Privacy Policy

Streampal.tv is a free stream management platform built for content creators. References to "we", "us", or "our" in this policy refer to Streampal.tv and its operators. If you have any questions about this policy, contact us at [email protected].

We collect the following information when you use Streampal.tv:

Your Twitch user ID, display name, and profile picture, obtained when you log in via Twitch OAuth.

Your stream title and live status, used to power go-live announcements.

Chat messages sent in your channel that are processed by the Streampal bot, used to handle commands and moderation rules you have configured.

Song request data including track titles, artists, and the usernames of chatters who requested them.

TikTok gift events, including the sender's username and gift name. When a streamer enables gift-gating, we track in-memory (not persisted to disk) which TikTok viewers have sent a qualifying gift during the current stream session, solely to determine song request eligibility.

TikTok follow events, used to display follower notifications in the streamer's live chat panel.

Bot settings and custom commands you configure in the Dashboard.

Session metadata for each login, including your IP address (stored encrypted), browser user agent (stored encrypted), and approximate geographic location (country and city, derived offline from your IP). This is used to show your active sessions in the Dashboard and to help you identify unrecognised logins.

If you enable two-factor authentication: your TOTP secret key (stored encrypted at rest) and hashes of any backup codes you generate. The backup codes themselves are never stored, only their hashes.

Public profile content you choose to publish via My Page, including your bio, display links, and custom panels.

If you create a viewer account: your email address, display name, and hashed password (if using email sign-in), or your Twitch user ID and display name (if using Twitch sign-in). A 6-digit verification code is generated at registration and stored temporarily for up to 15 minutes to verify your email address, then deleted.

Audio files you upload to the soundboard feature, stored on our servers for as long as you keep them. These files are permanently deleted when you remove them individually or delete your account.

Basic usage data such as feature interactions, used to understand how the service is being used and to improve it.

We do not collect payment information. Streampal.tv is free and we do not process payments directly.

We process your personal data on the following legal bases under UK GDPR:

Contract performance (Article 6(1)(b)) — the majority of data we collect is necessary to provide the service you have signed up for. This includes your account details, session data, bot settings, commands, and song request data.

Legitimate interests (Article 6(1)(f)) — we log session metadata (IP address, browser, approximate location) to help protect your account and detect unauthorised access. We believe this is proportionate to the privacy impact and is in both our and your interests. We also retain anonymised usage data to improve the service.

Legal obligation (Article 6(1)(c)) — we may process or retain data where required to comply with applicable law, including responding to valid legal requests or DMCA takedown notices.

We do not rely on consent as a lawful basis for processing, except where you explicitly opt in to optional features. Where consent is used, you may withdraw it at any time by contacting us or adjusting your settings.

The information we collect is used exclusively to:

Authenticate you and maintain your session via a secure HttpOnly cookie.

Operate the chatbot and overlay features on your behalf.

Store and display your configured commands, moderation rules, and bot settings.

Show song request history and queue data on your overlay and dashboard.

Send go-live announcements in your chat when your stream starts.

Display your active sessions in the Dashboard so you can review and revoke them.

Verify your identity when you use two-factor authentication.

Render your public profile page at streampal.tv/[username].

Authenticate viewer accounts and maintain viewer sessions via a secure HttpOnly cookie.

Send email verification codes to newly registered viewer accounts.

Improve and debug the service.

We do not use your data for advertising, and we do not share it with third parties for marketing purposes.

Streampal.tv connects to third-party platforms including Twitch, TikTok, YouTube, and Spotify. When you connect an account, those platforms share certain information with us under their own OAuth scopes. Your use of those platforms is governed by their own privacy policies.

We use the Twitch API to read chat messages and post bot messages in your channel. We use it only for features you have enabled. We do not access your Twitch account beyond the permissions you grant during sign-in.

Spotify is an optional connection. If you choose to connect your Spotify account, we use it solely to read your currently playing track so that song metadata can be displayed on your stream overlay. We do not access your Spotify library, playlists, or listening history beyond the currently playing track. You can disconnect Spotify at any time from Settings.

We use Cloudflare Turnstile on the viewer account registration form to prevent automated abuse. Turnstile is a privacy-preserving challenge that does not use advertising cookies or behavioural tracking. See Cloudflare's privacy policy for details on how it processes data.

Your data is stored on secure servers. We take reasonable technical and organisational measures to protect your information against unauthorised access, loss, or disclosure.

Sensitive fields (including IP addresses, browser user agents, and TOTP secrets) are encrypted at rest using AES-256-GCM. Authentication tokens are hashed with SHA-256 and the raw token is never stored. Backup codes are stored only as hashes and cannot be recovered once generated. Viewer account passwords are hashed using bcrypt; the plaintext password is never stored.

Session authentication is handled via a secure, HttpOnly, SameSite cookie. This prevents the token from being accessed by JavaScript or transmitted in URLs.

You can further protect your account by enabling two-factor authentication from the Security section of your Dashboard Settings.

Streampal.tv is currently in Early Alpha. While we take security seriously, no system is completely immune to risk. We recommend not storing sensitive personal information beyond what is required to use the service.

We retain your account data for as long as your account is active. Song request history and chat logs processed by the bot are retained for a limited period to provide the service and are not stored indefinitely.

Session records are retained until they are revoked by you or expire through inactivity. You can view and delete individual sessions at any time from the Dashboard. If you enable 2FA, your encrypted TOTP secret and backup code hashes are retained until you disable 2FA or delete your account.

If you delete your account, we will remove your personal data (including session records, 2FA data, and public profile content) from our systems within a reasonable timeframe. Some anonymised or aggregated data may be retained for analytical purposes.

Depending on your location, you may have the following rights regarding your personal data:

The right to access the personal data we hold about you.

The right to request correction of inaccurate data.

The right to request deletion of your data.

The right to object to certain types of processing.

The right to data portability.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

Streamers can delete their Streampal.tv account at any time from the Dashboard. Viewers can delete their viewer account by contacting us at [email protected]. On deletion, your account data, settings, and associated personal information will be removed from our systems.

Streampal.tv uses HttpOnly, Secure, SameSite cookies to maintain authenticated sessions. One cookie is used for streamer accounts and one for viewer accounts. Neither cookie contains personal information; each holds only a session token that is hashed and stored server-side. We do not use cookies for tracking or advertising purposes. You can disable cookies in your browser settings, but doing so will prevent you from logging in.

Streampal.tv is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has provided us with personal information, please contact us and we will take steps to remove it.

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. Continued use of the service after changes are posted constitutes your acceptance of the revised policy.

We will make reasonable efforts to notify users of significant changes, but it is your responsibility to review this policy periodically.

If you have any questions, concerns, or requests relating to this Privacy Policy, please get in touch: