Privacy Policy

This is the privacy policy for StreamDay, a service operated by Virtue Apps (a sole proprietorship based in Ontario, Canada). We take privacy seriously and try to collect as little data about you as possible. This policy explains what we collect, why, and what we do with it, in plain English.

What we collect

From Discord (when you sign in)

Discord is our only login method. When you sign in, two things happen:

We store the following in our application database:

• Your Discord user ID
• Your Discord username
• Your Discord avatar URL

Our authentication provider (Supabase Auth) separately receives and stores your email address from Discord as part of standard authentication and session management. We do not read this email from our application code, we do not store it in our own application database, we do not use it to send you marketing or any other email, and we do not share it with third parties. It exists only to support the authentication system. If you delete your account, this record is also deleted.

We never see or store your Discord password. Authentication happens entirely through Discord.

From you (when you use the service)

• Account name and account code you create
• Event titles, dates, timezones, and schedule blocks
• Streamer participation data you enter
• Streaming channel URLs (YouTube, Twitch) you choose to add
• Avatar images you upload

Automatically (server logs)

When you use the service, our hosting providers (Vercel and Supabase) record standard request data:

• IP address
• Browser type and version
• Device type
• Pages requested and timestamps

These logs are kept by our providers under their default retention. We do not analyse them, build profiles from them, or use them for marketing. We may inspect them when investigating abuse or security issues.

When you pay

Payments are processed by Paddle, who acts as Merchant of Record. This means Paddle, not us, collects your payment information (card details, billing address, and so on) directly. We never see or store your full card number. Paddle gives us:

• Confirmation of successful or failed payments
• A subscription or transaction ID
• Your billing country (used to display correct pricing and meet our records obligations)

Paddle's privacy policy applies to data they collect: paddle.com/legal/privacy

How we use your data

We use the data we collect only to:

• Authenticate you via Discord
• Provide the scheduling service (creating events, generating share links)
• Display your published events on public event pages
• Process payments through Paddle
• Respond to your support requests
• Investigate abuse, fraud, or security issues

We do not:

• Sell your data to anyone
• Share your data with advertisers
• Run analytics or tracking on you
• Profile you for marketing
• Share your data with anyone except the third party services listed below, which are necessary to run the service

What is public versus private

When you publish an event, the event becomes accessible to anyone with the share link. This includes the event title, date, timezone, schedule, listed streamers, and their channel URLs. Anything you have not published stays private to your account.

If you list other streamers in an event, you are responsible for having their permission. Their names and channel URLs will appear publicly on the event page.

Where your data is stored

• Database and uploaded files: Supabase, in their Canada Central region. Supabase runs on AWS infrastructure.
• Web hosting: Vercel, distributed via global CDN. Some request processing may happen at Vercel edge servers in regions outside Canada.
• Authentication: Discord (United States).
• Payments: Paddle (United Kingdom and global infrastructure).

If you are in the EU or UK, your data may be transferred to Canada and other countries. Canada has been recognised by the European Commission as providing adequate protection for personal data transferred from the EU under PIPEDA, our applicable Canadian privacy law.

How long we keep your data

• Active accounts: for as long as your account is active.
• Deleted accounts: when you delete your account, your profile, events, uploaded avatars, and account data are permanently deleted from our database immediately. Deletion cannot be undone.
• Backups: any backups containing your data are overwritten in our providers' normal backup rotation, typically within 30 days.
• Server logs: retained per Vercel and Supabase defaults.
• Payment records: Paddle retains payment records as required by their tax and accounting obligations. We retain transaction IDs for our own accounting and tax obligations as required by law.

Cookies

We use one cookie: a session cookie set by Supabase Auth to keep you signed in. That is it.

We do not use:

• Analytics cookies (we do not run analytics)
• Advertising cookies (we do not advertise)
• Third party tracking pixels
• Cross-site tracking of any kind

Because the only cookie we use is strictly necessary for the service to function, we do not show a cookie consent banner.

Third party services we use

• Discord — OAuth login — discord.com/privacy
• Supabase — Database and file storage — supabase.com/privacy
• Vercel — Web hosting — vercel.com/legal/privacy-policy
• Paddle — Payment processing — paddle.com/legal/privacy

Each of these providers has its own privacy policy. Using StreamDay means your data passes through these providers as needed to run the service.

Your rights

You have the right to:

• Access the data we hold about you
• Correct inaccurate data
• Delete your account and data
• Export a copy of your data
• Withdraw consent for processing (which means deleting your account, since the service cannot function without the data we collect)

Most of these you can do yourself in your account settings, including immediate self-service account deletion. For anything else, contact us and we will respond within 30 days.

If you are in the EU or UK, you have additional rights under the General Data Protection Regulation (GDPR). If you are in Canada, you have rights under the Personal Information Protection and Electronic Documents Act (PIPEDA). The rights listed above cover both.

Data breaches

We minimize the personal information we collect, which limits the impact of any potential breach. If we discover a security incident that exposes personal information and creates a real risk of significant harm, we will:

• Notify affected users as soon as reasonably possible. Where we can contact you directly (for example, through the email Discord provided to our authentication service), we will. Where direct contact is not feasible, we will post a prominent notice within the app and on streamday.gg.
• Notify the Office of the Privacy Commissioner of Canada where the breach meets the threshold for reporting under PIPEDA.
• Notify EU and UK supervisory authorities within 72 hours where GDPR applies.
• Document the breach, the data affected, and our response.

The notice will describe what happened, what information was affected, what we have done to respond, and what you can do to protect yourself.

Not every security incident triggers a legal obligation to notify users. PIPEDA requires us to assess each incident based on the sensitivity of the information, the likelihood of misuse, and other relevant factors. We will make this assessment and document our reasoning for any incident.

Children

StreamDay requires a Discord account to use. Discord's minimum age is 13 globally and 16 in some EU countries. Discord enforces its own age requirements at signup, so anyone reaching StreamDay has already passed Discord's age gate. We do not knowingly collect data from anyone who does not meet Discord's minimum age in their country.

If you believe a child under the applicable minimum age is using our service, please contact us and we will investigate and delete the account if confirmed.

Changes to this policy

We may update this policy. When we do, we will update the "Last updated" date at the top.

For minor changes (typos, clarifications), the updated terms take effect when posted. For material changes (those that meaningfully affect your rights or obligations), we will notify you within the app the next time you visit. If you do not agree with the change, you can delete your account at that time.

If you keep using the service after changes take effect, you accept the updated policy. If you do not agree with the changes, stop using the service and delete your account before they take effect.