Privacy Policy

Last updated: February 2026

1. Data controller

The data controller is Diego López García, operator of the bimi.tv platform.
Address: Calanda 22 3ºB, 28037 Madrid, Spain.
For any privacy-related questions, you may contact us at [email protected].

2. Data we collect

2.1 Account data (platform users)

When an administrator creates an account, we store: username, display name, preferred language and a cryptographic hash of the password. We do not store passwords in plain text.

2.2 Session and security data

When you log in, we collect: IP address, browser user agent string, device type, and a session token. If IP geolocation is enabled, we may look up the approximate geographic location (country, region) and internet service provider associated with your IP address using third-party services.

2.3 Video viewer analytics

When a viewer watches an embedded video, we collect anonymous playback events including: video event type (load, play, completion), the page URL where the player is embedded, the viewer's IP address, browser user agent, screen resolution, browser language and device type. This data is used exclusively to generate aggregate statistics for the video publisher.

2.4 Company billing data

Companies using the platform may provide: company name, country, address, postal code, VAT number, IBAN and SWIFT code. This data is used solely for invoicing and accounting purposes.

3. Purpose and legal basis

We process personal data for the following purposes:

• Service provision — to operate the platform, authenticate users and deliver video content (legal basis: contract performance).
• Security — to detect and prevent unauthorized access, fraud and abuse (legal basis: legitimate interest).
• Analytics — to provide video publishers with aggregate audience statistics (legal basis: legitimate interest).
• Billing — to issue invoices and manage payments (legal basis: legal obligation and contract performance).

4. Cookies

BIMI.TV uses the following strictly functional cookies:

• bimitv_session — Identifies the active user session. HttpOnly, Secure, SameSite=Strict. Expires at browser close or after 90 days if "remember me" is enabled.
• bimitv_device — A device fingerprint token used for session security. HttpOnly, Secure, SameSite=Strict. Expires after 365 days.

We do not use advertising cookies, tracking pixels or third-party analytics cookies.

5. Third-party services

We use the following external services that may process personal data:

• ip-api.com — IP geolocation service used to determine the approximate geographic location of login sessions and video viewers. Your IP address is sent to this service.
• Google IMA SDK — Used for serving video advertisements when ad monetization is enabled. Subject to Google's privacy policy.

6. Data retention

We retain data for the following periods:

• Account data — retained while the account is active. Deactivated accounts may be retained for up to 12 months before deletion.
• Session data — login attempt records are automatically deleted after 30 days. Security events after 90 days.
• Video analytics — aggregate statistics (per country, per day) are retained indefinitely. Raw event data is processed and then deleted periodically.

7. Your rights

Under the General Data Protection Regulation (GDPR), you have the right to:

• Access — obtain a copy of the personal data we hold about you.
• Rectification — request correction of inaccurate data.
• Erasure — request deletion of your data when it is no longer necessary.
• Restriction — request limitation of processing in certain circumstances.
• Portability — receive your data in a structured, machine-readable format.
• Objection — object to processing based on legitimate interest.

To exercise any of these rights, contact us at [email protected]. You also have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD).

8. Security measures

We implement appropriate technical and organizational measures to protect your data, including: password hashing with bcrypt, HTTPS encryption for all communications, HttpOnly and Secure cookie flags, CSRF protection, Content Security Policy headers and rate limiting on authentication endpoints.

9. Changes to this policy

We may update this privacy policy to reflect changes in our practices or applicable law. We will publish the updated version on this page with the corresponding date.