Privacy Policy
Last updated: 22 May 2026
1. Data controller
The data controller for the Cabin service at cabinplay.app is:
- Daniele Calderazzo (Cabin)
- Postal address: Italy
- Privacy enquiries: [email protected]
- General contact: [email protected]
Further provider identification: Imprint.
2. Data we collect
- Account data: email, hashed password, display name, plan tier, account creation date, and Stripe customer identifiers when you subscribe.
- Content (stored, not inspected for substance): video files you upload, titles you provide, technical metadata (size, duration, codec), and watch progress. Files are stored on object storage on your behalf. We do not open, view, or catalogue your files for editorial purposes. Automated technical processing (transcoding, integrity checks, deduplication) is limited to delivering the service.
- Usage data: storage used, monthly upload count, job history, locale preference.
- Technical logs: IP address, user agent, request timestamps, and error events for security, abuse prevention, and debugging.
- Billing (paid plans): payment and subscription data processed by Stripe. We never store full card numbers.
3. Purposes and legal basis
- Providing the service (GDPR art. 6(1)(b), contract).
- Authentication, security, abuse prevention (art. 6(1)(f), legitimate interest).
- Billing, invoices, and tax compliance (art. 6(1)(c), legal obligation, paid plans only).
- Transactional email such as password reset and verification (art. 6(1)(b), contract).
- Error monitoring to keep the service reliable (art. 6(1)(f), legitimate interest, when enabled).
4. User content and inspection
We do not inspect, moderate, or index user content for editorial or surveillance purposes. Inspection of specific files may occur only upon a legally binding order or a substantiated report of clearly illegal material. You remain responsible for the lawfulness of content you store and play.
5. Storage and retention
- Account and content data are kept while your account is active and you use the service.
- If you do not sign in for 24 consecutive months, we email you at the address on file. If there is still no activity 30 days after that notice, we delete the account and associated content, except where law requires longer retention (for example tax records).
- When you delete your account, content is removed within 30 days. Backups roll off within 90 days.
- Technical and security logs are retained for up to 90 days, then deleted or aggregated.
- Stripe retains payment records according to its own policies and legal obligations as an independent controller for card processing.
6. Sub-processors
We use the following processors. They process data only on our instructions and for the purposes listed. We update this list when processors change.
| Provider | Role | Location |
|---|---|---|
| Backblaze, Inc. (B2) | Encrypted object storage for uploaded videos and derived encodes | United States |
| Stripe, Inc. / Stripe Payments Europe Ltd. | Payments, subscriptions, checkout, invoicing | United States / Ireland (EU) |
| Resend, Inc. | Transactional email (verification, password reset, service notices) | United States |
| i18nez | On-demand translation of UI strings shown in the app | See i18nez privacy policy |
| Functional Software, Inc. (Sentry) | Error and performance monitoring when Sentry is enabled | United States |
We do not use advertising analytics platforms (no Google Analytics, Meta Pixel, or similar) on the Cabin app.
7. International transfers
Some processors above are located outside the European Economic Area (notably the United States). Where personal data is transferred to countries without an EU adequacy decision, we rely on appropriate safeguards under GDPR Chapter V, including:
- the European Commission Standard Contractual Clauses (SCCs), or equivalent contractual clauses offered by the provider;
- where applicable, the EU-US Data Privacy Framework and UK extension for US providers certified under that framework (including Stripe and Backblaze when certified).
You may request more information on the safeguards in place by emailing [email protected].
8. Automated decision-making and profiling
Cabin does not use automated decision-making or profiling that produces legal or similarly significant effects on you. We do not build marketing profiles from your viewing history.
9. Your rights and response time
Under the GDPR and applicable law, you may request:
- access to your personal data;
- rectification of inaccurate data;
- erasure ("right to be forgotten") where applicable;
- restriction of processing;
- data portability for data you provided;
- objection to processing based on legitimate interest;
- withdrawal of consent where processing is consent-based (without affecting prior lawful processing).
Send requests to [email protected] from the email address tied to your account (or with enough detail for us to verify you). We respond within one month of receipt, as required by GDPR art. 12. That period may be extended by two further months for complex requests; we will tell you if an extension applies.
10. Right to lodge a complaint
You have the right to lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, place of work, or place of the alleged infringement. If you are in Italy, the competent authority is the Garante per la protezione dei dati personali: https://www.garanteprivacy.it.
We encourage you to contact us first at [email protected] so we can address your concern.
11. Cookies
Cabin uses only strictly necessary cookies and local storage for authentication, locale, and watch progress, plus optional analytics only if we enable them in future (off by default). Details are in our Cookie Policy.
12. Changes
We may update this Privacy Policy. The date at the top shows the current version. Material changes will be highlighted on this page.