Privacy notice.
How Mann Technologies Inc. collects, uses, and protects personal data when you use this site, set out in line with Articles 12–14 of the EU General Data Protection Regulation 2016/679 ("GDPR") and the ePrivacy Directive 2002/58/EC.
Last updated April 30, 2026
1. Data controller and contact
The data controller for the personal data described in this notice is Mann Technologies Inc., a corporation incorporated under the laws of Ontario, Canada (the "Operator", "we", "us"). The Operator provides the technical platform on which this website operates and determines the purposes and means of processing the personal data covered by this notice.
For all matters relating to this notice, including the exercise of your rights under the GDPR, you may contact us at privacy [at] manntechnologies [dot] ca. We respond to substantive privacy enquiries within thirty (30) days; complex requests may extend to a maximum of three (3) months in line with Article 12(3) GDPR, in which case we will inform you of the extension and the reasons for it within thirty (30) days.
We have not appointed a Data Protection Officer ("DPO") on the basis that the requirements of Article 37(1) GDPR are not triggered by our processing activities. We will keep this assessment under review.
2. Scope of this notice
This notice applies to personal data processed by the Operator in providing the platform. The lecturer or organisation whose content you view through the platform (the "Lecturer") is an independent controller in respect of the content they publish and any direct interactions you have with them outside the platform (for example, by replying to an email solicited via their website). This notice does not cover the Lecturer's separate processing.
Where the Operator and the Lecturer process the same personal data for distinct purposes, each acts as a separate controller for its own purposes within the meaning of Article 4(7) GDPR. The Lecturer's privacy notice, where one is provided, governs their independent processing.
3. Categories of personal data we process
We process the following categories of personal data about you:
- Account data — email address, display name, profile picture (where supplied by your authentication provider), encrypted authentication credentials or OAuth identifiers, and account-status flags (active, suspended, deleted).
- Service-usage data — records of content you have viewed, your playback position within content, items you have saved to your library, and timestamps and identifiers necessary to associate that data with your account.
- Technical and device data — IP address, user-agent string, device type, browser type and version, operating system, approximate geographic location at country level (derived from IP), and timestamps of requests.
- Preference data — your selected display language, theme (light or dark), and similar interface preferences.
- Communications data — the content of emails, support enquiries, or other communications you send to the Operator and our responses.
4. Purposes of processing and legal bases
We process your personal data only where we have a valid legal basis under Article 6(1) GDPR. The list below sets out, for each purpose, the categories of data involved and the legal basis we rely on.
- Account creation and authentication — Account data, communications data. Legal basis: performance of a contract (Art. 6(1)(b) GDPR), namely the terms of service you accept when you create an account.
- Delivery of the service — Account data, service-usage data, technical and device data. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
- Personalisation (continue-watching rail, saved-items library, content recommendations) — Service-usage data, preference data. Legal basis: performance of a contract (Art. 6(1)(b) GDPR), where this functionality is part of the service you have requested; otherwise our legitimate interest (Art. 6(1)(f) GDPR) in providing a useful product, balanced against your interests as the data subject.
- Security, fraud prevention, and abuse mitigation — Technical and device data, account data. Legal basis: legitimate interest (Art. 6(1)(f) GDPR) in protecting our infrastructure and our users from unauthorised access, abuse, or attack, and compliance with our legal obligations (Art. 6(1)(c) GDPR) where applicable.
- Diagnostics, debugging, and service improvement — Technical and device data, service-usage data. Legal basis: legitimate interest (Art. 6(1)(f) GDPR) in maintaining and improving the service.
- Compliance with legal obligations — Any category, as required. Legal basis: compliance with a legal obligation (Art. 6(1)(c) GDPR), including responses to lawful requests from public authorities and tax-record retention.
- Establishment, exercise, or defence of legal claims — Any category, as relevant to the matter. Legal basis: legitimate interest (Art. 6(1)(f) GDPR).
5. Sources of personal data
We collect personal data directly from you when you create an account, sign in, or interact with the service. Where you sign in with a third-party authentication provider (for example, Google), we receive the data fields that provider releases to us in accordance with the permissions you grant during sign-in — typically your email address, display name, and a profile picture URL. We do not receive your password from authentication providers.
Technical and device data is generated automatically by your interaction with our infrastructure.
6. Recipients of personal data
We do not sell your personal data. We do not share it with third parties for advertising. We disclose personal data only to the categories of recipient set out below, and only to the extent necessary for the corresponding purpose.
- Sub-processors providing the technical infrastructure — application hosting, database hosting, video and asset storage, caching, transactional email, error tracking, and similar services. We have written processing agreements in place with each sub-processor under Article 28 GDPR. The current list is published below in section 7.
- Third-party authentication providers — Google and any other identity provider you choose to use. These providers act as independent controllers in respect of the authentication step itself and operate under their own privacy notices.
- Public authorities — where we are compelled by valid legal process or required by law to disclose personal data. We resist over-broad requests and will challenge requests we believe to be unlawful.
- Successors in interest — in the event of a merger, acquisition, restructuring, or sale of substantially all of our assets, your data may be transferred to the acquirer. We will notify affected users in advance where it is lawful and practicable to do so.
- Professional advisers — our legal, accounting, and audit advisers, where access to personal data is necessary to provide their services and they are bound by professional confidentiality obligations.
7. Sub-processors
The Operator currently engages the sub-processors listed below to provide the technical infrastructure of the service. We update this list when sub-processors change; significant changes are notified at least thirty (30) days in advance to the Lecturer (and through the Lecturer to you, to the extent the Lecturer has agreed transparency mechanisms). The current list is:
- Vercel Inc. — application hosting and content delivery; primary processing region as configured for the project.
- Supabase Inc. — managed PostgreSQL database hosting; processing region: European Union (Frankfurt) for personal data covered by this notice.
- Cloudflare Inc. — object storage (R2) for video and image assets; multi-region storage with content served via global CDN edge.
- Upstash Inc. — Redis-based caching and rate-limiting; processing region: European Union.
- Google LLC — OAuth authentication, where you elect to sign in with Google.
- Third-party error and performance monitoring — Sentry, configured to redact personal data from event payloads except where strictly necessary for diagnostics.
8. International transfers
Where personal data is transferred outside the European Economic Area ("EEA") or the United Kingdom, we rely on one of the following transfer mechanisms in accordance with Chapter V GDPR:
- Adequacy decisions issued by the European Commission, where the destination country is the subject of a current adequacy decision (for example, Canada in respect of commercial organisations subject to PIPEDA).
- EU-U.S. Data Privacy Framework certification, where the recipient is a self-certified U.S. organisation under the Framework (Commission Implementing Decision (EU) 2023/1795).
- Standard Contractual Clauses ("SCCs") adopted by the European Commission under Decision (EU) 2021/914, supplemented where necessary by additional safeguards following a transfer impact assessment.
9. Retention periods
We retain personal data only for as long as necessary for the purpose for which it was collected, except where a longer retention period is required or permitted by law.
- Account data — for the duration of your account; deleted within thirty (30) days of account closure, save for any items we are required to retain for legal or regulatory compliance.
- Service-usage data (watch history, saved items) — deleted in line with account closure; you may also remove individual items at any time.
- Technical and device data and security logs — typically retained for up to twelve (12) months from collection, unless required for an active security or legal investigation.
- Communications data — retained for up to thirty-six (36) months from the last interaction, to enable us to respond to follow-up enquiries and to defend any potential claims.
- Backups — older versions of personal data may persist in encrypted backups for up to ninety (90) days after deletion from production systems, after which they are overwritten.
10. Your rights as a data subject
Subject to the limits and exemptions in Articles 15–22 GDPR, you have the following rights in respect of your personal data:
- Right of access (Art. 15) — to obtain confirmation of whether we process personal data about you and, if so, a copy of that data and the supplementary information set out in Article 15(1).
- Right to rectification (Art. 16) — to have inaccurate personal data corrected and incomplete data completed.
- Right to erasure (Art. 17) — also known as the "right to be forgotten", subject to the grounds and exceptions in Article 17.
- Right to restriction of processing (Art. 18) — to require us to stop processing your data in certain circumstances while a dispute is resolved.
- Right to data portability (Art. 20) — to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format and to transmit that data to another controller.
- Right to object (Art. 21) — to object to processing carried out on the basis of legitimate interests, including any profiling related to it.
- Right not to be subject to a decision based solely on automated processing (Art. 22) — see section 12 below.
- Right to withdraw consent (Art. 7(3)) — where processing is based on your consent, you may withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.
11. Right to complain to a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority — in particular the supervisory authority of the Member State of your habitual residence, place of work, or place of the alleged infringement — if you consider that our processing of personal data infringes the GDPR (Art. 77 GDPR).
You can find the contact details for the supervisory authority in your country at https://www.edpb.europa.eu/about-edpb/about-edpb/members_en. We would, however, appreciate the opportunity to address any concerns directly before you escalate them; please write to us at privacy [at] manntechnologies [dot] ca.
12. Automated decision-making and profiling
We do not subject you to decisions based solely on automated processing, including profiling, that produce legal effects concerning you or similarly significantly affect you within the meaning of Article 22 GDPR.
We do use automated systems to suggest related content (the "continue watching" rail and topic-based recommendations). These suggestions are based on your viewing history but do not produce legal or similarly significant effects. You can disable personalisation by signing out, by using the service without an account, or by exercising your right to object under Article 21 GDPR.
13. Cookies and similar technologies
In line with the ePrivacy Directive 2002/58/EC and Article 5(3) thereof, we set only cookies and similar storage technologies that are strictly necessary to provide the information-society service you have requested. We do not require, and do not display, a consent banner because we do not set non-essential cookies. The cookies we set are:
- Authentication / session cookie — keeps you signed in across requests; expires when you sign out or after a period of inactivity defined in our session policy.
- Locale cookie — remembers the language you selected.
- Theme cookie — remembers light or dark mode preference.
- CSRF token cookie — prevents cross-site request forgery on form submissions.
14. Security
We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk in accordance with Article 32 GDPR. Measures include encryption in transit (TLS 1.2 or above) and at rest, access controls based on the principle of least privilege, audit logging, separation of production and non-production environments, vulnerability management, and incident-response procedures.
In the event of a personal data breach likely to result in a risk to the rights and freedoms of natural persons, we will notify the competent supervisory authority without undue delay and, where feasible, no later than seventy-two (72) hours after becoming aware of it (Art. 33 GDPR), and notify affected data subjects without undue delay where the breach is likely to result in a high risk (Art. 34 GDPR).
15. Children
The service is not directed to children under the age at which a child can validly consent to information-society services in their country of residence (16 in some Member States, lower where reduced under Article 8(1) GDPR). We do not knowingly process personal data of children below that age without verifiable parental consent. If you believe a child has provided personal data to us in contravention of this notice, please contact us at privacy [at] manntechnologies [dot] ca and we will promptly delete the data.
16. Changes to this notice
We may amend this notice from time to time to reflect changes in our processing or in applicable law. The "Last updated" date at the top reflects the most recent revision. Where a change is material, we will notify signed-in users by email or by a prominent notice on the service in advance of the change taking effect.
17. How to contact us
For privacy-related enquiries or to exercise any of the rights set out in this notice, please contact: privacy [at] manntechnologies [dot] ca. We reserve the right to verify your identity before responding to a rights request to the extent permitted under Article 12(6) GDPR.
