Privacy Policy
Last updated: 2026-05-29
1. Data controller
NexZila Evolved, Postlagernd Bahnhofplatz 2 9470 Buchs SG. E-mail: dpo@zilaplayer.com.
2. The data we collect
2.1 Data collected on device pairing (Art. 6(1)(b) GDPR — performance of contract)
- Device MAC address — a persistent hardware identifier, qualified as personal data under Opinion 4/2007 of the Article 29 Working Party and CJEU case-law Breyer C-582/14. Used solely to associate the device with the purchased license and to deliver encrypted changes.
- Bcrypt hash of the Device Key (an 8-character key generated locally on the device and never sent in clear text to our server).
- Technical timestamps (
created_at,updated_at,last_seen).
2.2 Data collected on pairing attempts (Art. 6(1)(f) GDPR — legitimate interest, anti-fraud)
- IP address of the attempt — qualified as personal data under CJEU Breyer C-582/14. Auto-deleted after 24 hours.
- Target MAC, result (success/fail), timestamp.
These data points are minimal, kept for a short time and never used for profiling, advertising or any secondary purpose.
2.3 Data collected on a license purchase (optional)
- E-mail, name / company, country (for VAT calculation).
- Payment details — processed exclusively by Stripe (we do not store card numbers on our servers).
- Unique device identifier for license activation.
2.4 Data we DO NOT collect
- Your playlist URLs
- Server credentials you add (username / password)
- The content, titles or list of films / channels you watch
- Viewing history
- Demographic, behavioural or profiling data
3. End-to-end encryption (zero-knowledge)
Changes you make from the browser (e.g. “add playlist X with URL Y”) are AES-GCM 256-bit encrypted in your browser with a key derived from your device’s Device Key (PBKDF2-SHA256, 100 000 iterations, cryptographically random salt stored per-device). Our servers receive only opaque bytes that they cannot decrypt — the key never reaches us. Your device decrypts the change locally with the same Device Key, applies it, then tells the server to delete the encrypted blob. This is the same architecture Signal uses for messaging.
4. Operator with technically limited processing capability
For the AES-GCM 256-bit encrypted blobs that pass through our infrastructure, we are in a unique technical position: although we temporarily store them on our servers (Supabase, Frankfurt EU), we do not hold the decryption key. The key is derived locally from the user’s Device Key and never leaves the device.
Consequences:
- We are data controllers for: MAC, bcrypt hash, pairing IPs, timestamps, e-mail + country (at purchase), Stripe customer ID.
- For the contents of the blobs (playlist URLs and server credentials added by the user), we are mathematically unable to access them, similar to the model Signal uses for end-to-end encrypted messaging.
Implications for authority requests:
If we receive a valid legal request (court order, administrative decision) regarding a user’s activity, we can only provide the metadata stored with us (MAC, hash, IPs, timestamps). The actual playlist contents and server credentials are undecipherable even to us.
Implications for your GDPR rights:
Your rights of access (Art. 15), portability (Art. 20) and erasure (Art. 17) are fully available for the metadata. For the encrypted blobs, erasure is achieved by revoking your Device Key (clear storage on the device → re-pairing), which makes the content permanently undecipherable.
5. Purpose of processing (GDPR legal basis)
- Art. 6(1)(b) — performance of contract (pair the device with the website, deliver the license).
- Art. 6(1)(c) — legal obligations (invoicing).
- Art. 6(1)(f) — legitimate interest (rate-limiting anti brute-force, security).
6. Data retention
devicesrow (MAC + hash + salt) — as long as the device stays paired. Deleted via Clear Storage on the device.- Encrypted
pending_changesblobs — auto-deleted after delivery to the device, maximum 24 h. - Authentication-attempt log — auto-deleted after 24 h.
- Invoicing data — 10 years (EU / CH / RO fiscal obligation).
- License key (after purchase) — for the life of the license + 12 months.
7. Server locations
Data is hosted exclusively in the European Union:
- Postgres database — Supabase, Central EU region (Frankfurt, Germany).
- Web application — Vercel, EU regions (global CDN only for public static assets).
- Payment processing — Stripe Payments Europe Ltd. (Dublin, Ireland).
- Transactional e-mail — Resend (EU regions).
No transfer of personal data outside the EEA.
8. Your rights (GDPR Art. 15–22)
Right of access, rectification, erasure (“right to be forgotten”), restriction, portability, objection, withdrawal of consent, and the right to lodge a complaint with the national supervisory authority. Send your request by e-mail to dpo@zilaplayer.com. We reply within a maximum of 30 days.
Competent supervisory authority:
Federal Data Protection and Information Commissioner (FDPIC / EDÖB)
Feldeggweg 1, 3003 Bern, Switzerland
Web: https://www.edoeb.admin.ch
9. Sub-processors
- Supabase Inc. — database (Frankfurt, DE). DPA + EU SCC.
- Vercel Inc. — web application hosting (EU regions). DPA + EU SCC.
- Stripe Payments Europe Ltd. — payment processing (Dublin, IE). Intra-EU, DPA.
- Resend — transactional e-mail delivery (EU region). DPA.
10. Cookies
See our Cookie Policy.
11. Security (Art. 32 GDPR)
- TLS 1.3 for all transmissions.
- Device Key bcrypt with cost 10.
- AES-GCM 256 with PBKDF2 (100k iterations) + random per-device salt.
- HMAC-SHA256-signed session cookie, HttpOnly + Secure + SameSite=Lax.
- Rate limit of 5 attempts / 10 minutes per MAC address.
- Row-level security enabled at the database level.
12. Changes
We will notify you in advance (at least 30 days) by e-mail and a banner on the site if we materially change this policy. Current version: 2026-05-29.