Privacy Policy
Last Updated: April 17, 2026
This Privacy Policy is designed to comply with the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).
1. Introduction
This Privacy Policy explains how Cine Power Planner collects, uses, stores, and protects your personal data when you use our application. We are committed to protecting your privacy and ensuring compliance with the General Data Protection Regulation (GDPR/DSGVO).
2. Data Controller
The data controller responsible for processing your personal data under the GDPR is:
Luca Zanner
Email: support@cine-power-planner.com
Website: https://cine-power-planner.com
For any privacy-related inquiries, you can reach us via the email address above or through the Help section of the application.
3. Data We Collect
Local Data (Stored on Your Device):
- Project names, client information, and gear lists
- Contact names, roles, phone numbers, and email addresses
- Template data and device library items
- User preferences (theme, language, settings)
Cloud Data (When Signed In):
- Email address
- Profile information (display name, photo)
- Device identifier (for multi-device sync)
- Active session information
- Synchronized project and template data
- Subscription status and plan information (payment details are processed exclusively by Stripe)
- Shared project data, collaborator roles, presence indicators, and chat messages exchanged within shared projects
- Browser geolocation coordinates (only when you explicitly grant permission for weather or location features)
- Push notification subscription endpoint (if you opt in to browser notifications)
- Hashed password history (stored server-side to prevent password reuse; we never store plaintext passwords)
- Email notification preferences (whether you have opted in or out of transactional emails)
- Pseudonymous usage data: If you use the application without signing in, a one-way hash of your browser fingerprint and a project count are stored server-side to enforce free-tier limits. Because the hash is one-way, the underlying fingerprint cannot be recovered from it, and it is not linked to a name, email address, or account.
- Accessories store order history and shipping details (if you make purchases)
4. Legal Basis for Processing
We process your personal data based on the following legal grounds under GDPR:
- Performance of a contract (providing the gear list service)
- Your explicit consent (for optional cloud synchronization)
- Legitimate interests (app functionality, security, technical maintenance)
- Legal obligations (compliance with applicable laws)
5. Data Storage and Security
Local-First Architecture: By default, all your data is stored locally on your device using IndexedDB and the Origin Private File System (OPFS). Your data never leaves your device unless you explicitly choose to sign in and enable cloud synchronization.
Cloud Storage: When you sign in, your data is synchronized to our self-hosted Supabase instance, which runs on Hetzner Cloud in Nuremberg, Germany. Data is encrypted in transit (TLS) and at rest.
Encryption at Rest: Sensitive local data (contacts, billing, user profile) is encrypted with AES-256-GCM using a key derived via PBKDF2 from your user ID and a salt stored in your browser (see Section 10). The same encryption covers these records at rest in IndexedDB and inside cloud sync payloads.
Retention Period: We retain your data for as long as your account is active. Local data remains on your device until you delete it or perform a factory reset.
Server Logs: Our web server records access logs (requested URL with sensitive query parameters redacted, HTTP status, user agent, and IP address) for security, abuse prevention, and technical troubleshooting. Logs are retained for a maximum of 52 days and then automatically deleted. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in operational security).
Data Deletion: You can request complete deletion of all your personal data by deleting your account through Settings or by contacting support@cine-power-planner.com. We will confirm deletion in writing upon completion.
Data Breach Notification: In the event of a personal data breach, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it (Art. 33 GDPR). Where the breach is likely to result in a high risk to your rights and freedoms, we will also inform you without undue delay (Art. 34 GDPR).
6. Your Data Protection Rights
Under GDPR, you have the following rights:
- Right of access (Art. 15 GDPR): to obtain confirmation of whether we process your personal data and a copy of that data
- Right to rectification (Art. 16 GDPR): to have inaccurate personal data corrected
- Right to erasure (Art. 17 GDPR): to have your personal data deleted
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR): to receive your data in a structured, commonly used, machine-readable format
- Right to object (Art. 21 GDPR) to processing based on our legitimate interests
- Right to withdraw consent (Art. 7(3) GDPR) at any time, without affecting the lawfulness of processing carried out before withdrawal
Right to Lodge a Complaint: You also have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your personal data violates the GDPR. The competent supervisory authority is the data protection authority of the German state in which the data controller is established.
To exercise these rights, use the data management features in Settings or contact us through the Help section.
7. Third-Party Services
Supabase: We use a self-hosted Supabase instance (located in Germany) for cloud authentication and data synchronization. Data is processed on our own server and is not shared with Supabase Inc.
Hetzner Cloud: Our self-hosted Supabase infrastructure runs on Hetzner Cloud (Hetzner Online GmbH, Germany) in the Nuremberg data center. All synced user data is stored on this server. Hetzner acts as a hosting provider and does not access your data. Privacy Policy: https://www.hetzner.com/legal/privacy-policy/. Legal basis: Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(f) GDPR (legitimate interest in reliable infrastructure).
Stripe: We use Stripe (Stripe Payments Europe, Ltd., Ireland) for payment processing and subscription management. When you subscribe to a paid plan, Stripe processes your payment information (email, card details, IP address) in accordance with their Privacy Policy: https://stripe.com/privacy. Legal basis: Art. 6(1)(b) GDPR (contract performance).
Transactional Email: We send transactional emails using our self-hosted SMTP server (hosted on the same Hetzner infrastructure as the application). Email types include: account welcome, collaboration invites, comment mentions, and subscription lifecycle notifications (started, renewal reminder, renewed, canceled). Your email address is used solely for these service-related communications. You can opt out of non-essential emails in Settings. No email data is shared with third-party email marketing services. Legal basis: Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(f) GDPR (legitimate interest in service communication).
Cloudflare Turnstile: We use Cloudflare Turnstile as a bot protection mechanism during sign-in and sign-up. Cloudflare may process your IP address and browser metadata to verify you are human. No cookies are set. Privacy Policy: https://www.cloudflare.com/privacypolicy/. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in preventing abuse).
Open-Meteo: We use Open-Meteo (Open-Meteo GmbH, Germany) for weather forecast data in the calendar and shoot planning features. When you use these features, GPS coordinates and your IP address are transmitted. Privacy Policy: https://open-meteo.com/en/terms. Legal basis: Art. 6(1)(a) GDPR (consent through voluntary use of the feature).
Nominatim / OpenStreetMap: We use the Nominatim geocoding service (OpenStreetMap Foundation, UK) to convert addresses into coordinates for location-based features. When you use these features, the queried address and your IP address are transmitted. Usage Policy: https://operations.osmfoundation.org/policies/nominatim/. Legal basis: Art. 6(1)(a) GDPR (consent through voluntary use of the feature).
OpenRouteService: We use OpenRouteService (HeiGIT gGmbH, Germany) for optional route planning and location features. When you use these features, your queried coordinates and IP address are transmitted. Privacy Policy: https://openrouteservice.org/privacy-policy/. Legal basis: Art. 6(1)(a) GDPR (consent through voluntary use of the feature).
Push Notifications: If you opt in, we use the Web Push API to send browser notifications about project updates, sync events, and maintenance reminders. Your push subscription endpoint (provided by your browser vendor, e.g. Google FCM for Chrome, Mozilla Push for Firefox) and device information are stored in our Supabase database. You can revoke push notification permissions at any time through your browser settings or the application's notification preferences. Legal basis: Art. 6(1)(a) GDPR (explicit consent).
No Tracking: We do not use Google Analytics, Facebook Pixel, or any other tracking services.
No Advertising Cookies: We do not use cookies for advertising or profiling purposes.
8. International Data Transfers
Your data is processed primarily within the European Union (Germany). Personal data leaves the EU/EEA only in two cases: Cloudflare Turnstile (USA; processes only your IP address and browser metadata on the sign-in and sign-up forms; covered by Standard Contractual Clauses, Module 2, and the EU-US Data Privacy Framework) and Nominatim (UK; covered by the Art. 45 GDPR adequacy decision). Stripe (Ireland) and all other services (self-hosted Supabase, Hetzner, Open-Meteo, and OpenRouteService, all in Germany) are based in the EU.
9. Data Processing Agreements
Where required under Art. 28 GDPR, we have entered into Data Processing Agreements (Auftragsverarbeitungsverträge / AVV) with our third-party data processors, including Stripe and Hetzner. Our Supabase infrastructure is self-hosted on a server in Germany (Hetzner Cloud, Nuremberg), minimizing third-party data transfers.
10. Cookies and Local Storage
We use browser localStorage, sessionStorage, and IndexedDB to save your data locally. A device identifier is stored to enable multi-device synchronization when you choose to sign in. An encryption salt is stored in localStorage to protect sensitive data at rest. sessionStorage is used for temporary data such as form drafts, conflict resolution history, and dismissed alerts — this data is automatically cleared when you close the browser tab. No third-party cookies are used.
11. Children's Privacy
Cine Power Planner is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you become aware that a child under 16 has provided us with personal data, please contact us at support@cine-power-planner.com. If we become aware that we have collected personal data from a child under 16, we will take steps to delete such data promptly.
12. Automated Decision-Making
Cine Power Planner does not use automated decision-making or profiling as defined by Art. 22 GDPR. No decisions with legal or similarly significant effects on you are made based solely on automated processing of your personal data.
13. Contact Information
For any privacy-related questions or to exercise your data protection rights, please contact us through the Help section in the application or by email:
- Email: support@cine-power-planner.com
- In-App: Help section within Cine Power Planner
We aim to respond to data protection requests within 30 days as required by Art. 12(3) GDPR.
Identity Verification: Before fulfilling requests for access, rectification, erasure, or data portability, we may need to verify your identity to prevent unauthorized disclosure — typically by asking you to submit the request from the email address associated with your account. This additional processing is based on Art. 6(1)(c) GDPR in conjunction with Art. 12(6) GDPR.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will indicate significant changes by updating the "Last Updated" date at the top of this policy, and we encourage you to review it periodically. Your continued use of the Service after an update constitutes acceptance of the revised policy.
