Privacy Policy

Last Updated: September 24, 2025 (12:15 PM)

1. Introduction

This Privacy Policy explains how we collect, use, and disclose personal information when you use our website, including features such as livestream, clips, XP and rewards, games, ideas, announcements, and Twitch integrations. We respect your privacy and are committed to protecting your personal data.

2. Information We Collect

We may collect the following types of information:

- Account Information: Username, email address, password, and email verification status.

- IP Address: We collect and store your IP address when you register and when you use our services. IP addresses may be used for security purposes, including IP banning for policy violations. Your email address and IP address are stored encrypted at rest. For operational security and moderation purposes (e.g., removing fraudulent accounts, enforcing bans, addressing abuse, and complying with legal obligations), the site owner may access decrypted email and IP information strictly on a need-to-know basis. Access is limited to the owner role and protected by technical safeguards, including role-based access control and two-factor authentication (2FA).

- Usage Information: Pages visited, actions taken (e.g., submitting ideas, managing rewards/games, viewing clips), device and browser characteristics, and timestamps.

- Twitch Information (if you connect your Twitch account): Twitch ID, username, profile picture, email address (if provided by Twitch), and OAuth token/refresh token used to enable Twitch features (e.g., chat integration, livestream page features). You can disconnect Twitch at any time from your account settings.

- Communications: Messages and notifications sent via the site's messaging features. System emails (e.g., verification, password reset, deletion reminders) are tracked for rate limiting.

- Moderation Records: Username changes, idea submission bans, and account deletion scheduling (including reason and timing where applicable). We maintain audit trails of moderation actions.

We minimize data exposure and retain personal data only as long as necessary for the purposes described in this policy. We do not sell your personal information.

3. How We Use Your Information

We use the information we collect for various purposes, including:

- To provide and maintain our services and features (livestream, clips, XP, rewards/games, ideas, announcements)

- To authenticate users and enable role-based access (viewer, moderator, streamer, owner)

- To integrate with Twitch when you connect your account (including sending/receiving chat via our UI where available)

- To communicate with you, including important transactional messages

- To protect our services, enforce policies, and prevent abuse (including rate limiting and IP bans)

- To comply with legal obligations

Where required by law (e.g., GDPR), our legal bases include: contract (providing the services you request), legitimate interests (security, moderation, fraud prevention, service integrity), and legal obligations (responding to lawful requests). Owner-only access to decrypted email/IP is grounded in legitimate interests and performed with strict safeguards.

4. Twitch Chat and Integrations

If you connect Twitch, we may process limited data necessary to enable features such as viewing or sending chat messages and showing livestream information. Access tokens are stored securely and used only to provide the agreed features. Chat content may be processed transiently to render it in the UI and may be cached briefly. We do not sell your Twitch information.

5. Email and Notification Rate Limiting

To ensure system stability and prevent abuse, system-generated emails (including verification, password reset, account deletion notifications and reminders) and certain in-app notifications are rate-limited per user per email/notification type over a cooldown period. Your requested actions will still be processed even if additional emails are suppressed during the cooldown.

6. Data Retention

We retain your personal data only as long as necessary for the purposes described. If you request account deletion, your account is deleted after 30 days unless you cancel within that period.

- Moderation-initiated deletions: Moderators may schedule viewer accounts for deletion for policy violations. Scheduled deletions take effect after a 3-day notice period. Once scheduled, deletions cannot be cancelled by the user. If you believe a deletion was scheduled in error, contact a moderator before it takes effect.

- Owner-initiated deletions: The site owner may immediately suspend or delete any account, content, or access in cases of fraud, security risks, legal obligations, or other serious violations. Owner-initiated deletions cannot be cancelled by the user; if you believe an owner-initiated deletion was in error, contact the site owner.

7. Security

We implement appropriate security measures to protect your personal information. However, no method of transmission or storage is 100% secure. We recommend using secure connections (HTTPS). In production environments, HTTPS is enforced.

8. Cookies

We do not use cookies at this time. If essential cookies become required in the future (e.g., for login sessions), this policy will be updated.

9. Third-Party Services

We integrate with Twitch for login and user identification. When you connect Twitch, we access your Twitch ID, username, profile picture, email (if available), and a token to enable chat and related integrations. These services have their own privacy policies, which we do not control. Please review Twitch's Privacy Policy. We do not use your Twitch information for marketing purposes or sell it to third parties.

10. IP Bans and Security Monitoring

For security and policy enforcement, we may restrict access by IP address. If your IP is banned, access to features will be blocked until the ban expires (if temporary) or is removed.

11. Your Rights

You have the right to access, update, or delete your personal information. You may also request restriction of, or object to, certain processing, and request portability where applicable.

12. Children's Privacy

Our services are not directed to children under 13. If you are under 16, you should have permission from a parent or legal guardian to use the site. We do not knowingly collect personal data from children under 13. If you believe a child has provided us personal data, please contact us so we can delete it.

13. GDPR Compliance

We are a data controller under the GDPR. If you are in the EEA, you may lodge a complaint with your local data protection authority.

14. Data Location

Data may be stored and processed within the European Economic Area (EEA) or in other regions, with safeguards consistent with applicable laws.

15. Changes to This Policy

We may update this Privacy Policy from time to time. Updates will be posted here and the “Last Updated” date will be changed.

16. Data Access Requests (Right of Access / Portability)

You have the right to access and receive a copy of the personal data we hold about you. You can request this export from your account dashboard after confirming your password. The export is provided in JSON format (machine-readable).

What the export includes:

- Account details: username, XP, profile picture, Twitch identifiers, email verification status, account deletion flags and timestamps, moderation/ban flags, and created/updated timestamps.

- Your personal information (PII): your email address and IP address, shown in plain text for your visibility. These are stored encrypted at rest within our systems.

- Role information: description of your role.

- Rewards and settings: your reward/settings record if present.

- Ideas you submitted: ID, title, description, anonymity setting, status, moderation/deletion timestamps, and created/updated timestamps.

- XP logs: ID, action, amount, description, created_at.

- Notifications: messages you sent and received, with ID, content, read status, and timestamps.

- Moderation records:

  - As a target: ID, action, reason, created_at.

  - If you are a moderator: actions you performed with ID, action, reason, created_at.

- IP bans:

  - For your current IP (matched internally): ID, reason, banned_at, expires_at, is_active.

  - If you are the site owner: bans you created with the same fields.

- Summary counts: totals for major sections (e.g., number of ideas submitted, notifications, etc.).

What the export does not include:

- Password hashes, tokens, or other security secrets. Instead, the export shows whether such a secret exists (true/false).

- Identifiers of other users who may appear in your records.

- Internal system identifiers or hashes used for security.

- Session records (we do not store or export session data).

- Data that has already expired or been purged (e.g., short-lived logs).

Frequency of requests:

For system stability, data access requests are limited to one request per 24-hour period by default (configurable by the site owner via environment/configuration settings).

17. Contact

For privacy inquiries or data requests, use the in-site messaging (when logged in) or email the owner at thexanos.site@gmail.com.