Smadi Privacy Policy

Privacy Policy

Version 1.1 · Effective April 19, 2026

Downloadable PDF The full Privacy Policy is available as a printable PDF for your records.

Download PDF

Summary

What this policy covers. Smadi is a streaming platform operated by Smadi, LLC (Georgia, USA), from Lisbon, Portugal. This policy explains how we collect, use, store, and protect your personal data across smadi.tv and associated subdomains.

Key commitments. All your data is stored in the European Union on Supabase EU Central infrastructure. We do not sell your personal information to anyone. We do not use behavioral tracking or build advertising profiles without your explicit consent. Advertising on our free tier is targeted only by content context, language, and approximate country — never by individual behavior.

Your rights. If you are in the EU, UK, or EEA, you have full GDPR rights including access, erasure, rectification, portability, and objection. If you are in California, you have CCPA/CPRA rights including the right to know, delete, and correct your data. Other U.S. state residents (VA, CO, CT, TX) have equivalent rights. All rights are exercised by contacting support@smadi.tv.

This summary is provided for your convenience. The authoritative legal text below is in English. In the event of any conflict between this summary (or any translation) and the English legal text, the English text prevails.

By accessing the Smadi Platform, you consent to this Privacy Policy. Before clicking to accept, you have the opportunity to read this Privacy Policy in full on-screen or in printed form, and to direct any questions to Smadi prior to acceptance at support@smadi.tv. Your acceptance confirms that you have exercised this opportunity to your satisfaction, or have voluntarily elected to proceed without doing so.

This Privacy Policy applies to all Users of the Platform, including Viewers, Creators, and Advertisers, regardless of geographic location. Users located in the European Union, the European Economic Area, or the United Kingdom are entitled to the additional rights and protections described in Section 13 (EU/UK Supplement), which governs to the extent of any conflict with the general provisions of this Policy with respect to those Users.

1. Identity of the Data Controller

Smadi, LLC, a limited liability company organized under the laws of the State of Georgia, United States of America, is the data controller in respect of personal data collected through the Platform. Smadi, LLC is a subsidiary of Red Hill Media, LLC, which does not independently collect personal data through the Platform.

Smadi's operating base is Lisbon, Portugal, and all personal data is stored within the European Union on infrastructure operated by Supabase (EU Central region), ensuring EU data residency. Smadi's designated contact for privacy matters is:

Smadi, LLC
300 Colonial Center Parkway, Suite 100
Roswell, GA 30076, United States
support@smadi.tv

A Data Protection Officer will be appointed where required by applicable law. The current privacy contact for all purposes is support@smadi.tv. Smadi will designate representatives under GDPR Article 27 (EU) and UK GDPR Article 27 prior to any material EU or UK marketing activity that requires such designation; representative contact details will be published on this Policy at that time.

2. Scope of This Policy

This Privacy Policy applies to the collection, use, storage, and disclosure of personal information by Smadi in connection with:

The Platform website at smadi.tv and all associated subdomains;
Mobile applications published by Smadi (when available);
The Creator Portal at creator.smadi.tv;
The Advertiser Portal at media.smadi.tv;
Any communications between Smadi and Users, Creators, or Advertisers, including email correspondence.

This Policy does not apply to: (a) third-party websites or services linked from the Platform, which are governed by their own privacy policies; (b) the Smadi internal operations system (team.smadi.tv), which is restricted to Smadi staff and subject to separate internal data governance policies; or (c) data collected by Advertisers through their own tracking technologies, subject to Section 10 of this Policy.

3. Categories of Personal Data Collected

3.1 Data You Provide Directly

Smadi collects personal data that you provide directly when you register an account, subscribe, upload content, or otherwise interact with the Platform:

Category	Examples
Account Registration Data	Name, email address, username, password (hashed), date of birth (for age verification)
Profile Data	Display name, profile photograph, biography, country of residence, language preferences
Payment Data	Billing name, billing address, last four digits of payment card (full card data processed by Stripe — not stored by Smadi). Bank account details for Creator payouts via Stripe Connect or Wise.
Creator Submission Data	Film titles, synopses, language and region data, upload history, metadata, legal documents (chain of title, licenses, talent releases)
Advertiser Data	Company name, contact details, campaign briefs, creative materials, billing information
Survey and Support Data	Responses to creator surveys, support inquiries, feedback submitted through the Platform
Tax and Compliance Data	Tax identification numbers (NIF, W-8BEN, EIN) collected for payout compliance purposes from Creators receiving payments

3.2 Data Collected Automatically

When you access the Platform, Smadi and its service providers automatically collect certain technical and behavioral data:

Category	Examples
Device and Technical Data	IP address, browser type and version, operating system, device type, screen resolution, referring URL
Usage Data	Pages visited, Content viewed (including timestamps), playback duration, completion rate, search queries, features accessed, errors encountered
Location Data	Country and approximate region derived from IP address (not precise GPS location)
Smadis Transaction Data	Smadis pack purchases, Smadis tips sent, Content unlocked, Smadis balance, transaction timestamps
Comments and Interactions	Timestamp-anchored comments posted, reactions, follows, and other social interactions on the Platform

3.3 Data Collected Through Cookies and Similar Technologies

Smadi uses cookies, web beacons, and similar tracking technologies to operate and improve the Platform. Full details of the cookies used, their purposes, and how to manage them are set out in the Cookie Policy, which is incorporated into this Privacy Policy by reference.

Prior to the deployment of any non-essential cookies (including analytics or advertising cookies), Smadi will obtain your explicit consent through a cookie consent management platform, in accordance with applicable EU/UK law and the U.S. state privacy laws described in Section 11.

3.4 Data Received From Third Parties

Smadi may receive personal data about you from the following third-party sources:

Stripe: payment status, subscription status, and payout confirmation data;
Wise: payout confirmation data for Creators receiving payments via Wise;
Google Gemini API: anonymized chatbot interaction metadata (no personally identifiable content is transmitted);
Anthropic Claude API: anonymized staff-facing query metadata used for platform operations (no viewer personal data is transmitted);
Mux: video delivery analytics, including playback events and delivery quality metrics, linked to session identifiers.

4. Purposes of Processing and Legal Basis

Smadi processes personal data for the following purposes. For each purpose, the applicable legal basis under EU/UK GDPR is identified. For U.S. Users, processing is conducted in accordance with applicable U.S. federal and state privacy law.

Purpose	Data Used	GDPR Legal Basis
Account creation and authentication	Registration data, device data	Performance of a contract (Art. 6(1)(b))
Providing the streaming service	Account data, usage data, subscription status	Performance of a contract (Art. 6(1)(b))
Processing subscription payments	Payment data via Stripe	Performance of a contract (Art. 6(1)(b))
Creator onboarding and content management	Creator submission data, tax data	Performance of a contract (Art. 6(1)(b))
Processing Creator payouts	Tax data, payment data, earnings records	Legal obligation (Art. 6(1)(c)); Contract (Art. 6(1)(b))
Serving contextual advertising (free tier)	IP-derived location, content viewed, language preference	Legitimate interests (Art. 6(1)(f))
Analytics and Platform improvement	Usage data, device data, anonymized viewing data	Legitimate interests (Art. 6(1)(f))
Content moderation and safety	User-generated content, reports, flags	Legal obligation; Legitimate interests
Legal and regulatory compliance	All categories as required	Legal obligation (Art. 6(1)(c))
Fraud prevention and security	Device data, transaction data, behavioral signals	Legitimate interests (Art. 6(1)(f))
Sending service communications	Email address, account data	Performance of a contract (Art. 6(1)(b))
Sending marketing communications	Email address, preference data	Consent (Art. 6(1)(a))
Behavioral advertising (future phase)	Consent-gated behavioral data	Consent (Art. 6(1)(a))
Tax reporting and record-keeping	Tax data, earnings records, payout records	Legal obligation (Art. 6(1)(c))

Where Smadi relies on legitimate interests as a legal basis, Smadi has conducted a legitimate interests assessment (LIA) and determined that its interests are not overridden by the interests, rights, or freedoms of the data subject. You have the right to object to processing based on legitimate interests as described in Section 13.

5. Advertising and Tracking Technologies

5.1 Contextual Advertising

Smadi's free tier is supported by advertising. Advertising displayed to free-tier Users is targeted based on the following non-behavioral signals only: (a) the content category of the Content currently being viewed; (b) the User's language preference as set in their account; and (c) approximate geographic location derived from IP address (country and region only). No individual behavioral profile is created for advertising purposes based on this data.

5.2 No Individual Behavioral Tracking Without Consent

Smadi does not deploy individual behavioral tracking for advertising purposes (including cross-site tracking, interest-based profiling, or retargeting) without your prior, freely given, specific, informed, and unambiguous consent. If Smadi introduces behavioral advertising in a future platform phase, a separate consent flow will be presented to all Users before any such tracking commences.

5.3 Advertiser Data Sharing

Smadi shares only aggregate, anonymized audience data with Advertisers for campaign reporting purposes. This data does not identify any individual User and does not constitute personal data. Individual viewer-level data is never shared with Advertisers under any circumstances. Advertiser tracking pixels require explicit User consent under the cookie consent framework prior to deployment.

5.4 Third-Party Analytics

Smadi may use third-party analytics providers to understand Platform usage and improve performance. Such providers process data under data processing agreements with Smadi and are not permitted to use data for their own commercial purposes. Details of analytics providers in use are set out in the Cookie Policy.

6. Data Sharing and Disclosure

6.1 Service Providers (Data Processors)

Smadi shares personal data with the following categories of service providers who process data on Smadi's behalf, subject to data processing agreements that require them to protect your data and use it only for the purposes specified by Smadi:

Service Provider	Purpose / Data Shared
Payment Processing — Stripe	Payment data for subscription billing, Smadis purchases, Creator payouts via Stripe Connect
International Payments — Wise	Creator name, payout amount, bank account details for international Creator payouts (Phase 1 fallback rail)
Video Infrastructure — Mux	Video files, playback session identifiers, delivery analytics
Cloud Hosting — Supabase (EU Central)	All platform data stored within the EU. Supabase processes data as a data processor under a DPA.
Content Delivery — Cloudflare	Web request data for Platform delivery, edge caching, and DDoS protection
AI Services — Google Gemini API	Scoped, anonymized chatbot interaction data (viewer and creator portals only — no PII transmitted)
AI Services — Anthropic Claude API	Scoped, anonymized operational query data (staff portal only — no viewer PII transmitted)
E-Signature — ZohoSign	Name, email address, and document content for contracts executed via ZohoSign
Email Communication — Resend	Email address and communication content for transactional and notification emails

6.2 Legal Disclosure

Smadi may disclose your personal data to law enforcement agencies, courts, regulators, or other public authorities where required to do so by applicable law, valid legal process (including court orders and subpoenas), or where Smadi in good faith believes disclosure is necessary to: (a) comply with a legal obligation; (b) protect and defend the rights or property of Smadi; (c) prevent or investigate possible wrongdoing in connection with the Platform; or (d) protect the personal safety of Users or the public.

6.3 Business Transfers

In the event of a merger, acquisition, reorganization, sale of assets, or bankruptcy involving Smadi or Red Hill Media, LLC, your personal data may be transferred to a successor entity as part of that transaction. You will be notified of any such transfer and any material changes to the way your data is used, and where required by applicable law, your consent will be sought.

6.4 No Sale of Personal Data

Smadi does not sell, rent, or trade your personal data to any third party for that party's independent commercial purposes. This applies to all Users regardless of geographic location and is consistent with Smadi's obligations under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and the privacy laws of other U.S. states described in Section 11.

7. International Data Transfers

7.1 Data Residency

All personal data collected by Smadi is stored within the European Union on Supabase infrastructure located in the EU Central region. This ensures that personal data of EU/UK Users remains within the EU/EEA at the point of storage.

7.2 Transfers to Third-Party Service Providers

Some of Smadi's service providers are located outside the European Economic Area, including in the United States. Where Smadi transfers personal data from the EU/EEA to a country not recognized by the European Commission as providing an adequate level of data protection, Smadi relies on one or more of the following safeguards:

Standard Contractual Clauses (SCCs) approved by the European Commission (Commission Decision 2021/914), incorporated into data processing agreements with the relevant service providers;
The EU-U.S. Data Privacy Framework (DPF), where the recipient is certified under that framework;
UK International Data Transfer Agreements (IDTAs) for transfers from the UK, where applicable.

A list of the transfer mechanisms relied upon for each international service provider is available upon request by contacting support@smadi.tv.

7.3 Transfer Impact Assessments

Where required under applicable EU/UK supervisory authority guidance, Smadi conducts Transfer Impact Assessments (TIAs) prior to commencing international transfers. TIAs are reviewed and updated whenever there is a change in the legal or factual circumstances relevant to the transfer.

8. Data Retention

Smadi retains personal data only for as long as is necessary to fulfil the purposes for which it was collected, to comply with legal obligations, and to resolve disputes. The following retention schedule applies:

Data Category	Retention Period
Account and profile data	Duration of account plus 30 days following account deletion, then permanently deleted (except as required by law)
Payment and billing records	7 years from the date of the transaction
Creator earnings and payout records	7 years from the date of payout
Tax compliance documents (W-8BEN, NIF)	4 years from the date of last payment
Creator contract records	Duration of contract plus 7 years following expiration or termination
Content (uploaded films and metadata)	Duration of Creator License Agreement plus 30 days following license termination
Usage and analytics data (anonymized)	Up to 36 months in anonymized, aggregated form
Support and correspondence records	3 years from the date of last interaction
Fraud and security logs	2 years, or longer if subject to an active investigation
Cookie consent records	5 years from the date of consent
Deleted account data	30 days in backup systems following deletion request, then permanently purged

Where data is retained for legal compliance purposes beyond the standard account lifecycle, it is isolated from active processing systems, accessible only to authorized personnel, and deleted as soon as the legal retention obligation expires.

9. Data Security

Smadi implements appropriate technical and organizational measures to protect personal data against unauthorized access, disclosure, alteration, or destruction. These measures include:

All personal data is stored within EU-region Supabase infrastructure with encryption at rest and in transit (TLS 1.2 minimum);
Row Level Security (RLS) is enforced at the database level, ensuring that each user role can access only the data to which they are entitled;
All financial write operations are conducted through server-side edge functions using service-role credentials — no client-side financial writes are permitted;
No financial data is stored in plaintext; all monetary values are stored as integer cents and processed through Stripe's PCI-DSS compliant infrastructure;
All platform API keys and credentials are stored exclusively in server-side environment variables — no secrets are committed to source code or accessible to the frontend;
Access to the internal operations system (team.smadi.tv) is restricted to verified staff with role-appropriate access, created manually by the system administrator — there is no public signup;
Regular security audits, rate limiting on all edge functions, and Content Security Policy (CSP) headers are implemented as part of platform security hardening;
An immutable audit log records all material financial and administrative decisions, including who acted, when, and why.

Notwithstanding these measures, no transmission of data over the internet or method of electronic storage is completely secure. Smadi cannot guarantee absolute security of personal data. In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, Smadi will notify the relevant supervisory authority within 72 hours of becoming aware, and will notify affected individuals without undue delay where the breach is likely to result in a high risk to those individuals, in accordance with Article 33 and Article 34 of the GDPR.

10. Children's Privacy

The Platform is not directed to children under the age of thirteen (13). Smadi does not knowingly collect personal information from children under the age of thirteen (13). If Smadi becomes aware that it has collected personal information from a child under thirteen (13) without verifiable parental consent, Smadi will take immediate steps to delete that information from its systems.

Users between the ages of thirteen (13) and seventeen (17) may access the Platform only with the prior verifiable consent of a parent or legal guardian. Where such Users access the Platform, Smadi will: (a) collect only the minimum personal data necessary; (b) not serve behavioral advertising to such Users under any circumstances; (c) not share such Users' personal data with third parties for marketing purposes; and (d) enable parental review and deletion of such Users' data upon request.

If you are a parent or legal guardian and believe that your child under the age of thirteen (13) has provided personal information to Smadi without your consent, please contact Smadi immediately at support@smadi.tv to request deletion of that information.

11. U.S. User Rights

11.1 California Residents (CCPA/CPRA)

California residents have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

Right to Know: The right to request disclosure of the categories and specific pieces of personal information Smadi has collected about you, the categories of sources, the business or commercial purpose for collection, and the categories of third parties with whom Smadi shares your information.
Right to Delete: The right to request deletion of personal information Smadi has collected about you, subject to certain exceptions.
Right to Correct: The right to request correction of inaccurate personal information.
Right to Opt-Out of Sale or Sharing: Smadi does not sell or share personal information for cross-context behavioral advertising. If this practice changes, you will be notified and provided a clear opt-out mechanism.
Right to Limit Use of Sensitive Personal Information: The right to limit Smadi's use of sensitive personal information to purposes authorized under the CPRA.
Right to Non-Discrimination: Smadi will not discriminate against you for exercising any of your CCPA/CPRA rights.

To exercise any of these rights, please submit a verifiable consumer request to support@smadi.tv. Smadi will respond within 45 days of receipt of a verifiable request. This period may be extended by an additional 45 days where reasonably necessary, with notice to the requesting party.

11.2 Other U.S. State Privacy Rights

Residents of the following states have substantially similar privacy rights under their applicable state privacy laws, and may exercise those rights through the same contact mechanism:

Virginia (Virginia Consumer Data Protection Act — VCDPA)
Colorado (Colorado Privacy Act — CPA)
Connecticut (Connecticut Data Privacy Act — CTDPA)
Texas (Texas Data Privacy and Security Act — TDPSA)
Other U.S. states as applicable state privacy legislation enters into force

Smadi will respond to rights requests from residents of these states in accordance with the applicable state law requirements and within the response windows mandated by those laws.

12. Cookies and Consent Management

Smadi uses cookies and similar technologies to operate the Platform, remember your preferences, and, with your consent, to analyze Platform performance. Smadi's use of cookies is governed by the Cookie Policy.

Smadi will present a cookie consent banner to all Users upon first access to the Platform, and to all returning Users where consent has not previously been captured or has expired. Consent is managed through a Cookie Management Platform (CMP) that records consent status, consent timestamp, and the version of the cookie policy in effect at the time of consent.

You may withdraw or modify your cookie consent at any time by accessing the Cookie Settings tool available at the footer of every page on the Platform. Withdrawal of consent does not affect the lawfulness of processing carried out on the basis of consent prior to its withdrawal.

13. EU/UK GDPR Supplement

This Section 13 applies exclusively to Users located in the European Union, the European Economic Area, or the United Kingdom, and supplements the general provisions of this Privacy Policy. In the event of any conflict between this Section 13 and the preceding sections of this Policy with respect to EU/UK Users, this Section 13 prevails.

13.1 Data Controller Identification (GDPR Art. 13/14)

For the purposes of EU/UK GDPR, the data controller is Smadi, LLC, 300 Colonial Center Parkway, Suite 100, Roswell, GA 30076, United States. Smadi's representatives under GDPR Article 27 (EU) and UK GDPR Article 27 will be designated prior to any material EU or UK marketing activity that requires such designation; representative details will be published on this Policy at that time. The current privacy contact for all purposes is support@smadi.tv.

13.2 Your Rights Under EU/UK GDPR

EU/UK Users have the following rights under the GDPR and UK GDPR respectively. These rights may be exercised by contacting support@smadi.tv. Smadi will respond to rights requests within one calendar month of receipt, with the option to extend this period by a further two months where the request is complex or numerous, with notice to the requesting party.

Right	Description
Right of Access (Art. 15)	Obtain confirmation of whether Smadi processes personal data about you, and receive a copy of that data and supplementary information about how it is processed.
Right to Rectification (Art. 16)	Require Smadi to correct without undue delay any inaccurate personal data concerning you, and to have incomplete personal data completed.
Right to Erasure (Art. 17)	Require Smadi to delete your personal data in defined circumstances, subject to exceptions including legal record-keeping obligations.
Right to Restriction (Art. 18)	Require Smadi to restrict processing of your personal data in defined circumstances.
Right to Data Portability (Art. 20)	Receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.
Right to Object (Art. 21)	Object at any time to processing based on Smadi's legitimate interests.
Right to Withdraw Consent (Art. 7(3))	Withdraw consent at any time where processing is based on consent.
Automated Decision-Making (Art. 22)	Not be subject to solely automated decisions producing legal or similarly significant effects. Smadi does not currently employ such automated decision-making.

13.3 Right to Lodge a Complaint

Without prejudice to any other administrative or judicial remedy, EU/UK Users have the right to lodge a complaint with a supervisory authority. Smadi's lead supervisory authority, by virtue of its operating base in Lisbon, Portugal, is the Comissão Nacional de Proteção de Dados (CNPD), and for UK Users, the Information Commissioner's Office (ICO).

13.4 Legal Bases Summary

The legal bases on which Smadi relies for processing personal data are identified in Section 4 of this Privacy Policy. Where processing is based on legitimate interests under Article 6(1)(f), you may request the specific legitimate interests assessment (LIA) conducted by Smadi by contacting support@smadi.tv.

13.5 Automated Processing and Profiling

Smadi does not make any decisions based solely on automated processing of personal data that produce legal effects concerning you or similarly significantly affect you within the meaning of Article 22 GDPR. Platform recommendations and content discovery features use algorithmic processing to suggest Content, but these do not produce decisions with legal or equivalent significance, and human editorial oversight is applied to all featured content designations.

13.6 Data Protection Impact Assessments (DPIA)

Smadi will conduct Data Protection Impact Assessments (DPIAs) prior to commencing any processing operations that are likely to result in a high risk to the rights and freedoms of natural persons, in accordance with Article 35 GDPR.

13.7 Special Categories of Personal Data

Smadi does not intentionally collect special categories of personal data as defined under Article 9 GDPR. Where such data is incidentally collected through Creator content metadata or profile descriptions, it is processed solely to the extent necessary for the operation of the Platform and is subject to enhanced access restrictions.

14. Updates to This Privacy Policy

Smadi reserves the right to update this Privacy Policy at any time. Material changes will be communicated to registered Users via the email address on file at least thirty (30) days prior to the change taking effect, and by prominent notice on the Platform. For EU/UK Users, where a material change affects the legal basis on which data is processed, Smadi will seek fresh consent where required by applicable law.

The version number and effective date at the top of this Policy identify the current version. Your continued use of the Platform following the effective date of any update constitutes your acceptance of the updated Policy, to the extent permitted by applicable law.

15. Contact and Privacy Requests

For any questions, concerns, or requests relating to this Privacy Policy or Smadi's data practices, please contact:

Privacy Inquiries: support@smadi.tv
Data Subject Rights Requests: support@smadi.tv (subject line: 'Data Rights Request — [Your Name]')
Registered Address: 300 Colonial Center Parkway, Suite 100, Roswell, GA 30076

You also have the right to direct any questions about this Policy to your designated Smadi contact prior to accepting it, and Smadi will respond to such inquiries within five (5) business days.