Filmchief Privacy Policy

1. Who we are

Filmchief is provided by:

Filmchief B.V.

Chamber of Commerce, KvK: 98804545

VAT: NL868650523B01

Registered office: Gorterplaats 1, 6531HZ Nijmegen, The Netherlands

Country: The Netherlands

Email for privacy matters: privacy@filmchief.com

In this Privacy Policy, “Filmchief”, “we”, “us”, and “our” refer to Filmchief B.V.

2. Scope of this Privacy Policy

This Privacy Policy applies to personal data processed by Filmchief in connection with:

1. (a) the Filmchief website;
2. (b) demo requests, sales enquiries, customer onboarding, customer communication, billing, support, and administration;
3. (c) Filmchief user accounts and administrative access to the Filmchief platform;
4. (d) security, diagnostics, error logging, system administration, and service improvement;
5. (e) personal data processed in Filmchief environments used by festival customers, to the extent this Privacy Policy explains Filmchief’s role as processor.

This Privacy Policy does not replace the privacy notices of Filmchief’s festival customers. If you interact with a festival through a Filmchief-powered portal, form, ticket shop, online screening environment, accreditation form, submission form, RSVP form, or public page, the relevant festival organisation is usually responsible for explaining how it uses your personal data.

3. Key definitions

Customer means a festival organisation or other organisation that uses Filmchief.

Authorised User means a person who is given access to a Customer’s Filmchief environment, such as festival staff, programmers, reviewers, guest coordinators, accreditation coordinators, ticketing staff, volunteers, contractors, or administrators.

End User means a person who interacts with a Customer’s Filmchief environment without necessarily having administrative access, such as a filmmaker, submitter, guest, ticket buyer, accreditation applicant, festival visitor, online screening viewer, press or industry guest, jury member, or RSVP recipient.

Customer Data means personal data and other content entered into, uploaded to, generated in, published through, or processed through a Customer’s Filmchief environment.

Personal data means information relating to an identified or identifiable natural person.

4. Filmchief as controller and Filmchief as processor

Filmchief may process personal data in two different roles.

4.1 Filmchief as controller

Filmchief acts as controller when it determines the purposes and means of processing personal data for its own business purposes.

This includes, for example:

1. (a) managing the Filmchief website;
2. (b) responding to enquiries;
3. (c) providing demos;
4. (d) managing customer relationships;
5. (e) creating and managing Filmchief accounts;
6. (f) billing and bookkeeping;
7. (g) providing customer support;
8. (h) securing and maintaining the Service;
9. (i) improving Filmchief;
10. (j) complying with legal obligations;
11. (k) communicating about Filmchief services.

When Filmchief acts as controller, this Privacy Policy explains how Filmchief processes personal data.

4.2 Filmchief as processor

Filmchief acts as processor when it processes personal data on behalf of a Customer in the Customer’s Filmchief environment.

This includes, for example, personal data relating to submissions, accreditations, guests, ticket buyers, online screening viewers, filmmakers, press, industry guests, jury members, invitees, festival visitors, and other people whose data is processed by or for the Customer through Filmchief.

In these cases, the Customer is normally the controller. The Customer decides why the data is collected, what data is collected, how forms are configured, which communications are sent, who receives access, how long data is kept, and how the data is used for festival operations.

Filmchief processes such personal data on the Customer’s instructions and in accordance with the Data Processing Agreement between Filmchief and the Customer.

5. Personal data we process as controller

When Filmchief acts as controller, we may process the following categories of personal data.

5.1 Website and enquiry data

This may include:

1. (a) name;
2. (b) organisation name;
3. (c) job title or role;
4. (d) email address;
5. (e) phone number;
6. (f) message content;
7. (g) website or festival URL;
8. (h) country;
9. (i) information provided in demo, contact, or sales requests;
10. (j) technical information such as IP address, browser type, device information, and usage information.

5.2 Customer and business contact data

This may include:

1. (a) names and contact details of customer representatives;
2. (b) billing contacts;
3. (c) legal contacts;
4. (d) technical contacts;
5. (e) support contacts;
6. (f) role, department, and organisation details;
7. (g) contract and billing information;
8. (h) communication history;
9. (i) notes relating to onboarding, support, commercial discussions, or customer relationship management.

5.3 Account and access data

This may include:

1. (a) name;
2. (b) email address;
3. (c) username;
4. (d) hashed password;
5. (e) role and permissions;
6. (f) account settings;
7. (g) login history;
8. (h) authentication information;
9. (i) security and access logs.

5.4 Support and diagnostic data

This may include:

1. (a) support requests;
2. (b) screenshots or files provided for support;
3. (c) technical logs;
4. (d) error messages;
5. (e) browser and device information;
6. (f) IP addresses;
7. (g) affected URLs;
8. (h) order references, payment references, account references, or other diagnostic identifiers where needed to resolve an issue.

5.5 Billing and administration data

This may include:

1. (a) customer name;
2. (b) billing address;
3. (c) VAT or tax number;
4. (d) Chamber of Commerce or registration number;
5. (e) invoice details;
6. (f) payment status;
7. (g) payment references;
8. (h) purchase order details;
9. (i) accounting records;
10. (j) correspondence with finance contacts.

5.6 Marketing and communication data

This may include:

1. (a) name;
2. (b) email address;
3. (c) organisation;
4. (d) role;
5. (e) communication preferences;
6. (f) responses to newsletters, updates, or announcements, where applicable.

Filmchief does not sell personal data.

6. Personal data processed in Customer environments

Customers use Filmchief for many different festival workflows. Depending on how a Customer configures Filmchief, Customer Data may include:

1. (a) names;
2. (b) email addresses;
3. (c) phone numbers;
4. (d) physical addresses;
5. (e) organisation names;
6. (f) job titles and professional roles;
7. (g) film credits;
8. (h) biographies;
9. (i) film submission information;
10. (j) accreditation information;
11. (k) guest and hospitality information;
12. (l) travel and accommodation information;
13. (m) invitation and RSVP information;
14. (n) ticket order information;
15. (o) payment references;
16. (p) online screening access information;
17. (q) communication history;
18. (r) jury, review, selection, voting, or programming information;
19. (s) photographs or profile images;
20. (t) dietary preferences, accessibility needs, or other information collected by the Customer where relevant to festival operations;
21. (u) any other information the Customer chooses to collect, upload, or process through Filmchief.

The exact categories depend on the Customer’s use of Filmchief. Customers are responsible for ensuring that they only collect and process personal data that is necessary, lawful, and appropriate for their festival operations.

7. Purposes and legal bases

When Filmchief acts as controller, we process personal data for the purposes and legal bases described below.

7.1 To provide and administer Filmchief

We process personal data to create accounts, provide access, manage subscriptions, communicate with Customers, provide support, maintain the Service, and perform our contractual obligations.

Legal basis: performance of a contract or steps prior to entering into a contract.

7.2 To respond to enquiries and provide demos

We process personal data to respond to contact requests, demo requests, questions, and commercial enquiries.

Legal basis: legitimate interests, or steps prior to entering into a contract.

Our legitimate interest is to respond to people and organisations who contact us about Filmchief.

7.3 To provide support and resolve issues

We process personal data to investigate support requests, troubleshoot problems, answer questions, review reported issues, and improve the reliability of the Service.

Legal basis: performance of a contract and legitimate interests.

Our legitimate interest is to provide reliable support and maintain the quality and security of the Service.

7.4 To secure and maintain the Service

We process personal data to monitor, protect, troubleshoot, debug, maintain, and secure the Service. This may include access logs, IP addresses, authentication logs, security logs, error logs, and diagnostic information.

Legal basis: legitimate interests and, where applicable, legal obligation.

Our legitimate interest is to protect Filmchief, Customers, Authorised Users, End Users, systems, data, and third parties against unauthorised access, misuse, fraud, abuse, errors, and security incidents.

7.5 To invoice and administer our business

We process personal data for invoicing, payment administration, bookkeeping, tax records, contract administration, and financial reporting.

Legal basis: performance of a contract and legal obligation.

7.6 To communicate about important service matters

We process personal data to send service announcements, security notices, administrative messages, support messages, billing messages, and important updates about Filmchief.

Legal basis: performance of a contract, legal obligation, and legitimate interests.

7.7 To improve Filmchief

We may process limited personal data and usage information to understand how Filmchief is used, identify problems, improve workflows, prioritise development, and improve documentation and support.

Legal basis: legitimate interests.

Where possible, we use aggregated or de-identified information for this purpose.

7.8 To send optional marketing communications

Where applicable, we may use contact details to send newsletters, product updates, or other marketing communications.

Legal basis: consent, legitimate interests, or another applicable legal basis depending on the context and applicable law.

Recipients can unsubscribe from marketing communications where required.

7.9 To comply with legal obligations and protect rights

We may process personal data to comply with legal obligations, respond to lawful requests, enforce agreements, resolve disputes, prevent abuse, protect rights, and defend legal claims.

Legal basis: legal obligation and legitimate interests.

8. Customer responsibility for festival data

Customers are responsible for personal data processed in their Filmchief environments, except where Filmchief processes data for its own controller purposes.

This means Customers are responsible for:

1. (a) determining what personal data is collected;
2. (b) determining the purposes for which personal data is used;
3. (c) ensuring that there is a valid legal basis for processing;
4. (d) providing appropriate privacy notices to End Users;
5. (e) obtaining consent where required;
6. (f) deciding retention periods for Customer Data;
7. (g) managing Authorised User access and permissions;
8. (h) handling data subject requests relating to Customer Data;
9. (i) ensuring that forms, ticketing flows, submission flows, accreditation flows, guest workflows, online screening workflows, and communications are lawful and appropriate;
10. (j) avoiding the collection of sensitive or special category data unless necessary and lawful.

Filmchief provides tools that Customers can configure and use. Filmchief does not decide how a Customer runs its festival, which data the Customer requests from End Users, which End Users are contacted, which tickets are sold, which submissions are selected, which guests are invited, or how Customer Data is used for festival operations.

9. Data Processing Agreement

Where Filmchief processes personal data on behalf of a Customer, the Filmchief Data Processing Agreement applies and forms part of the agreement between Filmchief and the Customer.

The Data Processing Agreement sets out the terms under which Filmchief processes personal data as processor on behalf of the Customer as controller.

If there is a conflict between this Privacy Policy and the Data Processing Agreement regarding processor processing, the Data Processing Agreement prevails for that processor processing.

10. Cookies, analytics, and customer-selected tracking

Filmchief uses cookies and similar technologies where needed to operate, secure, and improve the website and Service.

10.1 Strictly necessary cookies

Filmchief uses strictly necessary cookies for purposes such as:

1. (a) login and authentication;
2. (b) session management;
3. (c) security;
4. (d) remembering technical state during use of the Service;
5. (e) preventing abuse;
6. (f) keeping users logged in where applicable;
7. (g) enabling core functionality of the website or Service.

These cookies are needed for the website or Service to function.

10.2 Functional cookies

Filmchief may use functional cookies to remember preferences, settings, language choices, display choices, or similar choices.

These cookies improve usability but are not used for advertising or tracking across websites.

10.3 Analytics cookies on Filmchief’s own website

Filmchief uses Google Analytics on its main website, filmchief.com, to understand how visitors use the website and to improve Filmchief’s public communication, website structure, and content.

Where required, Filmchief will ask for consent before placing non-essential analytics cookies.

Filmchief does not use Google Analytics on festival customer subdomains by default.

10.4 Marketing or tracking cookies by Filmchief

Filmchief does not use marketing cookies, tracking cookies, retargeting pixels, advertising pixels, or similar tracking technologies for its own purposes unless this is clearly indicated and, where required, consent has been obtained.

10.5 Festival customer subdomains

Festival customer subdomains, such as customername.filmchief.com, do not include Google Analytics, Meta Pixel, or similar analytics or tracking tools by default.

However, Customers may choose to add their own analytics, marketing, tracking, advertising, retargeting, measurement, or similar code to their Filmchief-powered public pages, portals, ticket shops, online screening environments, or other subdomain pages.

Examples may include Google Analytics, Meta Pixel, or similar third-party tools.

Where a Customer chooses to add such code, the Customer is responsible for that choice and for ensuring that its use is lawful. This includes:

1. (a) providing appropriate privacy information;
2. (b) providing appropriate cookie information;
3. (c) obtaining consent where required;
4. (d) configuring the tool appropriately;
5. (e) entering into any required agreement with the third-party provider;
6. (f) assessing any international data transfers;
7. (g) handling related data subject requests;
8. (h) complying with applicable privacy, cookie, marketing, and consumer protection laws.

Filmchief may technically enable a Customer to add or manage such code, but Filmchief does not determine the Customer’s purposes for analytics, marketing, advertising, retargeting, or tracking, and does not use the resulting analytics or tracking data for Filmchief’s own purposes.

10.6 Customer-selected third-party code

Customer-selected analytics, marketing, tracking, advertising, retargeting, measurement, embedded content, or similar third-party code is not automatically a Filmchief subprocessor service.

Unless Filmchief has separately engaged the relevant third party as a subprocessor for Filmchief’s own provision of the Service, such third-party code is selected and controlled by the Customer.

Filmchief may refuse, remove, disable, or suspend customer-selected code where Filmchief reasonably believes it creates a security risk, legal risk, operational risk, performance issue, privacy risk, or risk to Filmchief, other customers, End Users, or third parties.

10.7 Cookie information and consent

Filmchief will provide information about cookies used by Filmchief where required.

Where a Customer uses Filmchief public pages, ticket shops, portals, online screening environments, embedded content, integrations, or customer-selected third-party code in a way that involves cookies or similar technologies, the Customer is responsible for providing any required cookie information and obtaining consent where required.

11. Third-party services and subprocessors

Filmchief uses third-party providers to provide, maintain, support, secure, and administer the Service.

Depending on the Customer configuration and the relevant part of the Service, these may include:

1. (a) hosting and infrastructure providers;
2. (b) email delivery providers;
3. (c) payment service providers;
4. (d) video hosting and streaming providers;
5. (e) analytics providers;
6. (f) support and administration tools;
7. (g) bookkeeping and invoicing providers;
8. (h) DNS, domain, and security providers;
9. (i) API and integration providers;
10. (j) professional advisors;
11. (k) other service providers needed to operate Filmchief.

Examples of third-party services that may be relevant in a Filmchief context include email delivery services, payment providers, video platforms, address validation services, and customer-selected integrations such as submission platforms, payment providers, website integrations, or APIs.

Where Filmchief acts as processor, subprocessors are governed by the applicable Data Processing Agreement.

Where Customers choose to connect third-party services to their Filmchief environment, such as a payment provider, submission platform, website, analytics service, video provider, or API consumer, the Customer is responsible for that choice and for any required legal arrangements with that third party.

Filmchief may disclose personal data where necessary to:

1. (a) provide the Service;
2. (b) process payments and invoices;
3. (c) send emails;
4. (d) host, secure, and maintain the Service;
5. (e) provide support;
6. (f) comply with law;
7. (g) respond to lawful requests from authorities;
8. (h) enforce agreements;
9. (i) protect rights, security, and legitimate interests;
10. (j) complete a merger, acquisition, restructuring, or transfer of business, subject to appropriate safeguards.

Filmchief does not sell personal data.

12. International transfers

Filmchief is based in the Netherlands.

Where possible and appropriate, Filmchief processes personal data in the European Economic Area.

Some third-party providers or Customer-selected integrations may process personal data outside the European Economic Area. Where personal data is transferred outside the European Economic Area, Filmchief will use appropriate safeguards where required by applicable law. These safeguards may include adequacy decisions, standard contractual clauses, or other lawful transfer mechanisms.

Where Filmchief acts as processor, international transfers are governed by the applicable Data Processing Agreement.

Customers are responsible for assessing international transfers caused by their own choices, settings, integrations, embedded content, payment provider choices, video provider choices, or API connections.

13. Retention

Filmchief does not keep personal data longer than necessary for the purposes for which it is processed, unless a longer retention period is required or permitted by law.

Retention periods depend on the category of data and the context.

13.1 Customer account and contract data

We retain customer account, contract, and relationship data for as long as the customer relationship continues and for a reasonable period afterwards, where needed for administration, support, dispute resolution, legal compliance, or legitimate business purposes.

13.2 Billing and accounting data

We retain billing, invoice, payment, and accounting data for as long as required by applicable tax, accounting, and legal obligations.

13.3 Support data

We retain support correspondence and related diagnostic information for as long as reasonably needed to provide support, maintain service history, resolve disputes, improve the Service, and protect legitimate interests.

13.4 Security and technical logs

We retain security logs, access logs, and technical logs for a limited period appropriate to security, troubleshooting, abuse prevention, and service maintenance purposes, unless a longer period is necessary for investigation, legal compliance, or dispute resolution.

13.5 Marketing data

We retain marketing contact data until the recipient unsubscribes, objects, withdraws consent where applicable, or the data is no longer needed for the purpose for which it was collected.

13.6 Customer Data in Filmchief environments

Where Filmchief acts as processor, Customer Data is retained according to the Customer’s instructions, the applicable agreement, the Data Processing Agreement, and the Customer’s use of available deletion, export, or retention settings.

After termination or expiry of the customer relationship, Customer Data may be deleted, anonymised, returned, or retained for a limited period according to the applicable agreement, the Data Processing Agreement, legal obligations, and reasonable operational requirements.

13.7 Backups

Deleted data may remain in backups for a limited period until those backups are overwritten or deleted according to backup cycles. During that period, backup data is protected and not used for ordinary operational purposes.

14. Security

Filmchief uses appropriate technical and organisational measures designed to protect personal data against unauthorised access, unlawful processing, accidental loss, destruction, alteration, or disclosure.

These measures may include, where appropriate:

1. (a) encrypted connections;
2. (b) access controls;
3. (c) role-based permissions;
4. (d) password hashing;
5. (e) firewall protections;
6. (f) monitoring and logging;
7. (g) backup procedures;
8. (h) security updates;
9. (i) administrative access restrictions;
10. (j) confidentiality obligations;
11. (k) internal procedures for support and incident handling.

No online service can be guaranteed to be completely secure, uninterrupted, or free from vulnerabilities. Customers and Authorised Users are responsible for using strong passwords, managing account access carefully, removing access for people who no longer need it, and protecting exported data.

15. Support access and administrative access

Filmchief may access Customer environments, records, logs, settings, or Customer Data where reasonably necessary for:

1. (a) customer support;
2. (b) troubleshooting;
3. (c) maintenance;
4. (d) security;
5. (e) debugging;
6. (f) data migration;
7. (g) customer-requested configuration assistance;
8. (h) investigating suspected misuse;
9. (i) preventing harm;
10. (j) legal compliance;
11. (k) enforcing agreements.

Filmchief limits such access to what is reasonably necessary for the relevant purpose.

Where Filmchief acts as processor, support access and administrative access are subject to the Data Processing Agreement and the Customer’s instructions.

16. Data subject rights

Depending on the situation and applicable law, individuals may have rights relating to their personal data, including:

1. (a) the right to be informed;
2. (b) the right of access;
3. (c) the right to rectification;
4. (d) the right to erasure;
5. (e) the right to restriction of processing;
6. (f) the right to data portability;
7. (g) the right to object;
8. (h) the right to withdraw consent, where processing is based on consent;
9. (i) rights relating to automated decision-making, where applicable;
10. (j) the right to lodge a complaint with a supervisory authority.

GDPR Article 15 gives individuals a right of access to their personal data, and Article 77 gives individuals the right to lodge a complaint with a supervisory authority.

To exercise rights in relation to personal data for which Filmchief is the controller, contact us at:

privacy@filmchief.com

We may need to verify your identity before responding.

Some rights are subject to conditions, exceptions, or limitations under applicable law.

17. Requests relating to festival Customer Data

If your request relates to personal data processed in a festival Customer’s Filmchief environment, the relevant Customer is usually the controller.

Examples include requests relating to:

1. (a) a film submission;
2. (b) an accreditation request;
3. (c) a guest profile;
4. (d) a ticket order;
5. (e) an online screening account;
6. (f) an RSVP;
7. (g) festival communications;
8. (h) programme, jury, review, selection, or voting data;
9. (i) other data entered into or processed through a Customer’s Filmchief environment.

In these cases, you should normally contact the relevant festival organisation directly.

If you send such a request to Filmchief, we may forward it to the relevant Customer, redirect you to the Customer, or assist the Customer in handling the request, depending on the circumstances and the Data Processing Agreement.

Filmchief cannot independently decide to delete, change, disclose, restrict, or export Customer Data where the Customer is the controller, unless instructed by the Customer, required by law, or otherwise permitted under the applicable agreement.

18. Automated decision-making

Filmchief does not use personal data for its own controller purposes to make decisions based solely on automated processing that produce legal effects or similarly significant effects for individuals.

Customers may use Filmchief to support festival workflows such as review, selection, programming, accreditation, ticketing, reporting, audience voting, or guest management. Where a Customer uses Filmchief in a way that involves automated decision-making or profiling, the Customer is responsible for informing individuals and complying with applicable law.

19. Complaints to the supervisory authority

If you are concerned about how Filmchief processes personal data, please contact us first so we can try to resolve the issue.

You also have the right to lodge a complaint with a supervisory authority.

For Filmchief B.V. in the Netherlands, the relevant supervisory authority is:

Autoriteit Persoonsgegevens

The Dutch Data Protection Authority

The Autoriteit Persoonsgegevens provides information about submitting complaints to the AP.

If your complaint relates to a festival Customer’s use of your personal data, you may also contact the relevant Customer or the supervisory authority that applies to that Customer.

20. Changes to this Privacy Policy

Filmchief may update this Privacy Policy from time to time.

The version number and effective date are shown at the top of this Privacy Policy.

If we make material changes, we will take reasonable steps to make the updated Privacy Policy available, for example by publishing it on the Filmchief website or informing Customers through appropriate channels.

Changes do not apply retroactively where this would be unlawful or unfair.

For Customer agreements that refer to a specific version of this Privacy Policy or a specific Data Processing Agreement, the versioning and precedence rules in the applicable agreement apply.

21. Contact details

For privacy questions about Filmchief’s own processing of personal data, contact:

Filmchief B.V.

Email: privacy@filmchief.com

Website: https://filmchief.com

Registered office: Gorterplaats 1, 6531HZ Nijmegen, The Netherlands

Chamber of Commerce, KvK: 98804545

VAT: NL868650523B01

For privacy questions about a specific festival, film submission, accreditation request, guest record, ticket order, online screening account, or other Customer Data, please contact the relevant festival organisation first.