WhereToStream

Privacy Policy

Last updated: 1 May 2026
Effective from: 1 May 2026

Section 1 — Who We Are

WhereToStream (“we”, “us”, “our”) is a UK-based streaming content discovery service available at wheretostream.app.

Contact: privacy@wheretostream.app

If you have any questions about this policy, please contact us at the email above.

Section 2 — What This Policy Covers

This policy explains what information we collect when you use WhereToStream, how we use it, and your rights under UK data protection law (UK GDPR and the Data Protection Act 2018).

Section 2a — Legal Basis for Processing

Under UK GDPR, we must have a lawful basis for each activity that involves processing personal data. The table below sets out each processing activity, the basis we rely on, and why.

Processing activity | Lawful basis | Detail
Site analytics (Vercel) | Legitimate interest | Understanding how the site is used to improve it. No personal data is collected.
Account creation (Google/Microsoft OAuth) | Contract | Necessary to provide the service you signed up for.
Syncing watchlist, preferences, and progress | Contract | Necessary to deliver the features you opted into by creating an account.
Email notifications | Consent | You opt in explicitly. You can withdraw consent at any time.
IP hashing for abuse prevention | Legitimate interest | Preventing manipulation of community availability reports.

Section 3 — Information We Collect

3.1 Analytics Data (Vercel Web Analytics)

We use Vercel Web Analytics to understand how visitors use our site. This service is designed to be privacy-friendly:

  • It does not use cookies
  • It does not track you across websites
  • It does not collect personally identifiable information
  • Data collected includes: page views, referrer (where you came from), browser type, device type, and country-level location
  • No IP addresses are stored

Because no cookies are used and no personal data is collected, this analytics service does not require your consent under UK GDPR.

3.2 Data Stored on Your Device (localStorage)

To provide core features, WhereToStream stores the following data locally on your device using your browser’s localStorage:

  • Your selected streaming services
  • Your watchlist (titles you have saved)
  • Titles you have marked as watched
  • Your series progress
  • Your display preferences (for example: dark mode, accessibility settings)
  • A randomly generated session token (used for anonymous feedback and reporting only — not linked to any personal identity)

If you are not signed in, this data:

  • Never leaves your device
  • Is not transmitted to our servers
  • Is not accessible to us
  • Can be cleared at any time by clearing your browser’s site data

3.3 User Feedback and Reports

If you submit a feedback reaction or report an error on a title page, we collect:

  • The page URL
  • The nature of your feedback or report
  • Any optional comment you provide (maximum 200 characters)
  • Your anonymous session token (randomly generated, not linked to your identity)

When you report incorrect availability data, we collect a one-way hash of your IP address for rate-limiting purposes only. This hash cannot be reversed to identify your IP address. It is retained for 30 days and then deleted. We do not collect your name or email address in connection with reports.

Section 4 — Accounts

WhereToStream offers optional sign-in via Google or Microsoft. When you sign in, we receive and store:

  • Your email address
  • Your display name
  • Your profile picture URL (if provided by your sign-in provider)

We use this information solely to identify your account and sync your data across devices.

When signed in, the following data is stored on our servers (hosted by Supabase):

  • Your selected streaming services
  • Your watchlist
  • Titles you have marked as watched
  • Your series progress
  • Your notification preferences

You can download all your data at any time from Settings. You can delete your account and all associated data at any time from Settings. Deletion is immediate and irreversible.

If you use WhereToStream without signing in, none of this data leaves your device.

Section 4a — Email Communications

If you opt in to email notifications, we use Resend (resend.com) to send you:

  • Weekly digest emails (what is new or leaving on your services)
  • Watchlist alerts (titles leaving soon, titles becoming available)
  • Price change notifications

Your email address is shared with Resend solely for the purpose of sending these emails. You can unsubscribe at any time from any email or from Settings. Resend’s privacy policy is available at resend.com/legal/privacy-policy.

Section 5 — Cookies

WhereToStream uses essential cookies for authentication only. If you sign in via Google or Microsoft, session cookies are set by Supabase Auth to keep you signed in. These are strictly necessary cookies and do not require consent under UK PECR. We do not use any analytics, advertising, or tracking cookies.

Future Advertising Cookies

We intend to introduce display advertising in a future update. When we do, advertising cookies will be used by third-party advertising networks (including Google AdSense). Before this happens:

  • We will update this privacy policy
  • We will display a cookie consent notice
  • You will be able to manage your cookie preferences

No advertising cookies are active at the time this policy was last updated.

Section 6 — Third-Party Services

6.1 Vercel (Hosting and Analytics)

Our website is hosted by Vercel Inc. Vercel processes web requests on our behalf. Vercel’s privacy policy is available at vercel.com/legal/privacy-policy.

6.2 Content Data Providers

Poster images and title metadata are sourced from:

  • OMDb API (omdbapi.com) — data retrieved server-side; your device does not contact OMDb directly

6.3 Supabase (Database and Authentication)

User account data and synced preferences are stored by Supabase Inc. Supabase processes data on our behalf as a data processor. Data is stored in the EU. Supabase’s privacy policy is available at supabase.com/privacy.

6.4 Resend (Email Delivery)

Transactional and notification emails are sent via Resend. Resend processes your email address on our behalf. Resend’s privacy policy is available at resend.com/legal/privacy-policy.

6.5 TMDB (The Movie Database)

Title metadata and availability information is sourced from TMDB’s API. TMDB data is retrieved server-side; your device does not contact TMDB directly.

6.6 Google and Microsoft (Authentication)

Sign-in is provided via OAuth 2.0 through Google and Microsoft. When you sign in, we receive basic profile information as described in Section 4. We do not access your Google or Microsoft account data beyond what is listed.

6.7 Streaming Services

WhereToStream displays availability information about content on third-party streaming platforms (such as Amazon Prime Video, Disney+, and others). Clicking through to those platforms will take you to services with their own privacy policies, which we do not control.

Section 6a — International Data Transfers

Some of our third-party service providers are based outside the UK, primarily in the United States. These providers (Vercel, Supabase, Resend, Google, Microsoft) process data under Standard Contractual Clauses (SCCs) or equivalent transfer safeguards as required by UK GDPR. We only use providers who maintain appropriate technical and organisational measures to protect your data.

Section 7 — Data Accuracy

Streaming availability information on WhereToStream is provided for informational purposes only. We make reasonable efforts to keep information accurate and up to date, but we cannot guarantee that availability data reflects real-time changes made by streaming services. See our Terms of Service for full details.

Section 8 — Data Retention

Data | Retention
Analytics (Vercel) | Aggregated, no personal data
localStorage | Until you clear it
Account data | Until you delete your account
IP hashes (reports) | 30 days
Email address (notifications) | Until you unsubscribe or delete account

Section 9 — Your Rights

Under UK GDPR, you have the right to:

  • Access — request a copy of personal data we hold about you
  • Rectification — request correction of inaccurate data
  • Erasure — request deletion of personal data we hold about you
  • Restrict processing — request that we limit how we use your data
  • Portability — receive your data in a portable format
  • Object — object to processing of your data
  • Withdraw consent — where processing is based on consent

To exercise any of these rights, contact us at privacy@wheretostream.app. We will respond within 30 days.

You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) at ico.org.uk.

Section 10 — Children

WhereToStream does not knowingly collect personal data from children under 13. If you believe a child has submitted personal data to us, please contact us at privacy@wheretostream.app and we will delete it promptly.

Section 11 — Changes to This Policy

We may update this policy from time to time. The “last updated” date at the top of this page will reflect any changes. For significant changes, we will display a notice on the website.

Section 12 — Governing Law

This policy is governed by the laws of England and Wales.