Privacy Policy

The Data Controller for personal data is Andrea Pascali, registered at Via Bocci 5, 50141, Florence (Italy), Tax Code: PSCNDR89M06D862B, email: admin@loreing.com. No Data Protection Officer (DPO) has been appointed, as our processing activities do not meet the mandatory thresholds of Art. 37 GDPR. For any privacy-related inquiries, contact us at admin@loreing.com. We will respond to all data subject requests within one (1) month of receipt, as required by Art. 12 GDPR. This period may be extended by a further two (2) months where the complexity or volume of requests so requires, in which case we will notify you within the initial month.

We collect the following categories of personal data: • Registration data: username, email address, password (hashed), optional avatar. • Payment data: transactions are handled by Stripe and Lemon Squeezy. We do not store credit card details on our servers. • Usage data: episodes watched, commissioned series, content preferences. • Technical data: IP address, browser type, operating system, pages visited and access times. Providing your email address and username is a contractual requirement to create an account and use the service. Failure to provide this data means we cannot perform the contract. All other data (avatar, preferences) is optional. For users in California and other US states, the categories of personal information we collect (as defined under applicable state law) include: identifiers (name, email address, IP address); commercial information (purchase history, commissioned series); internet or other electronic network activity (browsing behaviour, content preferences); and inferences drawn from the above.

Your data is processed for the following purposes: • Contract performance (Art. 6(1)(b) GDPR): service provision, account management, payment processing, delivery of commissioned episodes. • Legitimate interest (Art. 6(1)(f) GDPR): platform security, fraud prevention, and service improvement through aggregated analytics. We have conducted a Legitimate Interest Assessment (LIA) for each of these activities, balancing our interests against your rights and freedoms. A summary of our LIA is available upon request at admin@loreing.com. • Consent (Art. 6(1)(a) GDPR): sending promotional communications and newsletters (only if explicitly accepted); installation of analytics cookies (see Section 11). • Legal obligation (Art. 6(1)(c) GDPR): retention of fiscal and accounting records.

Account data is retained for the duration of the contractual relationship and, thereafter, for the period required by applicable tax law (generally 10 years). Usage data and technical logs are retained for a maximum of 24 months. You may request deletion of your account at any time by contacting admin@loreing.com.

We do not make decisions based solely on automated processing — including profiling — that produce legal or similarly significant effects concerning you (Art. 22 GDPR). No automated decision-making takes place in connection with account creation, access to content, or the commissioning or delivery of series.

Your data may be shared with the following third parties solely for the stated purposes: • Firebase (Google LLC, USA) — authentication, database, file storage. • Stripe (Stripe, Inc., USA) — payment processing. • Lemon Squeezy (Lemon Squeezy LLC, USA) — payment processing. • Resend (Resend Inc., USA) — transactional email delivery. • Cloudflare (Cloudflare, Inc., USA) — video distribution and CDN. • Vercel (Vercel Inc., USA) — hosting and infrastructure. All vendors are based in the United States and act as Data Processors under Art. 28 GDPR, bound by appropriate contractual safeguards (see Section 7 for transfer mechanisms). We do not sell your personal data to any third party.

All vendors listed in Section 6 are based in the United States. Transfers of personal data to the US are carried out on the basis of Standard Contractual Clauses (SCCs) approved by the European Commission under Art. 46 GDPR. Where an adequacy decision applies (e.g., the EU–US Data Privacy Framework), we rely on that mechanism in addition to or in lieu of SCCs.

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights: • Access your personal data (Art. 15 GDPR). • Rectify inaccurate data (Art. 16 GDPR). • Request erasure ("right to be forgotten", Art. 17 GDPR). • Restrict processing (Art. 18 GDPR). • Receive a portable copy of your data (Art. 20 GDPR). • Object to processing based on legitimate interest (Art. 21 GDPR) — you may object at any time on grounds relating to your particular situation; we will cease processing unless we demonstrate compelling legitimate grounds that override your interests. • Withdraw consent at any time (Art. 7 GDPR) — withdrawal does not affect the lawfulness of processing carried out prior to withdrawal. To exercise any of these rights, write to admin@loreing.com. We will respond within one (1) month. You also have the right to lodge a complaint with your national supervisory authority. In Italy: Garante per la Protezione dei Dati Personali — www.garanteprivacy.it.

If you are a resident of California or another US state with a comprehensive privacy law (including Virginia, Colorado, Connecticut, Texas, Utah, and others), you have the following rights under applicable state law. California (CCPA / CPRA): • Right to Know: request disclosure of the categories and specific pieces of personal information collected about you in the past 12 months, the sources, the business or commercial purposes, and the categories of third parties with whom we share it. • Right to Delete: request deletion of personal information we have collected, subject to certain exceptions (e.g., information needed to complete a transaction or comply with a legal obligation). • Right to Correct: request correction of inaccurate personal information. • Right to Opt-Out of Sale or Sharing: we do not sell or share personal information (as defined under CCPA/CPRA) for cross-context behavioural advertising. No opt-out is required, but contact admin@loreing.com to confirm. • Right to Limit Use of Sensitive Personal Information: we do not collect or process sensitive personal information beyond what is necessary to provide the service. • Right to Non-Discrimination: we will not discriminate against you for exercising your CCPA/CPRA rights. To submit a verifiable consumer request, email admin@loreing.com. We will respond within 45 days, extendable by a further 45 days with prior notice. Other US states (Virginia, Colorado, Connecticut, Texas, Utah, and others): Residents of these states have substantially similar rights: access, deletion, correction, portability, and opt-out of targeted advertising and profiling for decisions producing significant effects. We do not engage in targeted advertising or profiling for such decisions. To exercise your rights, contact admin@loreing.com.

Our email communications comply with applicable law, including the US CAN-SPAM Act where applicable. Each promotional or commercial email we send includes: • Our physical mailing address: Via Bocci 5, 50141, Florence (Italy). • A clear and conspicuous opt-out mechanism. We will honour all opt-out requests within 10 business days of receipt. Transactional emails — such as order confirmations, delivery notifications, and account alerts — are sent on the basis of contract performance and cannot be opted out of while you maintain an active account, as they are necessary to provide the service.

This site uses cookies and similar technologies, governed by the ePrivacy Directive (2002/58/EC, as amended by 2009/136/EC) and, in Italy, Art. 122 of the Privacy Code (D.Lgs. 196/2003 as amended) and the Garante's 2021 Cookie Guidelines. We use two categories of cookies: Technical and functional cookies (legal basis: contract performance, Art. 6(1)(b) GDPR — no consent required): • admin_key — loreing.com — Admin authentication session — Duration: 8 hours Third-party analytics cookies (legal basis: consent, Art. 6(1)(a) GDPR — consent required before installation): • _ga — Google LLC — Distinguishes individual users for Google Analytics 4 — Duration: 2 years • _ga_[ID] — Google LLC — Maintains session state for Google Analytics 4 — Duration: 2 years Analytics cookies are installed only upon your explicit consent via the banner displayed on the site. You may withdraw your consent at any time by deleting cookies via your browser settings (typically: Settings → Privacy & Security → Clear browsing data → Cookies and other site data). The consent banner will reappear on your next visit. You may also contact us at admin@loreing.com. Note: deleting browser cookies is the correct mechanism for withdrawing cookie consent. Clearing localStorage alone will not remove cookies. Google Analytics may transfer data to the US under Standard Contractual Clauses (Art. 46 GDPR). For more information: policies.google.com/privacy. We do not use profiling or advertising cookies.

We implement appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. In the event of a personal data breach, we will: • Notify the competent supervisory authority (the Garante, for Italy-based processing) within 72 hours of becoming aware of the breach, where it is likely to result in a risk to your rights and freedoms (Art. 33 GDPR). • Notify you directly, without undue delay, where the breach is likely to result in a high risk to your rights and freedoms (Art. 34 GDPR). To report a suspected security incident, contact admin@loreing.com.

The service is intended exclusively for persons aged 18 or over. We do not knowingly collect personal data from minors. In particular, we do not knowingly collect personal information from children under the age of 13, in compliance with the US Children's Online Privacy Protection Act (COPPA). If you believe a child under 13 has created an account or provided personal information, please contact us immediately at admin@loreing.com and we will promptly delete such information.

We reserve the right to update this Privacy Policy. Material changes will be communicated via email to registered users with at least 15 days' notice before taking effect. Where a change affects processing activities based on consent (Art. 6(1)(a) GDPR), we will seek fresh consent before the change applies. Continued use of the service after a policy update does not constitute consent to changes in consent-based processing activities.