titlomat

Privacy Policy

Version 2.0 · 10 May 2026.

1. Introduction and purpose of this Policy

1.1 This Privacy Policy (hereinafter: the “Policy”) explains how the company LumiVerse Ltd. (hereinafter: “LumiVerse”, “we”, “us” or “our”) collects, processes, stores and protects personal data in connection with the operation of the Titlomat service (hereinafter: the “Platform” or “Titlomat”) available at the internet address https://titlomat.com.

1.2 The Policy is intended for the following categories of data subjects:

  • Users of the Platform, natural persons who open a user account, purchase a subscription and use Titlomat for the automated processing and translation of subtitles for their own videos (hereinafter: “Users”);
  • visitors to the Platform’s marketing pages who do not open a user account but only stay on the publicly accessible pages;
  • persons who contact us via email, the contact form or other support channels;
  • third parties whose voice or likeness appears in content that Users upload for processing, within the limits and restrictions described in chapter 6 of this Policy.

1.3 The Policy has been prepared in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”), the Act on the Implementation of the General Data Protection Regulation (Official Gazette 42/18), as well as the guidelines of the European Data Protection Board (EDPB) and the Croatian Data Protection Agency (AZOP).

1.4 The Policy forms an integral part of the contractual relationship between the User and LumiVerse and shall be read together with the Terms of Use of the Platform. By accessing the Platform or opening a user account, you confirm that you have familiarised yourself with this Policy.

1.5 Particular attention in this Policy is given to the processing arising from the integration with the YouTube API service of Google LLC, because Titlomat delivers its core functionality by retrieving audio recordings from YouTube and uploading multilingual subtitles back to the User’s channel. All processing arising from that integration is aligned with the requirements of the Google API Services User Data Policy, including the requirements of the so-called “Limited Use” policy (see in particular chapters 4.5 and 7).

2. Controller and contact details

The controller of personal data is:

2.1. Data Protection Officer (DPO)

2.1.1 LumiVerse has not currently appointed a Data Protection Officer (DPO). Based on an analysis of Article 37 of the GDPR and the related guidelines of the European Data Protection Board (WP243), we have assessed that the current scope and nature of processing on the Platform do not require the mandatory appointment of a DPO, bearing in mind in particular that:

  • we do not process special categories of personal data under Article 9 of the GDPR, nor data on criminal convictions under Article 10 of the GDPR, as a core activity;
  • our core activity does not include extensive and systematic monitoring of data subjects within the meaning of Article 37(1)(b) of the GDPR;
  • the scope of the user base and the number of processing transactions do not currently reach the level of “large scale processing” according to the criteria used by the EDPB.

2.1.2 Notwithstanding the above, we review that assessment regularly and undertake to appoint a Data Protection Officer as soon as any of the following conditions occurs: a significant increase in the scope or risk of processing, an extension of processing to special categories of data, a complaint or instruction from a supervisory authority, or a change in regulations extending that obligation to companies of our size or activity.

2.1.3 For all questions relating to the processing of personal data and the exercise of data subject rights, until a DPO is appointed, you may contact us at the email address info@lumiverse.hr. We handle requests within the deadlines provided by the GDPR (one month, with the possibility of extension by a further two months in the case of complex or numerous requests, with prior notice to the applicant).

3. Key terms

For the sake of clarity, this Policy uses the following terms with the meanings given to them in the GDPR:

  • Personal data, any information relating to an identified or identifiable natural person (Article 4(1) of the GDPR).
  • Processing, any operation or set of operations performed on personal data (collection, recording, storage, adaptation, retrieval, transmission, erasure and similar).
  • Controller, a natural or legal person which, alone or jointly with others, determines the purposes and means of processing (in the context of this Policy this is LumiVerse Ltd., except in the cases described in chapter 6).
  • Processor, a third party which processes personal data on behalf of the controller (for example, providers of cloud infrastructure, ASR and machine translation, payment processing).
  • Data subject, a natural person to whom the personal data relate.
  • Consent, any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which they signify agreement to the processing of their personal data.
  • Profiling, any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person.
  • EEA, the European Economic Area, comprising the Member States of the European Union as well as Iceland, Liechtenstein and Norway.

4. Data we collect

The categories of personal data we collect vary depending on the nature of your relationship with the Platform. Below we describe all relevant categories in detail.

4.1. Identification and contact data

  • email address, which also serves as your username on the Platform;
  • first and last name if you enter them yourself in the account settings or when an invoice is issued;
  • company name and OIB of the business entity if you subscribe to a business plan and an invoice is issued to a legal person or sole trader;
  • password, which is stored only as a cryptographic hash with a random “salt” (bcrypt algorithm). The Platform never stores or sees the original plain-text password;
  • interface language, time zone and other basic account preferences.

4.2. Usage and technical data

  • IP address from which you access the Platform;
  • device and browser data (browser type and version, operating system, browser language);
  • date, time and duration of access, as well as data about actions within the Platform (for example, which videos you sent for processing, which languages you selected for translation);
  • session identifiers and internal system logs;
  • error and performance data (error logs that help with diagnostics).

4.3. Financial and transactional data

  • data required for issuing invoices in accordance with the accounting and tax regulations of the Republic of Croatia (name or business name of the payer, address, OIB of the legal entity where applicable);
  • history of subscriptions, payments and issued invoices;
  • type and tier of the agreed plan and consumption within the plan (number of minutes processed, number of language variants generated and similar).

Note: full payment card data or other payment instrument data is processed exclusively at our payment service provider (Stripe), which is certified to the PCI-DSS standard. LumiVerse itself does not store and cannot see the card number, expiry date or security codes.

4.4. Communication data

  • content of emails, messages and tickets sent to our customer support;
  • feedback, suggestions, complaints and objections;
  • technical communication metadata (date and time of sending, email headers and similar).

4.5. Data from the integration with the YouTube API service

4.5.0 Sign-in with Google. If a User signs in via the “Sign in with Google” button on the sign-in or sign-up pages, LumiVerse receives only basic profile data: the email address, profile name and the unique Google account ID (`sub`). For this sign-in we do NOT request access to Gmail, Drive, contacts, the YouTube channel, or any other Google service. Access to the YouTube channel (described in 4.5.1 below) is requested through a separate, later consent, which the User may refuse and still use the Platform in demo mode.

4.5.1 The Platform’s functionality requires the User to connect their Google account and the corresponding YouTube channel with Titlomat via the standard OAuth 2.0 protocol. As part of that connection, the following categories of data are stored and processed on the LumiVerse side:

  • OAuth tokens, the access token and the refresh token issued by Google. We store these tokens only in encrypted form using the AES-256-GCM cryptographic algorithm, and encryption is performed with a key that is not stored in the same storage as the encrypted tokens;
  • the unique identifier and name of the connected YouTube channel and publicly available channel metadata (number of publicly published videos, name, description);
  • identifiers and basic metadata of individual videos that the User selects for processing (video title, description, source language, duration, publication status);
  • statuses of subtitle uploads back to the User’s channel (success or failure, time, list of languages).

4.5.2 The access that Titlomat requests is limited to the scope strictly necessary for providing the agreed functionality, that is, reading metadata of videos that the User selects and uploading (and modifying) subtitles on the User’s own videos. The exact OAuth scope we request is https://www.googleapis.com/auth/youtube.force-ssl. This is the minimum scope Google offers for the captions.insert and captions.update operations we perform; no narrower scope exists. From the YouTube API service we do not retrieve and do not store:

  • comments below videos or replies to comments;
  • data about channel viewers (their email addresses, identifiers, viewing history);
  • detailed YouTube Analytics statistics beyond the minimum needed to display them to the User within the Platform;
  • content from other Google services (Gmail, Drive, Calendar, Photos, Contacts, Maps and similar);
  • data from other YouTube channels that are not connected to the account;
  • videos and channels that the User has not explicitly selected for processing.

4.5.3 The use of data obtained through the YouTube API service is fully compliant with the requirements of the Google API Services User Data Policy, including its Limited Use requirements. Data obtained through the YouTube API service is used exclusively to provide the Platform’s functionality that is visible to the User and that the User has activated. In particular:

  • we do not sell, license or share it with third parties for advertising purposes;
  • we do not use it for serving or targeting advertisements, building advertising profiles or advertising segments;
  • we do not use it to train generalised or publicly available machine learning or deep learning models, nor do we permit our processors to do so;
  • we do not allow humans (employees, contractors) to read it, except in the narrow exceptions provided for in the above Google policy: with your explicit consent, for security, to prevent abuse, or to comply with a legal obligation.

Google’s own handling of data we transmit during the OAuth flow is governed by Google’s Privacy Policy at https://policies.google.com/privacy.

4.5.4 The User may at any time revoke consent for access to YouTube data, either through the Titlomat settings (the “Disconnect channel” button) or directly through the security permissions page in the Google account at https://myaccount.google.com/permissions. Upon revocation of consent, or upon successful disconnection of the channel from the Platform, the stored OAuth tokens are irrevocably deleted from our system without undue delay.

4.6. Audio and AI-derived content

4.6.1 For selected YouTube videos we temporarily retrieve and store the audio track for the purpose of performing automatic transcription (speech-to-text, ASR) and machine translation (MT) into the target languages selected by the User.

4.6.2 The audio recording is retained only for as long as is necessary for processing and basic quality control of the results, and for no longer than 30 (thirty) days from the completion of processing, after which it is automatically deleted from the production infrastructure.

4.6.3 From the audio recording, derived content is generated which is retained for a longer period (see chapter 11):

  • transcripts of the original (text with time-stamped segments);
  • machine translations of the transcripts into the selected target languages;
  • additional linguistic transformations and language corrections (grammatical and stylistic refinement of the text with the help of large language models);
  • subtitle files (for example, in SRT or VTT format) ready for upload to YouTube.

4.6.4 Audio recordings and AI-derived content are not used to train AI models of LumiVerse or of third parties. This obligation is contractually imposed on every processor of ours that technically participates in the processing.

4.7. Data from the contact form and marketing

4.7.1 If you contact us via the contact form, email or a similar channel, we process your name, email address, message content and technical metadata (time of sending, headers). The legal basis is our legitimate interest (Article 6(1)(f) of the GDPR) or, if the inquiry relates to the conclusion of a contract, taking steps at your request prior to entering into a contract (Article 6(1)(b) of the GDPR). We retain communication for no longer than 3 (three) years from the last message exchanged, after which we delete or anonymise it, unless longer retention is justified for the purpose of legal claims.

4.7.2 If in the future we introduce a newsletter or other marketing communication, it will be based exclusively on your prior explicit consent (Article 6(1)(a) of the GDPR), which you will be able to withdraw at any time, without giving reasons and without any negative consequences for your use of the Platform. Before any such communication is launched, this Policy will be supplemented with a corresponding description of the processing.

5. Purposes and legal bases of processing

5.1 We process all personal data only on the basis of one of the legal grounds set out in Article 6 of the GDPR, namely:

  • performance of a contract (Article 6(1)(b) of the GDPR), for the data in sections 4.1, 4.3, 4.5 and 4.6, which are necessary to open an account, charge the subscription, process the selected videos and deliver the subtitles;
  • legitimate interest (Article 6(1)(f) of the GDPR), for the data in section 4.2 (logs, technical data) for the purposes of Platform security, preventing abuse and improving service quality, as well as for internal reporting at an aggregated level;
  • consent (Article 6(1)(a) of the GDPR), for non-essential cookies (chapter 13) and any marketing communication (section 4.7.2);
  • legal obligation (Article 6(1)(c) of the GDPR), for data we must retain to comply with accounting, tax and other regulations of the Republic of Croatia.

5.2 For every processing operation based on legitimate interest we have carried out a documented balancing test (Legitimate Interest Assessment, LIA) by which we have assessed the relationship between our interests and the rights and freedoms of data subjects. A summary of the assessment is available to the supervisory authority and to a data subject who submits a reasoned request for it by writing to info@lumiverse.hr.

6. Content of user videos and persons appearing in them

6.1 Videos processed through the Platform are selected and uploaded by the User from their own YouTube channel. Such videos may feature the voice, likeness or other personal identifiers of third parties (interviewees, guests, incidental passers-by and similar).

6.2 For the content of their videos, the User is the controller within the meaning of the GDPR. The User is responsible for ensuring an appropriate legal basis (consent, contract, legitimate interest or another basis) for processing the personal data of third parties appearing in their videos, as well as for fulfilling their information obligations toward such persons.

6.3 LumiVerse, in the part in which, at the User’s request, it processes the content of the User’s videos (transcription, translation, subtitle generation), acts as a processor within the meaning of Article 28 of the GDPR. In that capacity we process the data exclusively on the documented instructions of the User arising from the Terms of Use and this Policy, and we apply the technical and organisational protection measures described in chapter 12.

6.4 The Platform does not carry out biometric processing of faces or voices within the meaning of Article 9 of the GDPR. It does not identify individuals by comparing biometric features, nor does it build biometric templates. The speech-to-text machine model that we use serves solely for generating text and does not associate the spoken speech with the identity of a specific person.

6.5 A third party who considers that their data is being processed through the Platform contrary to applicable regulations may contact us at info@lumiverse.hr. Since access to the content, context and legal basis of processing rests primarily with the User, we will as a rule forward such requests, without undue delay, to the User as controller, with notice to the applicant.

7. Automated processing, AI and transcription

The Platform fundamentally relies on automated processing and artificial intelligence. Given the significance of this area for the rights of data subjects, we openly describe how AI operates within the Platform and what its limitations are.

7.1. What AI does on the Platform

  • Automatic Speech Recognition (ASR), converting speech from the audio recording into text in the source language, with time-stamped segments.
  • Machine Translation (MT), translation of the transcript into the target languages selected by the User.
  • Language refinement, optional polishing of the text with the help of large language models for better readability, punctuation correction and similar surface-level corrections.
  • Segmentation and formatting, adapting the text for display as a subtitle (line length, duration of an individual segment, characters per second).

7.2. Limitations and shortcomings

The AI systems we use, and AI systems in general, have inherent limitations that we openly acknowledge and that we inform Users about:

  • Transcription errors, models may misrecognise strong accents, regional language variants, proper names, technical terms, voices in noise or speech from multiple speakers at the same time.
  • Hallucinations, large language models occasionally generate words or sentences that are not present in the source audio. With that in mind, the derived texts should be reviewed critically.
  • Bias in translation, statistical translation models carry biases from the corpora on which they were trained. Gender, register and cultural references may be systematically shifted.
  • Contextual errors, the same term may be mistranslated due to the absence of broader context (for example, domain, irony, sarcasm).
  • Need for human review, for content where an incorrect subtitle could have legal, financial, health or other serious consequences, we explicitly recommend human review of the results before publication.

7.3. Legal status, automated decision-making

7.3.1 LumiVerse does not make automated decisions which produce legal effects on data subjects or similarly significantly affect them within the meaning of Article 22 of the GDPR. Transcripts, translations and generated subtitles are an informational product and do not by themselves lead to a decision about a data subject.

7.3.2 If the User, or another person based on content generated by the Platform, makes a decision that significantly affects a data subject (for example, a decision on employment, cooperation, public publication), that decision remains, in the GDPR sense, the responsibility of that person, who, in relation to the data subject, has their own independent obligations under the GDPR.

7.4. Use of external AI providers

7.4.1 For certain functionalities (in particular ASR, MT and language refinement) we use services of third-party AI providers. We choose providers that process data within the EEA whenever possible, and in the case of transfers outside the EEA we apply the safeguards from chapter 9.

7.4.2 With each such provider we have concluded a Data Processing Agreement compliant with Article 28 of the GDPR, by which the provider undertakes, among other things, to:

  • process the data only on our instructions;
  • not use the data for its own purposes, in particular not for training generalised models;
  • apply appropriate technical and organisational measures;
  • notify us without undue delay of any personal data breach;
  • delete or return all personal data upon termination of the service.

7.4.3 To external AI providers we send only the minimum data that is strictly necessary for the performance of a specific functionality (for example, an audio segment or text for translation), applying the principle of data minimisation set out in Article 5(1)(c) of the GDPR.

8. Recipients of the data and processors

8.1 We may share personal data with the following categories of recipients, always on the basis of an appropriate Data Processing Agreement (Article 28 of the GDPR) and applying the principle of minimisation:

  • cloud infrastructure and hosting providers, for storing, serving and running the Platform;
  • AI service providers, for automatic speech recognition, machine translation and language refinement, with a contractual prohibition on training on user data (section 7.4);
  • payment service providers, Stripe Payments Europe, Limited, which processes card and transaction data in accordance with the PCI-DSS standard;
  • Google LLC / Google Ireland Limited, as the provider of the YouTube API service we integrate with, only to the extent described in section 4.5;
  • transactional email providers, for sending system and transactional messages (registration confirmation, password reset, notice of completion of video processing, invoices);
  • analytics and telemetry tool providers, for pseudonymised monitoring of Platform usage and error diagnostics;
  • accounting services and auditors, for keeping business books and fulfilling tax obligations;
  • lawyers, advisers and insurers, when necessary to protect our legal interests or exercise rights;
  • competent authorities and courts, solely on the basis of a valid legal ground (official order, statutory disclosure obligation and similar).

8.2 An up-to-date list of key processors (sub-processors) is maintained internally. Upon a reasoned request from a data subject or User, we will provide the list and basic information on the processing location and the protection mechanism for transfers outside the EEA.

8.3 LumiVerse does not sell personal data to third parties, does not exchange it for marketing purposes and does not share it with advertisers.

9. Transfers of data outside the EEA

9.1 We seek to perform basic processing and storage of data within the European Economic Area.

9.2 To the extent that individual processors (in particular providers of AI infrastructure and certain cloud technologies) carry out processing outside the EEA, we ensure one of the following legal bases for transfer set out in Chapter V of the GDPR:

  • a decision of the European Commission on an adequate level of protection for the third country in question (Article 45 of the GDPR);
  • Standard Contractual Clauses (SCC) approved by the European Commission (Article 46 of the GDPR), with additional technical and organisational measures where we assess it necessary;
  • other appropriate safeguards provided for in Articles 46 to 49 of the GDPR.

9.3 A data subject may at any time request information about the protection mechanism applied to a specific transfer by sending a request to info@lumiverse.hr.

10. Your rights as a data subject

In accordance with the GDPR, you have the following rights, which you may exercise at any time:

  • Right of access (Article 15), the right to obtain confirmation as to whether we are processing your personal data and, if so, access to that data and information about the purposes of processing, categories of data, recipients and retention periods.
  • Right to rectification (Article 16), the right to request correction of inaccurate and completion of incomplete personal data.
  • Right to erasure / right to be forgotten (Article 17), the right to request the deletion of personal data when they are no longer necessary for the original purpose, when you withdraw consent, when you lodge a justified objection, or in other cases set out in the GDPR. The right is not absolute and may be limited by statutory retention obligations (chapter 11).
  • Right to restriction of processing (Article 18), the right to request a temporary halt of processing, for example while we verify the accuracy of the data or the lawfulness of the processing.
  • Right to data portability (Article 20), the right to receive your personal data in a structured, commonly used and machine-readable format and to transmit it to another controller, where the processing is based on consent or contract and is carried out by automated means.
  • Right to object (Article 21), the right to lodge an objection to processing based on legitimate interest, for reasons related to your particular situation. For direct marketing the objection is absolute and we honour it without further assessment.
  • Right not to be subject to automated decision-making (Article 22), as explained in chapter 7, we do not make such decisions; if we were to introduce them, we would notify you separately.
  • Right to withdraw consent, where processing is based on consent, you have the right to withdraw it at any time, without affecting the lawfulness of processing carried out on the basis of consent before its withdrawal.

Right to lodge a complaint with a supervisory authority. If you consider that the processing of your personal data is contrary to the GDPR, you may lodge a complaint with:

  • Croatian Data Protection Agency (AZOP)
  • Selska cesta 136, 10000 Zagreb, Republic of Croatia
  • Web: www.azop.hr

10.1. How to exercise your rights

10.1.1 You may submit a request by email to info@lumiverse.hr or by post to LumiVerse’s registered office. The request may be drafted in free form, but for efficient handling we ask that you state your identification details, indicate which right you are exercising and provide a short description of your request.

10.1.2 We will provide our response within one month of receipt of the request. In the case of complex or numerous requests, we may extend that period by a further two months, with prior notice to the applicant and a statement of reasons for the extension.

10.1.3 The exercise of rights is as a rule free of charge. For manifestly unfounded or excessive requests (in particular because of repetition), we may charge a reasonable administrative fee or refuse to act, with a statement of reasons and information on the right to lodge a complaint with the supervisory authority.

10.1.4 To prevent unauthorised disclosure of data and possible misuse, before acting on a request we may ask for additional information necessary to unambiguously identify the applicant.

11. Data retention periods

We retain personal data only for as long as is necessary to fulfil the purpose of processing or to comply with statutory obligations. The indicative retention periods apply as follows:

  • User account data (section 4.1), for the duration of the account and a reasonable technical buffer of up to 90 days after account deletion, after which the data is deleted or anonymised, except for data we must retain for accounting and tax purposes.
  • Accounting data (section 4.3), 11 (eleven) years from the end of the business year, in accordance with Croatian accounting regulations.
  • YouTube OAuth tokens (section 4.5), up to the moment when the User disconnects the channel, withdraws consent through Google security settings or deletes the user account; upon the occurrence of any such event, the tokens are irrevocably deleted without undue delay.
  • Audio recordings (section 4.6.2), for no longer than 30 (thirty) days from the completion of processing, after which they are automatically deleted.
  • Transcripts, translations and subtitle files (section 4.6.3), for the duration of the user account and a reasonable technical buffer of up to 90 days after account deletion.
  • Technical logs (section 4.2), as a rule up to 12 (twelve) months, with the possibility of longer retention in narrow cases (security incidents, legal proceedings).
  • Support communication (section 4.4), for no longer than 3 (three) years from the last message exchanged.
  • Backups, retained in a shorter rotation cycle (as a rule up to 35 days), after which older versions are overwritten.

12. Security measures

We implement technical and organisational measures appropriate to the risk of processing personal data, in accordance with Article 32 of the GDPR.

12.1. Technical measures

  • encryption of traffic between the User and the Platform via the TLS protocol (HTTPS), including sign-in, OAuth flows and all calls to the YouTube API;
  • storage of passwords only as cryptographic hashes with a random “salt” (bcrypt algorithm). The Platform never stores or sees the original password;
  • encryption of OAuth tokens at rest using the AES-256 algorithm in GCM mode, with the key kept separately;
  • restricted access to the database, infrastructure resources and administrative interfaces, granted only to those staff whose work expressly requires it (principle of least privilege);
  • regular backups of data at secure locations with our infrastructure providers;
  • regular monitoring and updating of security patches on all components of the operating system and the application stack;
  • use of cloud infrastructure providers that maintain industry-recognised security standards and certifications (for example, ISO/IEC 27001, SOC 2);
  • anomaly detection mechanisms, detection of suspicious sign-ins and rate limiting to defend against abuse.

12.2. Organisational measures

  • principle of least privilege, access to personal data is granted only to persons for whom it is necessary in order to perform their work tasks;
  • confidentiality agreements (NDAs) and Data Processing Agreements with all processors and contractors who, in the course of their work, may come into contact with personal data;
  • regular maintenance of an up-to-date level of knowledge of employees and contractors regarding GDPR obligations, EDPB and AZOP guidelines;
  • internal procedures for the identification, reporting and resolution of security incidents and personal data breaches;
  • periodic review of security and organisational measures in line with the development of the Platform and the evolution of threats.

12.3. Personal data breaches

12.3.1 In the event of a personal data breach that may pose a risk to the rights and freedoms of data subjects, we will report the breach to the Croatian Data Protection Agency within 72 hours of becoming aware of it, in accordance with Article 33 of the GDPR.

12.3.2 If the breach is likely to result in a high risk to the rights and freedoms of data subjects, we will also notify the affected data subjects without undue delay, in accordance with Article 34 of the GDPR, in clear and plain language, with an indication of the measures we recommend they take to mitigate possible consequences.

13. Cookies and similar technologies

13.1. What cookies are

Cookies are small text files that are stored on your device when you visit the Platform. We use them for the basic operation of the Platform, to remember your settings and to understand how the Platform is used.

13.2. Categories of cookies we use

  • Strictly necessary cookies, always active because they are essential to the operation of the Platform (sign-in session, security checks, load balancing). No consent is required for them under the applicable rules.
  • Functional cookies, enable us to remember your settings (interface language, display preferences). They are activated with your consent.
  • Analytics cookies, help us understand how the Platform is used and to improve it (aggregated, pseudonymised data). They are activated with your consent.
  • Marketing and advertising cookies, we do not use third-party marketing or advertising cookies on the Platform.

13.3. Consent management and settings

13.3.1 We collect consent for non-essential cookies through a consent banner displayed on your first visit to the Platform. You may change your consent at any time through the “Cookie settings” link available in the Platform footer.

13.3.2 You may also block or delete cookies through your browser settings. Note that blocking strictly necessary cookies may affect the basic functionality of the Platform (for example, the ability to sign in).

14. Obligation to provide data

14.1 Providing the data from sections 4.1, 4.3, 4.5 and 4.6 is necessary in order to conclude and perform the contract for the use of the Platform. Without that data we cannot open a user account, charge the subscription, connect the YouTube channel or process videos.

14.2 Providing data for non-essential cookies, any marketing communication and other forms of processing based on consent is voluntary. The failure to provide such data, or the refusal of consent, has no consequences for basic use of the Platform.

15. Target audience of the Platform and persons under 18

15.1 The Titlomat Platform is intended for adults, primarily authors of YouTube channels and business entities that authorise their representatives to use the Platform. The Platform is neither designed for nor marketed to persons under 18.

15.2 We do not knowingly collect personal data of persons under 18. If we become aware that we have processed the data of a minor without an appropriate legal basis, we will delete such data without undue delay.

15.3 If you believe that a minor in your environment has used the Platform or has left data, please notify us at info@lumiverse.hr so that we may take appropriate action.

16. Changes to this Policy

16.1 We may amend the Policy from time to time due to development of the Platform, new functionality, changes in regulations or in the practice of the supervisory authority.

16.2 We will notify Users of significant changes via email and/or a prominent notice within the Platform at least 30 (thirty) days before they take effect. The date of the latest amendment is always stated in the header of this document.

16.3 For processing based on your consent, significant changes will require new consent. Existing consent will not, in such a case, be automatically extended to the new scope of processing.

17. Contact

For all questions, requests and complaints relating to the protection of personal data and this Policy, please contact us: