Privacy policy
Last updated: 2 June 2026
This policy describes how REQUEST'S NOW (the "Data Controller") collects and processes users' personal data in accordance with Regulation (EU) 2016/679 (GDPR) and the French Data Protection Act.
1. Data controller
The data controller is REQUEST'S NOW (SAS), 67 rue d'Hautpoul, 75019 Paris, France. Contact for any question regarding personal data: privacy@cinelova.com.
2. Data Protection Officer
No Data Protection Officer (DPO) has been formally appointed. For any request regarding your data, you may contact our GDPR point of contact: privacy@cinelova.com. (Note: appointing a DPO may become mandatory in case of large-scale regular and systematic monitoring — see audit report.)
3. Data collected
- Identification and profile data: username, email address, password (encrypted), date of birth, photo, biography, preferences, as well as connection data (IP address and an approximate location — country/city — derived from it).
- Content data: posts, messages, comments, uploaded media.
- Technical and connection data: IP address, browser type (user-agent), connection and action timestamps, session identifiers, security logs.
- Payment data: for subscriptions, card data is processed directly by our provider Stripe. We never keep the full card number; only the card type and the last four digits are stored for reference, along with purchase history.
- Communication and device data: phone number (optional, used for SMS verification) and push notification tokens (device identifiers) used to deliver notifications.
- Diagnostic data: error and crash reports (technical information about the incident), collected to ensure the stability and security of the service.
4. Purposes and legal bases
- Service provision and account management — legal basis: performance of the contract (Art. 6.1.b GDPR).
- Subscription and payment management — legal basis: performance of the contract.
- Security, fraud prevention and retention of connection logs — legal basis: legal obligation (Art. 6.1.c) and legitimate interest (Art. 6.1.f).
- Audience measurement cookies and marketing communications — legal basis: consent (Art. 6.1.a).
- Verification of the minimum legal age at sign-up (date of birth) — legal basis: legal obligation and legitimate interest (Art. 6.1.c and 6.1.f, Art. 8 GDPR).
5. Retention periods
- Account data: kept as long as the account is active, then deleted or anonymized within 12 months of closure.
- Connection and identification data (IP, user-agent, timestamps): kept for 1 year in accordance with Article L.34-1 of the French Postal and Electronic Communications Code and Decree no. 2021-1362.
- Billing data: kept for 10 years (accounting obligations, Art. L.123-22 of the Commercial Code).
- Cookie consent data: consent duration capped at 13 months.
6. Recipients and processors
Your data is never sold. It may be shared with technical providers (processors within the meaning of Art. 28 GDPR) acting on our behalf, under our instructions and solely for the purposes described above:
- Stripe — payment and subscription processing (billing data).
- OVHcloud (EU) — hosting, transactional email delivery and verification SMS.
- Cloudflare R2 — storage and delivery of media (photos, videos, audio files and documents).
- Pusher — real-time delivery of messages and notifications.
- Google / Firebase — delivery of push notifications (device token).
- Sentry — collection of error and crash reports for diagnostics and stability.
6. Your rights
You have the rights of access, rectification, erasure, restriction, portability and objection to the processing of your data, as well as the right to define post-mortem directives. To exercise them, contact privacy@cinelova.com. You may also lodge a complaint with the CNIL (www.cnil.fr).
7. Transfers outside the European Union
Some providers (Stripe, Inc., Cloudflare, Inc., Google LLC and Functional Software, Inc. — Sentry, located in the United States) may process data outside the European Union. These transfers are governed by the European Commission's standard contractual clauses and, where applicable, by the EU–US Data Privacy Framework. Our messaging (Pusher) and hosting/email/SMS (OVHcloud) services are operated within the European Union.
8. Security
We implement appropriate technical and organizational measures (password encryption, HTTPS, access control, logging) to protect data against unauthorized access, loss or alteration.
9. Cookies
The use of cookies is detailed in our Cookie Policy. You can change your choices at any time via the cookie manager. Cookie policy.
10. Private messaging
Private messages exchanged between users are stored to provide the messaging feature. They are not systematically read. They may, however, be reviewed by our moderation team following a report, or disclosed upon request from a judicial authority. Messages are kept for the lifetime of the conversation and, after account deletion, deleted or anonymised within 12 months, subject to legal retention obligations.
Safety, blocking and moderation
To ensure your safety and compliance with community rules, we process certain data related to safety and moderation tools:
- User blocks (identifiers of the blocker and the blocked person, date) to make profiles, content and exchanges mutually invisible.
- Contact requests ("friends only" mode): sender, recipient, status (pending, accepted, declined) and, where applicable, the first message awaiting acceptance.
- Chat moderation sanctions: temporary suspension of messaging (suspension end date) decided by a moderator.
- Content you chose to hide from your feed (personal, reversible hiding).
- Moderation logs (reports, decisions, hidings, suspensions) kept for safety, evidence and compliance purposes.
11. Portability and export of your data
You can export a copy of your personal data (profile, posts, messages, subscriptions) in a structured, machine-readable format (JSON) directly from your personal area, under "My data". Any request sent to privacy@cinelova.com is handled within a maximum of one month, in accordance with Article 12 of the GDPR.
12. Account and data deletion
You can delete your account at any time from your personal area. Upon deletion, your profile data is erased or anonymised. Some published content (comments, contributions to discussions) may be anonymised rather than deleted where their retention is necessary for the integrity of exchanges or to comply with a legal obligation. Connection and billing data are kept for the legal periods mentioned above.
Partner Hosts: verification and reviews
For Partner Host accounts, we process the venue's legal information (SIREN/SIRET, business name) to verify its existence against the official business registry (public open data). The legal basis is contract performance and our obligations as an intermediary (fraud prevention). We only keep strictly necessary data (identifiers, business name, verification status and date). Reviews left on a venue page are public and associated with the author's first and last name; they can be reported and moderated.