MADlogotype

Privacy Policy

Effective Date: 27 April 2026

Last Updated: 27 April 2026

Madstream Sp. z o.o. (“MadStream,” “we,” “us,” or “our”) is a company incorporated under the laws of the Republic of Poland, with its registered office at Chodakowska 55/57 m. 22A, 03-816 Warsaw, Poland. MadStream owns, operates, and distributes general-entertainment streaming channels and Free Ad-Supported Television (FAST) applications across Connected TV (CTV) platforms worldwide.

This Privacy Policy applies to all applications and services published by MadStream on any CTV platform, including but not limited to Roku, Amazon Fire TV, Google TV (Android TV), Samsung Smart TV (Tizen), LG Smart TV (webOS), VIDAA, Vizio SmartCast, and any other platform on which our applications may be distributed (collectively, the “Services”).

MadStream is the data controller responsible for processing your personal data under applicable data protection legislation, including the EU General Data Protection Regulation (“GDPR”), the California Consumer Privacy Act and California Privacy Rights Act (“CCPA/CPRA”), the Virginia Consumer Data Protection Act (“VCDPA”), the Colorado Privacy Act (“CPA”), the Connecticut Data Privacy Act (“CTDPA”), the UK Data Protection Act 2018, Brazil’s Lei Geral de Proteção de Dados (“LGPD”), and all other applicable privacy and data protection laws.

By accessing or using any of our Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the practices described herein, please discontinue use of our Services immediately.

1. Information We Collect

We collect the minimum information necessary to operate, improve, and monetize our Services. We do not require user accounts, login credentials, or registration to use our applications. The categories of data we collect are described below.

1.1 Device and Technical Information

  • Device type, model, manufacturer, and hardware specifications
  • Operating system type and version (e.g., Roku OS, Fire OS, Tizen, webOS, Android TV)
  • CTV platform and app-store identifiers (e.g., Roku Channel ID, Amazon ASIN, bundle ID)
  • Platform-issued device identifiers, including advertising identifiers (Roku RIDA, Amazon Ad ID, Google GAID, Samsung PSID/TIFA, LG Ad ID) and non-resettable identifiers only where required by the platform for app operation
  • IP address and coarse geolocation derived therefrom (city-level or less precise; we do not collect GPS coordinates)
  • Language and locale settings, display resolution, time zone, and network connection type (Wi-Fi, Ethernet)
  • Firmware version and supported media codecs

1.2 Viewing and Usage Data

  • Session timestamps, durations, and frequency of use
  • Content titles, categories, and channels viewed; playback durations and completion rates
  • User interactions such as channel navigation, search queries, pause, play, fast-forward, and rewind actions
  • Application error logs, crash diagnostics, and performance metrics

1.3 Advertising Data

  • Ad request metadata (placement, ad unit, channel context)
  • Ad impression, view, quartile completion, skip, and click events
  • Advertiser and campaign category metadata
  • Consent and opt-out signals, including IAB Transparency and Consent Framework (TCF) strings, IAB US Privacy String (USP), Global Privacy Platform (GPP) signals, and platform-level Limited Ad Tracking (LAT) flags
  • Viewability and invalid traffic (IVT) measurement data collected by authorized verification vendors on behalf of advertisers

1.4 Voluntarily Provided Information

  • Email address or other contact details submitted through support or feedback channels
  • Survey responses or promotional contest entries, where applicable

We do not collect: names, postal addresses, phone numbers, financial or payment information, biometric data, precise geolocation, health data, Social Security numbers, or any government-issued identifiers through our CTV applications.

2. How We Collect Data

  • Automatically through our application code when you launch and use our Services
  • Through proprietary and third-party software development kits (SDKs) integrated in our applications for analytics, ad serving, and performance monitoring
  • Via secure server-side API calls and HTTP request/response logs
  • Through consent management platforms (CMPs) deployed within our applications to collect, store, and transmit your privacy preferences
  • Through tracking pixels, impression beacons, and VAST/VPAID/OMSDK tags embedded in ad creatives delivered by demand partners
  • From CTV platform APIs that provide device-level identifiers and settings in accordance with platform policies

3. Purposes of Data Processing

We process personal data for the following purposes:

  • Service delivery and operation: to load, display, and stream video content; manage channel libraries; and ensure application stability across platforms.
  • Advertising: to serve, measure, and optimize advertisements, including contextual and (where consented or permitted) interest-based advertising, and to attribute ad performance for our own channels and for third-party demand partners.
  • Analytics and improvement: to understand viewing patterns, content preferences, and application performance in order to improve our Services and develop new features.
  • Fraud prevention and security: to detect and prevent invalid traffic (IVT), ad fraud, unauthorized access, and other security threats.
  • Compliance: to satisfy legal obligations, respond to lawful requests from public authorities, enforce our terms, and protect our rights.
  • Consent management: to process and honor your privacy choices and consent signals across sessions and platforms.

4. Legal Bases for Processing (EEA/UK Users)

Where the GDPR or UK GDPR applies, we rely on one or more of the following legal bases:

  • Consent (Article 6(1)(a)): for personalized advertising and the placement of non-essential tracking technologies. You may withdraw consent at any time via the consent management controls within the application or by contacting us.
  • Legitimate interests (Article 6(1)(f)): for contextual advertising, analytics, fraud prevention, and service optimization. We have conducted balancing tests to ensure our interests do not override your fundamental rights.
  • Contractual necessity (Article 6(1)(b)): where processing is required to deliver the video streaming service to you.
  • Legal obligation (Article 6(1)(c)): where processing is required by applicable law, regulation, or court order.

5. Sharing and Disclosure of Data

We may share your data with the following categories of recipients, and only to the extent necessary for the stated purposes:

  • Advertising demand partners and ad networks: to facilitate programmatic ad transactions via real-time bidding (OpenRTB), direct deals, and programmatic guaranteed arrangements. These partners receive device identifiers, IP-derived geolocation, and ad-interaction data as part of bid requests and ad serving.
  • Ad verification and measurement vendors: to measure viewability, detect invalid traffic, and provide brand safety assessments (e.g., DoubleVerify, IAS, MOAT, Pixalate, HUMAN).
  • Analytics service providers: to aggregate and analyze usage patterns for content and product optimization.
  • CTV platform operators: Roku, Amazon, Google, Samsung, LG, and other platform operators may independently collect data through their own operating systems. We share information with platforms as required by their developer agreements and certification requirements.
  • Cloud infrastructure and hosting providers: under data processing agreements that include appropriate security and confidentiality obligations.
  • Legal, regulatory, and governmental authorities: when required by applicable law, subpoena, court order, or governmental regulation, or when we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.
  • Corporate transaction parties: in connection with a merger, acquisition, divestiture, reorganization, or sale of assets, your data may be transferred as part of the transaction, subject to standard confidentiality arrangements.

We do not sell personal data as defined under the CCPA/CPRA. We do not share personal data for cross-context behavioral advertising except where you have provided affirmative consent or where such sharing is performed through mechanisms that do not constitute a “sale” or “share” under applicable law.

6. International Data Transfers

Your personal data may be processed in countries other than the country in which you reside, including the United States and other jurisdictions where our partners and infrastructure providers operate. When transferring personal data outside the European Economic Area (EEA), Switzerland, or the United Kingdom, we implement the following safeguards:

  • Standard Contractual Clauses (SCCs) approved by the European Commission (Implementing Decision (EU) 2021/914) and/or the UK International Data Transfer Agreement/Addendum
  • EU-U.S. Data Privacy Framework, UK Extension, and Swiss-U.S. Data Privacy Framework certifications, where the recipient is certified
  • Binding data processing agreements with all subprocessors and demand partners that include obligations regarding data security, confidentiality, and onward transfer restrictions
  • Adequacy decisions issued by the European Commission or UK Secretary of State, where applicable

7. Your Rights

7.1 Rights Under the GDPR / UK GDPR

If you are located in the EEA or the United Kingdom, you have the right to: access your personal data; request rectification of inaccurate data; request erasure (“right to be forgotten”); restrict processing; object to processing based on legitimate interests; receive your data in a portable format; withdraw consent at any time without affecting the lawfulness of prior processing; and lodge a complaint with your local supervisory authority (for Poland: Urząd Ochrony Danych Osobowych, UODO).

7.2 Rights Under the CCPA / CPRA (California Residents)

California residents have the right to: know what personal information is collected and how it is used; request deletion of personal information; opt out of the sale or sharing of personal information; limit the use of sensitive personal information; and not be discriminated against for exercising privacy rights. We do not use or disclose sensitive personal information for purposes other than those permitted under the CPRA.

7.3 Rights Under Other U.S. State Privacy Laws

Residents of Virginia, Colorado, Connecticut, and other states with applicable privacy legislation may have similar rights to access, correct, delete, and opt out of targeted advertising and profiling. We will honor all verifiable consumer requests in accordance with the requirements of each applicable jurisdiction.

7.4 Rights Under the LGPD (Brazil)

Brazilian users may exercise rights including confirmation of processing, access, correction, anonymization, portability, deletion, and revocation of consent under the LGPD.

7.5 Exercising Your Rights

To exercise any of the above rights, please contact us at privacy@madstream.net. We will verify your identity before processing any request and will respond within the time frames required by applicable law (generally 30 days under the GDPR and 45 days under the CCPA/CPRA). You may also exercise certain rights directly through the privacy settings on your CTV device or through the in-app consent management interface.

8. Advertising Opt-Out and Consent Controls

You can manage your advertising preferences through several mechanisms:

  • In-app consent management: where available, our applications include a consent management interface allowing you to grant, deny, or withdraw consent for personalized advertising.
  • Platform-level controls: most CTV platforms provide device-level settings to limit ad tracking (LAT), reset your advertising identifier, or opt out of interest-based advertising. Please refer to your device manufacturer’s instructions (e.g., Roku “Limit Ad Tracking,” Amazon “Disable Interest-Based Ads,” Samsung “Interest-Based Advertising Service,” LG “Advertisement” settings, Google TV “Ads” settings).
  • Industry opt-out tools: you may use DAA (Digital Advertising Alliance) opt-out tools at optout.aboutads.info and NAI (Network Advertising Initiative) opt-out at optout.networkadvertising.org where applicable.

When we detect a LAT flag or receive a valid opt-out signal, we will cease serving personalized advertisements and will not pass your advertising identifier to demand partners for interest-based targeting. You will continue to receive contextual (non-personalized) advertisements.

9. Data Retention

We retain personal data only as long as necessary for the purposes described in this Policy or as required by law. Our standard retention periods are:

Data Category

Retention Period

Ad event logs (impressions, clicks, completions)

Up to 13 months

Device and session logs

6–12 months

Aggregated analytics data

Up to 24 months (anonymized)

Consent records and opt-out preferences

Duration of service relationship + 3 years

User support correspondence

Up to 2 years after resolution

Fraud and IVT investigation records

Up to 3 years

After the applicable retention period, personal data is securely deleted or irreversibly anonymized.

10. Security Measures

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction, including:

  • Encryption of data in transit using TLS 1.2 or higher and HTTPS for all API communications
  • Encryption of personal data at rest in our databases and storage systems
  • Role-based access controls, multi-factor authentication, and principle of least privilege for all personnel and systems with access to personal data
  • Regular vulnerability assessments, penetration testing, and security audits
  • Data minimization, pseudonymization, and anonymization techniques applied wherever possible
  • Incident response procedures and breach notification protocols compliant with GDPR Article 33/34 requirements
  • Documented data processing agreements with all subprocessors containing security obligations

11. Children’s Privacy

Our Services are general-entertainment channels intended for a general audience. They are not directed at children under the age of 13 (or the applicable age of digital consent in your jurisdiction, such as 16 in certain EEA member states).

We do not knowingly collect personal data from children. We comply with the Children’s Online Privacy Protection Act (COPPA) in the United States, the Age Appropriate Design Code in the United Kingdom, and equivalent protections under the GDPR for minors.

Where required by platform policies, our applications transmit COPPA-compliant flags (e.g., coppa=1 in ad requests, childDirected tags in platform manifests) to ensure that no behavioral or interest-based advertising is served to child audiences. We do not engage in interest-based advertising targeting known child audiences under any circumstances.

If we learn that we have inadvertently collected personal data from a child, we will promptly delete such data. If you believe we may have collected data from a child, please contact us at privacy@madstream.net.

12. Third-Party Platforms and Links

Our applications run on CTV platforms operated by third parties (Roku, Amazon, Google, Samsung, LG, and others). Each platform operator has its own privacy policy governing data it collects through its operating system, app store, and device services. We are not responsible for the privacy practices of these platform operators. We encourage you to review the privacy policies of the relevant platform.

Our Services may contain links to third-party websites or services (for example, advertiser landing pages). We are not responsible for the content, privacy practices, or security of any third-party site or service.

13. Automated Decision-Making and Profiling

We may use automated processes to determine which advertisements to display based on contextual signals (content genre, time of day, geographic region) and, where consented, device-level interest signals. These processes do not produce legal effects or similarly significant effects on you. You have the right to object to such processing or to request human review as described in Section 7.

14. Do Not Track and Global Privacy Control

We recognize and honor Global Privacy Control (GPC) signals transmitted by your browser or device as valid opt-out requests for the sale or sharing of personal information under applicable state privacy laws. We also honor platform-specific Limited Ad Tracking (LAT) settings. At present, there is no uniform standard for Do Not Track (DNT) signals in the CTV environment; however, we respect equivalent opt-out mechanisms provided by each platform.

15. Limitation of Liability

To the fullest extent permitted by applicable law, MadStream, its directors, officers, employees, agents, and affiliates shall not be liable for any indirect, incidental, special, consequential, or punitive damages, including without limitation loss of profits, data, goodwill, or other intangible losses, arising out of or relating to:

  • any unauthorized access to or use of our servers, systems, or any personal data stored therein;
  • any interruption, cessation, or malfunction of our Services;
  • any bugs, viruses, or similar harmful components transmitted through our Services by any third party;
  • the actions, omissions, or privacy practices of third-party CTV platform operators, advertising demand partners, measurement vendors, or any other third parties;
  • your reliance on any information provided through or in connection with our Services.

This limitation applies regardless of the legal theory under which damages are sought (contract, tort, strict liability, or otherwise), even if MadStream has been advised of the possibility of such damages. In jurisdictions that do not allow the exclusion or limitation of certain damages, our liability shall be limited to the greatest extent permitted by law.

16. Indemnification

By using our Services, you agree to indemnify, defend, and hold harmless MadStream, its parent companies, subsidiaries, affiliates, officers, directors, employees, agents, licensors, and service providers from and against any claims, liabilities, damages, losses, costs, expenses, or fees (including reasonable attorneys’ fees) arising out of or relating to your violation of this Privacy Policy, your misuse of the Services, or your violation of any applicable law or the rights of a third party.

17. Governing Law and Dispute Resolution

This Privacy Policy and any dispute arising out of or in connection with it shall be governed by and construed in accordance with the laws of the Republic of Poland, without regard to its conflict-of-law provisions. Any disputes shall be submitted to the exclusive jurisdiction of the competent courts in Warsaw, Poland, except where mandatory consumer protection laws of your jurisdiction provide otherwise.

Nothing in this section limits your right to lodge a complaint with a data protection supervisory authority in the EEA member state of your habitual residence.

18. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we make material changes, we will update the “Last Updated” date at the top of this Policy and, where feasible, provide notice through the application interface or other reasonable means.

We encourage you to review this Privacy Policy periodically. Your continued use of our Services after any changes constitutes your acceptance of the revised Policy. If a change materially and adversely affects your rights, we will use commercially reasonable efforts to notify you in advance.

19. Contact Us

For any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact:

Madstream Sp. z o.o.

Data Protection Inquiries

Chodakowska 55/57 m. 22A

03-816 Warsaw, Poland

Email: privacy@madstream.net