Compliance

Buddy Watch is in private beta. This page summarizes the compliance posture we're building toward and the practices already in effect. The lawyer-reviewed Privacy Policy and Terms of Service replace the current scaffolding before public launch.

Last updated: 2026-05-08

Frameworks we honor at launch

Age

Buddy Watch is 13+. Signup blocks under-13 account creation entirely. For 13- to 15-year-olds in EU member states with an age of consent above 13 (e.g. France 15, Germany 16, Ireland 16), a parental consent flow gates the account.

What we collect

The minimum we need to run the service. No tracking pixels, no advertising identifiers, no third-party analytics embedded in the consumer surfaces today.

Your rights

Whether or not you live in a jurisdiction where these are legally required, Buddy Watch honors them for every account:

Most rights are self-serve from your settings page (export and delete in particular). For everything else, email hello@buddywatch.online. We respond within 30 days — the GDPR-default window — and will tell you immediately if a request needs longer.

Subprocessors

Vendors who process personal data on Buddy Watch's behalf under contract. Each is reviewed for security posture and privacy commitments before we onboard them.

Vendor | Role | Region
Amazon Web Services (AWS) | Compute, database, object storage, secrets management for the Buddy Watch dev tier | us-east-2 (Ohio)
Cloudflare | DNS, edge TLS, DDoS protection, application delivery | Global edge
Resend | Transactional email delivery (account verification, friend invites, security alerts) and inbound email parsing | United States
TMDB (The Movie Database) | Public movie and TV metadata lookup — title, cast, runtime, art. We send a TMDB ID, we receive metadata; no user PII is sent. | United States
GitHub | Source-code hosting and authentication for the operator team. Customers are not represented in this processing. | United States
Anthropic | Operator-side coding assistants used by the team. No customer data is sent through this surface. | United States

Future subprocessors — vendors planned for a future feature, not yet processing data:

We notify active users by email at least 30 days before onboarding a new subprocessor that processes user-identifiable data. Material changes to a current subprocessor's role get the same notice.

International data transfers

Personal data may move between the EU/UK and the United States in the course of running the service — our hosting and most of our subprocessors are US-based. Where data leaves the EU/UK, we rely on Standard Contractual Clauses (SCCs) — the European Commission's 2021 modules — and the UK's International Data Transfer Agreement (IDTA), plus the EU–US Data Privacy Framework where the receiving vendor is certified.

We don't currently offer EU-only or UK-only data residency tiers. If your use case requires that, email us and we'll tell you honestly whether and when we can.

Security

Buddy Watch's security posture is grounded in a few baseline practices, applied uniformly:

No system is unbreachable. We design with the assumption that things will go wrong and aim to make failures small, contained, and recoverable.

Data breach notification

If we discover a personal-data breach affecting your information, we'll:

Cookies and tracking

Buddy Watch uses cookies and equivalent local storage only for things the service can't function without:

No advertising cookies, no cross-site tracking pixels, no third-party analytics in the customer-facing surfaces today. If we add product analytics in the future (via the future-subprocessor PostHog/Sentry path), it'll be opt-out-by-design and disclosed here before activation.

Marketing emails

We send transactional email (account verification, security alerts, friend invites you triggered, watch-party invitations you opted into) by default. Marketing email — product news, release announcements, beta-cohort updates — is opt-in where required by law and includes a one-click unsubscribe. You can change your email preferences from your settings page at any time. Unsubscribing from marketing doesn't stop transactional email tied to features you're using.

Frameworks that don't apply, and why

Requests + questions

Email hello@buddywatch.online for any rights request, compliance question, or concern. We aim to respond within 30 days, the GDPR-default response window. Use subject prefix [Privacy] for data-rights requests so we route them quickly.

A formal Data Protection Officer designation isn't required at our current scale. Until that changes, the contact above is the canonical privacy point-of-contact.
