Privacy & Data Processing Policy

DIT Media Management System · Operated by Reelir Studios AB · Last updated: 2026-01-10

Back to homeView Data Processing Agreement

Executive summary

Reelir Studios AB provides a professional media intake and custody management system designed for film and television productions.

The system is built to support secure handling of production media, verifiable chain of custody, and professional accountability throughout the media lifecycle.

Reelir Studios AB acts as a Data Processor, processing personal data on behalf of production companies acting as Data Controllers. Data is processed solely for operational, audit, and delivery purposes and is never used for marketing, tracking, or profiling.

Operational audit records include identifiable information about staff actions and are retained in identifiable form to preserve evidentiary integrity. Audit records are not anonymized, as anonymization would undermine chain-of-custody verification and professional accountability.

Primary data storage is located within the European Union. Where supporting infrastructure involves processing outside the EU, appropriate legal and technical safeguards are applied.

Full policy

1. Controller and Processor roles

This service is operated by Reelir Studios AB, a company registered in Sweden.

Company details
Legal name: Reelir Studios AB
Registered office: Sweden
Role: Data Processor

In the context of this service, the production company using the service is the Data Controller, determining the purposes and means of processing personal data. Reelir Studios AB acts as the Data Processor, processing personal data solely on behalf of and under the instructions of the Data Controller.

2. Scope

This policy describes how personal data is processed in connection with secure media intake, custody tracking, verification, reporting, and delivery services. It applies to production companies, operators, camera crew, and other individuals whose data may be processed as part of operational workflows.

3. Purposes of processing

  • Secure receipt and handling of production media
  • Maintenance of an auditable chain of custody
  • Backup, integrity verification, and reporting
  • Operational coordination and delivery confirmation
  • Professional accountability, audit, and dispute resolution
  • Compliance with contractual, insurance, and legal requirements

Personal data is not processed for marketing, profiling, analytics, or advertising purposes.

4. Categories of personal data processed

  • Operational and technical data: job identifiers, production references, pouch codes, media labels, timestamps, status changes, backup/verification metadata.
  • Contact data (minimal): names and phone numbers provided at intake, used strictly for operational communication.
  • Audit and accountability data: names and roles of operators performing actions, immutable audit events documenting what was done, when, and by whom.

The service is not intended for processing special categories of personal data under Article 9 GDPR.

5. Legal basis

Processing is based on contractual necessity (Article 6(1)(b) GDPR) where required to perform services agreed with the Data Controller, and legitimate interests (Article 6(1)(f) GDPR) including secure handling of production media, chain of custody, professional accountability, auditability, evidentiary integrity, and dispute resolution.

Consent is not relied upon as the primary legal basis, as the service operates in a professional, contractual production context.

6. Audit logs and non-anonymization

Operational audit logs generated by the service are append-only and may include identifiable information about operator actions (names and roles). Audit records are retained in identifiable form and are not anonymized or altered, as doing so would undermine evidentiary value and chain-of-custody integrity.

Requests for deletion or anonymization of audit records may be refused where retention is required for legal, contractual, or professional accountability purposes.

7. Retention

  • Job records and audit logs: up to 36 months
  • Reports and delivery evidence: up to 36 months
  • Communication logs (SMS / WhatsApp): up to 12 months

Retention may be extended where required by law, contractual obligations, or ongoing disputes.

8. Sub-processors and service providers

We use trusted providers strictly to deliver the service:

  • Supabase - database, authentication, and audit logging (EU regions where selected)
  • MEGA S4 Object Storage - report and audit file storage (EU region configured)
  • Railway - application hosting infrastructure (transient processing may occur outside the EU)
  • MessageBird - SMS / WhatsApp delivery notifications (routing may involve global telecommunications networks)
  • Discord - internal operational visibility and redundant message mirroring (non-authoritative; not a system of record)

Where personal data is processed outside the EU, appropriate safeguards are applied, including Standard Contractual Clauses (SCCs) and technical/organizational measures.

9. Security measures

  • Role-based access control
  • Server-side enforcement of writes
  • Append-only audit logging
  • Encryption in transit and at rest (where supported by providers)
  • Separation of file storage and metadata
  • Principle of least privilege

10. Data subject rights

Data subjects have rights under GDPR, including the right to access and rectify personal data. As Reelir Studios AB acts as a Data Processor, requests relating to specific productions should be directed to the relevant production company acting as Data Controller. Where requests are received directly, Reelir Studios AB will cooperate with the Data Controller to facilitate lawful handling.

11. Contact

For privacy-related questions or data protection inquiries, contact Reelir Studios AB at trausti@reelir-studios.com.