Summary

The following is the Privacy Policy of SIROKO TV, in which SIROKO SOLUTIONS, S.L. (hereinafter, “SIROKO” or “the Controller”) informs about the processing of personal data of users of the audiovisual platform Siroko TV, accessible through the website www.sirokotv.com and the official mobile applications for iOS and Android (hereinafter, collectively, “the Platform”), in compliance with Regulation (EU) 2016/679 of 27 April (RGPD), Organic Law 3/2018 of 5 December on Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD) and other applicable provisions.

Users are advised to read this document in full. However, for purely informative purposes, the two essential purposes of the processing are: (i) the provision of the contracted services (access to audiovisual content, registration as a Standard User and, if applicable, as Siroko Creator); and (ii) compliance with the legal obligations applicable to the Platform, in particular those arising from Regulation (EU) 2022/2065 of 19 October on a single market for digital services (DSA), Law 34/2002 of 11 July on Information Society Services and Electronic Commerce (LSSI-CE) and the RGPD itself.

1. Introduction

This Privacy Policy applies to the processing of personal data that SIROKO performs in the context of the provision of the Platform’s services. The purpose of this Policy is to provide users, in accordance with Articles 13 and 14 of the GDPR, with clear, accessible and comprehensive information regarding who processes their data, what data is processed, the purposes of the processing, the applicable legal basis, the retention period, the recipients of the data and the rights available to them.

SIROKO may update this Policy due to legal, regulatory, technical or business changes. Any material changes will be communicated to users within a reasonable period in advance through the usual channels (email, notice on the Platform or in-app notification). Users are advised to review this document periodically.

2. Data controller

The controller responsible for the processing of personal data is:

SIROKO SOLUTIONS, S.L.
TAX ID: B-33950338
Registered office: Plaza 6 de Agosto, n.º 2, 2.º — 33206 Gijón (Asturias).
Registered at the Official Mercantile Registry of Asturias.
Phone number: +34 984 49 37 44
E-mail: gdpr@siroko.com

3. D.P.O. (Data Protection Officer)

SIROKO has appointed an external Data Protection Officer pursuant to Article 37 of the GDPR: Martín López Escartiín, lawyer registered with the Madrid Bar Association under membership number 103516, acting on behalf of HONOS ABOGADOS, SLP. The DPO is the single point of contact for any matters relating to the processing of personal data and the exercise of the rights recognised under Articles 15 to 22 of the GDPR.

4. Categories of personal data processed

SIROKO processes the categories of personal data listed below, differentiated according to the user’s status and the source of the data.

4.1. Standard User Data

When registering as a User of the Platform, the following minimum and necessary data is collected: first name and surname(s), email address, password (stored in encrypted form using one-way cryptographic functions) and, optionally, username or nickname and avatar. Registration may be completed directly or, where applicable, through authentication with external identity providers (social login), in which case only the basic profile data strictly necessary to create the account will be obtained.

4.2. Siroko Creator Data

Users applying to join the Siroko Creator program, once their standard User account has been activated, may additionally provide links to their public social media profiles, a free-form description of their activity and connection with sports, and, where applicable and exclusively in cases involving monetization or payment, the identification and tax data required for compliance with legal invoicing, withholding and tax payment obligations (Tax ID/NIE, postal address and bank details).

4.3. Platform usage and behavioral data

In connection with the use of the Platform, SIROKO may process data including: IP address, device identifiers, operating system and browser type and version, language, approximate geolocation based on the IP address, viewing history (videos viewed, viewing duration, pauses and abandonment), searches and applied filters, interactions (likes, ratings, comments and saved content) and, in the case of the mobile application, advertising identifiers (IDFA on iOS and AAID on Android) where the user has provided the corresponding consent in accordance with applicable regulations.

4.4. Data derived from moderation, reporting and blocking systems

In order to comply with the obligations arising under Regulation (EU) 2022/2065 (DSA) and the applicable online safety regulations, SIROKO operates an internal content moderation system involving the processing of personal data, including in particular: identification of the reporting user and the reported user in connection with each notice; the category and grounds of the report; the content subject to the report; the moderation decision adopted (removal, suspension, expulsion or dismissal) and the statement of reasons for such decision in accordance with Article 17 of the DSA; and records of user blocking actions carried out between users.

4.5. Internal Reporting System (Ethics and Whistleblowing Channel)

Where users use the Internal Information System established by SIROKO pursuant to Law 2/2023 of 20 February regulating the protection of persons reporting breaches of law and combating corruption, and Directive (EU) 2019/1937, only the data strictly necessary for handling the report will be collected. Where the reporting person chooses not to submit the report anonymously, they will be asked to provide the identification data required under the applicable regulations, subject to the confidentiality safeguards established therein

4.6. Data collected through cookies

The Platform uses cookies and similar technologies in accordance with Article 22.2 of the Spanish Law on Information Society Services and Electronic Commerce (LSSI-CE) and the current Cookie Guidelines issued by the Spanish Data Protection Agency (AEPD). Detailed information on the cookies used, their purpose, type (technical, personalization, analytics and advertising) and their retention periods is available in the Cookie Policy, accessible through the banner settings panel and from the footer of the Platform.

5. Purposes of processing and legal bases

In accordance with Article 6 of the General Data Protection Regulation (GDPR), SIROKO only processes personal data where one of the legal bases identified for each purpose in the table below applies.

Purpose	Legal basis (Article 6 GDPR)
Management of User account registration and maintenance.	Performance of a contract (Article 6(1)(b)).
Management of the Siroko Creator program: application, evaluation, operational communications and, where applicable, monetization.	Performance of a contract (Article 6(1)(b)) and compliance with legal obligations relating to applicable tax and commercial obligations (Article 6(1)(c)).
Performance of a contract (Article 6(1)(b)) and compliance with legal obligations relating to applicable tax and commercial law requirements (Article 6(1)(c)).	Performance of a contract (Article 6(1)(b)).
Customer support, management of inquiries, incidents, and support requests.	Performance of a contract (Article 6(1)(b)) and the Controller’s legitimate interest in managing the relationship with the user (Article 6(1)(f)).
Compliance with the content moderation framework: notice-and-action procedures (Article 16 DSA), statements of reasons for decisions (Article 17 DSA), and management of reports and account restrictions.	Compliance with a legal obligation (Article 6(1)(c)) and the Controller’s and other users’ legitimate interest in maintaining a safe environment (Article 6(1)(f)).
Automated content filtering to detect conduct or materials prohibited under the General Terms of Use and applicable law.	Compliance with a legal obligation (Article 6(1)(c)) and the Controller’s legitimate interest (Article 6(1)(f)). Please refer to Section 6 regarding automated decision-making.
Prevention of fraud, abuse, and misuse of the Platform; investigation of security incidents.	Legitimate interest of the Controller (Article 6(1)(f)) and compliance with a legal obligation where applicable (Article 6(1)(c)).
Sending commercial communications regarding SIROKO services and content.	Consent of the data subject (Article 6(1)(a)) or legitimate interest under Article 21.2 of the Law on Information Society Services and Electronic Commerce (LSSI-CE) for customers who have purchased similar products or services.
Social media marketing (custom and lookalike audiences).	Consent of the data subject (Article 6(1)(a)).
Compliance with accounting, tax, commercial, and administrative obligations.	Compliance with a legal obligation (Article 6(1)(c)).
Management of the Internal Information System (Ethics Channel).	Compliance with a legal obligation (Article 6(1)(c)) pursuant to Law 2/2023.
Defense against claims and exercise of legal actions.	Legitimate interest of the Controller (Article 6(1)(f)).

SIROKO does not process special categories of personal data (Article 9 GDPR), unless such data is voluntarily provided by the user when publishing content on the Platform, in which case the processing will be based on the explicit consent of the data subject pursuant to Article 9(2)(a) GDPR.

6. Automated decision-making and content filtering

As a measure to protect users and comply with the content moderation obligations arising from the Digital Services Act (DSA), SIROKO applies automated filtering systems to content published on the Platform. These systems include: (i) keyword filtering in titles, descriptions, and comments; and (ii), where applicable, integration with automated image and video moderation services provided by specialized providers, aimed at detecting sexually explicit content, graphic violence, or other prohibited materials.

Where automated filtering may result in content removal or account suspension, the affected user shall have the right to obtain human intervention, express their point of view, and challenge the decision, in accordance with Articles 22 GDPR and 17 and 20 DSA. Human review shall, in all cases, take place prior to the adoption of measures producing significant legal effects on the user.

7. Data disclosures to third parties

SIROKO may disclose personal data to third parties exclusively where there is a legal basis permitting such disclosure, in the following cases:

• Public administrations, judicial authorities, Law Enforcement Agencies and other competent bodies, in compliance with legal obligations, formal requests, or court orders.
• Digital Services Coordinators and other competent national authorities, pursuant to Articles 9 and 10 DSA and related legislation.
• Financial institutions and payment service providers, exclusively for the execution of transactions arising from the status of Siroko Creator, where applicable.
• External professional advisors (legal, tax, and auditors), subject to professional secrecy obligations.
• In the context of corporate transactions (merger, acquisition, or transfer of a business unit), exclusively to the extent strictly necessary.

SIROKO does not sell personal data to third parties for advertising purposes.

8. Data processors

For the purpose of providing the Platform services, SIROKO engages technology providers that may act as data processors within the meaning of Article 28 GDPR. The corresponding data processing agreement governing the safeguards required under the GDPR is executed with all such providers. The categories of processors currently involved are as follows:

• Cloud infrastructure, hosting, and database providers.
• Audiovisual content transmission and delivery providers (streaming and CDN).
• Web and product analytics providers.
• Providers of email communication and push notification services.
• Providers of user support and customer service tools.
• Providers of automated image and video moderation services.
• Providers of fraud prevention and cybersecurity services.
• Payment gateways and financial service providers, where applicable within the framework of the Siroko Creator program.

The updated and named list of data processors is available to data subjects upon reasoned request to the DPO at gdpr@siroko.com.

9. International data transfers

Certain data processors referred to in the previous section may be located outside the European Economic Area (EEA). In such cases, SIROKO ensures that the transfer is lawful by relying on one of the following mechanisms set out in Chapter V GDPR:

• Adequacy decisions adopted by the European Commission (Article 45 GDPR), where applicable, including, in relation to the United States, the provider’s participation in the EU-US Data Privacy Framework pursuant to Commission Implementing Decision (EU) 2023/1795.
• Standard Contractual Clauses approved by the European Commission under Commission Implementing Decision (EU) 2021/914, supplemented, where necessary, by additional safeguards based on the outcome of the transfer impact assessment (TIA).
• Any other legally valid transfer mechanisms provided for under Articles 46 to 49 GDPR.

Data subjects may request a copy of the safeguards applicable to international transfers affecting their personal data by contacting the DPO.

10. Data retention periods

Personal data will be retained only for as long as necessary to fulfil the purposes described above, in accordance with the storage limitation principle (Article 5(1)(e) GDPR), and subject to the following general retention periods:

Data category	Retention period
User account and Siroko Creator data	For the duration of the account relationship and, following account deletion, blocked for a maximum period of four years in accordance with Article 32.3 LOPDGDD, unless a longer retention period is required under applicable law.
Usage and behavioural data (logs and metrics)	Up to twelve (12) months, unless aggregated or anonymised.
Published content subsequently removed	Up to six (6) months from removal for audit and potential claims purposes, without prejudice to compliance with the DSA.
Moderation system, reports, and account restriction data	For as long as necessary to process the report and, where applicable, for the applicable limitation period for any legal actions that may arise.
Internal Information System (Ethics and whistleblowing channel) data	In accordance with Article 32 of Law 2/2023: for the duration necessary to conduct the investigation and, in any event, for no longer than ten years, as provided for under such legislation.
Accounting, tax, and commercial records	For the retention periods established under applicable law: six years (Article 30 of the Commercial Code) and the applicable tax limitation periods.
Marketing communications	Until consent is withdrawn or the data subject objects to the processing.
Legal claims and defence	For the applicable statutory limitation period relating to the relevant legal actions.

11. Security measures

SIROKO implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR. In particular, and without prejudice to the confidentiality applicable to its systems architecture and configuration, SIROKO implements: encryption of data in transit (TLS) and, where appropriate, at rest; role-based access controls and the principle of least privilege; password policies and enhanced authentication measures for administrative profiles; logical segregation of production environments; regular backups with restoration testing; logging and monitoring of access to critical systems; formalised incident management and data breach notification procedures in accordance with Articles 33 and 34 GDPR; and regular staff training on data protection and information security. SIROKO undergoes periodic audits and reviews to verify the adequacy and effectiveness of these measures.

12. Marketing communications

SIROKO may send users marketing communications relating to its services and content where the user has provided consent or, in the case of existing customers, where the conditions set out in Article 21.2 LSSI-CE are met. Users may object to receiving marketing communications at any time, either through their Platform profile settings or by using the unsubscribe link included in each communication, without affecting the sending of service-related or transactional communications required for the provision of the service.

13. Social media marketing

SIROKO may use custom audience features and other marketing tools provided by the social media platforms on which it maintains a presence, solely where the user has given informed consent for such purposes through the cookie banner or any other mechanisms enabled for this purpose. Users may withdraw their consent at any time.

14. Cookies

The use of cookies and similar technologies is governed by the Cookie Policy, which is available at all times through the footer of the Platform and via the banner settings panel. The Cookie Policy forms an integral part of this Privacy Policy and provides, in accordance with Article 22.2 LSSI-CE, detailed information regarding the cookies used, their purposes, categories, and applicable retention periods.

15. Minors

Access to the Platform and registration as a User are strictly limited to individuals aged eighteen (18) or over, as set out in the General Terms of Use. SIROKO does not knowingly collect personal data from individuals under that age. If an underage user registration is identified, the account will be immediately closed and the associated data deleted, unless retention is required under applicable mandatory law. If a parent or legal guardian becomes aware of an improper registration by a minor, they may contact the DPO at gdpr@siroko.com for urgent handling of the matter.

16. Single point of contact for DSA matters

For the purposes of Articles 11 and 12 of Regulation (EU) 2022/2065 (DSA), SIROKO designates gdpr@siroko.com as its single point of contact for both authorities and recipients of the service. Communications may be submitted in Spanish or English.

17. Rights of the data subject

Data subjects may exercise the following rights in accordance with Articles 15 to 22 GDPR and Articles 11 to 18 LOPDGDD:

• Right of access to their personal data and to information relating to its processing.
• Right to rectification of inaccurate or incomplete data.
• Right to erasure, also known as the right to be forgotten, in the cases provided for under Article 17 GDPR.
• Right to restriction of processing in the cases set out in Article 18 GDPR.
• Right to data portability in accordance with Article 20 GDPR.
• Right to object to processing, including the right to object to direct marketing and related profiling activities.
• Right not to be subject to automated individual decisions producing legal effects or similarly significantly affecting the data subject, in accordance with Article 22 GDPR.
• Right to withdraw consent at any time, without affecting the lawfulness of processing carried out prior to such withdrawal.

The exercise of these rights is free of charge and may be carried out by submitting a request to the DPO at gdpr@siroko.com, specifying the right being exercised and, where necessary to verify the identity of the requester, providing a copy of an identification document. SIROKO will respond within a maximum period of one month from receipt of the request, which may be extended by an additional two months in particularly complex cases, in which event the data subject will be informed accordingly (Article 12.3 GDPR).

18. Complaint before the supervisory authority

Without prejudice to any other administrative or judicial remedy, data subjects have the right to lodge a complaint with the competent supervisory authority, which in Spain is the Spanish Data Protection Agency (AEPD), located at C/ Jorge Juan, 6, 28001 Madrid, and accessible at www.aepd.es. Data subjects are encouraged to contact the DPO beforehand in order to seek an amicable resolution of the matter.

19. Contact

Any questions or requests relating to the processing of personal data or the exercise of data protection rights may be addressed to the DPO at gdpr@siroko.com.

20. Changes to this Policy

SIROKO may update this Privacy Policy to reflect changes in applicable laws, case law, technology, or the way the service is provided. Any updates will be published on this same page. Where the changes are substantial, SIROKO will notify users through its usual communication channels within a reasonable period prior to their entry into force.

21. Policy version and effective date

Privacy Policy of SIROKO TV Version 2. Effective date: April 2026.

---

Siroko Solutions, S.L. · Tax ID No. B33950338 · Plaza 6 de Agosto nº 6, 2º · 33203 Gijón (Asturias), Spain · gdpr@siroko.com