Privacy Policy

Last updated: April 30, 2026

This Privacy Policy explains how Streamloop ("we", "us", "our") collects, uses, and protects your personal information when you use our service at streamloop.app.

1. Data Controller

The data controller responsible for your personal data is Streamloop. For privacy inquiries, contact us at contact@streamloop.app.

2. Information We Collect

Information you provide

• Account information: email address, display name, avatar
• Authentication credentials: passkeys, OAuth tokens (Google)
• Payment information: processed by Stripe (card payments) and third-party cryptocurrency processors — we do not store card numbers or wallet keys

Information collected automatically

• Usage data: stream metadata (quality, duration, timestamps), credit balance and transaction history
• Device information: IP address, browser type and version, operating system
• Platform data: YouTube channel names, video metadata, viewership data when you connect a streaming platform

We do not set any cookies. Authentication is handled via secure session tokens.

3. Legal Basis for Processing (GDPR)

We process your data based on:

• Contract performance: to provide the Service, manage your account, process billing
• Legitimate interests: to improve the Service, detect fraud, ensure security
• Consent: for optional features like marketing communications (you may withdraw at any time)
• Legal obligation: to comply with applicable laws and regulations

4. How We Use Your Information

• Provide the Service: run your streams, manage your account, process credit purchases
• Billing: track credit usage, generate invoices, process top-ups
• Communication: send account-related emails (verification, security alerts, billing receipts)
• Security: detect fraud, prevent abuse, protect accounts
• Improvement: analyze aggregate, anonymized usage patterns to improve the Service

5. Data Sharing

We do not sell your personal information. We share data with:

• Stripe: to process card payments (PCI-DSS compliant)
• Cryptocurrency processors: to process crypto payments
• Hetzner: EU-based cloud infrastructure for hosting and running streams
• Legal requirements: law enforcement when required by law, court order, or to protect our rights

6. Data Storage and Transfers

All data is stored on servers located in the European Union (Hetzner, Germany/Finland). We do not transfer personal data outside the EU except where necessary to provide the Service (e.g. payment processing), in which case adequate safeguards are in place in compliance with GDPR.

7. Data Retention

• Account data: retained while your account is active
• Usage records: retained for 12 months for billing and dispute resolution
• Server logs: retained for 30 days for security and debugging
• Account deletion: upon request, your data is deleted within 30 days, except where retention is required by law

8. Your Rights

GDPR Rights (EU/EEA residents)

You have the right to:

• Access your personal data
• Rectify inaccurate data
• Erase your data ("right to be forgotten")
• Restrict processing of your data
• Data portability — receive your data in a structured, machine-readable format
• Object to processing based on legitimate interests
• Withdraw consent at any time for consent-based processing
• Lodge a complaint with your local data protection authority

We respond to GDPR requests within 30 days.

CCPA Rights (California residents)

You have the right to:

• Know what personal information we collect and how it is used
• Request deletion of your personal information
• Opt out of the sale of personal information — we do not sell personal data
• Non-discrimination for exercising your rights

To exercise any of these rights, contact us at contact@streamloop.app.

9. Google API Services and YouTube Data

9.1 Scopes we request

When you connect a YouTube account to Streamloop, we request the following Google OAuth 2.0 scopes — and only these:

We do not request any other Google scope. We never access Gmail, Drive, Calendar, Contacts, Photos, Search history, location data, or any other Google service.

9.2 How we use this data

• youtube: to programmatically schedule and run the live broadcasts you initiate from Streamloop, on the channel you selected. A YouTube broadcast is created the moment you start a stream from Streamloop and is bound to a Streamloop encoder that ingests your pre-recorded video.
• youtube.readonly: only for the channel picker shown when you first connect a YouTube account, and for refreshing channel metadata when you reconnect or rename a channel on YouTube.
• openid / email / profile: only to label the connection inside Streamloop ("connected as you@example.com"). Never used for advertising, profiling, behavioural analytics, or sale.

9.3 How we store this data

We do not store any video content, comments, viewer data, or analytics from your YouTube channel. We do not run any background process that reads channel data when you're not actively using Streamloop, with one exception: a periodic poll of broadcast status while a stream you started is live, so we can show you accurate up/down state.

9.4 Whether we share this data

We do not sell, transfer, lease, or otherwise disclose data obtained from Google API Services to any third party. We do not share it with advertisers, data brokers, marketing platforms, or analytics vendors. The only places this data leaves Streamloop's infrastructure are:

• YouTube/Google itself, when we make the broadcast and livestream API calls on your behalf using your access token.
• Sub-processors we engage solely to host, store, encrypt, or transmit the data on our behalf (for example, our cloud-infrastructure and key-management providers). These sub-processors are bound by contract to use the data only as necessary to provide their service to us, and never see your Google refresh or access tokens in cleartext.

We will only disclose Google user data to comply with applicable law, valid legal process, or to protect the rights, property, or safety of Streamloop, our users, or the public — and in any such case we will notify affected users where permitted.

9.5 Limited Use compliance

Streamloop's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

1. We use Google user data only to provide or improve user-facing features that are prominent in Streamloop's user interface. The only feature that uses Google user data is the YouTube broadcasting feature: we use the data to create the broadcast on the channel you selected, run it for the duration of your Streamloop stream, and show you the channel picker and connection state.
2. We do not transfer Google user data to others except as necessary to provide or improve user-facing features, to comply with applicable law, or as part of a merger, acquisition, or sale of assets — and only after the new owner continues to honour this policy or with notice to affected users.
3. We do not use Google user data for serving advertisements, including retargeting, personalised, or interest-based advertising. We also do not use Google user data to train, fine-tune, or evaluate machine-learning or AI models, do not use it to build databases for resale or other purposes, and do not sell, license, or transfer it to data brokers, information resellers, credit bureaus, or any party that would use it for any of these purposes.
4. We do not allow humans to read Google user data, except (a) with your affirmative agreement for specific data, (b) when necessary for security purposes such as investigating abuse, (c) to comply with applicable law, or (d) where the data has been aggregated and anonymised for internal operational reporting.

9.6 Where to find this policy and how to revoke access

• This Privacy Policy is published at https://streamloop.app/privacy and is linked from the footer of every page on streamloop.app, including the YouTube connection screen.
• The same URL is configured as the Privacy Policy URL in our Google Cloud OAuth consent screen.
• Before the OAuth consent flow begins, the in-product "Connect YouTube" screen shows a one-line summary of the scopes we will request and a link back to this section.

You can disconnect your YouTube account at any time:

• Inside Streamloop, on the Destinations page, click Disconnect on the connected YouTube identity.
• Or revoke Streamloop directly from your Google account at https://myaccount.google.com/permissions.

Either action deletes our stored refresh token within 24 hours; ongoing broadcasts using the disconnected identity are stopped immediately.

10. Security

We implement industry-standard security measures including:

• Encryption in transit (TLS/SSL)
• Passkey and OAuth authentication
• Secure credential storage
• Access controls and monitoring

11. Children

We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, contact us and we will delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or through the Service. The "Last updated" date at the top indicates when the policy was last revised.

13. Contact

For privacy-related questions or to exercise your rights, contact us at contact@streamloop.app.