Legal

Privacy Policy

Last updated: 2026-01

Who we are

Mavshack Movies is operated by Mavshack Group (mavshack.se), a Swedish company offering a curated catalog of public-domain and licensed classic films for streaming in the Nordics. This policy explains what personal data we process and why.

What data we collect

Visitors (public site)

  • IP address & user agent: processed by our CDN (Cloudflare) for security, abuse prevention, and regional content rules.
  • Analytics (Google Analytics 4): if you accept analytics cookies, GA4 collects pseudonymous data about page views, session length, device type, and approximate location. IP addresses are truncated in transit.
  • YouTube playback: when you press play on a film, YouTube (operated by Google Ireland Limited) loads in an iframe and may set cookies and collect playback telemetry. We embed videos via the privacy-enhanced youtube-nocookie.com domain, which defers cookie setting until you press play. After that point YouTube's own privacy policy applies.

Administrators (admin area)

  • Username and bcrypt-hashed password. We never store plaintext passwords.
  • An encrypted session cookie (HttpOnly, SameSite=Lax) that identifies you while signed in.
  • IP-based rate limiting on login attempts (in-memory, not persisted).

Cookies

See the dedicated Cookie policy for the specific cookies we set, their lifetime, and how to manage your consent.

Legal basis

  • Essential cookies (session, security): legitimate interest (GDPR art. 6(1)(f)).
  • Analytics & YouTube cookies: consent (GDPR art. 6(1)(a)), collected via the consent banner.

Data sharing

We do not sell your data. Pseudonymous analytics are shared with Google Ireland Limited (GA4 processor). Embedded videos are served by Google Ireland Limited (YouTube). Our CDN/infrastructure provider is Cloudflare, Inc. and our hosting is in the EEA.

International transfers

Google may process data outside the EEA under Standard Contractual Clauses. You may decline analytics and avoid playing embedded videos to keep all processing within the EEA / our own infrastructure.

Data retention

  • Analytics: 14 months (GA4 default minimum).
  • Admin sessions: 7 days, sliding.
  • Server logs (Cloudflare/Apache): up to 30 days, then purged.

Your rights

Under GDPR you have the right to access, correct, or erase personal data we hold about you, and to object to or restrict processing. To exercise these rights, contact us via the email below. You can also lodge a complaint with the Swedish Authority for Privacy Protection (IMY).

Contact

Mavshack Group
Email: privacy@mavshack.se