SIROKO TV PRIVACY POLICY
Summary
The following is the Privacy Policy of SIROKO TV, in which SIROKO SOLUTIONS, S.L. (hereinafter, “SIROKO” or “the Controller”) provides information regarding the processing of personal data of users of the Siroko TV audiovisual platform, accessible via the website www.sirokotv.com and the official mobile applications for iOS and Android (hereinafter, collectively, “the Platform”), in compliance with Regulation (EU) 2016/679 of April 27 (GDPR), Organic Law 3/2018 of December 5 on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), and other applicable provisions.
Users are advised to read this text in its entirety. However, for informational purposes only, the two essential purposes of the processing are: (i) the provision of the contracted services (access to audiovisual content, registration as a Standard User and, where applicable, as a Siroko Creator); and (ii) compliance with the legal obligations applicable to the Platform, in particular those arising from Regulation (EU) 2022/2065 of October 19 on a Single Market for Digital Services (DSA), Law 34/2002 of July 11 on Information Society Services and Electronic Commerce (LSSI-CE), and the GDPR itself.
1. Introduction
This Privacy Policy applies to the processing of personal data carried out by SIROKO in the context of providing the Platform’s services. Its purpose is to provide the user, in compliance with Articles 13 and 14 of the GDPR, with clear, accessible, and comprehensive information regarding who processes their data, what data is processed, for what purposes, on what legal basis, for how long, to whom it is disclosed, and what rights they have.
SIROKO may update this Policy due to legal, jurisprudential, technical, or business changes. Any substantial changes will be communicated to the user with reasonable advance notice through the usual channels (email, notice on the Platform, or in-app notification). We recommend reviewing this document periodically.
2. Data Controller
The data controller for personal data is:
SIROKO SOLUTIONS, S.L.
Tax ID: B-33950338
Registered office: Plaza 6 de Agosto, No. 2, 2nd Floor — 33206 Gijón (Asturias).
Registered in the Commercial Registry of Asturias.
Phone: +34 984 49 37 44
Email: gdpr@siroko.com
3. Data Protection Officer (DPO)
SIROKO has appointed an external Data Protection Officer, in accordance with Article 37 of the GDPR, in the person of Mr. Martín López Escartiín, a lawyer with the Madrid Bar Association, membership number 103516, representing HONOS ABOGADOS, SLP. The DPO is the single point of contact for any matter relating to the processing of personal data and the exercise of the rights recognized in Articles 15 through 22 of the GDPR.
4. Categories of personal data processed
SIROKO processes the categories of personal data listed below, differentiated based on the user’s status and the source of the data.
4.1. Standard User Data
When registering as a User of the Platform, the following data is collected, to the minimum extent necessary: first and last name, email address, password (stored in encrypted form using one-way cryptographic functions), and, optionally, username or nickname and avatar. Registration may be completed directly or, where applicable, through authentication with third-party identity providers (social login), in which case only the basic profile data strictly necessary to create the account will be obtained.
4.2. Siroko Creator Data
Users who request access to the Siroko Creator program, once their standard user account has been activated, may additionally provide: links to their public social media profiles, a free-form description of their activity and connection to sports, as well as, where applicable and exclusively when required due to monetization or payment, the necessary identification and tax information (Tax ID/Foreign ID, mailing address, and bank details) to comply with legal obligations regarding invoicing, withholding, and tax payments.
4.3. Usage and Behavior Data on the Platform
As a result of the ordinary use of the Platform, SIROKO processes data that may include: IP address, device identifiers, type and version of the operating system and browser, language, approximate geolocation (based on the IP address), viewing history (videos played, viewing time, pauses, and drop-offs), searches and filters applied, interactions (likes, ratings, comments, and saved content), and, in the case of the mobile app, advertising identifiers (IDFA on iOS, AAID on Android) when the user has provided the corresponding consent in accordance with applicable regulations.
4.4. Data derived from the moderation system, reports, and blocks
To comply with the obligations arising from Regulation (EU) 2022/2065 (DSA) and applicable regulations regarding online safety, SIROKO operates an internal content moderation system that involves the processing of personal data, specifically: identification of the reporting user and the reported user in relation to each notification; category and reason for the report; content subject to the report; moderation decision adopted (removal, suspension, expulsion, or dismissal) and the rationale for it in accordance with Article 17 of the DSA; and record of blocks imposed by some users on others.
4.5. Internal Reporting System (Ethics Channel)
When a user utilizes the Internal Reporting System implemented by SIROKO in compliance with Law 2/2023 of February 20, regulating the protection of persons reporting regulatory violations and combating corruption, and Directive (EU) 2019/1937, only the data strictly necessary to process the report will be collected. When the whistleblower chooses not to submit their report anonymously, they will be asked to provide the identifying information required by the regulations, with the confidentiality guarantees that these regulations require.
4.6. Data Collected Through Cookies
The Platform uses cookies and similar technologies in accordance with Article 22.2 of the LSSI-CE and the current Cookie Guidelines of the Spanish Data Protection Agency. Detailed information on the cookies used, their purpose, their type (technical, personalization, analytics, and advertising), and retention periods is available in the Cookie Policy, accessible from the banner settings panel and from the Platform’s footer.
5. Purposes of Processing and Legal Bases
In accordance with Article 6 of the GDPR, SIROKO only processes personal data when one of the legal bases identified for each purpose in the following table applies:
| Purpose | Legal basis (Art. 6 GDPR) |
|---|---|
| Management of user registration and maintenance of the user account. | Performance of a contract (Art. 6.1.b). |
| Management of the Siroko Creator program: application, evaluation, operational communications, and, where applicable, monetization. | Performance of a contract (Art. 6.1.b) and legal obligation regarding applicable tax and commercial obligations (Art. 6.1.c). |
| Provision of Platform services: content playback, searches, recommendations, and social features (likes, comments, saves). | Performance of a contract (Art. 6.1.b). |
| User support, management of inquiries, incidents, and support requests. | Performance of a contract (Art. 6.1.b) and the Controller’s legitimate interest in managing the relationship with the user (Art. 6.1.f). |
| Compliance with the content moderation policy: notification and action (Art. 16 DSA), justification of decisions (Art. 17 DSA), management of reports and blocks. | Compliance with a legal obligation (Art. 6.1.c) and the legitimate interest of the Data Controller and other users in having a safe environment (Art. 6.1.f). |
| Automated content filtering to detect conduct or materials prohibited by the General Terms of Use and applicable regulations. | Compliance with a legal obligation (Art. 6.1.c) and the legitimate interest of the Data Controller (Art. 6.1.f). See Section 6 on automated decisions. |
| Prevention of fraud, abuse, and misuse of the Platform; investigation of security incidents. | Legitimate interest of the Data Controller (Art. 6.1.f) and legal obligation where applicable (Art. 6.1.c). |
| Sending commercial communications regarding SIROKO’s services and content. | Consent of the data subject (Art. 6.1.a) or legitimate interest under Article 21.2 of the LSSI-CE for customers who have purchased similar products or services. |
| Social media marketing (custom audiences and similar). | Consent of the data subject (Art. 6.1.a). |
| Compliance with accounting, tax, commercial, and administrative obligations. | Compliance with a legal obligation (Art. 6.1.c). |
| Management of the Internal Reporting System (Ethics Channel). | Compliance with a legal obligation (Art. 6.1.c) pursuant to Law 2/2023. |
| Defense against claims and pursuit of legal actions. | Legitimate interest of the Data Controller (Art. 6.1.f). |
SIROKO does not process special categories of personal data (Article 9 GDPR), unless the user voluntarily provides them when publishing content on the Platform, in which case the processing will be based on the explicit consent of the data subject in accordance with Article 9.2.a) GDPR.
6. Automated decision-making and content filtering
As a measure to protect users and comply with the moderation obligations arising from the DSA, SIROKO applies automated filtering systems to the content published on the Platform. These systems include: (i) keyword filtering in titles, descriptions, and comments; and (ii), where applicable, integration with automated image and video moderation services offered by specialized providers, aimed at detecting sexually explicit content, graphic violence, or other prohibited materials.
When automated filtering may result in the removal of content or the suspension of an account, the affected user has the right to request human intervention, to express their point of view, and to challenge the decision, in accordance with Articles 22 of the GDPR and 17 and 20 of the DSA. Human review is conducted, in all cases, prior to the adoption of measures with significant legal effects on the user.
7. Disclosure of Data to Third Parties
SIROKO may disclose personal data to third parties exclusively when there is a legal basis justifying such disclosure, in the following cases:
- Public administrations, judicial authorities, law enforcement agencies, and other competent bodies, in compliance with legal obligations, formal requests, or court orders.
- Digital Services Coordinator and other competent national authorities, pursuant to Articles 9 and 10 of the DSA and related regulations.
- Financial institutions and payment service providers, exclusively for the execution of transactions arising from the status of Siroko Creator, where applicable.
- External professional advisors (legal counsel, tax advisors, and auditors), within the framework of professional confidentiality.
- In the context of corporate transactions (mergers, acquisitions, or transfers of business units), exclusively to the extent strictly necessary.
SIROKO does not sell personal data to third parties for advertising purposes.
8. Data Processors
In order to provide the Platform’s services, SIROKO engages technology providers who may act as data processors under the terms of Article 28 of the GDPR. A corresponding contract is signed with each of them, setting forth the safeguards required by the GDPR. The categories of data processors currently involved are as follows:
- Cloud infrastructure, hosting, and database providers.
- Audiovisual content transmission and delivery providers (streaming and CDN).
- Web and product analytics providers.
- Providers of email communications and push notifications.
- User support and customer service tool providers.
- Providers of automated image and video moderation services.
- Fraud prevention and cybersecurity service providers.
- Payment gateways and financial service providers, where applicable within the framework of the Siroko Creator program.
The updated, named list of data processors is available to data subjects upon submission of a reasoned request to the DPO at gdpr@siroko.com.
9. International Data Transfers
Certain data processors mentioned in the previous section may be established outside the European Economic Area (EEA). In such cases, SIROKO ensures the lawfulness of the transfer by applying one of the following instruments provided for in Chapter V of the GDPR:
- European Commission adequacy decisions (Article 45 of the GDPR), where applicable, including, with respect to the United States, the provider’s adherence to the EU-US Data Privacy Framework in accordance with Implementing Decision (EU) 2023/1795.
- Standard contractual clauses approved by the European Commission through Implementing Decision (EU) 2021/914, supplemented, where necessary, by additional measures required in light of the transfer impact assessment (TIA).
- Other legally admissible mechanisms provided for in Articles 46 to 49 of the GDPR.
The data subject may request from the DPO a copy of the safeguards applicable to international transfers involving their data.
10. Retention Periods
Personal data will be retained for the time strictly necessary to fulfill the described purposes, in accordance with the principle of storage limitation (Article 5.1.e) GDPR), in accordance with the following general rule:
| Data category | Retention period |
|---|---|
| User account and Siroko Creator data | For the duration of the account and, once canceled, for up to four years in a locked state, in accordance with Article 32.3 of the LOPDGDD, unless specific regulations impose longer retention periods. |
| Usage and behavior data (logs and metrics) | Up to twelve (12) months, unless aggregated or anonymized. |
| Published and subsequently removed content | Up to six (6) months from removal, for audit purposes and potential claims, without prejudice to compliance with the DSA. |
| Moderation system data, reports, and blocks | For the time necessary to process the notification and, where applicable, for the statute of limitations period for any legal actions that may arise. |
| Data from the Internal Reporting System (Ethics Channel) | In accordance with the provisions of Article 32 of Law 2/2023: the time necessary for the investigation and, at most, ten years, under the terms set forth in said provision. |
| Accounting, tax, and commercial data | Time limits established by applicable regulations: six years (Article 30 of the Commercial Code) and the applicable tax statute of limitations. |
| Commercial communications | Until the data subject revokes consent or objects. |
| Defense against claims | For the duration of the statute of limitations for the corresponding legal actions. |
11. Security measures
SIROKO implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR. In particular, and without prejudice to the necessary confidentiality regarding architecture and configuration, SIROKO implements: encryption of data in transit (TLS) and, where applicable, at rest; role-based access control and the principle of least privilege; password policies and strong authentication for administrative profiles; logical segmentation of production environments; periodic backups with restoration verification; logging and monitoring of access to critical systems; formalized procedures for incident management and security breach notification in accordance with Articles 33 and 34 of the GDPR; and periodic staff training on data protection and information security. SIROKO undergoes periodic audits and reviews to verify the adequacy and effectiveness of these measures.
12. Commercial Communications
SIROKO may send the user commercial communications regarding its services and content when the user has given their consent or, in the case of customers, when the circumstances set forth in Article 21.2 of the LSSI-CE apply. The user may object at any time to the sending of commercial communications, either through their profile on the Platform or via the unsubscribe link included in each communication, without prejudice to the sending of service or transactional communications necessary for the provision of the service.
13. Social Media Marketing
SIROKO may use the custom audience features or other marketing tools offered by the social media platforms on which it has a presence, exclusively when the user has provided their informed consent for this purpose via the cookie banner or other enabled mechanisms. The user may withdraw their consent at any time.
14. Cookies
The use of cookies and similar technologies is governed by the Cookie Policy, accessible at all times from the footer of the Platform and from the banner’s settings panel. The Cookie Policy forms an integral part of this Privacy Policy and sets forth, in accordance with Article 22.2 of the LSSI-CE, the information, purposes, types, and durations applicable to each cookie.
15. Minors
Access to the Platform and registration as a User is reserved exclusively for persons over the age of eighteen (18), as established in the General Terms of Use. SIROKO does not knowingly collect data from minors under that age. If the improper registration of a minor is detected, the account will be immediately closed and the associated data deleted, unless mandatory regulations require its retention. If the parent or legal guardian of a minor becomes aware of an improper registration, they may contact the DPO at gdpr@siroko.com for urgent processing.
16. Single Point of Contact for DSA Matters
For the purposes set forth in Articles 11 and 12 of Regulation (EU) 2022/2065 (DSA), SIROKO designates the email address gdpr@siroko.com as the single point of contact for both authorities and service recipients. Communications will be handled in Spanish and English.
17. Rights of the data subject
The data subject may exercise the following rights, in accordance with the provisions of Articles 15 to 22 of the GDPR and Articles 11 to 18 of the LOPDGDD:
- Right of access to their personal data and to information regarding its processing.
- Right to rectification of inaccurate or incomplete data.
- Right to erasure, also known as the right to be forgotten, in the cases provided for in Article 17 of the GDPR.
- Right to restriction of processing, in the cases provided for in Article 18 of the GDPR.
- Right to data portability, in accordance with Article 20 of the GDPR.
- Right to object to processing, including the right to object to direct marketing and the profiling associated with it.
- Right not to be subject to automated individual decision-making that produces legal effects or significantly affects you, in accordance with Article 22 of the GDPR.
- Right to withdraw consent, without this affecting the lawfulness of processing prior to withdrawal.
The exercise of these rights is free of charge and shall be carried out by submitting a request to the DPO at gdpr@siroko.com, indicating the right being exercised and providing, when necessary to verify the applicant’s identity, a copy of an identification document. SIROKO will respond to the request within a maximum of one month from receipt, extendable by two additional months in particularly complex cases, informing the data subject of such circumstance (Article 12.3 GDPR).
18. Complaint to the supervisory authority
Without prejudice to any other administrative remedy or legal action, the data subject has the right to lodge a complaint with the competent supervisory authority, which in Spain is the Spanish Data Protection Agency (AEPD), located at C/ Jorge Juan, 6, 28001 Madrid, and with the email address www.aepd.es. The data subject is advised to first contact the DPO to attempt to resolve the issue raised.
19. Contact
Any questions or inquiries regarding the processing of personal data or the exercise of rights may be directed to the DPO at gdpr@siroko.com.
20. Changes to this Policy
SIROKO may amend this Privacy Policy to adapt it to new legislative, jurisprudential, technological, or service-related developments. The amendments will be published at this same link. If the changes are substantial, SIROKO will notify the user through the usual channels with reasonable notice prior to their entry into effect.
21. Version and Date of Update
SIROKO TV Privacy Policy. Version 2. Date updated: April 2026.