Back
/

Privacy Policy

How we handle your data

Last updated: 17 February 2026

1. Data Controller

The controller responsible for data processing on this website is:

Jon Murtezani

c/o MDC Management#6181

Welserstr. 3

87463 Dietmannsried

Email: hello@ovkinos.de

2. Overview of Data Processing

OV Kinos is a free, ad-free cinema showtime aggregator. We process personal data only to the extent necessary to provide a functional website. We do not sell your data, do not build advertising profiles, and do not share data with third parties beyond the service providers listed below.

3. Legal Bases

  • Consent (Art. 6(1)(a) GDPR) — Google Analytics, newsletter, browser geolocation
  • Legitimate interest (Art. 6(1)(f) GDPR) — Hosting, error monitoring, security, essential third-party services
  • Contract performance (Art. 6(1)(b) GDPR) — Newsletter delivery after subscription

4. Third-Party Services & Data Processors

Below is a complete list of external services that may process personal data when you use OV Kinos.

Cloudflare Legitimate Interest

Our website is hosted on Cloudflare Pages. Cloudflare provides CDN, DDoS protection, and edge computing (Workers, KV cache). All requests pass through Cloudflare's network.

Provider: Cloudflare, Inc. (USA)
Data processed: IP address, request headers, page URL, timestamps
Transfer: USA & global edge network (Standard Contractual Clauses)
Google Analytics 4 Consent

We use Google Analytics 4 to understand how visitors use the site. GA4 is only loaded after you give consent via our cookie banner. IP anonymization is enabled, and advertising features (Google Signals) are disabled.

Provider: Google LLC (USA)
Data processed: Page views, events, device type, browser (anonymized IP)
Retention: 14 months (GA4 default)
Cookies: _ga, _ga_* (up to 2 years)
Transfer: USA (Standard Contractual Clauses)
Opt-out: Decline in cookie banner or change via "Cookie Settings" in the footer
Cloudflare Web Analytics Legitimate Interest

Cookieless, privacy-first analytics that provides basic page view statistics. No cookies are set, no personal data is collected, and no visitor can be individually identified.

Provider: Cloudflare, Inc. (USA)
Data processed: Anonymous page views, referrer, country (no IP stored)
Cookies: None
Sentry Legitimate Interest

We use Sentry for error tracking and performance monitoring to identify and fix bugs. Sentry also captures session replays (DOM snapshots) to help diagnose errors. Input fields are masked by default.

Provider: Functional Software, Inc. (USA)
Data processed: Error details, stack traces, device/browser info, performance traces, DOM snapshots (session replays with masked inputs)
Data center: EU (ingest.de.sentry.io)
Retention: 90 days
DPA: Sentry DPA
TMDB (The Movie Database) Legitimate Interest

Movie posters and metadata are loaded from TMDB's image CDN. Your browser connects directly to image.tmdb.org to load poster images.

Provider: TiVo Platform Technologies LLC (USA)
Data processed: IP address (via image loading)
Photon (Komoot) Legitimate Interest

When you type an address in the location field, it is sent to Komoot's Photon geocoder to convert it to map coordinates. Only contacted when you actively use the location feature.

Provider: Komoot GmbH (Germany)
Data processed: Address text, IP address
Nominatim (OpenStreetMap) Legitimate Interest

When you share your GPS location, your coordinates are sent to Nominatim for reverse geocoding (converting GPS to an address name). Only contacted when you actively use the GPS location feature.

Provider: OpenStreetMap Foundation (UK)
Data processed: GPS coordinates, IP address
CARTO (Map Tiles) Legitimate Interest

Map tiles are loaded from CARTO's CDN when you use the map view. Your browser connects directly to basemaps.cartocdn.com.

Provider: CARTO (Spain/USA)
Data processed: IP address (via tile loading)
CDN Resources (Alpine.js, MapLibre) Legitimate Interest

JavaScript libraries are loaded from CDN providers. Your browser connects to these servers to download the code.

Providers: jsDelivr (cdn.jsdelivr.net), unpkg (unpkg.com)
Data processed: IP address (via resource loading)
AWS SES (Newsletter Email) Consent

Newsletter emails are sent via Amazon Simple Email Service. Your email address is only processed after you complete double opt-in confirmation.

Provider: Amazon Web Services EMEA SARL (Luxembourg)
Data processed: Email address
Transfer: EU (eu-central-1 region)

5. Browser Geolocation

When you use the "Find near me" feature, your browser asks for permission to share your GPS coordinates. This is a browser-native consent prompt (not our cookie banner). Coordinates are only used to calculate distances to cinemas and are never sent to our servers. Your last location is stored in your browser's localStorage for convenience.

6. Local Storage

We use your browser's localStorage (not cookies) to store preferences and consent state. This data never leaves your device and is not sent to any server.

  • Consent state and timestamp
  • Language preference (EN/DE)
  • Last known location (for convenience)
  • View preferences (list/map/calendar)
  • PWA install prompt state

7. Newsletter

If you subscribe to our newsletter, we store your email address, IP address (for abuse prevention), user agent, and confirmation tokens in a Cloudflare D1 database. We use a double opt-in process: you must confirm your subscription via a link sent to your email. Every email contains a one-click unsubscribe link. You can unsubscribe at any time.

8. Your Rights (GDPR Art. 15–21)

You have the following rights regarding your personal data:

  • Right of access (Art. 15)
  • Right to rectification (Art. 16)
  • Right to erasure (Art. 17)
  • Right to restriction of processing (Art. 18)
  • Right to data portability (Art. 20)
  • Right to object (Art. 21)
  • Right to withdraw consent at any time (Art. 7(3))

To exercise your rights, contact us at hello@ovkinos.de.

9. Supervisory Authority

You have the right to lodge a complaint with a data protection supervisory authority. The competent authority is:

Berliner Beauftragte für Datenschutz und Informationsfreiheit

Alt-Moabit 59-61

10555 Berlin

www.datenschutz-berlin.de

10. Third-Country Transfers

Some of our service providers are based in the USA (Google, Cloudflare, Sentry, TMDB). Data transfers to the USA are protected by Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR and, where applicable, the EU-US Data Privacy Framework.

11. Data Retention

  • Showtime cache: 1–24 hours (automatically deleted)
  • Analytics data (GA4): 14 months
  • Error reports (Sentry): 90 days
  • Newsletter data: until unsubscription
  • Server logs (Cloudflare): 7 days

12. Changes to This Policy

We may update this privacy policy from time to time. The current version is always available at this URL. If we make significant changes, we will reset your consent preference so you can review the new policy.