Personal data is processed only to the extent necessary to provide a functional Mirulog service, including account creation, media tracking, public profile publishing, embeds, and account security.
For the purposes of Regulation (EU) 2016/679 (GDPR), processing means any operation performed on personal data such as collection, storage, retrieval, use, disclosure, restriction, or deletion.
I. Controller
Andreas Saks
Ludwig-Erhard-Str. 18
c/o IP-Management #24947
20459 Hamburg
Phone: 025113396512
Email: legal@andrus.io
II. Rights of data subjects
- Right of access, including confirmation as to whether personal data is processed and a copy of that data, under Art. 15 GDPR.
- Right to rectification of inaccurate or incomplete data under Art. 16 GDPR.
- Right to erasure under Art. 17 GDPR or, where applicable, restriction of processing under Art. 18 GDPR.
- Right to data portability under Art. 20 GDPR.
- Right to object to processing based on legitimate interests under Art. 21 GDPR.
- Right to lodge a complaint with a supervisory authority under Art. 77 GDPR.
III. Information about the processing of personal data
Account registration and account management
When you register, Mirulog processes your name, email address, encrypted password, acceptance of the Terms of Service and Privacy Notice, and technical metadata required to establish and secure your account.
The legal basis is Art. 6 para. 1 lit. b GDPR for the performance of the user contract and Art. 6 para. 1 lit. c GDPR for documenting mandatory legal notices and consent records where required.
Email verification and service communication
Your email address is used to verify your account, send security-related messages, and deliver service communications that are necessary to operate the account.
The legal basis is Art. 6 para. 1 lit. b GDPR.
Public profile pages, embeds, and media entries
Mirulog stores the media entries, ratings, notes, watched dates, and page settings you create. Content that you mark or configure as public may be displayed on your public page, compact view, feed, and embed endpoints.
The legal basis is Art. 6 para. 1 lit. b GDPR. Publication of content is initiated by your settings and instructions inside the service.
Server logs and security
The hosting environment may process IP address, browser data, referrer URL, timestamps, and requested resources in server logs to ensure stability, prevent abuse, and investigate incidents.
The legal basis is Art. 6 para. 1 lit. f GDPR. The legitimate interest is the secure and reliable operation of the service. Unless longer retention is required for incident investigation, server logs should be deleted within seven days.
Session cookies and authentication
Mirulog uses technically necessary session cookies to keep you logged in, protect forms against CSRF, and maintain authenticated workflows. These cookies are required for the service to function.
The legal basis is Art. 6 para. 1 lit. b GDPR and Art. 6 para. 1 lit. f GDPR.
Captcha and abuse prevention
If Cloudflare Turnstile is enabled on registration or password-reset forms, your browser connects to Cloudflare to assess whether the request is likely to be human. Cloudflare may process technical usage data for this purpose.
The legal basis is Art. 6 para. 1 lit. f GDPR. The legitimate interest is the prevention of automated abuse and account attacks.
Third-party metadata lookups
When you search for movies or TV shows in the authenticated dashboard, Mirulog sends the search query and requested media type to The Movie Database (TMDB) through the server-side integration in order to return results and external metadata.
The legal basis is Art. 6 para. 1 lit. b GDPR because the lookup is part of the requested service functionality.
Retention
Account data is retained for as long as the account exists, unless statutory retention obligations require longer storage. If you delete your account, personal data connected to the account is deleted or anonymized unless continued retention is legally required or necessary to resolve abuse, fraud, or security incidents.
IV. Requests and contact
Requests relating to privacy, access, deletion, or objections can be sent to legal@andrus.io.