Privacy Policy
Effective date: 11 June 2026
This statement explains how SRTLA Hub (the Operator, "we", "us") collects, uses, retains, and protects personal data in connection with the SRTLA Hub service (the Service). It is supplied to you at or before the point of collection. By using the Service you acknowledge that you have read this statement. Except where this statement describes data as optional (such as the notification data described in Clause 2.5), provision of the personal data described below is necessary for the operation of your account; if you do not wish to provide it, you should not use the Service.
1. Who We Are
1.1 The Operator of the Service, and the party that determines the purposes and means of the processing described in this policy, is SRTLA Hub. Contact details are set out in Clause 11.
2. Personal Data We Collect
2.1 Identity data from Twitch. When you sign in through Twitch OAuth we receive your Twitch user ID, login name, display name, and profile image URL. We do not receive your Twitch password.
2.2 Session data. We issue an unguessable, randomly generated session cookie to keep you signed in; it is transmitted only over HTTPS and is inaccessible to scripts. We store session records to operate your session: the session identifier is stored server-side in hashed form, and the associated access token issued by Twitch is encrypted at rest.
2.3 Network data. We record IP addresses in connection with sign-in, application programming interface (API) requests, rate limiting, abuse prevention, and security logging.
2.4 Streaming data. We generate and store your stream key; records of your streaming sessions (start and end times, receiving node, bitrate, viewer counts, and quality metrics); daily bandwidth usage (bytes received and transmitted, durations); and stream incident events (such as disconnects and bitrate drops).
2.5 Notification data. If you enable push notifications we store your browser's push subscription endpoint and the associated delivery keys, together with your chosen notification categories.
2.6 Administrative records. Actions taken in the dashboard are recorded in an audit log containing the actor's identity, the action, its target, the originating IP address, and a timestamp. Infrastructure telemetry (receiver node CPU, memory, disk, and throughput) is collected from receiver nodes and is not personal data about Users, though it may appear alongside the records above.
2.7 Usage-cost records. We maintain a ledger of usage-cost records derived from your bandwidth and streaming activity (the period concerned, the quantities used, the applicable rates, and the resulting amounts), associated with your account, for the quota-administration and billing purposes described in Clause 3.
3. Purposes of Collection
3.1 We collect and use the data described above for the following purposes: (a) operating the Service, including authentication, stream ingest and relay, monitoring, and notifications you have requested; (b) protecting the Service and its Users, including rate limiting, abuse detection, and security investigation; (c) administering quotas and, where agreed, usage-based billing; (d) maintaining accountability of administrative actions through audit records; and (e) complying with obligations applicable to the Operator.
3.2 We do not use your personal data for advertising, profiling, or automated decision-making producing legal or similarly significant effects, and we do not use it for any purpose not set out in this policy without first informing you.
4. Disclosure of Personal Data
4.1 We do not sell personal data. We disclose personal data only: (a) to Twitch, as inherent in the OAuth sign-in flow; (b) to Cloudflare, whose tunnelling and content delivery infrastructure carries traffic between your browser and the Service; (c) to Discord, where operator alert notifications are delivered to an administrative channel (these may reference node names and metric values, not your streaming identity); (d) to your browser vendor's push notification service, where you have enabled push notifications; (e) to the hosting providers on whose infrastructure the Service's receiver nodes and servers run, as inherent in operating that infrastructure; and (f) where disclosure is required by a lawful demand that the Operator is obliged to honour.
4.2 The Service is operated on receiver nodes and hosting infrastructure located in multiple regions. The personal data described in Clause 2 may accordingly be processed on, and transferred between, infrastructure in regions other than your own; the safeguards described in this policy apply wherever the data is processed.
5. Retention
5.1 Personal data is retained only as long as necessary for the purposes above, under retention policies enforced by automated deletion: infrastructure metrics are retained for no more than thirty days; bandwidth and audit records for no more than three hundred and sixty-five days; and streaming session and incident records for no more than three hundred and sixty-five days. Each automated deletion pass is itself recorded so that retention is verifiable. If the operative retention periods change, this clause will be updated accordingly.
5.2 Session records expire and are deleted automatically. Upon deletion of your account, the personal data associated with it — including push subscriptions, streaming session records, and incident records — is deleted, with two exceptions: audit records are retained for the remainder of the retention period stated in Clause 5.1; and bandwidth and usage-cost records are retained for the remainder of their retention period to preserve billing integrity, after which they are deleted.
6. Security
6.1 We apply technical and organisational measures appropriate to the data we hold, including: encryption of traffic in transit (HTTPS); encryption of stored session access tokens; storage of session identifiers in hashed form; strict origin checks on realtime connections; server-side request safeguards; per-route rate limiting; and role-based access controls separating administrative functions from ordinary accounts.
6.2 No security measure is absolute. Clause 10 describes how incidents are handled.
7. Accuracy and Use Limitation
7.1 We take reasonable steps to keep personal data accurate; identity data is refreshed from Twitch upon each sign-in. We use personal data only for the purposes stated in Clause 3, and access within the Operator's administration is limited to what each role requires.
8. Your Rights: Access, Correction and Objection
8.1 You may request: (a) confirmation of whether we hold personal data about you and a copy of it; (b) correction of inaccurate personal data; (c) deletion of your account and associated personal data, subject to Clause 5; and (d) cessation of any particular use of your personal data, on reasonable grounds. Requests may be made through the contact route in Clause 11 and will be acted upon within a reasonable period, ordinarily not exceeding one month; if we need longer, we will tell you and explain why.
9. Cookies
9.1 The Service uses only strictly necessary first-party cookies: the session cookie described in Clause 2.2 — an unguessable, randomly generated value, transmitted only over HTTPS, inaccessible to scripts, scoped to the Service, and expiring automatically — and two short-lived (five-minute) cookies used solely to secure the sign-in handshake. No advertising or cross-site tracking cookies are used.
10. Data Incidents and Complaints
10.1 If the Operator becomes aware of an incident affecting the confidentiality or integrity of personal data, it will assess the incident, take reasonable remedial steps, and notify affected Users without undue delay where the incident is likely to result in significant harm.
10.2 Complaints about the handling of personal data may be raised through the contact route in Clause 11 and will be investigated in good faith. This does not limit any other remedy available to you.
11. Contact
11.1 Requests and enquiries concerning this policy may be directed to [email protected].
12. Changes to this Policy
12.1 The Operator may amend this policy from time to time. The current version, together with its effective date, will be published on this page, and material changes will, where practicable, be notified through the dashboard before they take effect. A change that introduces a new purpose of use or a new category of disclosure will in every case be notified through the dashboard before it takes effect.