Privacy Policy

Last updated: 27 May 2026 · View Terms of Service

Durex.media is a media review and file collaboration platform. This policy describes the data we collect and how we use it.

1. Data Controller

The data controller is the operator of Durex.media. Contact: our contact form

2. Data we collect

• Account data: email address, username, display name (optional), avatar (optional)
• Authentication data: hashed password, 2FA codes, OAuth provider tokens (email only)
• Session data: IP address, browser user-agent, login time, active sessions
• Files and metadata: uploaded files, folder structure, versions, custom metadata fields
• Comments and reviews: text, timestamps, drawing annotations, approval decisions
• Share audit data: when a share link is opened — the viewer's username (if logged in) or "Guest", browser user-agent, and timestamp. No IP address is stored for share views.
• Payment data: processed entirely by Stripe Inc. — we never store card numbers or payment details
• Error logs: PHP error messages, URLs, and user context for debugging

3. Legal basis (GDPR)

• Art. 6(1)(b) — Contract performance: account management, file storage, service delivery
• Art. 6(1)(f) — Legitimate interests: security, abuse prevention, debugging
• Art. 6(1)(a) — Consent: social login (OAuth), optional email notifications
• Art. 6(1)(c) — Legal obligation: financial records

4. Social Login (OAuth)

When signing in with Google, Discord, GitHub or X (Twitter), we receive only your email address and basic profile information. We never post on your behalf or access private data beyond what you explicitly authorize. You can disconnect OAuth accounts in your account settings at any time.

5. Share links and third-party viewers

When you share a file via a share link, anyone with the link can view it (subject to password protection if set). When a viewer opens a share link, we log: their username (if they have an account and are signed in) or "Guest", their browser user-agent (to show device type), and the timestamp. This data is visible only to the file owner and administrators. No IP address is stored for share views.

6. Data sharing (sub-processors)

• Stripe Inc. (USA) — payment processing, subscription management; receives email + billing details only
• Brevo / Sendinblue (EU) — transactional email delivery (verification, password reset, invites, invoices, notifications); receives email address + message content only
• Infrastructure/hosting providers — EU-based servers where data is stored
• Government or legal authorities — only when required by applicable law

We do not sell, rent or trade your personal data to any third party. No analytics, advertising or tracking services are used.

7. Data retention

• Account and file data: active account lifetime + 30 days after deletion request
• Share audit logs: 12 months, then auto-deleted
• Payment records: 5 years (legal obligation)
• Error and security logs: 90 days
• Session data: 24 hours of inactivity

8. Your rights (GDPR)

• Access — request a copy of your data (Settings → Export data)
• Rectification — correct inaccurate data (Settings → Profile)
• Erasure — delete your account and all data (Settings → Delete account)
• Portability — export your files and data in standard formats
• Objection — object to processing based on legitimate interests
• Complaint — lodge a complaint with your national data protection authority

Contact for data requests: our contact form

9. Cookies

We use only a single session cookie (PHPSESSID) for authentication. No advertising, analytics or tracking cookies are used.

10. Security

Passwords are hashed with bcrypt. All connections are encrypted via HTTPS. Sessions are invalidated on logout. Two-factor authentication (2FA) is available for all accounts.

11. Children

The service is not directed at children under 16. We do not knowingly collect data from minors.

12. Policy changes

Material changes to this policy will be communicated by email or in-app notification at least 14 days before taking effect.