Last Updated: May 19, 2026

1. Introduction

This Privacy Policy ("Policy") describes how BMDRM ("BMDRM," "we," "our," or "us") collects, uses, discloses, and protects information when you access or use our secure video hosting, encryption, and DRM streaming platform, including our websites, dashboards, APIs, SDKs, plugins, mobile applications, desktop applications, embedded players, and any related services (collectively, the "Services").

BMDRM provides enterprise-grade video infrastructure that helps businesses, educational institutions, media organizations, and creators host, protect, encrypt, package, manage, and securely stream video content. We are committed to handling personal data responsibly, transparently, and in accordance with applicable data protection laws, including the EU General Data Protection Regulation ("GDPR"), the UK GDPR, and the California Consumer Privacy Act ("CCPA"), where applicable.

By using the Services, you acknowledge that you have read and understood this Policy.

2. Scope of This Policy

This Policy applies to:

  • Visitors of our public websites and documentation.
  • Account holders and authorized users of the BMDRM platform.
  • Administrators and developers using our APIs, SDKs, and plugins.
  • End users who view content delivered through BMDRM (only where personal data may be incidentally processed for playback security and analytics).

This Policy does not govern:

  • Third-party services that integrate with BMDRM, which are subject to their own privacy notices.
  • Content uploaded by customers, which is handled under our Data Processing terms (see Section 9 and the Data Processing & Security Overview).

3. Data We Collect

3.1 Account and Customer Data

We collect information you provide directly when creating and managing a BMDRM account, including:

  • Name, business name, and job title.
  • Email address and contact details.
  • Authentication credentials and security settings.
  • Billing information, tax identifiers, and payment method metadata (processed via PCI-compliant payment processors).
  • Communication and support correspondence.

3.2 Usage and Telemetry Data

When you use the Services, we automatically collect:

  • IP address, device identifiers, browser type, and operating system.
  • API request logs, dashboard activity, and feature usage metrics.
  • Playback telemetry (e.g., session duration, buffering events, geographic region at the country level, device class).
  • Error reports and diagnostic data.

3.3 Integration and OAuth Data

When you connect a third-party storage provider (such as Google Drive, Microsoft OneDrive, Dropbox, FTP/SFTP servers, or S3-compatible storage), BMDRM accesses only the files and folders you explicitly authorize. We collect:

  • OAuth access tokens and refresh tokens (stored encrypted at rest).
  • Metadata of selected files and folders (file names, sizes, MIME types, modification dates).
  • The content of files you explicitly select for import.

We do not scan, read, or index files outside of the scope you authorize.

3.4 Customer Content

"Customer Content" means video files, audio, subtitles, thumbnails, metadata, watermark configurations, and any other materials uploaded or imported into the Services by you or your authorized end users. We process Customer Content solely as a Data Processor on your behalf and in accordance with your instructions.

3.5 Cookies and Similar Technologies

We use cookies and similar technologies as described in our Cookie Policy.

4. How We Use Information

We use information for the following purposes:

PurposeLegal Basis (GDPR)
Provide, operate, and maintain the ServicesPerformance of a contract
Authenticate users and secure accountsLegitimate interests; legal obligation
Import, transcode, encrypt, package, host, and stream Customer ContentPerformance of a contract
Provide playback analytics and operational dashboardsPerformance of a contract; legitimate interests
Detect, prevent, and respond to fraud, abuse, and security incidentsLegitimate interests; legal obligation
Communicate service updates, security notices, and support responsesPerformance of a contract; legitimate interests
Comply with legal, regulatory, and contractual obligationsLegal obligation
Send marketing communications (where permitted)Consent; legitimate interests

5. What We Do Not Do

We want to be explicit about the limits of our data handling:

  • We do not sell your personal data or your Customer Content.
  • We do not use imported files or Customer Content for advertising.
  • We do not scan uploaded or imported content for marketing, profiling, or behavioral advertising purposes.
  • We do not use Customer Content to train machine learning models that are made available to third parties.
  • We do not access cloud storage files or folders beyond what you explicitly authorize.

6. Cloud Storage Integrations

BMDRM offers connectors to third-party storage providers including, but not limited to, Google Drive, Microsoft OneDrive, Dropbox, Amazon S3-compatible storage, and FTP/FTPS/SFTP servers.

When you connect an integration:

  • Access is initiated only by you through an authenticated OAuth flow or credential entry.
  • BMDRM requests the minimum scopes necessary to provide the functionality you select.
  • BMDRM accesses only the files and folders you explicitly select for import or synchronization.
  • Imported files are used solely to import, process, transcode, encrypt, package, host, and securely stream the content you authorize.
  • You may revoke access at any time through the BMDRM dashboard or through the third-party provider's account settings.
  • Upon revocation or account deletion, associated access tokens are securely destroyed.

For Google API-specific disclosures, please review our Google API Services User Data Disclosure.

7. How We Share Information

We share information only as described below:

  • Service Providers / Sub-processors: We engage vetted third parties (cloud infrastructure, content delivery networks, payment processors, monitoring providers, customer support tooling) under written agreements that require confidentiality and adequate data protection.
  • Affiliates: With BMDRM-affiliated entities for the purposes described in this Policy.
  • Legal and Safety: When required by law, court order, or to protect the rights, property, or safety of BMDRM, our customers, or the public.
  • Business Transfers: In connection with a merger, acquisition, financing, or sale of assets, subject to customary confidentiality protections.

We do not share information with advertisers, data brokers, or for purposes of independent profiling.

8. International Data Transfers

BMDRM operates globally. Where personal data is transferred outside your country of residence, we rely on appropriate safeguards, including the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, and other lawful transfer mechanisms.

9. Data Controller and Data Processor Roles

  • BMDRM acts as a Data Controller for account, billing, and platform usage data that we collect directly from customers and visitors.
  • BMDRM acts as a Data Processor for Customer Content and any personal data contained within it, processing such data solely on your documented instructions.

A Data Processing Agreement ("DPA") is available to customers on request and is incorporated by reference into our customer agreements where applicable.

10. Data Retention

We retain personal data only as long as necessary to provide the Services, comply with legal obligations, resolve disputes, and enforce agreements:

  • Account data: retained for the duration of the account plus a reasonable archival period.
  • Customer Content: retained according to your configuration; deleted upon your instruction or account termination, subject to short backup retention windows.
  • Logs and telemetry: retained for operational, security, and audit purposes, typically no longer than 24 months.
  • OAuth tokens: retained while the integration is active; destroyed upon revocation.

11. Security

We maintain a comprehensive information security program, including:

  • TLS encryption for data in transit.
  • Strong encryption at rest for stored content, credentials, and tokens.
  • Role-based access controls and least-privilege principles.
  • Audit logging and infrastructure monitoring.
  • Secure key management practices.
  • Regular vulnerability management and security assessments.

Additional detail is available in the Data Processing & Security Overview.

12. Your Rights

Subject to applicable law, you may have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate or incomplete data.
  • Request deletion of your data.
  • Restrict or object to certain processing.
  • Receive your data in a portable format.
  • Withdraw consent where processing is based on consent.
  • Lodge a complaint with a supervisory authority.

To exercise these rights, contact us at [email protected]. If you are an end user of a BMDRM customer, please direct requests to the customer that controls the relevant content.

13. Children's Privacy

The Services are not directed to children under 16. We do not knowingly collect personal data from children. If we learn we have collected such data, we will delete it promptly.

14. Changes to This Policy

We may update this Policy from time to time. Material changes will be communicated through the Services or by email. The "Last Updated" date at the top reflects the most recent revision.

15. Contact Us

For privacy questions, data subject requests, or to request a copy of our Data Processing Agreement, contact:

BMDRM Privacy Team Email: [email protected]