Skip to main content
Sign in Sign up free

Privacy Policy

Last updated: June 2, 2026

The short version

We collect what's needed to run Screentour, meaning your account details and the films and submissions you add. Payments go through Paddle, so we never see your payment details. We don't sell your data, share it with advertisers, or use it to train AI. You decide who you share a space with, and you can export or delete your data.

Who we are

Screentour™ is built and operated by:

Christian Xu
Kentzlerdamm 18A
20537 Hamburg
Germany

Christian Xu is the controller responsible for your personal data. For anything in this policy, email [email protected]. Our full legal details are in the Impressum.

What we collect

When you create an account, we collect:

  • Your email address, to identify your account and send service-related messages
  • Your name, which you add during onboarding so we know what to call you
  • Optionally a Passkey public key, if you use passwordless sign-in
  • Account timestamps, to know when your account was created and last active

You can also add optional profile details, such as a photo, a title, and a short bio.

When you use Screentour, we also store:

  • Films, including titles, descriptions, and any other details you add
  • Submissions, including the festivals you submit to, deadlines, status, and notes
  • Screenings, including where and when your work was shown
  • Settings, such as your timezone and date format
  • Uploaded files, such as profile photos, film posters, and stills, which we store with our object-storage provider (listed on the Sub-processors page)
  • An activity history, a log of changes to your films and submissions

If you subscribe to a paid plan, we also store a small amount of billing information, described under Payments and billing below. We don't collect your phone number, and we never see or store your card details.

Your film and submission records can include information about other people, such as the names and roles of cast and crew. For sufficient matching and diversity research, those records can also include the gender and nationality, and potentially the age, of the director and producer. These details are sensitive, since nationality in particular can point to ethnic or national origin (a special category under Art. 9 GDPR), so we handle them all with that level of care. We use them for the fairness analysis only when a space opts in, and only in pseudonymised form under research safeguards. See Research and statistics.

Why we collect it

We use your data only to run the service. Each use has a legal basis under Article 6(1) GDPR.

  • Running your account, and storing and displaying your films and submissions. This performs the contract you signed up for (Art. 6(1)(b)).
  • Account and security emails, such as password resets, security notices, and important service changes. This performs the contract and serves our legitimate interest in keeping accounts secure (Art. 6(1)(b) and (f)).
  • Optional product-update emails. We send these only with your consent, which you can withdraw at any time (Art. 6(1)(a)).
  • Keeping the service secure, available, and working, such as error monitoring, uptime checks, and abuse prevention. This rests on our legitimate interest (Art. 6(1)(f)). We use the minimum data needed. When something goes wrong, an error report can include technical context about the request, such as what you were doing and an identifier for your account, which our error-monitoring provider receives (it is listed on the Sub-processors page). This is the kind of processing you would reasonably expect from any well-run service, and you can object at any time, so we consider it does not override your interests.
  • Billing and tax. This performs the contract and meets our legal record-keeping duties (Art. 6(1)(b) and (c)). See Payments and billing below.
  • Anonymous statistics, and academic research. Explained under Research and statistics below. Anonymous statistics and aggregate research figures rest on our legitimate interest (Art. 6(1)(f)). Pseudonymised diversity data about the director and producer is shared only when a space opts in, on the scientific-research basis (Art. 9(2)(j) GDPR with the Art. 89(1) and § 27 BDSG safeguards).
  • Improving the product. We look at how features are used inside Screentour, in aggregate, to decide what to build and fix. This is internal, privacy-friendly analysis with no profiling and no cross-device tracking, and it does not use the content of your films or submissions. It rests on our legitimate interest in improving the service (Art. 6(1)(f)), and you can object at any time (Art. 21).

Payments and billing

Paid plans are sold and billed through Paddle (Paddle.com Market Ltd), our authorised reseller and Merchant of Record. When you pay, you pay Paddle, and Paddle handles the payment transaction, the invoice, and any tax.

For data-protection law, this means Paddle acts as its own (independent) controller for your payment and tax data. It decides how to process that data to meet its own legal duties, such as card processing, fraud prevention, and tax records. It does this on its own account rather than on our instructions. You can read how Paddle handles your data in Paddle's privacy policy.

Your payment details are entered with Paddle and stored by Paddle. Screentour never sees or stores them. On our side, we keep only what we need to run your subscription. That means your current plan, whether it is active, how many seats you have, when the period ends, and the customer and subscription reference numbers Paddle gives us. We use these to give you the right level of access and to answer billing questions.

AI and search features

Screentour has features that help you find and research film festivals, plus an optional AI prefill that fills in a new project's form from a description you provide. To power these, we use third-party AI and web-search providers: Mistral and OpenAI for AI language models, and Firecrawl and Tavily for web search and scraping of public festival information.

Festival research. What we send is limited to public festival information. To the search providers we send festival names and generic search terms, for example a festival's name, a deadline, or an eligibility keyword. To the AI models we send public festival information for analysis, such as text from official festival websites. For these features we do not send any account details, the content of your films, or your private notes, so they do not share information that identifies you.

AI prefill. This feature is optional. If you use it, the input you provide, such as a synopsis, treatment, URL, or press kit, is sent to the AI models so they can prefill the form fields for you. Only the text you choose to paste is sent, and only when you use the feature. Please don't include anything you would not want shared with these providers.

We rely on these features to provide the service you asked for, and on our legitimate interest in offering useful festival research and faster data entry (Art. 6(1)(b) and (f) GDPR). Each provider is listed on our Sub-processors page, with its location and the safeguard that applies to any transfer.

Research and statistics

Turning festival activity into useful insight for filmmakers is central to what Screentour does, including how fairly the festival system treats different filmmakers. We do it in layers with different rules, and the parts that use sensitive data or leave Screentour are the space owner's choice.

Anonymous statistics and analytics

We produce aggregate statistics from submission activity, such as how many films are submitted, accepted, rejected, or withdrawn, broken down by factors like genre, topic, and content classification, and we study how films circulate between festivals. We turn this into clear reports on festival acceptance and rejection practices and on film circulation, so filmmakers can make better-informed submission decisions. That analysis is a core purpose of Screentour. These statistics are anonymous and never identify you or a single film. We rely on our legitimate interest in producing it (Art. 6(1)(f) GDPR), with the safeguards for statistical purposes (Art. 89(1) GDPR and § 27 BDSG), and you can object at any time (Art. 21).

We use Plausible to understand how Screentour is used, such as which pages people visit and where traffic comes from. Plausible is privacy-friendly and runs without cookies. It doesn't store IP addresses, build a profile of you, or track you across other sites, so there's no personal data involved and nothing for you to consent to. Plausible processes this data in the EU on our behalf and is listed on our Sub-processors page.

Research participation, decided by the space owner

A space can take part in academic research, and that choice sits with the space owner in the space's settings. It is off by default. Films and submissions belong to the space, so this is a space-level decision rather than a personal one. Any member can still object to the use of their own personal data, and we exclude it.

What we share when a space takes part

For film circulation we share aggregate, non-identifying figures, never record-level data. The fairness analysis assesses equity, gender, and diversity in how films are selected and circulate, for example the share of selected films with women or under-represented filmmakers in key roles, so we can produce honest reports on how fair the festival system is. It uses the gender and nationality, and potentially the age, of the director and producer. Nationality in particular can point to ethnic or national origin, which is special-category data (Art. 9 GDPR), so we process and share these details only in pseudonymised, minimised form, on the scientific-research basis (Art. 9(2)(j) GDPR, with the safeguards in Art. 89(1) GDPR and § 27 BDSG), under a data-sharing agreement, and after a data protection impact assessment. The findings are only ever aggregate. We use this basis rather than ask you to consent on other people's behalf, which you could not validly do. When a space opts in, the owner confirms that the space is entitled to provide the director's and producer's details.

For the fairness research we share pseudonymised crew data only with public academic research institutions in the EEA, each acting as an independent controller for its own research under a data-sharing agreement with us. The current partner is NTNU (Norway), and the up-to-date list is shown in your space settings. We add a partner only under the same safeguards, we tell affected spaces first, and you can object. If a space turns participation off, we stop sharing further data, though data already shared may be kept by a partner where research law allows. Directors, producers, and crew can object to this use of their data, and we act on it subject to the limits that apply to research data.

Who sees your data

People you share a space with. Screentour is built for collaboration. When you invite someone to a space as a member, or to a project as a guest, they can see the films, submissions, and related details in that space or project, and members can work on them. So the first people who see your data are the people you choose to share it with. Who counts as an owner, member, or guest is explained in the Ownership Policy.

When you invite someone. To send an invitation, you give us that person's email address, which we store and use to send the invite and, if they accept, to set up their access. That is personal data about someone else that we process on your instruction, so please invite only people who expect to hear from you.

Your data is processed by the sub-processors listed on our Sub-processors page, the third-party services we use to host and run Screentour. They act on our behalf and on our instructions. The one exception is Paddle, which is an independent controller for payment and tax data, as explained under Payments and billing.

Feedback you send to us is handled by Userback, whose widget loads only when you click "Give feedback." Until then, no feedback-tool script runs and no data is sent to it. When you do open it, your name and email are shared so we can follow up.

If you contact us within the app and open the help widget by clicking "Get help", your name and email are shared for the same reason with Help Scout.

Beyond the service providers listed on the Sub-processors page, we don't sell or rent your data, and we don't share it with advertisers or marketing third parties. The only other recipients are academic research partners, and only if you opt in, as described under Research and statistics.

International data transfers

Some of our providers are based outside the EU/EEA, or may process data outside it. Whenever personal data leaves the EU/EEA, we make sure an approved safeguard is in place so your data keeps essentially the same level of protection. We rely on one or more of the following.

  • Standard Contractual Clauses (SCCs), the European Commission's approved data-transfer contracts, with each non-EU provider.
  • The provider's certification under the EU-US Data Privacy Framework, where it appears on the official list.
  • An adequacy decision for the country in question, for example the United Kingdom.

A signed data-processing agreement (DPA) on its own is not a transfer safeguard. On the Sub-processors page we therefore name the actual mechanism for each provider, along with where it is based and where the data sits.

How we protect your data

We use appropriate technical and organizational measures to protect your data, including encryption in transit over HTTPS and access controls (Art. 32 GDPR). Our network provider, Cloudflare, and our host process your IP address to route and protect traffic, while the app does not log it to identify you. If a personal-data breach ever poses a serious risk to your rights, we notify the competent authority and, where required, you, in line with Art. 33 and 34 GDPR.

How long we keep it

We keep your account data for as long as your account is active. If you delete your account, we erase or anonymize your personal account data, such as your name, email, and profile, from the live service within 30 days, and remove it from our backups within the normal backup-rotation period after that. If you belong to a shared space, the films and submissions you added belong to that space and stay with it after you leave, so your collaborators don't lose shared work. A space where you are the only member is dissolved when you close your account.

The law requires one exception. Invoices and tax-relevant records must be kept for a statutory retention period, currently 8 years under German tax and commercial law (reduced from 10 to 8 years in 2025 by the Bürokratieentlastungsgesetz IV). These records are held by Paddle and in our bookkeeping, not in the Screentour app database. So even after you delete your account, Art. 17(3)(b) GDPR lets us keep those billing records for that period. We keep only those records, and only for that purpose.

Anonymized, non-identifying usage statistics may be kept longer to help us improve the service.

Your rights

Under the GDPR you have the right to:

  • Access (Art. 15). Ask what data we hold about you and get a copy.
  • Rectification (Art. 16). Correct anything that's wrong.
  • Erasure (Art. 17). Have your data deleted, the "right to be forgotten," subject to the tax-record exception above.
  • Portability and export (Art. 20). Get a copy of your data in a structured, machine-readable format. You can export it yourself from your account while your data is available, at no cost. We don't lock your data in.
  • Restriction (Art. 18) and objection (Art. 21). Limit or object to certain processing, including anything we base on our legitimate interests.
  • Withdraw consent (Art. 7(3)). Opt out of optional emails at any time, without affecting anything we did before.
  • No solely-automated decisions (Art. 22). We don't make decisions with legal or similarly significant effect about you based only on automated processing. Features like festival suggestions are recommendations that you stay in control of.

To exercise any of these, email [email protected]. We'll respond within 30 days. For complex requests we may extend this by up to two further months, and we'll tell you if we need to.

Children

Screentour isn't directed at children. You must be at least 16 to use it, and 18 or older to buy a paid plan, as set out in our Terms. We don't knowingly collect data from children under 16. If you believe a child has given us their data, email [email protected] and we'll remove it.

Cookies

Screentour uses only the essential cookies required for the service to function, namely session management and security. There are no tracking cookies, no analytics cookies, and no third-party advertising scripts.

Complaints

If you think we've mishandled your data, please tell us first, and we'll do our best to put it right. You also have the right to lodge a complaint with a data protection authority.

Our lead supervisory authority is the Hamburgische Beauftragte für Datenschutz und Informationsfreiheit (HmbBfDI).

Ludwig-Erhard-Straße 22, 20459 Hamburg, Germany datenschutz-hamburg.de

If you live or work in another EU/EEA country, you can also complain to the data protection authority there. If Swiss data-protection law applies to you, your authority is the Federal Data Protection and Information Commissioner (FDPIC).

Changes to this policy

If we make significant changes, we'll email you. For minor updates, we'll just update this page with a new date.

Questions?

Email us at [email protected]. We're happy to help.

Adapted from the 37signals open-source policies under CC BY 4.0.