Privacy Policy

Last updated: February 19, 2026

We take the protection of your personal data seriously. This privacy policy informs you about what data we collect, process, and store in connection with our website media-player.app and the associated SaaS platform.

1. Data Controller

The data controller within the meaning of the General Data Protection Regulation (GDPR) is:

TopRed Media GmbH
Witthöpen 30
27389 Fintel
Germany

Phone: +49 (0) 4261 1842690
Email: info@topred-media.com

2. Overview of Data Processing

In the course of providing our services, we process the following categories of data:

  • Account data (name, email address, organization name)
  • Authentication data (hashed passwords, API tokens)
  • Technical device data (device ID, hardware profile, firmware version)
  • Telemetry data (CPU temperature, memory usage, disk usage)
  • Server log data (IP address, user agent, timestamps)

3. Legal Bases

The processing of personal data is based on the following legal grounds:

  • Performance of contract (Art. 6(1)(b) GDPR): Processing necessary for the performance of the service agreement, in particular account creation, authentication, and provision of platform features.
  • Legitimate interest (Art. 6(1)(f) GDPR): Processing to ensure IT security, fraud prevention, error diagnosis, and improvement of our services.

4. Account Data

During registration, we collect the following data:

  • Full name
  • Email address
  • Password (stored as a Bcrypt hash, never in plain text)
  • Organization name and identifier (tenant)

Legal basis: Performance of contract (Art. 6(1)(b) GDPR). This data is required for account creation and use of the platform.

5. Authentication and Session Data

For secure use of the platform, we process:

  • API tokens (stored as SHA256 hashes, never in plain text)
  • Session data (stored encrypted in cookies)
  • Password reset tokens (hashed, expire after 60 minutes)

API tokens are stored with their last usage timestamp and an optional expiration date. You can revoke tokens at any time via the dashboard.

6. Cookies

We only use technically necessary cookies. No analytics, tracking, or advertising cookies are used.

Cookie | Purpose | Duration
auth_token | Authentication in the SaaS dashboard | 30 days
i18n_locale | Language preference (DE, EN, ES, AF, PL, NDS) | Session
XSRF-TOKEN | Cross-site request forgery protection | Session

No cookies are shared with third parties. No tracking takes place.

7. Device Data (Player)

For managing digital signage devices (players), we store the following technical data:

  • Device ID (UUID), system-generated
  • Device name (assigned by the administrator)
  • Hardware profile, firmware version, and Docker image version
  • Device token (stored as SHA256 hash)

Legal basis: Performance of contract (Art. 6(1)(b) GDPR). This is technical device data, not personal data of natural persons.

8. Telemetry and Monitoring

Player devices send technical status data to our servers at regular intervals (default: 60 seconds):

  • CPU temperature
  • CPU load (load average)
  • Memory usage (percent)
  • Disk usage (percent)
  • Current playback status

This data is purely technical and does not contain any personal information. It is used for operational monitoring and error diagnosis.

9. Playout Events

For playback documentation (proof of play), we record which content was played on which device, when, and for how long. This data does not contain any personal information about viewers — no cameras, microphones, or other sensors are used to capture audience data.

10. Content Data

Uploaded media (images, videos, HTML files) are stored with the following metadata: file name, SHA256 checksum, MIME type, file size, dimensions, and video duration where applicable. Files are stored within the EU (see Hosting section).

The content of uploaded media is the responsibility of the respective user (tenant) as an independent data controller. If uploaded content contains personal data (e.g., images of identifiable individuals), the data protection responsibility lies with the user.

11. Hosting and Infrastructure

Our infrastructure is operated exclusively within the European Union:

  • Application server: located in Germany
  • Database: PostgreSQL, hosted in the EU
  • File storage: AWS S3, region eu-central-1 (Frankfurt, Germany)

12. Server Log Files

Each time our servers are accessed, the following data is automatically stored in log files:

  • IP address of the accessing system
  • Requested URL and HTTP method
  • Browser identifier (user agent)
  • Date and time of access

Log files are automatically deleted after 14 days.

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR). Storage is necessary to ensure secure and stable server operation.

13. Third-Party Services

We do not use any analytics, tracking, or advertising services. No data is transmitted to Google Analytics, Facebook, or comparable providers.

Amazon Web Services (AWS) S3

For storing media files, we use AWS S3 in the eu-central-1 region (Frankfurt). AWS processes data on our behalf based on a data processing agreement (DPA) pursuant to Art. 28 GDPR. Only media files and their metadata are stored — no personal user data.

14. Data Transfers to Third Countries

No personal data is transferred to countries outside the European Union or the European Economic Area. All data processing takes place on servers in Germany and the EU.

15. Data Security

We implement comprehensive technical and organizational measures to protect your data:

  • Encrypted data transmission via HTTPS/TLS on all connections
  • Passwords are stored exclusively as Bcrypt hashes (12 rounds)
  • API and device tokens are stored as SHA256 hashes
  • Strict tenant isolation at the database level — no cross-tenant access possible

16. Data Retention and Deletion

Personal data is only stored for as long as necessary for the respective processing purpose:

Data category | Retention period
Account data (name, email) | Until account deletion
Session data | 120 minutes (session duration)
Server log files | 14 days (automatic rotation)
Password reset tokens | 60 minutes
Media and content | Until deletion by the user

17. Your Rights as a Data Subject

Under the GDPR, you have the following rights:

  • Right of access (Art. 15 GDPR): You may request information about the personal data we store about you.
  • Right to rectification (Art. 16 GDPR): You may request correction of inaccurate data.
  • Right to erasure (Art. 17 GDPR): You may request deletion of your data, provided no legal retention obligation applies.
  • Right to restriction (Art. 18 GDPR): You may request restriction of the processing of your data.
  • Right to data portability (Art. 20 GDPR): You may request your data in a machine-readable format.
  • Right to object (Art. 21 GDPR): You may object to the processing of your data based on legitimate interests at any time.

To exercise your rights, please contact info@topred-media.com.

18. Right to Lodge a Complaint

If you believe that the processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority. The supervisory authority responsible for us is:

Die Landesbeauftragte für den Datenschutz Niedersachsen (Lower Saxony Data Protection Authority)
Prinzenstraße 5
30159 Hannover
www.lfd.niedersachsen.de

19. Changes to This Privacy Policy

We reserve the right to update this privacy policy in response to changes in our services or the legal framework. The current version is always available at media-player.app/legal/privacy.