Privacy Policy
Last updated: February 22, 2026
This Privacy Policy explains how Viddla ("we", "us", "our") collects, uses, stores, and protects your personal data when you use our platform at vidd.la and its subdomains (the "Service"). Viddla is a video hosting and creator platform operated from Lithuania, within the European Union.
We are committed to protecting your privacy in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable Lithuanian data protection law.
By using the Service, you acknowledge that you have read and understood this Privacy Policy.
1. Data Controller
Viddla
Email: [email protected]
For any questions or requests regarding your personal data, please contact us at the email above.
2. What Data We Collect
2.1 Account Data
When you create an account, we collect:
- Email address (required)
- Display name (required)
- Date of birth (required, to verify minimum age)
- Password (stored using a secure one-way hash; we never store your plaintext password)
- Bio (optional)
- Profile picture / avatar (optional)
- Language preference
2.2 Device and Technical Data
When you access the Service, we automatically collect:
- IP address
- Browser type and version
- Operating system and platform
- Screen resolution
- Device fingerprint (a hash derived from your device characteristics, used for security purposes)
- User agent string
2.3 Location Data
We derive approximate location information (city, region, country) from your IP address using a locally hosted geolocation database. No IP data is sent to third parties for this purpose.
2.4 Usage Data
As you interact with the Service, we collect:
- Watch history (which videos you watch and your progress, if enabled in your settings)
- Video impressions (which videos appear on your screen and from which section, e.g., home, search, trending)
- Likes, comments, and reactions
- Playlists you create and manage
- Channels you follow
- Search queries
- Traffic source within the platform (e.g., home page, search results, related videos)
2.5 Creator Data
If you use our creator features, we additionally collect:
- Channel information (channel name, description, profile image, banner)
- Uploaded video files and associated metadata (title, description, tags, thumbnails)
- Creator analytics (view counts, subscriber counts, engagement metrics)
2.6 Payment Data
When you make purchases or subscribe to paid plans, payment processing may be handled by third-party payment processors such as Stripe. We do not store your credit card number or full payment details. We retain:
- Transaction records (amount, currency, payment type, status, date)
- Subscription status and billing period
- Gift code redemption history
- Credit balance and transaction history
Where Stripe is used, their handling of your payment data is governed by Stripe's Privacy Policy.
2.7 Communication Data
- Contact form submissions (email, subject, message, request type)
- Email notification preferences
2.8 Security Data
To protect your account and the platform, we collect:
- Login attempt records (IP address, success/failure, timestamp)
- Security activity logs (login, logout, password changes, profile updates, account deletion)
- Suspicious activity records (unusual login patterns, potential abuse)
- Two-factor authentication secrets (if you enable 2FA)
3. How We Use Your Data
We process your personal data for the following purposes and legal bases:
| Purpose | Legal Basis (GDPR) |
|---|---|
| Account creation and management | Performance of contract (Art. 6(1)(b)) |
| Authentication and session management | Performance of contract (Art. 6(1)(b)) |
| Providing the video streaming service | Performance of contract (Art. 6(1)(b)) |
| Processing payments and subscriptions | Performance of contract (Art. 6(1)(b)) |
| Sending transactional emails (verification, password reset) | Performance of contract (Art. 6(1)(b)) |
| Content recommendations and personalization | Legitimate interest (Art. 6(1)(f)) or your consent, depending on your settings |
| Platform analytics and service improvement | Legitimate interest (Art. 6(1)(f)) |
| Fraud prevention and security monitoring | Legitimate interest (Art. 6(1)(f)) |
| Rate limiting and abuse prevention | Legitimate interest (Art. 6(1)(f)) |
| Marketing and promotional emails | Your consent (Art. 6(1)(a)) |
| Age verification | Legal obligation (Art. 6(1)(c)) |
Where we rely on legitimate interest, we have assessed that our interests do not override your fundamental rights and freedoms. You may object to processing based on legitimate interest at any time (see Section 8).
4. Cookies and Local Storage
We do not use third-party tracking cookies or advertising cookies. We use the following browser storage mechanisms for the operation of the Service:
HTTP-Only Cookies
- Session cookie - authenticates your requests (httpOnly, Secure, SameSite=Lax)
Local Storage
- Authentication tokens - session and refresh tokens for maintaining your login
- Session expiration timestamps
- Active channel data (for creators with multiple channels)
- Theme preference (light/dark mode)
- Video player preferences (quality, subtitle settings)
Session Storage
- Analytics session ID - a temporary identifier used to deduplicate video impressions within a single browser session; cleared when the tab is closed
None of these mechanisms are used to track you across other websites.
5. Third-Party Service Providers
The following companies are involved in running the Service and may handle your data on our behalf:
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Stripe (planned) | Payment processing | Payment and subscription data | United States (with EU safeguards) |
| Hetzner | Server hosting and infrastructure | All data processed on our servers | Germany / Finland (EU) |
| netcup GmbH | Server hosting and infrastructure | All data processed on our servers | Austria (EU) |
| BunnyWay d.o.o. (Bunny CDN / BunnyStorage) | Image and video content delivery | Profile images, thumbnails, video streams | Slovenia (EU), global edge nodes |
| MEGA S4 (MEGA Privacy LLC) | Video content storage | Uploaded video files and transcoded variants | Hungary (EU) |
| Cloudflare | CDN, DDoS protection, DNS | IP address, request metadata | Global (with EU safeguards) |
| Oracle Cloud | Email delivery infrastructure | Email address, email content | Switzerland |
We do not sell your personal data to any third party. We do not use any third-party analytics, advertising, or social media tracking services.
6. International Data Transfers
Your data is primarily stored on servers located within the European Union (Hetzner, Germany/Finland). Some data may be transferred to countries outside the EU/EEA:
- Stripe (United States) - covered by Stripe's Data Processing Agreement and EU Standard Contractual Clauses (SCCs).
- Cloudflare (global edge network) - covered by Standard Contractual Clauses and Cloudflare's Data Processing Addendum.
- Oracle Cloud (Switzerland) - Switzerland has an adequacy decision from the European Commission, meaning it provides an adequate level of data protection.
- BunnyWay d.o.o. / Bunny CDN (Slovenia, EU) - primary storage in the EU; edge caching may occur globally for performance.
Where transfers occur to countries without an EU adequacy decision, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (Art. 46(2)(c) GDPR).
7. Data Retention
We retain your data for as long as necessary to fulfill the purposes described in this policy:
| Data Type | Retention Period |
|---|---|
| Account data | Until you delete your account |
| Session tokens | 1 hour (session), up to 3 weeks (refresh token with "Remember Me") |
| Password reset tokens | 1 hour after generation |
| Email verification tokens | 24 hours after generation |
| Login attempt logs | Cleaned periodically, retained for security purposes |
| Security activity logs | Retained for legitimate security interests |
| Watch history | Until you clear it or delete your account |
| Payment records | As required by applicable tax and accounting law |
| Uploaded content | Until you or we remove it, or you delete your account |
| Device fingerprints | Retained while your account is active, for security |
When you delete your account, we permanently remove your personal data, including your account information, sessions, videos, comments, likes, playlists, subscriptions, and watch history. Certain anonymized or aggregated data that cannot identify you may be retained for analytics purposes.
8. Your Rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of access (Art. 15) - request a copy of the data we hold about you.
- Right to rectification (Art. 16) - correct inaccurate or incomplete data via your account settings or by contacting us.
- Right to erasure (Art. 17) - delete your account and all associated data. You can do this directly from your account settings.
- Right to restriction of processing (Art. 18) - request that we limit how we use your data in certain circumstances.
- Right to data portability (Art. 20) - receive your data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21) - object to processing based on legitimate interest, including analytics and personalization.
- Right to withdraw consent (Art. 7(3)) - where processing is based on consent (e.g., marketing emails), you can withdraw at any time via your notification settings.
Exercising Your Rights
Many of these rights can be exercised directly through your Account Settings:
- Delete your account: Account Settings > Delete Account (permanent, irreversible)
- Clear your watch history: Privacy Settings > Data & Privacy
- Manage marketing email preferences: Privacy Settings > Email Preferences
For any request you cannot fulfill through the platform, email us at [email protected]. We will respond within 30 days as required by the GDPR.
If you believe we have not adequately addressed your concerns, you have the right to lodge a complaint with a supervisory authority. In Lithuania, this is the State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija):
- Website: vdai.lrv.lt
- Email: [email protected]
9. Children's Privacy
The Service is not intended for children under the age of 13. We do not knowingly collect personal data from children under 13. If we become aware that we have collected data from a child under 13, we will delete the account and associated data promptly.
If you are between 13 and 16 years old, you may need parental or guardian consent to use the Service, depending on the laws of your country within the EU/EEA.
If you believe a child under 13 has created an account, please contact us at [email protected].
10. Security Measures
We implement appropriate technical and organizational measures to protect your data, including:
- Passwords are securely hashed and never stored in plaintext
- Authentication tokens are cryptographically generated
- HTTP-only, Secure cookies with SameSite attributes
- Two-factor authentication (optional)
- Rate limiting on authentication and sensitive endpoints
- Login attempt monitoring and suspicious activity detection
- Device fingerprinting for unauthorized access detection
- HTTPS/TLS encryption for all data in transit
- Security headers (X-Frame-Options, X-Content-Type-Options, X-XSS-Protection)
- CORS policy enforcement
- Prepared statements for database queries (SQL injection prevention)
While we take reasonable measures to protect your data, no method of transmission or storage is 100% secure.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by:
- Posting the updated policy on this page with a revised "Last updated" date
- Sending an email notification for material changes (if you have an account)
Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.
12. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Email: [email protected]
Contact form: vidd.la/about/contact