DRAFT, pending counsel review. This document is an internal draft prepared on 2026-04-26 by the engineering team. It has NOT been reviewed by external legal counsel. Do not rely on it for legal advice. Effective date is a placeholder pending sign-off. Apostle Pty Ltd makes no representation that this draft satisfies any specific jurisdictional requirement until counsel-reviewed.

PYLON Privacy Policy

This Privacy Policy explains how Apostle Pty Ltd (ACN: TBD; ABN: TBD) (Apostle, PYLON, we, us, our) collects, uses, shares, retains and protects personal information when you use the PYLON streaming service at https://pylon.video and our associated applications and APIs (the Service). It also explains the rights you have over your personal information and how to exercise them.

This Policy is a companion to the Terms of Service, Cookie Policy, Do-Not-Sell page and Children's Privacy Notice.

Table of contents

1. Who we are
2. The personal information we collect
3. How we collect personal information
4. Why we use personal information (and our legal bases)
5. Who we share personal information with
6. International transfers
7. How long we keep personal information
8. Your rights
9. Cookies and similar technologies
10. Children
11. How we secure personal information
12. Breach notification
13. Contact us; complaints
14. Changes to this Policy

1. Who we are

The data controller (or, in Australian terms, the APP entity) for the Service is:

Apostle Pty Ltd [REGISTERED ADDRESS: TBD] Sydney, New South Wales, Australia [ABN: TBD] · [ACN: TBD]

For privacy enquiries, contact our Privacy Officer at [email protected]. We do not currently have an EU representative or a UK representative under Article 27 GDPR / UK GDPR; we will appoint one and update this Policy if and when we cross the relevant establishment-or-volume threshold.

2. The personal information we collect

We deliberately practise data minimisation. We collect only what we need to operate the Service, comply with the law and provide you with the features you request.

2.1 Account identity

• Email address, verified by magic link or by your OAuth provider (Google, Apple). Required for sign-in and for transactional communications.
• OAuth provider identifier, when you sign in with Google or Apple, we receive a stable user identifier from that provider. We do not receive your provider password.
• Display name, optional; you set it on your profile.
• Avatar image, optional; either an image you upload or the avatar attached to your OAuth account.
• Date of birth (DOB), required for age verification, Australian Online Safety Act compliance, age-classification gating and to refuse service to children under thirteen.
• Locale and country code, your locale for UI language and formatting; your country code derived from Cloudflare's IP-geolocation signal at first sign-in. Used for jurisdictional features (classification, tax, payment availability, age rules).
• Role, viewer, creator, curator, senior_curator or admin. Most users are viewer.
• Two-factor authentication state, whether you have enrolled, whether your current session has cleared the 2FA challenge, and a hashed copy of your one-time recovery codes.

In some EU/UK jurisdictions, your date of birth, in combination with other data we hold, may be treated as an indicator of age and (for users under sixteen) as special category data subject to GDPR Article 9. We process DOB only on the legal basis of contract performance and legal obligation (age-restricted content, child-safety law).

2.2 Subscription and payment

• Subscription status, plan, billing period, cancel-at-period-end, pause and downgrade flags, held in our database for entitlement checks.
• Stripe customer ID and Stripe subscription ID, opaque tokens we use to communicate with Stripe.
• Payment method metadata, last four digits, card brand, expiry month/year, postal code or country (received from Stripe). We do not see, store or process your full primary account number, CVC, banking credentials or full bank-account number. Stripe is the processor of record; see Stripe's privacy notice at https://stripe.com/privacy.

2.3 Streaming and product behaviour

• View progress, for each title you watch, we store your last position, percentage complete, and last-watched timestamp so we can resume playback and populate Continue Watching.
• View events, playback start, pause, seek, complete, error and similar events, with the device class (web/iOS/Android/CTV) and DRM system used. Used for billing accuracy (creator pro-rata payouts), fraud detection and aggregate analytics.
• Daily aggregates, a per-day rollup of your viewer-seconds and titles-watched, used for in-app dashboards and creator earnings.
• Q&A RSVPs and chat messages, when you participate in a community feature.
• Newsletter subscription state, segment, verified-at, unsubscribed-at.

2.4 Sessions and security

• Session identifier and Better Auth token, a server-side session record so we can authenticate your subsequent requests.
• User agent string, your browser or app version, for device recognition and fraud detection.
• Hashed IP address, we store the SHA-256 hash of your source IP, not the IP itself. The hash is one-way; we cannot reconstruct the original IP from it.
• Country code, derived once from Cloudflare's IP-geolocation header at sign-in.
• Audit log, actions you take that have a security or compliance signal (sign-in, password / 2FA change, role change, subscription events, data export request, deletion request).

2.5 Creator-only data

If you participate as a Creator (filmmaker, studio, distributor):

• Creator profile, slug, creator type, festival page URL, IMDb URL, personal site URL, social handles.
• Stripe Connect account ID and onboarding/verification status, for payouts.
• Payout country, for tax reporting.
• Earnings, payouts and minimum-guarantee ledger entries, internal accounting records.
• AI provenance attestations and clearance representations, for the AI Provenance Attestation and the Filmmaker Distribution Agreement.
• Submission metadata, duration, resolution, source, status.

2.6 Mobile application data

When you use the PYLON Cinema mobile app on iOS or Android we collect a small additional set of identifiers required for native app functionality:

• Push notification token, an opaque identifier issued by Expo (a managed wrapper around Apple Push Notification service and Firebase Cloud Messaging), the platform (iOS / Android), the app version, and an internal OS build identifier (Device.osInternalBuildId). The push token is stored locally in the OS keychain and on our server; it is deleted when you sign out and purged automatically after 180 days of inactivity. We do not collect the Identifier for Advertisers (IDFA), Identifier for Vendors (IDFV), or any advertising identifier. The internal OS build identifier is not used for tracking and is not shared with ad networks.
• In-app purchase receipts and entitlement state, validated and cached on-device by the RevenueCat SDK. RevenueCat receives your user ID, the app version and the platform; it does not receive payment card data (Apple and Google handle that on their own infrastructure).
• Referral code (if you arrived via a referral link), stored locally in the OS keychain and attributed to your Account on first sign-in.
• Aggregate product analytics via PostHog, off by default and gated on the same consent framework as the web. When enabled, your playback events (start, heartbeat, complete, paywall interaction, referral attribution) are sent to our reverse proxy with your user ID, device class, app version and DRM system. No advertising signals are collected. There is no Sentry crash reporting in the mobile app at this time.

2.7 What we do NOT collect

• Your password (we are passwordless).
• Your full payment-card number, CVC or bank-account number (Stripe).
• Your raw IP address (we hash on ingress and discard the raw value).
• Your precise device location (we do not request GPS or device-location permissions).
• Biometric data.
• Race, religion, political opinion or trade-union membership.

3. How we collect personal information

We collect personal information:

• Directly from you when you create an Account, complete a profile, start a Subscription, submit User Content, contact support, fill in a form, or use any feature of the Service;
• Automatically as a consequence of your use of the Service, cookies, analytics, security telemetry, server logs;
• From third-party providers, Google or Apple when you sign in with OAuth; Stripe when you make a payment; SignatureAPI when a Creator signs an agreement; Cloudflare for IP geolocation and bot detection;
• From you when you reach out by email ([email protected], [email protected], etc.); and
• From Creators about your interactions with their titles (aggregated; never individual).

4. Why we use personal information (and our legal bases)

We use personal information for the following purposes. For users covered by the EU/UK GDPR, the lawful basis is shown in brackets per Article 6(1) (or Article 9(2) for special-category data).

We do not use your personal information for automated decision-making that produces legal or similarly significant effects about you, in the sense of GDPR Article 22.

We do not use your personal information for AI training. Your User Content is not used to train any third-party large language model, image model or video model. Aggregated and de-identified usage statistics may inform internal product analytics but are not provided to AI training pipelines.

5. Who we share personal information with

We share personal information only with the following categories of recipients, and only to the extent necessary for the purpose.

5.1 Service providers (processors)

We have a written data-processing agreement (DPA) with each processor, incorporating the Standard Contractual Clauses (Module 2, controller- to-processor) where the processor is outside the EEA, and equivalent provisions for UK GDPR (the UK IDTA) and Australian APP 8.

We do not share with: ad networks, ad-tech vendors, data brokers, people-search services, marketing-data marketplaces, or AI-training data buyers.

5.2 Other categories of recipient

• Creators (filmmakers), we share aggregate watch data attributed to their titles for the purpose of payouts and analytics. We do not share individual viewers' identities with Creators. A Creator can see, for their title, how many minutes were watched, what region the watch came from and similar aggregates; they cannot see who watched.
• Authorities, when required by valid legal process, regulatory request or law-enforcement request that we have verified. We evaluate every request on its merits, refuse over-broad requests and, where lawful and consistent with the request, notify the affected user. We will publish a transparency report when our request volume warrants it.
• Acquirers, in connection with a merger, acquisition, financing or sale of all or substantially all of our assets, we may transfer personal information to the counterparty subject to a confidentiality obligation and continued compliance with this Policy or its successor.

5.3 We do not "sell" personal information

We do not sell personal information for money. We do not engage in "sharing" for cross-context behavioural advertising as that term is defined in the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), Cal. Civ. Code §1798.140.

You can confirm or change your Do Not Sell or Share preference at any time at /legal/do-not-sell.

6. International transfers

PYLON is operated from Australia. Personal information is processed at Cloudflare edge nodes around the world, and by service providers in the United States and (in some cases) the European Economic Area.

When we transfer personal information out of the EEA, the UK or Switzerland to a country that does not benefit from a European Commission adequacy decision, we rely on the Standard Contractual Clauses (EU SCCs Module 2; UK IDTA) and we apply supplementary measures where necessary, including encryption in transit (TLS 1.2+) and at rest (AES-GCM for sensitive columns), pseudonymisation (hashed IPs), and contractual assistance with data-subject rights.

Australian Privacy Principle 8 applies to overseas disclosures from Australia: we take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to the information.

7. How long we keep personal information

We retain personal information only for as long as we have a lawful basis to do so.

When you request deletion, we operate a thirty (30) day grace window during which you can cancel the request by signing back in. After thirty days, our automated cron deletes or anonymises your personal data per the cascade documented at apps/api/src/cron/gdpr.ts. Some operational records (audit log, financial records) are retained per the table above.

After the cascade, your users row is tombstoned, email, display-name, image, DOB, country code and Stripe customer ID are zeroed; the row itself is retained because non-nullable foreign keys from retained business records (titles, payouts, audit) reference it. This is a privacy-preserving design choice: we keep referential integrity on retained records without keeping any personal data.

8. Your rights

Your rights vary by jurisdiction. We honour the following rights to the extent applicable to you. To exercise any right, email [email protected] or use Account → Privacy & Data.

We aim to respond within thirty (30) days. We may extend this by a further sixty (60) days for complex requests; we will tell you if we need to. We do not charge a fee for a first request in any twelve-month period.

8.1 GDPR (EU) and UK GDPR

If you are in the European Economic Area, the United Kingdom or Switzerland, you have the rights to:

• Access the personal information we hold about you (Art. 15);
• Rectify inaccurate or incomplete information (Art. 16);
• Erase your personal information (the "right to be forgotten", Art. 17), subject to our retention obligations;
• Restrict our processing (Art. 18);
• Receive a portable copy of your information in a machine- readable format (Art. 20), our GDPR export tool delivers a JSON archive at the link we email you;
• Object to processing based on legitimate interest, including direct marketing (Art. 21);
• Withdraw consent at any time, without affecting the lawfulness of past processing (Art. 7(3));
• Not be subject to automated decision-making with legal or similarly significant effects (Art. 22), we do not engage in such automated decision-making; and
• Lodge a complaint with your supervisory authority. A list is maintained by the European Data Protection Board at https://edpb.europa.eu. UK residents may complain to the UK Information Commissioner's Office (ICO) at https://ico.org.uk.

8.2 Australian Privacy Act 1988

If you are in Australia, the Australian Privacy Principles (APPs) apply, including:

• APP 1, open and transparent management of personal information;
• APP 5, notification of collection (this Policy is that notification);
• APP 6, limited use and disclosure;
• APP 8, overseas disclosure (see section 6);
• APP 11, security of personal information;
• APP 12, access on request;
• APP 13, correction on request.

You may complain to the Office of the Australian Information Commissioner (OAIC) at https://www.oaic.gov.au if you are not satisfied with our handling of your personal information.

8.3 California (CCPA / CPRA)

If you are a California resident, you have the rights to:

• Know what personal information we collect, use, disclose and sell or share (Cal. Civ. Code §1798.110, §1798.115);
• Delete personal information (§1798.105);
• Correct inaccurate personal information (§1798.106);
• Opt out of "sale" or "sharing" of personal information for cross-context behavioural advertising (§1798.120), see /legal/do-not-sell;
• Limit use and disclosure of sensitive personal information (§1798.121), we do not use sensitive PI for any purpose beyond those listed in §1798.121(a)(1)–(8), so this right is auto-honoured;
• Non-discrimination for exercising your privacy rights (§1798.125); and
• Authorise an agent to act for you, subject to verification.

8.4 Other US states

If you are a resident of Colorado (CPA), Connecticut (CTDPA), Delaware, Florida, Indiana, Iowa, Maryland, Minnesota, Montana, New Hampshire, New Jersey, Oregon, Tennessee, Texas (TDPSA), Utah (UCPA) or Virginia (VCDPA), you have substantially equivalent rights to access, correct, delete and opt-out of targeted advertising and the sale of personal information. Email [email protected] to exercise.

8.5 Canada (PIPEDA)

If you are in Canada, you have the rights of access, correction and withdrawal of consent (subject to legal and contractual restrictions) under the Personal Information Protection and Electronic Documents Act (PIPEDA) and equivalent provincial laws. The applicable supervisory authority is the Office of the Privacy Commissioner of Canada at https://www.priv.gc.ca.

8.6 Brazil (LGPD)

We do not currently offer the Service in Brazil and do not knowingly process personal data of Brazilian data subjects. If we extend the Service to Brazil, we will update this Policy with the Lei Geral de Proteção de Dados (LGPD)–specific rights and the relevant authority (ANPD).

8.7 Verification

Before we act on a rights request, we will verify your identity to a reasonable degree of confidence appropriate to the sensitivity of the data and the nature of the request, typically by requiring you to authenticate to your Account and to confirm the request from the verified email address on the Account.

9. Cookies and similar technologies

The cookies and local-storage entries we use are described in the Cookie Policy. In summary:

• Strictly necessary cookies (session, CSRF, viewing-progress, offline-download tag) are always on. They are required for the Service to work.
• Functional cookies (theme, captions, locale) are off by default.
• Analytics cookies (PostHog, Sentry) are off by default and only switched on when you grant consent.
• Marketing cookies are off by default. We currently use none.

The PYLON Cinema mobile app uses the same per-purpose consent framework (functional, analytics, marketing). Your decision is stored on-device in the OS keychain and synchronised to your Account so it carries across devices. You can review or change your choices at any time in the app under You → Privacy, and on the web at /legal/cookie-policy.

You can change your choices at any time at /legal/cookie-policy.

10. Children

The Service is not directed to children under thirteen (13). See the Children's Privacy Notice for our COPPA-compliant approach. If you believe we have inadvertently collected personal information from a child under thirteen, contact [email protected] and we will delete it.

11. How we secure personal information

We implement administrative, physical and technical safeguards designed to protect personal information against loss, misuse and unauthorised access, disclosure, alteration and destruction. These include:

• TLS 1.2+ for all data in transit, with HSTS preloading and modern cipher suites only;
• AES-GCM at rest for sensitive columns (e.g., 2FA secrets, recovery-code hashes, IP hashes);
• Passwordless authentication by default, magic-link or OAuth, to eliminate password-reuse risk;
• Two-factor authentication available to all users; required for privileged roles (admin, senior_curator);
• Hashed IP addresses, we never store raw IPs;
• Allow-list data minimisation in our automated GDPR export, only explicitly listed columns are exported;
• Audit logging of all security-sensitive actions;
• Role-based access control, engineers do not have routine access to user data; access is logged and reviewed;
• Vendor risk review before onboarding new processors;
• Annual review of this Policy and the underlying controls.

We do not currently hold a SOC 2, ISO 27001, HIPAA or PCI DSS certification. We will publish certifications on this page if and when we obtain them. We are PCI DSS out of scope because we never see card data, Stripe handles all PCI scope.

No security control is perfect. We cannot guarantee absolute security.

12. Breach notification

If a personal-information breach occurs, we will:

• contain and assess the breach;
• where required, notify the relevant supervisory authority within the statutory window, seventy-two (72) hours for GDPR Art. 33; "as soon as practicable" for the Australian Notifiable Data Breaches scheme (Privacy Act 1988 Part IIIC);
• where required by law or where the breach is likely to result in a significant risk of serious harm to you, notify you directly and provide guidance on protective steps you can take.

We maintain a Data Breach Response Plan internally and exercise it annually.

13. Contact us; complaints

Privacy enquiries and rights requests: [email protected] Postal: Apostle Pty Ltd, [REGISTERED ADDRESS: TBD]

We will acknowledge your enquiry within five (5) business days and aim to resolve within thirty (30) days.

Supervisory authorities and complaint channels:

• Australia, Office of the Australian Information Commissioner (OAIC), https://www.oaic.gov.au;
• EU, your national data-protection authority (list maintained by the EDPB at https://edpb.europa.eu);
• United Kingdom, Information Commissioner's Office, https://ico.org.uk;
• California, California Privacy Protection Agency, https://cppa.ca.gov;
• Canada, Office of the Privacy Commissioner, https://www.priv.gc.ca.

You have the right to lodge a complaint without contacting us first, though we encourage you to give us a chance to address your concern.

14. Changes to this Policy

We may amend this Policy from time to time. Material changes will be notified by email to your Account address and/or by an in-product notice at least fourteen (14) days before they take effect (or such longer notice as required by applicable law). The most current version is always at https://pylon.video/legal/privacy-policy.

Sibling documents

• Terms of Service
• Cookie Policy
• Do-Not-Sell
• Children's Privacy Notice
• Marketing Communications
• Subscription Agreement
• Refund Policy
• DMCA Policy

Note on Do-Not-Sell. For the canonical Do-Not-Sell mechanism, see the live page at /legal/do-not-sell.

Version history