Privacy Policy

Last Updated: May 23, 2025 at 00:00

1. Introduction

Thank you for visiting Plot Explained (“we,” “us,” or “our”). Your privacy matters, and although you can explore our movie-summary catalogue without creating an account or revealing your identity, European, United Kingdom, United States federal and state laws nevertheless require that we explain—in clear and comprehensive language—the limited information that is collected when you browse our pages, the reasons that information is processed, and the rights you may exercise in relation to it.

2. Key Definitions

For ease of reference, the expression “personal data” (also “personal information” under California’s CCPA/CPRA) means any data that, alone or in combination with other available material, can identify or be linked to an individual. Conversely, “pseudonymous analytics data” denotes technical signals such as truncated Internet-Protocol (“IP”) addresses, browser fingerprints, page-load timestamps, and aggregated click events, which we collect solely for statistical and service-improvement purposes and which cannot directly reveal who you are.

3. Information We Collect

We purposely avoid all registration flows, comment boxes, newsletters, or tracking pixels that would gather contact details, demographic attributes, or precise geolocation. Nevertheless, when your browser requests a page, our self-hosted instance of PostHog—running on European servers—records the following pseudonymous logs:

No “sensitive personal data” as defined by Article 9 GDPR or by the CPRA is collected, and no “profiling” or “automated decision-making” takes place.

4. Cookies and Similar Technologies

The Service employs a single, first-party cookie set by PostHog to distinguish repeat visits during a rolling 12-month analytics window; the cookie contains a random, pseudonymous string and not your name, email address, or other direct identifier. Pursuant to the EU ePrivacy Directive and subsequent regulatory guidance, we request your consent for this cookie on your first visit from the European Economic Area (“EEA”) or United Kingdom, and we honour the “Do Not Track” signal where supported. If you refuse or later delete the cookie, PostHog falls back to cookieless event hashing, which still cannot personally identify you.

5. Purposes and Legal Bases for Processing

Under Article 6(1)(f) GDPR and the parallel provisions of the UK GDPR, we rely on our legitimate interests in running, securing, and optimising the Service to process the aforementioned analytics events, provided such interests are not overridden by your fundamental rights and freedoms. Where cookies are optional under local law, the lawful basis is instead your consent under Article 6(1)(a) GDPR, which you may withdraw at any time through our cookie banner or your browser settings. We do not process data for personalised advertising; therefore, no lawful basis for marketing is invoked.

6. Disclosures and International Transfers

We do not “sell” or “share” personal information in the sense used by California’s Consumer Privacy Laws, nor do we disclose analytics logs to third-party ad networks, data brokers, or social-media platforms. Our sole service provider is the hosting platform on which the PostHog server runs; that provider acts under a data-processing agreement that incorporates the European Commission’s Standard Contractual Clauses (“SCCs”) when servers are located outside the EEA. Routine backups are encrypted and stored in the same geographic region, and raw logs never leave the cluster.

7. Data Retention

We keep raw event logs for no longer than twelve (12) months, after which they are either aggregated or irreversibly deleted, in accordance with the storage-limitation principle set out in Article 5(1)(e) GDPR and the UK Information Commissioner’s Office guidance. Aggregated statistics, which cannot be traced back to an individual, may be retained indefinitely for historical trend analysis.

8. Security Measures

The Service is delivered exclusively over Transport Layer Security (“TLS”) to protect data in transit, while at rest analytics tables are encrypted and access-controlled behind network firewalls and multi-factor authentication. Our safeguards align with the ISO 27001 framework and its privacy extension ISO 27701, which emphasise risk-based controls, least-privilege access, incident-response logging, and periodic penetration testing. Although no Internet transmission or storage system can be guaranteed 100 percent secure, these measures substantially mitigate foreseeable threats.

9. Your Rights

Depending on where you reside, you may enjoy one or more of the following rights:

To exercise any of these rights, please send a verifiable request to dominik.r.lasinski@gmail.com. We will respond within one month for GDPR requests and within 45 days for CCPA/CPRA requests, subject to permissible extensions.

10. Children’s Privacy

The Service is directed at a general audience and is not intended for, nor knowingly used by, children under the age of thirteen (13). Should we learn that we have inadvertently collected information that can be considered personal under the Children’s Online Privacy Protection Act (“COPPA”), we will delete such data without undue delay.

11. Changes to This Policy

We may update this Privacy Policy to reflect changes in technology, legislation, or our data-handling practices. When we make material revisions, we will post a prominent notice on this page and revise the “Effective Date” above at least fourteen (14) days before the amendments take effect, giving you an opportunity to review the updated terms.

12. Contact Information

Plot Explained
Email: dominik.r.lasinski@gmail.com