Privacy Policy

Last updated: March 2026

1. Who We Are and How to Contact Us

TribuShare is operated by SYLOE GROUP, SAS, registered in France (SIREN 898 633 409), with its registered office at 1 rue Albert Camus, 95130 Le Plessis-Bouchard, France. SYLOE GROUP, SAS is the data controller for personal data processed in connection with the operation of the TribuShare Service.

Data Controller	SYLOE GROUP, SAS — 1 rue Albert Camus, 95130 Le Plessis-Bouchard, France
Privacy enquiries	privacy@tribushare.com
Data subject rights	privacy@tribushare.com — response within 30 days
Supervisory authority	CNIL — 3 place de Fontenoy, 75007 Paris — www.cnil.fr

2. Scope and Application

This Privacy Policy applies to personal data collected and processed by SYLOE GROUP, SAS through the TribuShare platform, including the website (tribushare.com), web and mobile applications, APIs, and all related services. It applies to all Users: Viewers, Creators, and Partners.

This Privacy Policy does not apply to the personal data of Viewers collected by Creators through their distribution activity on TribuShare. In that context, the Creator is the data controller and TribuShare acts as data processor — governed by Data Processing Addendum.

TribuShare operates primarily within the European Union and is subject to GDPR (Regulation (EU) 2016/679). Where TribuShare processes data of individuals in other jurisdictions, TribuShare complies with applicable local data protection law to the extent required.

3. Personal Data We Collect

3.1 Data You Provide Directly

Account registration: name, email address, password (hashed), country of residence, language preference
Creator Account additional data: legal name or business name, tax identification number, payment account details (IBAN or equivalent), billing address
Partner Account additional data: promotional channel information, website or social media URL
Payment data: credit/debit card details and payment instrument data processed by Stripe (TribuShare does not store card numbers — Stripe acts as independent data controller for payment data)
Communications: content of messages sent to TribuShare support, legal@tribushare.com, or privacy@tribushare.com
UGC: reviews, comments, forum posts, and live event chat messages submitted through the Service
Content metadata: for Creators, film titles, descriptions, cast/crew information, and territorial availability settings uploaded to the Service

3.2 Data Collected Automatically

Usage data: pages visited, features used, content viewed, search queries, referral source, session duration
Device and technical data: IP address, browser type and version, operating system, device identifiers, screen resolution
Streaming data: playback events (start, pause, completion), buffering events, viewing duration, and quality metrics — used for service optimisation and Creator analytics
Transaction data: purchase history, ticket purchases, donation amounts, referral conversions
Log data: server access logs, error logs, security event logs — retained for a maximum of 6 months
Cookies and tracking data: as described in Section 6

3.3 Data from Third Parties

Payment confirmation and fraud signals from Stripe
Social login data where you choose to authenticate via a third-party identity provider (Google, Apple, etc.) — limited to the data you authorise that provider to share
Partner tracking data: click and conversion events generated through Partner Links, used for Commission attribution

4. How We Use Your Personal Data — Legal Bases

TribuShare processes personal data only where a valid legal basis under GDPR Art. 6 applies. Each processing activity has a single designated legal basis.

Processing Activity	Legal Basis (GDPR Art. 6)	Retention Period	Primary Processor
Account creation and management	Contract (Art. 6.1.b)	Duration of Account + 3 years	Neon DB (EU region) + application layer
Payment processing and billing	Contract (Art. 6.1.b)	Duration + 10 years (accounting)	Stripe Inc. (DPF certified)
Content delivery and streaming	Contract (Art. 6.1.b)	Duration of access period	Gumlet / Cloudflare CDN
Creator Revenue Share calculation and disbursement	Contract (Art. 6.1.b)	Duration + 10 years (accounting)	TribuShare / Stripe
Partner Commission tracking and payment	Contract (Art. 6.1.b)	Duration + 3 years	TribuShare Tracking System
Customer support and legal correspondence	Legitimate interests (Art. 6.1.f)	3 years from last interaction	Support CRM (EU-hosted)
Fraud detection and platform security	Legitimate interests (Art. 6.1.f)	6 months (logs) / 3 years (fraud cases)	TribuShare / Cloudflare
Service analytics and performance optimisation	Legitimate interests (Art. 6.1.f) or Consent	13 months maximum	PostHog
Transactional email notifications	Contract (Art. 6.1.b)	3 years	Brevo
Marketing newsletter (opt-in)	Consent (Art. 6.1.a)	Until consent withdrawn	Brevo
Tax and regulatory compliance	Legal obligation (Art. 6.1.c)	10 years	TribuShare accounting
Technical server and security logs	Legitimate interests (Art. 6.1.f)	6 months	Hosting provider (EU)
Creator audience analytics (aggregate)	Legitimate interests (Art. 6.1.f)	13 months	PostHog / TribuShare
Viewing status tracking (not started / in progress / completed) for withdrawal right determination	Legitimate interests (Art. 6.1.f)	Duration of access period + 3 years (statute of limitations)	TribuShare application layer
DRM and watermark attribution	Legitimate interests (Art. 6.1.f)	Duration of content availability + 3 years	Gumlet DRM / TribuShare
Marketplace tax calculation and collection (VAT/GST/sales tax on Viewer purchases)	Legal obligation (Art. 6.1.c) — EU OSS registration + applicable marketplace facilitator laws	10 years (tax record retention requirement)	Stripe Tax / TribuShare
DAC7 platform operator reporting — Creator (seller) revenue reporting to tax authorities	Legal obligation (Art. 6.1.c) — EU Directive 2021/514 (DAC7), applicable from threshold	10 years	TribuShare accounting / SYLOE GROUP
Content rating declaration storage (Creator-declared rating per film)	Contract (Art. 6.1.b) — required for platform operation and legal compliance	Duration of Content availability + 5 years (legal record)	TribuShare / Neon DB
Internal AI content assessment score (platform-generated, not disclosed to Creator)	Legitimate interests (Art. 6.1.f) — platform safety, AVMSD compliance, regulatory defensibility	Duration of Content availability + 5 years	TribuShare (internal only — not shared with Creator or third parties)

Legitimate interests pursued by TribuShare include: operating a secure and functional service; preventing fraud and abuse; improving the platform based on usage patterns; and enforcing our Terms of Service. Where legitimate interests are relied upon, TribuShare has conducted a balancing test confirming that these interests are not overridden by the data subjects' rights and freedoms.

5. Who We Share Your Data With

5.1 Sub-Processors (Service Providers)

TribuShare uses the following third-party service providers who process personal data on TribuShare's behalf. A Data Processing Agreement (DPA) is in place or in progress with each provider. DPA reference URLs are provided for transparency and can be verified independently.

Provider	Purpose	Location	Transfer Basis	DPA URL
Stripe, Inc.	Payments & Stripe Connect	US (DPF certified)	EU-US DPF + SCCs	stripe.com/legal/dpa
Neon, Inc.	Primary PostgreSQL DB — all user & transaction data	US (EU region: eu-central-1)	DPF + SCCs + UK Addendum + SOC 2 Type 2	neon.tech/partnerdpa
Gumlet	Video streaming, encoding, CDN	Global (EU primary)	SCCs	support@gumlet.com
Cloudflare, Inc.	CDN, DDoS, security proxy	Global (EU primary)	SCCs	cloudflare.com/cloudflare-customer-dpa
Brevo (Sendinblue)	Email: transactional & newsletter	EU (France)	EU — no transfer	CGU Brevo — section DPA
PostHog (EU cloud)	Product analytics	EU (eu-central-1)	EU — no transfer	posthog.com/dpa
Sentry (Functional Software, Inc.)	Error monitoring and performance tracking	US (DPF certified)	EU-US DPF + SCCs	sentry.io/legal/dpa

DPF = EU-US Data Privacy Framework. SCC = EU Standard Contractual Clauses (Commission Decision 2021/914). SOC 2 = independent annual security audit. TribuShare notifies users within 30 days of any sub-processor change. Full list: privacy@tribushare.com.

5.2 Creators — Access to Viewer Data and Joint Controllership

Creators have access to aggregated and anonymised audience analytics for their Content through the Creator Dashboard (e.g., total views, geographic distribution, engagement metrics). Creators do not have access to individually identifiable Viewer data (names, email addresses, payment details) unless the Viewer has explicitly consented to share their contact information with the Creator through the platform's opt-in mechanism.

Where a Viewer purchases access to a Creator's Content or registers for a Creator's live event, TribuShare may share the Viewer's email address with the Creator solely for the purpose of delivering that specific purchase or event — and only where this is necessary to fulfil the service. This processing is governed by the Creator's own privacy policy and the Creator's obligations as data controller under Data Processing Addendum.

Where a Viewer opts in to a Creator's marketing newsletter at account creation, TribuShare and the Creator act as joint controllers within the meaning of GDPR Art. 26 with respect to that email address at the point of transfer. TribuShare collects the email as controller for account management purposes; upon opt-in confirmation, TribuShare transfers the email to the Creator's designated email platform (Brevo, Mailchimp, or equivalent). From the point of transfer, the Creator becomes the sole data controller for that email address for marketing purposes. The Creator is solely responsible for operating their newsletter in compliance with applicable e-privacy and anti-spam law (including EU opt-in requirements).

5.3 Legal Disclosure

TribuShare may disclose personal data to law enforcement authorities, regulatory bodies, or courts where required by applicable law, court order, or regulatory instruction. TribuShare will endeavour to notify the affected User in advance where legally permitted. TribuShare will not disclose personal data in response to informal requests from law enforcement without a formal legal mandate.

5.4 Business Transfers

In the event of a merger, acquisition, or sale of all or substantially all of TribuShare's assets, personal data held by TribuShare may be transferred to the acquiring entity as part of the transaction, subject to equivalent data protection safeguards and notification to affected Users.

5.5 No Sale of Personal Data

TribuShare does not sell, rent, or trade personal data to third parties for their own marketing or commercial purposes. TribuShare does not allow third-party advertisers to target Users on the basis of their TribuShare activity.

6. Cookies and Tracking Technologies

6.1 What We Use

TribuShare uses cookies, local storage, and similar tracking technologies to operate the Service and, where you have consented, to analyse usage and improve the platform.

Category	Can be disabled?	Purpose
Strictly necessary	No — required for Service to function	Authentication, session management, security, payment processing, streaming DRM
Functional	Yes — via consent banner	Language preference, playback settings, Creator dashboard state
Analytics	Yes — via consent banner	Usage statistics, performance monitoring, error tracking (PostHog where consented)
Partner tracking	Yes — via consent banner (affects Commission attribution)	Attribution of referral traffic to Partner Links for Commission calculation

6.2 Managing Your Preferences

At your first visit, a consent management banner allows you to accept or decline non-essential cookies. The banner provides equally prominent "Accept All" and "Reject All" options, in compliance with CNIL recommendations (2020, updated 2022). You may change your preferences at any time via the cookie settings link in the footer of the Service. Consent is valid for a maximum of 13 months, after which your preferences will be requested again. For detailed information about the specific cookies used on the Service, including their names, providers, and durations, please see our Cookie Policy.

7. Your Rights

If you are located in the European Union or European Economic Area, you benefit from the following rights under GDPR. TribuShare will respond to all valid requests within 30 days of receipt. Where a request is complex or numerous, the response period may be extended by a further 60 days with notice to you. All standard requests are free of charge.

Right	What it means in practice
Access (Art. 15)	Request a copy of all personal data TribuShare holds about you, including processing purposes and retention periods.
Rectification (Art. 16)	Request correction of inaccurate personal data. Update most data directly through your Account settings.
Erasure (Art. 17)	Request deletion of your personal data where: (i) it is no longer necessary for the purpose it was collected; (ii) you withdraw consent and no other basis applies; (iii) you object to processing and no overriding legitimate interest exists. Note: TribuShare may retain data where required by legal obligation (e.g., accounting records).
Restriction (Art. 18)	Request that TribuShare restrict processing of your data pending resolution of an objection or accuracy dispute.
Portability (Art. 20)	Receive your personal data in a structured, commonly used, machine-readable format (CSV or JSON) for data processed by automated means on the basis of contract or consent.
Objection (Art. 21)	Object to processing based on legitimate interests. TribuShare will cease processing unless it demonstrates compelling legitimate grounds that override your interests, rights, and freedoms.
Withdraw Consent (Art. 7.3)	Withdraw consent for any processing based on consent (e.g., marketing emails, analytics cookies) at any time, without affecting the lawfulness of processing before withdrawal.
Lodge a complaint	Lodge a complaint with the CNIL (France) or the supervisory authority of your EU country of residence, at any time, regardless of whether you have first raised the matter with TribuShare.

8. International Data Transfers

TribuShare is based in France and processes data primarily within the European Union. Some sub-processors operate globally or in the United States. Where personal data is transferred outside the European Economic Area (EEA), TribuShare ensures that appropriate safeguards are in place:

EU-US Data Privacy Framework (DPF) — for US-based processors certified under the DPF (including Stripe and Google)
EU Standard Contractual Clauses (SCCs) — the 2021 Commission SCCs, incorporated into DPAs with processors in non-adequate countries
Adequacy decisions — where the European Commission has determined that the destination country provides an adequate level of protection

TribuShare does not transfer personal data to countries without an applicable transfer mechanism. The sub-processor list in Section 5.1 identifies the transfer mechanism applicable to each provider. You may request a copy of the relevant SCCs by contacting privacy@tribushare.com.

9. Data Security

TribuShare implements appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include:

Encryption of personal data in transit (TLS 1.2+) and at rest (AES-256 or equivalent)
Access controls: role-based access, least-privilege principles, multi-factor authentication for administrative access
Regular automated backups with 90-day retention
Security monitoring: intrusion detection, anomaly alerting, and regular vulnerability scanning
Secure software development practices including code review and dependency auditing
DRM protection for all streamed Content to prevent unauthorised copying

No system can guarantee absolute security. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, TribuShare will notify the CNIL within 72 hours of becoming aware of the breach, and will notify affected Users without undue delay where the risk to their rights is high.

10. Minors

The Service is intended for individuals aged 18 and over. TribuShare does not knowingly collect personal data from individuals under the age of 18. If TribuShare becomes aware that personal data has been collected from a minor without appropriate parental consent, TribuShare will delete such data promptly. If you believe that a minor's data has been collected, please contact privacy@tribushare.com immediately.

11. Changes to This Privacy Policy

TribuShare may update this Privacy Policy from time to time to reflect changes in the law, our data processing activities, or our services. Material changes will be notified by email and by a prominent notice on the Service at least 30 days before taking effect. The effective date is displayed at the top of this document.

Data Processing Addendum (DPA)

Last updated: March 2026

DPA 1. Parties, Roles and Relationship

DPA 1.1 Data Controller

The Creator, as defined in the Creator Agreement, acts as the data controller for personal data of Viewers who purchase access to, or otherwise engage with, the Creator's Content on TribuShare. The Creator determines the purposes and means of processing such data, including the pricing, access conditions, territories, and marketing activities associated with their Content.

DPA 1.2 Data Processor

SYLOE GROUP, SAS (operating TribuShare) acts as the data processor on behalf of the Creator for personal data processed in connection with the Creator's distribution activity on TribuShare. TribuShare processes such data solely on documented instructions from the Creator (as expressed through the Creator's configuration of the platform tools), except where required to do so by applicable law.

DPA 1.3 Independent Controller Activities

Notwithstanding the above, TribuShare acts as an independent data controller (not as processor) for: (i) personal data processed for TribuShare's own operational purposes (account management, fraud prevention, platform analytics, legal compliance) and (ii) aggregated and anonymised data derived from platform activity, which TribuShare may use for product development and reporting without restriction.

DPA 2. Subject Matter, Duration, and Scope

DPA 2.1 Subject Matter

The subject matter of the processing is the operation of the TribuShare platform for the Creator's distribution activities, including: secure video hosting and delivery; payment processing and revenue management; audience access management; referral tracking; live event hosting; and associated analytics.

DPA 2.2 Duration

Processing continues for the duration of the Creator Agreement and any renewal periods, until the Creator Account is terminated and all personal data is deleted or exported pursuant to DPA, Section 7.

DPA 2.3 Categories of Data Subjects

Viewers who purchase or obtain access to the Creator's Content
Viewers who register for live events hosted by the Creator
Individuals who engage with the Creator's referral program through Partner Links
Individuals who subscribe to the Creator's newsletter through the TribuShare platform opt-in

DPA 2.4 Categories of Personal Data

Identity data: name, email address, account identifier
Transaction data: purchase history, access periods, ticket orders, donation amounts
Engagement data: viewing history, event participation, referral activity
Contact preferences: newsletter opt-in/opt-out status, communication language
Technical data: IP address (at point of access), device type — retained in logs for 6 months maximum

DPA 2.5 Processing Purposes

TribuShare processes Viewer personal data on the Creator's behalf solely for the following purposes: (i) enabling Viewer access to purchased Content; (ii) processing payments and issuing receipts; (iii) providing Creator analytics dashboards; (iv) operating live events; (v) managing referral attributions; and (vi) delivering transactional email communications (purchase confirmations, event reminders) where instructed by the Creator.

DPA 3. TribuShare's Obligations as Processor

DPA 3.1 Processing on Instructions Only

TribuShare shall process Viewer personal data only on documented instructions from the Creator, as expressed through the Creator's configuration of the TribuShare platform tools and the terms of the Creator Agreement. TribuShare shall promptly inform the Creator if, in its opinion, an instruction infringes GDPR or other applicable data protection law, before proceeding with the instruction.

DPA 3.2 Confidentiality

TribuShare ensures that all personnel authorised to process Viewer personal data are subject to binding confidentiality obligations. Access to Viewer personal data is restricted to staff who require it to perform their functions.

DPA 3.3 Security Measures

TribuShare implements the technical and organisational security measures described in Privacy Policy, Section 9, in respect of Viewer personal data processed on behalf of Creators. TribuShare shall maintain these measures throughout the term of this DPA and shall update them to reflect evolving security threats and best practices.

DPA 3.4 Sub-Processors

The Creator authorises TribuShare to engage the sub-processors listed in Privacy Policy, Section 5.1 for the processing activities described in this DPA. TribuShare shall: (i) enter into written agreements with each sub-processor imposing equivalent data protection obligations to those in this DPA; (ii) notify the Creator at least 30 days in advance of adding or replacing any sub-processor; and (iii) remain fully liable to the Creator for the performance of each sub-processor's obligations.

If the Creator objects to a new sub-processor on reasonable grounds related to data protection, the Creator shall notify TribuShare in writing within 14 days of the notification. The parties shall negotiate in good faith; if no resolution is reached within 30 days, the Creator may terminate the Creator Account without penalty with respect to the sub-processor change.

DPA 3.5 Assistance with Data Subject Rights

Taking into account the nature of the processing, TribuShare shall assist the Creator in fulfilling data subject rights requests (access, rectification, erasure, restriction, portability, objection) received by the Creator from Viewers. TribuShare will provide the Creator with the relevant data or functionality within the platform to respond to such requests within 5 business days of a written request from the Creator.

DPA 3.6 Assistance with Creator's Compliance Obligations

TribuShare shall assist the Creator in complying with its obligations under GDPR Articles 32 to 36, including: security of processing; breach notification; data protection impact assessments (DPIA); and prior consultation with supervisory authorities. TribuShare will provide the Creator with a summary of its security controls and, where relevant, information for DPIA purposes, upon written request.

DPA 4. Personal Data Breach Notification

TribuShare shall notify the Creator without undue delay, and in any event within 48 hours of becoming aware of a personal data breach affecting Viewer personal data processed on behalf of the Creator. The notification shall include, to the extent known at the time:

A description of the nature of the breach, including the categories and approximate number of data subjects and personal data records affected
The name and contact details of the TribuShare privacy contact (privacy@tribushare.com)
The likely consequences of the breach
The measures taken or proposed to address the breach, including, where appropriate, measures to mitigate its possible adverse effects

TribuShare shall provide the Creator with all further information and cooperation required to enable the Creator to meet its own GDPR breach notification obligations to the supervisory authority (72-hour deadline from Art. 33 GDPR) and to affected Viewers (Art. 34 GDPR).

DPA 5. International Transfers of Viewer Data

Where TribuShare transfers Viewer personal data outside the EEA in connection with the Creator's distribution activity, TribuShare shall ensure an appropriate transfer mechanism is in place (EU-US DPF, SCCs, or applicable adequacy decision), consistent with Privacy Policy, Section 8 of this document. TribuShare shall provide the Creator with details of applicable transfer mechanisms upon request.

DPA 6. Audit Rights

The Creator may, upon reasonable written notice of no less than 30 days, request documentation evidencing TribuShare's compliance with this DPA, including: (i) this DPA and its associated records; (ii) summaries of TribuShare's security certifications or penetration test reports (where available and subject to confidentiality redactions); (iii) the current sub-processor list. On-site audits are not required; TribuShare will respond to documentation requests within 15 business days at no additional charge (once per calendar year). Requests requiring substantial custom reporting may incur fees to be agreed in advance.

DPA 7. Data Return and Deletion on Termination

Upon termination of the Creator Agreement or upon written request from the Creator, TribuShare shall, at the Creator's election:

Export all Viewer personal data associated with the Creator's account in a structured, machine-readable format (CSV or JSON) within 30 days of the termination date or request
Securely delete all Viewer personal data associated with the Creator's account within 30 days of the termination date, and provide written confirmation of deletion

TribuShare may retain Viewer personal data beyond this period only where required by applicable law (e.g., financial records required by French accounting law for 10 years), in which case TribuShare shall restrict processing of the retained data to that legal obligation only, and shall notify the Creator of the retention and its legal basis.

Data retained within the Creator's integrated third-party systems (Brevo, Mailchimp, Stripe) is accessible directly through those platforms and is the Creator's independent responsibility.

DPA 8. Creator's Obligations as Data Controller

The Creator, as data controller, is solely responsible for:

Maintaining a valid legal basis under GDPR for all processing of Viewer personal data conducted through the TribuShare platform (e.g., contractual necessity for delivering purchased Content; legitimate interest or consent for marketing to Viewers)
Providing Viewers with a compliant privacy notice that accurately describes the processing activities conducted through TribuShare, including the use of TribuShare as a data processor
Ensuring that any marketing communications sent to Viewers obtained through TribuShare comply with applicable e-privacy and anti-spam laws (including the requirement for prior opt-in for marketing to EU consumers)
Responding to data subject rights requests from Viewers within the statutory time limits (30 days under GDPR)
Maintaining its own records of processing activities as required by GDPR Article 30, including a description of TribuShare's role as sub-processor
Not instructing TribuShare to process Viewer personal data in a manner that would violate GDPR or applicable data protection law

DPA 9. Governing Law

This Data Processing Addendum is governed by the laws of France and, where applicable, Regulation (EU) 2016/679 (GDPR). In the event of any conflict between this DPA and GDPR, GDPR prevails. Any disputes arising from this DPA shall be resolved pursuant to the dispute resolution mechanism in the Creator Agreement, Section 15.

Acceptance

Privacy Policy is accepted by all Users upon Account creation, in accordance with the Terms of Service, Section 17.1.

Data Processing Addendum is accepted by Creators upon Creator Account activation, in accordance with the Creator Agreement, Section 17.1. Acceptance of the Creator Agreement constitutes acceptance of this DPA.

For questions about this document: privacy@tribushare.com

SYLOE GROUP, SAS — 1 rue Albert Camus, 95130 Le Plessis-Bouchard, France — SIREN 898 633 409