Legal

Privacy Policy

Last updated: 29 April 2026

This Privacy Policy explains how A. DEMS LTD processes personal data collected through flex-ip.tv and the FlexIPTV Smart TV application. We comply with the EU General Data Protection Regulation (GDPR, Regulation 2016/679) and Cypriot data-protection law.

1. Data Controller

The data controller responsible for your personal data is:
A. DEMS LTD
Stadiou 11, 2103 Aglantzia/Nicosia, Cyprus
VAT: CY60137615U
Contact for privacy requests: {email}

2. Personal data we collect

We collect only the minimum personal data needed to deliver the service. Specifically:
  • Account / activation — your device ID (8-character code), email address.
  • Payment — purchase amount and order ID. The full card / PayPal data is processed by our payment providers and is never stored on our servers.
  • Technical — IP address, device type, browser type, timestamps, error logs (kept for security and debugging only).
  • Playlist data — the M3U URL or Xtream credentials you submit, stored encrypted on our servers and used solely to push the playlist to your device.
  • Communications — content of messages you send through the contact form.

3. Legal bases (Art. 6 GDPR)

We process your data on the following bases:
  • Performance of a contract (Art. 6(1)(b)) — activation, playlist management, email confirmations.
  • Legitimate interests (Art. 6(1)(f)) — security, fraud prevention, debugging.
  • Legal obligation (Art. 6(1)(c)) — accounting and tax records (Cypriot law).
  • Consent (Art. 6(1)(a)) — when you explicitly agree to a processing not covered above.

4. Why we process your data

We use your personal data only to: (a) deliver the {brand} service you ordered, (b) process payments through our partners, (c) send transactional emails (activation confirmation, support replies), (d) detect and prevent fraud and abuse, (e) comply with our legal obligations (accounting, tax). We do not use your data for marketing, profiling, or advertising.

5. Recipients & processors

We share data only with the following processors, strictly for the purposes above:
  • Hetzner Online GmbH (Germany / Finland) — server hosting.
  • Cloudflare, Inc. (USA, with EU presence) — CDN, anti-bot protection, Turnstile captcha. Bound by Standard Contractual Clauses (SCCs) for any US transfer.
  • PayPal (Europe) S.à r.l. et Cie, S.C.A. (Luxembourg) — payment processing for PayPal transactions.
  • MyPos AD (Bulgaria, EU) — payment processing for credit-card transactions.
  • OVH SAS (France, EU) — outgoing email (SMTP).
We do not sell or share your data with anyone else.

6. International transfers

Cloudflare may process data in the United States. Such transfers rely on the EU Commission's Standard Contractual Clauses (SCCs) and Cloudflare's participation in the EU-US Data Privacy Framework. All other processors store data within the EU/EEA.

7. How long we keep data

  • Account / activation — for the duration of your license + 5 years (Cypriot tax law).
  • Payment records — 7 years (mandatory accounting retention).
  • IPN/payment logs — 90 days, then deleted.
  • Technical logs — 30 days, rotated.
  • Contact form messages — up to 24 months after the last reply.
  • Playlist data — until you delete it or the license expires.

8. Your rights under GDPR

You have the following rights regarding your personal data:
  • Right to access (Art. 15) — get a copy of the data we hold about you.
  • Right to rectification (Art. 16) — correct inaccurate data.
  • Right to erasure (Art. 17) — request deletion when no longer needed.
  • Right to restriction (Art. 18) — limit processing in specific cases.
  • Right to data portability (Art. 20) — receive your data in a structured machine-readable format.
  • Right to object (Art. 21) — to processing based on legitimate interests.
  • Right to withdraw consent (Art. 7(3)) — at any time, where consent is the basis.
  • Right not to be subject to automated decision-making (Art. 22) — we do not use such decision-making.

9. How to exercise your rights

Send your request to {email} with the device ID linked to your license. We respond within one month (Art. 12(3) GDPR). We may extend this period by two months for complex requests, after notifying you.

10. Right to lodge a complaint

If you believe we mishandle your personal data, you have the right to lodge a complaint with the Cypriot supervisory authority: Office of the Commissioner for Personal Data Protection, 1, Iasonos Street, 1082 Nicosia, Cyprus — www.dataprotection.gov.cy. You may also complain to your local DPA in your EU country of residence.

11. Security

We use industry-standard technical and organisational measures to protect your data: TLS encryption in transit, at-rest encryption of sensitive fields (AES-256-CBC), access controls, secrets stored outside the web root, request rate-limiting, anti-bot protection (Cloudflare + Turnstile), and audit logging. No method of transmission or electronic storage is 100% secure, but we apply reasonable care.

12. Cookies

We use only strictly-necessary cookies for security (Cloudflare anti-bot) and to remember your form drafts. We do not use analytics, marketing, or tracking cookies. Therefore no consent dialog is required under GDPR/ePrivacy. A small information banner is shown on first visit; dismissing it is acknowledged but not consent (none being needed).

13. Changes to this policy

We may update this Privacy Policy occasionally. The "Last updated" date at the top reflects the most recent revision. Material changes are announced via email to active customers.

14. Contact

For any privacy question: {email}, or write to A. DEMS LTD, Stadiou 11, 2103 Aglantzia/Nicosia, Cyprus.