accepted these terms.
- Profile and business details: information you choose to add to your profile, such as your name, business name, business address, creative disciplines, default rates, logo, and display preferences.
- Onboarding and waitlist information: if you join a waitlist or complete onboarding, details you provide such as your role, company, team size, country, website, the tools you currently use, how you heard about us, and any feature requests, together with basic referral/campaign attribution (e.g. UTM parameters).
- Project content: scripts, video and image files, and the lists, schedules and cast/crew details you create or upload.
- Usage and product analytics:first-party events about how the service is used — for example which tools you create, edit, open, or delete, session starts, and share-link / portal engagement (views, scroll depth, video watch time, and files downloaded). This is used in aggregate to understand and improve the product; we do not use it for third-party advertising.
- Billing data: processed securely by Mollie; we do not store your credit card or bank account numbers on our servers.
- Server logs: standard access logs (including IP addresses and timestamps) for security, abuse prevention, and debugging. IP addresses are used transiently (for example for rate limiting) and are not used to build advertising profiles.
2. How we use your data
- Provide, maintain, and improve the Curtyn service.
- Process video files (transcoding and thumbnail generation).
- Send transactional emails (notifications, receipts, collaborator invites).
- Detect and prevent fraudulent or abusive use of our infrastructure.
Legal bases (GDPR Art. 6). We process account and project data to perform our contract with you (Art. 6(1)(b)); server logs, security, and abuse-prevention data on the basis of our legitimate interest in keeping the service secure and reliable (Art. 6(1)(f)); billing data to comply with our legal and tax obligations (Art. 6(1)(c)); and any optional processing for which we ask your consent on that consent (Art. 6(1)(a)), which you may withdraw at any time.
3. Our Role (GDPR)
When you use Curtyn to store information about your clients, cast, or crew (such as names, emails, or phone numbers in crew lists or contact records), you are the Data Controller and we are the Data Processor. You are responsible for ensuring you have the legal right to collect and upload their data to our platform.
4. Data sharing & Sub-processors
We never sell your data. We share data only with the following sub-processors strictly required to run the service:
- Supabase: database hosting and authentication (EU region).
- Backblaze: encrypted cloud file storage.
- Hetzner / Vultr: ephemeral video processing and transcoding servers.
- Cloudflare: Content Delivery Network (CDN) and security routing.
- Vercel: frontend hosting and edge network.
- Mollie: payment processing and subscription management.
- Resend: transactional email delivery.
We engage each sub-processor under a written data processing agreement. Where you act as a data controller and we process personal data on your behalf, the same terms apply through our Data Processing Agreement, and we will give you notice of changes to our sub-processors so you can object.
International transfers.We host primary data in the EU (Supabase EU region and EU-located storage). Some sub-processors are established in or may process data from the United States (for example Cloudflare, Vercel, Backblaze, and Resend). Where personal data is transferred outside the European Economic Area, we rely on an adequacy decision where one applies (including the EU–US Data Privacy Framework) or on the European Commission’s Standard Contractual Clauses together with appropriate supplementary safeguards.
5. Cookies
We use strictly necessary cookies for authentication and session management. We do not use advertising, retargeting, or third-party marketing tracking cookies.
6. Data retention
Project data is retained for as long as your account is active. When you delete an item, it is flagged for deletion and permanently removed on the following schedule:
- Files: permanently destroyed from our storage servers within 30 days.
- Projects, clients, invoices, and other business records: permanently deleted within 90 days.
- Server and audit logs: retained for up to 365 days for security and abuse prevention, then automatically purged.
- Billing records: retained as long as required to meet our legal and tax obligations (in the Netherlands, generally 7 years).
When you close your account, all of your data is flagged for deletion immediately and permanently removed within 90 days, in line with the windows above.
7. Your rights
Under the GDPR and applicable data protection laws, you have the right to access, correct, export, or delete your personal data, to restrict or object to processing, and to data portability. Where processing is based on consent, you may withdraw it at any time. To exercise these rights, email us at support@curtyn.com. We respond within the time limits set by the GDPR.
If you believe we have not handled your personal data lawfully, you have the right to lodge a complaint with a data protection supervisory authority. In the Netherlands this is the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl); you may also contact the authority in your country of residence.
8. Security
All data is encrypted in transit (TLS) and at rest. Access to production systems is strictly limited. However, no internet transmission is 100% secure; you upload data at your own risk.
9. Changes to this policy
We will notify you of material changes by email or in-app notice at least 14 days before they take effect.