Privacy Policy
Effective Date: June 1, 2026
Version: 1.0.0
Last Reviewed: June 1, 2026
What this is
This Privacy Policy covers all DarkHorse properties — DarkHorse.Codes, DarkHorse Media, and any other service we operate under the DarkHorse brand. It explains what we collect, why, who we share it with, and how to exercise your rights.
What you should know first
- We collect what we need to run the Service and bill you. Nothing more.
- We do not sell your data. Ever.
- We do not use your data to train AI models.
- We do not share for cross-context behavioral advertising.
- You can request access, correction, or deletion at any time: privacy@darkhorse.codes
- For EU/UK residents: GDPR rights apply, summarized in §8
- For California residents: CCPA-equivalent rights apply, summarized in §15.2
§1 — Who We Are
The controller of your personal information is:
DarkHorse (also known as DarkHorse Codes and Dark Horse Media)
Operated by Tommy R Hudson Jr
1242 Elco Ave
Maumee, OH 43537, USAPrivacy contact: privacy@darkhorse.codes
We do not have a designated Data Protection Officer (DPO) under GDPR Article 37 — the requirement does not apply at our current scale. Privacy inquiries are handled by Tommy R Hudson Jr directly.
§2 — What We Collect
Account Information:
- Name (if you provide one)
- Email address (required)
- Username
- Encrypted password hash (we never see your actual password)
Payment Information:
- Billing name and billing address
- Card details — tokenized by Stripe; we never see actual card numbers
- Subscription tier and billing history
Service Usage Information:
- Login times and IP addresses
- Watch history (titles played, duration, completion) — DarkHorse Media only
- Device type and player used
- Service preferences (subtitles, audio language, etc.)
- Content requests submitted — DarkHorse Media only
Communications:
- Support emails you send us
- Notifications we send you (delivery confirmations, billing receipts)
Server Logs:
- Request URLs and timestamps
- Browser / client user agent
- HTTP response codes
- Connection IPs (for security monitoring)
Custom Build Specific (for Custom Build engagements only):
- Whatever data is described in the applicable Statement of Work
We do not collect:
- Government IDs (SSN, passport, driver's license)
- Health or medical information
- Biometric data
- Precise GPS location
- Information about minors (we don't knowingly serve users under our minimum age)
§3 — How We Use It
Purposes and Lawful Basis (for EU/UK residents)
| Purpose | Data Used | Lawful Basis (GDPR Art. 6) |
|---|---|---|
| Provide the Service | Account, payment, service usage | Contract performance (Art. 6(1)(b)) |
| Bill your subscription | Payment info | Contract performance |
| Send transactional emails | Email, name | Contract performance |
| Maintain security | Server logs, IP | Legitimate interest (Art. 6(1)(f)) |
| Improve the Service | Watch history, usage stats | Legitimate interest |
| Respond to your support inquiries | Communications | Contract performance |
| Detect fraud and abuse | Account, usage, IP | Legitimate interest |
| Comply with legal obligations (tax, DMCA, court orders) | Various | Legal obligation (Art. 6(1)(c)) |
| Send promotional content | Consent (Art. 6(1)(a)) — opt-in only |
What We Do NOT Do With Your Data
- Sell or rent to advertisers or data brokers
- Train AI models — your data is not used as training input
- Profile you for cross-context advertising
- Share with marketing partners
- Use for any purpose not described in this Policy
§4 — Who We Share It With
We share data only with third-party services that make DarkHorse work. Each is bound by contractual obligations to protect your data.
| Provider | Data Shared | Purpose | Location | Safeguard |
|---|---|---|---|---|
| Stripe, Inc. | Name, email, address, tokenized payment | Payment processing | USA | Stripe DPA, Standard Contractual Clauses |
| Cloudflare, Inc. | IP address, request metadata | DNS, security, CDN | USA + EU edge | DPA, SCCs |
| Google LLC (Workspace) | Email addresses, message content | Email delivery | USA | DPA, SCCs |
| Real-Debrid | None of your direct PII; your individual RD account (if used) is separate | Content cache infrastructure | France | EU-EU (no transfer needed) |
| VPS Mart (hosting provider) | All server-processed data | Server hosting | USA | DPA, SCCs |
We may also share data:
- In response to valid legal process (court orders, subpoenas)
- To protect rights, property, or safety of DarkHorse, our Subscribers, or the public
- As part of a business transition (acquisition, merger) — you'll be notified before any transfer
- For DMCA compliance — see our DMCA Policy
§5 — How Long We Keep It
| Data Category | Retention Period | Reason |
|---|---|---|
| Account profile | While account is active + 12 months | Customer service follow-up |
| Billing records | 7 years | Tax / regulatory requirement |
| Watch history | 90 days after last activity | Service improvement, recommendations |
| Server logs | 30 days | Security investigation |
| Email correspondence | 2 years | Customer service history |
| DMCA-related records | 3+ years | Required by 17 U.S.C. § 512 |
| Marketing consent records | Until revoked + 3 years | Demonstrating compliance |
| Custom Build deliverables | Per applicable SOW | Contract requirement |
After the retention period:
- Personal identifiers are deleted
- Aggregate or anonymized data may be retained for service analytics
- Backups are purged on the standard backup rotation (30-90 days)
§6 — Where Your Data Goes
DarkHorse infrastructure is located in:
- USA — Stripe, Cloudflare, Google, VPS Mart (primary hosting)
- France — Real-Debrid
For data transfers involving EU residents to US-based processors, we rely on Standard Contractual Clauses (SCCs) executed by our processors as the primary transfer mechanism.
§7 — Security
We protect your data with:
- TLS 1.3 encryption for all data in transit
- Encrypted password storage (bcrypt or equivalent)
- Stripe for tokenized payment processing — we never see card numbers
- Access controls limiting staff access to your data (currently: only Tommy R Hudson Jr)
- Network segmentation between services
- Monitoring for unusual access patterns
- Regular security review of infrastructure configuration
We cannot guarantee absolute security. No system is completely secure. If something goes wrong, we'll let you know per §12.
§8 — Your Rights
Regardless of where you live, you have the following rights with respect to your data:
Right to Access. You can request a copy of the data we have about you.
Right to Correct. You can ask us to fix inaccurate data.
Right to Delete. You can request deletion of your data. Exceptions apply (billing records we must retain, ongoing legal obligations, etc.).
Right to Object. You can object to certain uses of your data (e.g., legitimate-interest processing).
Right to Restrict. You can ask us to limit how we use your data.
Right to Portability. You can request your data in a machine-readable format.
Right to Withdraw Consent. Where we rely on consent (like promotional emails), you can withdraw it anytime.
Right to Complain. You can complain to a supervisory authority. For EU residents: your local data protection authority. For California residents: California Attorney General.
We do not engage in automated decision-making that produces legal effects on you, so GDPR Article 22 rights do not apply.
§9 — How to Exercise Your Rights
Email privacy@darkhorse.codes. Include:
- Your name and the email associated with your account
- Which right you're exercising
- Details of your request
We respond within 14 days. For requests covered by GDPR, EU subscribers have a statutory right to a response within 30 days; we generally beat that.
We may need to verify your identity before processing a request, particularly for access or deletion requests. This protects you against someone else attempting to obtain or delete your data.
§10 — Cookies & Tracking
Essential cookies: Used for login sessions, security, and to make the Service work. Cannot be disabled.
Functional cookies: Remember your preferences (language, subtitle defaults, audio language).
Analytics cookies: Anonymized usage statistics to help us understand and improve the Service.
We do not use:
- Advertising cookies
- Cross-site tracking cookies
- Third-party marketing cookies
- Behavioral profiling cookies
For EU residents, our cookie banner allows opt-in to non-essential cookies. You can change cookie preferences anytime via the footer link.
§11 — Children's Privacy
DarkHorse is not intended for children under 13. We do not knowingly collect data from anyone under 13. If you believe a child has provided us with information, contact privacy@darkhorse.codes and we will delete it.
For EU residents, the minimum age is 16, or 13-15 with verified parental consent (we ask at signup).
§12 — Breach Notification
If we discover a breach affecting your personal data:
- We assess the impact within 24 hours
- For EU residents: we notify the relevant supervisory authority within 72 hours, if required by GDPR
- We notify you without undue delay if the breach poses a high risk to your rights
- We provide details about what was affected, what we're doing, and what you can do
§13 — Updates to This Policy
We may update this Policy. Material updates:
- Posted with new effective date and version at darkhorse.codes/privacy
- Announced via email to active Subscribers at least 14 days before taking effect
- Prior versions preserved in our public git repository
Non-material updates (typos, clarifications) may happen without separate notice but always with a new version number and effective date.
§14 — Contact
| Purpose | |
|---|---|
| Privacy requests, GDPR / CCPA inquiries | privacy@darkhorse.codes |
| General support | support@darkhorse.codes |
| Legal inquiries | legal@darkhorse.codes |
| DMCA notices | dmca@darkhorse.codes |
§15 — Region-Specific Provisions
§15.1 — For EU and UK Residents
Under GDPR / UK GDPR, you have all the rights in §8, plus:
- The right to lodge a complaint with your local supervisory authority
- The right to know the source of any data we collected indirectly (we collect directly from you, so this is moot for most data)
We do not have an EU or UK representative — the requirement does not apply at our current scale. Direct your inquiries to privacy@darkhorse.codes.
Lawful Basis Map is in §3 above.
Data Transfers Outside EEA: Standard Contractual Clauses with each US-based processor. See §4 for the list.
§15.2 — For California Residents
The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) may not technically apply at our current scale, but we honor CCPA-equivalent rights for all California residents as a matter of practice.
Right to Know: Categories of personal information collected, sources, purposes, and recipients are detailed throughout this Policy.
Right to Delete: Submit deletion requests per §9.
Right to Opt-Out of Sale/Sharing: We do NOT sell your personal information. We do NOT share it for cross-context behavioral advertising. No opt-out is needed because we don't engage in these activities.
Right to Correct: Submit corrections per §9.
Right to Limit Sensitive Personal Information Use: Email privacy@darkhorse.codes. We collect account credentials (subject to this right) and IP address (also subject), but no other sensitive PI categories.
Right to Non-Discrimination: Exercising any of these rights does not affect your service or pricing.
Categories of personal information collected in the last 12 months (per CCPA categorization):
- Identifiers (name, email, IP)
- Customer records (account info, billing history)
- Internet/network activity (logs, watch history)
- Inferences (preferences derived from usage)
§15.3 — For Other Jurisdictions
If you reside in a jurisdiction with applicable privacy law not specifically called out above (LGPD in Brazil, PIPEDA in Canada, etc.), we apply equivalent protections as a matter of practice. Contact privacy@darkhorse.codes with specific inquiries.
§16 — OMERTA App & Instagram Platform Data
This section applies when you interact with our Instagram presence powered by our O.M.E.R.T.A. application (Meta App ID 1553420016281952) — for example, when you comment on one of our posts, send our account a direct message, or tap a link that opens a conversation with us.
What the app receives from Meta
- Your Instagram username and user ID
- The text and timestamps of comments you leave on our posts
- The text and timestamps of direct messages you send to our account
- The interaction context needed to respond (e.g., which post you commented on)
The app does not receive your password, your email address, your follower list, or access to your private account content.
How we use it
- To reply to your comments and messages — including automated replies you explicitly request, such as receiving a link or a free guide
- To keep follow-up messages relevant to what you asked about
- To measure, in aggregate, which content people engage with
Retention
Conversation and comment data held by the app is retained for up to 12 months from your last interaction, or until you request deletion — whichever comes first. Standard website and click data is governed by §5 and §10 above.
How to Delete Your Data
Send the word DELETE as a direct message to our Instagram account, or email privacy@darkhorse.codes with your Instagram username. We will delete your conversation and comment data held by the app within 30 days and confirm when complete. This also satisfies Meta Platform data-deletion requirements.
Related Documents
- Terms of Service — darkhorse.codes/terms
- DarkHorse Media Terms — darkhorse.codes/media-terms
- DMCA Policy — darkhorse.codes/dmca
- Support — darkhorse.codes/support
Version History
- v1.0.0 — June 1, 2026 — Initial publication
- v1.1.0 — July 6, 2026 — Added §16: OMERTA app & Instagram Platform data (collection, use, retention, deletion instructions)
© DarkHorse · Silent · Controlled · Inevitable