1. Introduction

OurFrame SA ("OurFrame", "we", "us", or "our"), a company incorporated under Swiss law with its registered office in Geneva, Switzerland, operates the WaterBear streaming service (the "Service").

This Privacy Policy explains how we collect, use, store, and share your personal data when you visit our website, use our streaming platform, or interact with our television applications (collectively, the "Service").

We are committed to protecting your privacy in accordance with the Swiss Federal Act on Data Protection (FADP/nDSG), the EU General Data Protection Regulation (GDPR), and other applicable data protection laws.

2. Data Controller

The data controller for the processing described in this policy is:

OurFrame SA Geneva, Switzerland Email: privacy@ourframe.ch

3. What Data We Collect

3.1 Data you provide directly

When you create an account or interact with the Service, we may collect:

• Account data: name (where provided), email address, password (stored in hashed form), account creation date

• Profile data: viewing preferences, content interests, account settings, language preferences

• Communication data: email communication preferences, and any information you provide when contacting us (e.g. support requests)

• Newsletter preferences: your subscription choices for our newsletter

• User-generated content: any content you upload or share on the platform, where applicable

3.2 Data collected automatically

When you use the Service, we automatically collect:

• Usage data: viewing history, content interactions, pages visited, videos watched, search queries, time spent on the Service, playback events (start, progress, completion), session data

• Device and technical data: browser type and version, operating system, screen resolution, device type, IP address

• Referral data: the source that brought you to the Service (e.g. search engine, social media link, campaign URL)

3.3 Data from third-party services

We may receive limited data from our third-party service providers, in particular from Vimeo in relation to your viewing activity on the streaming platform.

4. How We Use Your Data

We process your personal data for the following purposes and on the following legal bases:

PurposeLegal basis (GDPR)Legal basis (Swiss FADP)Providing and operating the Service, including account managementPerformance of contract (Art. 6(1)(b) GDPR)Legitimate purposeDelivering video content and maintaining playback qualityPerformance of contractLegitimate purposeSending newsletters (via Bevo)Consent (Art. 6(1)(a) GDPR)ConsentAnalysing usage patterns to improve the Service (via Google Analytics)Legitimate interest (Art. 6(1)(f) GDPR)Legitimate purposeMeasuring content performance and audience behaviourLegitimate interestLegitimate purposeEnsuring the security of the Service and preventing abuseLegitimate interestLegitimate purposeComplying with legal obligationsLegal obligation (Art. 6(1)(c) GDPR)Legal obligation

Where we rely on legitimate interest as a legal basis, we have assessed that our interests do not override your fundamental rights and freedoms. You may object to processing based on legitimate interest at any time (see Section 8).

5. Who We Share Your Data With

We share your personal data only with the following categories of recipients, and only to the extent necessary for the purposes described in this policy:

Service providers:

• Vimeo, Inc. (New York, USA) for video hosting, streaming delivery, and platform services. Vimeo processes data on our behalf under a data processing agreement. Vimeo's privacy policy: https://vimeo.com/privacy

• Google LLC (Mountain View, USA) for web analytics (Google Analytics 4). Google processes anonymised and pseudonymised usage data. Google's privacy policy: https://policies.google.com/privacy

• Bevo for newsletter delivery. Bevo processes your email address and subscription preferences on our behalf when you subscribe to our newsletter.

We do not sell your personal data. We do not share your data with advertisers.

6. International Data Transfers

Some of our service providers are based in the United States. When personal data is transferred outside Switzerland or the European Economic Area (EEA), we ensure appropriate safeguards are in place, including:

• EU Standard Contractual Clauses (SCCs) as approved by the European Commission

• The Swiss-US Data Privacy Framework, where applicable

• Adequacy decisions by the Swiss Federal Council or the European Commission, where applicable

7. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected:

• Account data: retained for as long as your account is active, and deleted within 90 days of account deletion

• Usage and analytics data: retained in identifiable form for up to 26 months, then anonymised or deleted

• Newsletter data: retained until you unsubscribe

• Communication data: retained for up to 12 months after the last interaction

We may retain certain data for longer periods where required by law or to establish, exercise, or defend legal claims.

8. Your Rights

Depending on your location, you have the following rights regarding your personal data:

• Right of access: you may request a copy of the personal data we hold about you

• Right to rectification: you may request correction of inaccurate or incomplete data

• Right to erasure: you may request deletion of your personal data, subject to legal retention requirements

• Right to restriction: you may request that we restrict the processing of your data in certain circumstances

• Right to data portability: you may request to receive your data in a structured, commonly used, machine-readable format

• Right to object: you may object to processing based on legitimate interest at any time

• Right to withdraw consent: where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing

To exercise any of these rights, please contact us at privacy@ourframe.ch. We will respond within 30 days.

If you are located in the EU/EEA, you also have the right to lodge a complaint with your local data protection supervisory authority.

If you are located in Switzerland, you may contact the Federal Data Protection and Information Commissioner (FDPIC): https://www.edoeb.admin.ch

9. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include encryption of data in transit (TLS 1.2+) and at rest, access controls with multi-factor authentication, and regular security reviews.

However, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security.

10. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in accordance with Article 33 GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will also inform you directly without undue delay, in accordance with Article 34 GDPR.

11. Children

The Service is not directed at children under 16. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected data from a child under 16, please contact us at privacy@ourframe.ch and we will promptly delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page. For material changes, we will make reasonable efforts to notify you via email or through the Service.

We encourage you to review this policy periodically.