Privacy policy

Administrator details

The controller of your personal data is Watchimo s.r.o, Company ID: 220 78 568, with its registered office at Kaprova 42/14, Staré Město, 110 00 Prague 1 , registered in the Commercial Register kept by the Municipal Court in Prague under file number C 410619 (hereinafter referred to as the “ Controller ”), which is the operator of the Watchimo platform (hereinafter referred to as the “ Platform ”). The Controller operates the Platform through which it connects users - creators of digital content who independently provide digital content (hereinafter referred to as the “ Creators ”), and users of the Platform as viewers of digital content (hereinafter referred to as the “ Users ”), who can use the services of these Creators through the Platform or otherwise navigate the Platform (Users, Creators and any other visitors and users hereinafter collectively referred to as the “ Users ” or “Visitors”). On this Platform, the Administrator processes and exercises control over the processing of your personal data as data subjects - both Creators and Users.

The controller processes your personal data, and therefore we decide how your personal data will be processed, for what purpose and for how long. It may also select other personal data processors who will assist in the processing of personal data and who are listed in this Personal Data Processing Policy.

As part of the provision of services, your data is also processed by the Platform Users. This processing is not covered by these Personal Data Processing Policies.

Exercise of individual rights, contact details of the Administrator

The administrator can be contacted in all matters related to the processing of personal data at the email address gdpr@watchimo.com, or by post to the address: Watchimo sro, Company ID: 220 78 568, with registered office at Kaprova 42/14, Staré Město, 110 00 Prague 1 Requests are processed without undue delay, but within one month at most. In exceptional cases, especially due to the complexity of the request, this period may be extended by another two months. The Administrator will inform the data subjects of such a possible extension and its justification in a timely manner

Administrator Statement

The Administrator declares that, as the administrator of the personal data of the platform users, it complies with all legal obligations required by applicable legislation, in particular Act No. 110/2019 Coll., on the processing of personal data, as amended, and Regulation (EU) No. 2016/679 of the European Parliament and of the Council (GDPR) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the " GDPR "), and therefore that:

will process the personal data of users (Creators and Users) only on the basis of a valid legal reason, primarily legitimate interest, performance of a contract, legal obligation or consent granted,
fulfills the information obligation pursuant to Article 13 of the GDPR before the processing of personal data begins,
will enable users (Creators and Users) and will support them in exercising and fulfilling their rights under the Personal Data Processing Act and the GDPR.

What personal data is processed and for what purpose?

In connection with the provision of platform services, the Administrator processes the following personal data:

Identification data:

To create and maintain a User account, the Administrator requires an email address.

To create and manage the Creator's account, the Administrator processes the name and surname (or, for legal entities, the business name), address, company ID and VAT number (if the Creator is an entrepreneur).

Contact details:

The Administrator primarily processes the name, surname, e-mail, Buyer ID (User) and Seller ID (Creator) so that services on the Platform can be properly provided.

Image details:

When using the single sign-on service of Meta or Google Inc., your likeness will be uploaded to your profile, if you give your voluntary consent in advance. You can also upload your likeness during registration or subsequently. The Administrator always processes your likeness only on the basis of your consent. The Administrator further processes likenesses of persons who are the subject of individual digital content created by Creators, and only with their prior consent. The Creator is responsible for ensuring that only likenesses of data subjects who have consented to the creation and commercial use of this content are uploaded to the Platform. You have the right to freely withdraw your consent to the processing of likeness at any time. The Administrator only points out that if you withdraw your consent, you may not be technically able to use some functions of the Platform - for example, if you withdraw your consent to the use of your likeness as a Creator, it is not possible to upload digital content that displays your likeness as a Creator to the Platform.

Payment processing and accounting data:

Payment transactions are handled by Stripe as a separate personal data administrator; the Administrator does not store payment card data. From Stripe, the Administrator only receives the following aggregate transaction data for internal records: content ID, seller ID (Creator), buyer ID (User), first and last name of the buyer (User), buyer (User) email, amount, service fee amount, Stripe fee amount, amount after deducting costs, transaction ID, transaction date, transaction status change date. The Administrator uses this data for accounting, billing of service fees, support for payment disputes (chargeback) and fraud prevention. The Administrator does not transfer Users' personal data to the Creators; the necessary payment data is made available to the Creators directly by Stripe in their Stripe account (in the role of a separate administrator). The Administrator stores the registration data for the period specified by accounting and tax regulations (typically up to 10 years).

Data on ongoing communication:

This data includes both the content of messages sent between Creators and Users, between data subjects and the Platform, and metadata about the sending and delivery of these messages.

Data on the use of the Platform and the Administrator's website:

The Administrator processes in particular the type of browser used, its operating system and IP address, data on orders or behavior on the platform. By using the Platform and the website in the Internet environment, some data is automatically sent from the device of the data subject and website visitors. From the logs, which also record information about the activity of the data subject on the Platform and the website for security reasons, it is possible to deduct the length of one login, the actions that the data subject performed on the website, and also information about the data filled in the forms. The Administrator does the above so that it can constantly improve the services and adapt them to current technical possibilities.

Data from cookies and other tracking technologies:

If the browser allows the storage of cookies, the Administrator obtains information about the websites you visit, user preferences on your computer, etc. This also includes data from similar tracking technologies.

The administrator processes personal data for the following legal reasons :

Functioning of user accounts on the Platform:

To create an account on the Platform for Creators, the Administrator needs to process your identification data, contact data, and payment and accounting data. The legal reason for this processing is the performance of the contract that you conclude with the Administrator in the manner described in the GTC, i.e. by your registration on the Platform. This data is used in particular to send login details to the user account. For this purpose, personal data is processed for the duration of the Contract, i.e. for the duration of the existence of your account. Without this data, the Platform services cannot be used. The same applies to access to digital content without registration.

Provision of services, performance of the contract:

In order for you to fully use the Platform and either offer services as a Creator or use them as a User of the service, we will process your identification data and contact details. The legal basis for this processing is our legitimate interest in being able to properly act as an intermediary between our customers. We also provide or publish some personal data within the interface of our Platform. For this purpose, we process your data in particular for the duration of your use or provision of services with us on the Platform.

Fulfillment of legal obligations

As an intermediary and service provider, the Administrator has certain legal obligations that it must fulfill and needs to process your personal data to do so. Typically, this is an obligation to process and provide certain payment data to Stripe for recording and preparing payments, to comply with consumer protection on the Platform, or simply to properly identify customers (users – Creators and Users) who use the Platform. Based on this purpose, the Administrator may process, in particular, your identification data, contact data, and payment and accounting data. The legal reason for this processing is the fulfillment of legal obligations. For these purposes, the Administrator processes personal data for a period according to the given statutory deadlines, usually not exceeding ten (10) years as the maximum processing period according to accounting regulations. The Administrator uses personal data (e-mail and name), gender, and behavior on the platform for the purpose of direct marketing – sending commercial communications, based on a legitimate interest and on the assumption that users (Creators or Users) are interested in this information, but for a maximum period of five (5) years from the granting of consent. Both the Creator and the User can revoke their consent to the sending of commercial communications by using the appropriate link in each email sent.

Website inquiries

The Administrator will process the personal data of users (Creators and Users) (e-mail, first and last name, address and any other data provided by the user) for the purposes of responding to user inquiries and reporting content.

Protection of the Administrator's legal interests and maintenance of internal records:

The Administrator further processes the personal data of data subjects to protect their rights and keep internal records of data subjects, for possible needs of enforcing rights or effective defense in a possible dispute. For this purpose, the Administrator may process all categories of data listed above. The legal basis for processing here is the Administrator's legitimate interest in protecting rights, legal claims and keeping records of the performance provided. Personal data is generally stored for the duration of the statutory limitation period, but usually no longer than sixteen (16) years after the provision of the service or after the termination of the contract, including the deletion of the user account.

Brand promotion and marketing communication:

The Administrator uses personal data for the purpose of promoting its brand, including information about offers and news about the services provided within the Platform, but all in such a way as to avoid unnecessary harassment. For this purpose, the Administrator processes in particular identification, contact data and/or data on the use of the Platform. The legal basis for processing is the Administrator's legitimate interest in promoting its brand, the Platform and services. At the same time, in some cases, you can give your consent to the processing of personal data. If the Administrator processes your personal data on the basis of legitimate interest, it does so for the duration of the existence of the account, which you can delete at any time. You have the right to object to such processing. If the Administrator processes your personal data on the basis of your consent, it does so until you withdraw your consent.

Operation of the website and Platform:

For the proper operation of the website and the Platform, the Administrator processes both the personal data of users (Creators and Users) and, where applicable, other website visitors who do not yet have an account, for the purposes listed below, also when they visit or navigate the website and the Administrator's Platform, including cookies and other technologies. Processing of personal data that is necessary for the operation of the Platform and its security. The Administrator processes personal data if necessary for the proper operation of the website and the Platform, in particular to ensure their security and functionality. For this purpose, the Administrator identifies data subjects when logging into the Platform. For this reason, the Administrator processes data on the use of the Platform and the website to the necessary extent, as well as data from cookies and other tracking technologies. The legal basis for this processing of personal data is the Administrator's legitimate interest in ensuring the functionality of the website and the Platform and their security. The Administrator stores personal data only for the necessary period of time, usually for a period of two (2) years from the visit to the website or logging into the Platform.

Where does the Administrator obtain personal data from?

The Administrator processes personal data that it receives from its data subjects when accessing the Platform, an account or based on monitoring the behavior of visitors and users on the Platform or websites. The Administrator obtains other personal data within the Platform, which is mainly derived from data provided by each other between data subjects. The Administrator may then obtain other personal data from its partners who are the controllers of your personal data (in particular Stripe when processing payments and related data), and who transfer it to the Administrator according to its own instructions and for its own purposes, and where the Administrator is only a processor for your personal data, i.e. it processes personal data according to the instructions of its partners. However, there may also be partners for whom the Administrator will be in joint custody with its partners, which means that the Administrator who will decide on the processing of your personal data in a given case will be responsible for the processing of your personal data.

No processing of personal data of minors

Our Platform is not intended for persons under the age of 13. Users must also be of an age at which they can consent to the processing of their personal data, otherwise their legal guardian must provide such consent. If we discover that we have accidentally obtained a child's personal data without the consent of the legal guardian, we will immediately delete such data. If you are a parent or legal guardian and believe that your child has provided us with personal data without your consent, please contact us at the contacts listed above.

Cookies

When using the website or Platform, cookies or other technologies are stored on your device (computer, phone).

Some cookies are stored directly on the basis of technical operations of the website and the Platform and are necessary for their functioning. The Administrator points out that if the user (Creator or User, i.e. a visitor to the website and the Platform without registration) chooses to block these - Necessary cookies, then the website or the Platform may not function properly and may show technical errors. Necessary cookies are obtained mainly when moving between individual parts of the website and the Platform and during repeated visits, when displaying the content of the website and the Platform, when ensuring security or recording errors of the website or the Platform.

Name	Value	Domain	Path	Expiry	Size (B)	HttpOnly	Secure	SameSite	Priority
_cs_c	0	.watchimo.com	/	2027-03-02	6	No	Yes	Lax	Medium
_cs_id	45b4c0c3-7f53-a803…	.watchimo.com	/	2027-03-02	97	No	Yes	Lax	Medium
_cs_s	5.0.U.9.1769857667756	.watchimo.com	/	2026-01-31	26	No	Yes	Lax	Medium
_fbp	fb.1.1769855171304…	.watchimo.com	/	2026-05-01	41	No	No	Lax	Medium
_ga	GA1.1.955588277…	.watchimo.com	/	2027-03-07	29	No	No	—	Medium
_ga_3T28NE4Y18	GS2.1.s1769855171…	.watchimo.com	/	2027-03-07	59	No	No	—	Medium
_gcl_au	1.1.1876569369…	.watchimo.com	/	2026-05-01	32	No	No	—	Medium
access_granted	true	watchimo.com	/	2026-03-02	18	Yes	Yes	Lax	Medium
cookieyes-consent	consentid:… consent:yes	watchimo.com	/	2027-01-31	170	No	Yes	Strict	Medium
watchimo_session	eyJpdiI6InJsYlR0TXdF…	watchimo.com	/	2026-02-01	358	Yes	Yes	Lax	Medium
XSRF-TOKEN	eyJpdiI6IlpXUzVZVTdy…	watchimo.com	/	2026-02-01	352	No	Yes	Lax	Medium

Google User Data and OAuth Information

As part of providing a seamless login and registration experience, Watchimo allows users to sign in using their Google account. This process is handled through Google's OAuth authentication system, which ensures that your login credentials are never shared with Watchimo.

Data we collect through Google Sign-In

When you choose to register or log in using Google Sign-In, we only request access to the following basic information from your Google account:

your Google account name,
your Google email address,
your Google profile picture (optional, depending on permissions).

We do not access any other information such as your contacts, files, calendar, or emails.

Purpose of data collection

The above information is used exclusively for the following purposes:

to authenticate your identity and allow secure login or registration,
to create and manage your Watchimo user account,
to personalize your profile (e.g. display your name or profile picture),
to communicate with you about your account or important service updates.

We do not use Google user data for advertising, analytics, or marketing purposes.

Storage and protection of Google user data

All data received through Google Sign-In is stored securely using encryption and strict access controls. We do not store your Google password or other sensitive authentication details. Access tokens provided by Google are used only for session validation and are never shared with third parties.

Data is retained only as long as necessary to maintain your account or as required by law. When you delete your Watchimo account, all associated Google user data is permanently removed within a reasonable period of time.

Data sharing and disclosure

Watchimo does not sell, rent, or otherwise share Google user data with third parties. Data may only be disclosed if:

required by law or a valid legal process, or
necessary to protect the rights or security of Watchimo or its users.

All handling of Google user data complies with Google’s Limited Use Requirements, meaning that such data is used only to provide or improve user-facing features within Watchimo.

Revoking access

You can revoke Watchimo’s access to your Google account at any time by visiting your Google Account Permissions page. After revoking access, you may need to reconnect your Google account to log in again.

Compliance with Google API policies

Watchimo’s use and transfer of information received from Google APIs to any other application adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Security and privacy

The Administrator protects personal data to the maximum extent possible using modern technologies that correspond to the level of technical development. The Administrator has adopted and maintains all possible (currently known) technical and organizational measures to prevent misuse, damage or destruction of users' personal data.

The protection of your data is a priority. For this reason, the Administrator has adopted, maintains and constantly improves technical and organizational measures to protect against the leakage, loss, deletion or misuse of personal data. These include in particular the following measures:

encryption of data during transmission, both communication between the Administrator's servers and your device, as well as communication during technical transmissions within the framework of the operation of the services;
ensuring the ongoing confidentiality, integrity, availability and resilience of systems and services processing personal data;
ensuring the ability to restore the availability and access to personal data in the event of any incidents;
regular testing, assessment and evaluation of the effectiveness of measures implemented to ensure the security of processing;
control and recording of access to personal data and any handling thereof;
regular backup of personal data to independent locations;
use of antivirus and antimalware systems, including firewalls and intrusion detection systems (IDS/IPS);
monitoring and logging access to systems containing personal data in order to prevent and detect unauthorized access;
regular updates of software and operating systems, including security patches;
using secure hosting and cloud services that meet data protection standards (e.g. ISO/IEC 27001, GDPR compliance);

Transfer of personal data to third parties

The Administrator's employees and collaborators, who are bound by confidentiality and are trained in the security of personal data processing, have access to users' personal data.

To ensure certain specific processing operations that the Controller cannot ensure on its own, it uses the services and applications of processors who specialize in the given processing and proceed in accordance with the GDPR.

The administrator may transfer your personal data, based on your consent, also to other entities that act as administrators .

The controller uses the following personal data processors for the processing of personal data:

External accounting firm for accounting processing
IT support to ensure the smooth operation of information systems
Meta for the purposes of logging into the Platform
Google Inc. for the purposes of logging into the Platform and for the purposes of carrying out take-down procedures

The administrator reserves the right to decide in the future to use other applications or processors to facilitate and improve processing, while placing at least the same demands on security and quality of processing when selecting a processor.

Data transfer outside the European Union

Data is processed predominantly in the European Union or in countries that ensure an adequate level of protection based on a decision by the European Commission.

Equivalent protection of personal data is ensured. The Administrator continuously evaluates this fact and, if equivalent protection is no longer ensured, will take measures in accordance with the GDPR to ensure that personal data continues to be properly protected.

Any transfer of data outside the EU will only take place if the relevant processor or controller undertakes to comply with the standard contractual clauses issued by the European Commission, available at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en .

User rights in relation to the protection of personal data

In connection with the protection of personal data, the Controller respects a number of rights. To exercise their rights, data subjects may contact the Controller using the contact details provided above.

The right to information , which is already fulfilled by this information page with the principles of personal data processing.
Right of access . The data subject may at any time request the Controller to provide information about what personal data is being processed about him or her and to obtain access to such personal data, including a copy thereof, with the first copy being made available to users free of charge and subsequent copies for a fee.
the right to restrict processing if they believe that the Administrator is processing inaccurate data, if they believe that the Administrator is processing without sufficient legal basis, but the user is not interested in deleting all data or if an objection has been raised to the processing . The user may limit the scope of personal data or the purposes of processing (e.g. by unsubscribing from the newsletter, they limit the purpose of processing for sending commercial communications).
Right to data portability . The user has the right to obtain the personal data that he/she has provided to the Administrator. The Administrator shall provide such data to the user in a structured, commonly used format within 30 days of receiving a request for data portability from the data subject.
Right to rectification. If the user discovers that the personal data processed by the Administrator are inaccurate or incomplete, they have the right to have the Administrator correct or supplement them without undue delay.
Right to erasure (to be forgotten) . Users have the right to erasure (to be forgotten), with the Administrator noting that this right does not apply if the processing of personal data is still necessary for the fulfillment of other legal obligations. The user has the right to erasure of personal data if (i) he withdraws consent to the processing of personal data, which concerns data for the processing of which consent is necessary and there is no other legal reason for the processing of personal data, (ii) he objects to the processing of personal data that the Administrator processes on the basis of his legitimate interest, (iii) the processing of personal data is no longer in accordance with generally binding regulations.
Right to withdraw consent

If you give the Administrator your consent to the processing of personal data, this is a completely voluntary consent, which you can withdraw at any time by sending an e-mail to support@watchimo.com . The Administrator points out that the withdrawal of consent does not affect the lawfulness of the processing prior to this withdrawal or the possibility of maintaining the processing of personal data based on other legal titles.

Right to object to processing

Users always have the right to object to the processing of personal data based on the legitimate interest of the Administrator. The Administrator will always comply with such an objection if it processes personal data for marketing purposes; for other reasons, the Administrator will cease processing personal data unless it has compelling legitimate grounds for continuing to process personal data.

The right to file a complaint with the Office for Personal Data Protection. Complaint with the Office for Personal Data Protection. Users have the right to contact the Office for Personal Data Protection, with its registered office at Pplk. Sochora 27, 170 00 Prague 7, at any time with their complaint against the processing of personal data by the Administrator.

Effectiveness of policies

These principles of processing and protection of personal data are effective as of March 10, 2026.