Privacy Policy
Last updated: February 2026 (Cookie consent and GA4 disclosure added)
Introduction
Eris ("we", "us", or "our") operates the website eris.tv (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our Service. Eris is operated from Poland and is subject to the General Data Protection Regulation (GDPR) and applicable Polish and EU data protection laws. By using the Service, you agree to the collection and use of information in accordance with this policy.
Information We Collect
We collect the following categories of personal data:
Registration Data: When you create an account, we collect your name, email address, and password (stored as a secure hash — we never store plain-text passwords). You may also provide an optional avatar image, bio, profile accent color, and display preferences.
OAuth Data: If you sign in via Google or Facebook, we receive your name, email address, profile picture URL, and the provider's unique user ID. We do not receive or store your social media passwords.
Behavioral Data: We collect data about your interactions with the Service, including: watch history (episodes marked as watched with timestamps), show/actor/character subscriptions, trivia game scores and answers, show ratings and reviews, trivia pack creation and editing activity, and feature requests you submit.
Payment Data: Payments are processed by Stripe. We store your Stripe customer ID, subscription ID, price ID, payment method type and last four digits, subscription tier, amount, currency, and billing dates. We never store full credit card numbers, CVVs, or complete payment credentials.
Notification Data: If you enable push notifications, we store your Firebase Cloud Messaging (FCM) token and your per-entity notification preferences (email, push, or in-app) and global notification settings (digest day, reminder hours).
How We Use Your Information
We use your personal data for the following purposes:
- Service Operation: To provide, maintain, and improve the Service — including episode tracking, subscriptions, personalized recommendations, trivia games, and calendar features.
- Authentication: To create and manage your account, verify your identity, and provide secure access.
- Notifications: To send you episode air date reminders, subscription updates, and other notifications you have opted into, via email, push, or in-app.
- Payments: To process Guardian subscription payments, manage billing, and provide receipts through Stripe.
- Analytics & Improvement: We use Google Analytics 4 to understand usage patterns and improve the Service. GA4 collects anonymized page view and interaction data. IP addresses are anonymized by default. You can control analytics cookies via the cookie settings on our website.
- Security: To detect and prevent fraud, abuse, and unauthorized access.
Third-Party Services
We share data with the following third-party services as necessary to operate the Service:
Stripe — Processes payments for Guardian subscriptions. Receives your email, user ID, and payment tokens. Stripe Privacy Policy.
Firebase Cloud Messaging (Google) — Delivers push notifications to your devices. Receives FCM tokens and notification payloads. Firebase Privacy Policy.
Google OAuth — Provides optional sign-in via Google. Standard OAuth flow — we receive your name, email, and profile picture. Google Privacy Policy.
Facebook OAuth (Meta) — Provides optional sign-in via Facebook. Standard OAuth flow — we receive your name and email. Meta Privacy Policy.
Google reCAPTCHA — Protects the registration form from bots. Processes your IP address and interaction patterns. Google Privacy Policy.
Google AdSense — Displays advertisements to free-tier users. May collect cookies and browsing behavior for ad targeting. Guardians (paid subscribers) do not see ads. Google Ads Privacy.
Sentry / GlitchTip — Captures application errors for debugging. May include your user ID and email in error reports when you are authenticated. Sentry Privacy Policy.
Google Analytics 4 — Collects anonymized usage data (page views, interactions, device info) to help us understand how users interact with the Service. IP addresses are anonymized. Google Analytics Privacy. You can opt out via our cookie settings or by installing the Google Analytics Opt-out Browser Add-on.
Services that do not receive your personal data: TVMaze, TheTVDB (data sources for show information), Meilisearch (self-hosted search), Reverb (self-hosted WebSockets).
Advertising
Free-tier users may see advertisements served by Google AdSense. These ads may use cookies and similar technologies to serve personalized content based on your browsing behavior across the web. You can manage your Google ad preferences at Google Ad Settings.
Guardian subscribers (paid tier) enjoy a completely ad-free experience. No ad-related cookies or tracking scripts are loaded for Guardians.
Data Retention
We retain your personal data for as long as your account is active or as needed to provide you with the Service. Specific retention periods:
- Account data: Retained until you delete your account.
- Watch history and subscriptions: Retained until you delete your account.
- Trivia scores and game data: Retained until you delete your account.
- Payment records: Retained for 7 years after the last transaction, as required by Polish tax and accounting regulations.
- Error logs (Sentry): Automatically purged after 90 days.
- Server logs: Automatically purged after 30 days.
Data Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- All data transmitted via HTTPS/TLS encryption
- Passwords stored using bcrypt hashing (never in plain text)
- CSRF protection on all form submissions
- Rate limiting on authentication and API endpoints
- Server-side session management with secure, HTTP-only cookies
- Regular security updates and dependency patching
Your Rights Under GDPR
As a resident of the European Union or European Economic Area, you have the following rights regarding your personal data:
- Right of Access: You may request a copy of the personal data we hold about you.
- Right to Rectification: You may request that we correct inaccurate or incomplete data.
- Right to Erasure: You may request deletion of your personal data ("right to be forgotten"). You can delete your account at any time from your profile settings, or contact us.
- Right to Data Portability: You may export your data in JSON or CSV format from your profile settings at any time.
- Right to Restriction: You may request that we restrict processing of your data in certain circumstances.
- Right to Object: You may object to our processing of your data for specific purposes.
- Right to Lodge a Complaint: You may file a complaint with the UODO (Urząd Ochrony Danych Osobowych — Polish Data Protection Authority) at uodo.gov.pl.
California Residents
If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights:
- Right to Know: You may request details about the categories and specific pieces of personal data we have collected.
- Right to Delete: You may request deletion of your personal data.
- Right to Opt-Out: You may opt out of the "sale" of personal data. Eris does not sell your personal data to third parties.
Children's Privacy
The Service is not intended for children. You must be at least 16 years old to create an account if you are located in the EU/EEA (as required by GDPR), or at least 13 years old if located outside the EU/EEA. We do not knowingly collect personal data from children under these ages. If we discover that a child under the applicable minimum age has provided us with personal data, we will delete that data promptly. If you believe a child has provided us with their data, please contact us.
International Data Transfers
Our servers are located in Poland (European Union). Your data is primarily stored and processed within the EU. However, some third-party services (Stripe, Google, Firebase) may transfer your data to the United States or other countries. These transfers are protected by appropriate safeguards, including EU Standard Contractual Clauses and adequacy decisions where applicable.
Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting a notice on the Service or sending an email to your registered address. The "Last updated" date at the top of this page reflects the most recent revision. Your continued use of the Service after changes constitutes acceptance of the updated policy.
Contact Information
If you have questions about this Privacy Policy or wish to exercise your data protection rights, contact us at:
Email: [email protected]
Supervisory Authority: UODO — Urząd Ochrony Danych Osobowych