Privacy Policy

This is the privacy policy for StreamDay, a service operated by Virtue Apps (a sole proprietorship based in Ontario, Canada). We take privacy seriously and try to collect as little data about you as possible. This policy explains what we collect, why, and what we do with it, in plain English.

What we collect

From Discord (when you sign in)

Discord is our only login method. When you sign in, two things happen:

We store the following in our application database:

• Your Discord user ID
• Your Discord username
• Your Discord avatar URL

Our authentication provider (Supabase Auth) separately receives and stores your email address from Discord as part of standard authentication and session management. We do not read this email from our application code, we do not store it in our own application database, we do not use it to send you marketing or any other email, and we do not share it with third parties. It exists only to support the authentication system. If you delete your account, this record is also deleted.

We never see or store your Discord password. Authentication happens entirely through Discord.

From you (when you use the service)

• Account name and account code you create
• Event titles, dates, timezones, and schedule blocks
• Streamer participation data you enter
• Streaming channel URLs (YouTube, Twitch, Kick) you choose to add
• Avatar images you upload
• Stream schedule entries you enter manually
• Which platforms (YouTube, Twitch, Kick) you are streaming each event on

From Twitch and YouTube (if you connect your account)

If you connect a Twitch or YouTube account to import your scheduled streams automatically, we receive and store:

• Your channel name and ID on that platform
• Your scheduled stream titles, times, and descriptions
• An access token and refresh token from that platform, used only to keep your schedule in sync

A background process syncs your scheduled streams from these platforms on a recurring schedule for as long as your account is connected.

Connecting an account is optional. You can use StreamDay entirely manually if you prefer. You can disconnect a connected account at any time from your settings, which deletes the tokens and stops the sync.

Kick does not currently offer an API for this, so Kick is manual only. You can mark events as also streaming on Kick, but there is no automatic sync.

Automatically (server logs)

When you use the service, our hosting providers (Vercel and Supabase) record standard request data:

• IP address
• Browser type and version
• Device type
• Pages requested and timestamps

These logs are kept by our providers under their default retention. We do not analyse them, build profiles from them, or use them for marketing. We may inspect them when investigating abuse or security issues.

Payment and subscription data

Payments are processed by Paddle, who acts as our Merchant of Record. This means Paddle, not us, sells the subscription to you, collects your payment information (card details, billing address, and so on) directly, and applies the appropriate regional sales tax (such as VAT, GST, HST, or local sales tax) based on the location you declare at checkout. We never see or store your full card number.

If you start a free trial, your payment details are collected by Paddle up front, at the start of the trial, even though no charge is made until the trial ends. We never see or store these details at any point. Paddle gives us:

• Confirmation of successful or failed payments
• A subscription or transaction ID
• Your subscription status (active, cancelled, expired)
• Your billing country (used to display correct pricing and meet our records obligations)

Paddle retains records of your transactions and personal information as required by their own legal, accounting, and tax obligations. Paddle's privacy policy and terms apply to data they collect and hold:

• Privacy policy: paddle.com/legal/privacy
• Buyer terms: paddle.com/legal/checkout-buyer-terms

If you want to exercise data rights specifically against Paddle (for example, requesting deletion of payment records they hold), you can contact Paddle directly using the details in their privacy policy. See "Your rights" below for how this works in practice.

How we use your data

We use the data we collect only to:

• Authenticate you via Discord
• Provide the scheduling service (creating events, generating share links, publishing your stream schedule)
• Import scheduled streams from Twitch and YouTube when you have connected those accounts
• Display your published events and schedules on public pages
• Process payments and manage subscriptions through Paddle
• Respond to your support requests
• Investigate abuse, fraud, or security issues

We do not:

• Sell your data to anyone
• Share your data with advertisers
• Run analytics or tracking on any page inside the app
• Profile you for marketing
• Share your data with anyone except the third party services listed below, which are necessary to run the service

What is public versus private

When you publish a stream schedule or event, the page becomes accessible to anyone with the share link, and is also indexed by search engines like Google. This means your published page may appear in search results when people search for your name, your channel, or related terms. The content visible on a published page includes the title, date, timezone, schedule, listed streamers, and their channel URLs.

If you list other streamers in an event, you are responsible for having their permission to do so. Their names and channel URLs will appear publicly on the event page and may be indexed in search results as well.

Anything you have not published stays private to your account.

Links to third-party sites

If you add custom links to your published page, those links point to third-party websites we have no relationship with. When a visitor clicks one of those links, they leave StreamDay and the destination site's own privacy practices apply. We do not control, monitor, or take responsibility for the content, privacy practices, or behaviour of those third-party sites.

Where your data is stored

• Database and uploaded files: Supabase, in their Canada Central region. Supabase runs on AWS infrastructure.
• Web hosting: Vercel, distributed via global CDN. Some request processing may happen at Vercel edge servers in regions outside Canada.
• Authentication: Discord (United States).
• Payments: Paddle (United Kingdom and global infrastructure).

If you are in the EU or UK, your data may be transferred to Canada and other countries. Canada has been recognised by the European Commission as providing adequate protection for personal data transferred from the EU under PIPEDA, our applicable Canadian privacy law.

How we protect your data

We take reasonable steps to protect your data:

• All data is transmitted over encrypted connections (HTTPS/TLS)
• Database and file storage are managed by Supabase, which encrypts data at rest
• Authentication is handled by Discord and Supabase Auth, both of which use industry-standard token-based security
• Twitch and YouTube access tokens are stored securely and used only by our background sync process
• We minimize the data we collect, which limits the impact of any potential security incident
• Access to our production systems is restricted and protected by strong authentication

No system is perfectly secure. If you suspect a security issue, please contact us.

How long we keep your data

• Active accounts: for as long as your account is active.
• Deleted accounts: when you delete your account, everything we hold about you (profile, events, stream schedule entries, uploaded avatars, account data, and Twitch/YouTube tokens) is permanently deleted from our database immediately. Deletion cannot be undone. When you delete your account, or when you unpublish a stream schedule or event, we remove the content from our systems immediately. However, copies indexed by search engines (such as cached Google search results) are outside our control and may take some time to clear, depending on when each search engine next crawls the page. You can request faster removal directly from search engines: for Google, see Google's Remove Outdated Content tool.
• Backups: any backups containing your data are overwritten in our providers' normal backup rotation, typically within 30 days.
• Server logs: retained per Vercel and Supabase defaults.
• Payment records: Paddle retains payment records as required by their tax and accounting obligations. We retain transaction IDs for our own accounting and tax obligations as required by law. These records do not contain your card number or other sensitive payment details.

Cookies

We use one cookie: a session cookie set by Supabase Auth to keep you signed in. That is it.

We do not use:

• Analytics cookies (the analytics tool we use is cookieless, see below)
• Advertising cookies (we do not advertise)
• Third party tracking pixels
• Cross-site tracking of any kind

Because the only cookie we use is strictly necessary for the service to function, and our analytics tool does not set cookies, we do not show a cookie consent banner.

Analytics

We use Vercel Analytics, a server-side, cookieless, privacy-respecting analytics service provided by our hosting provider, to measure traffic on our public web pages. This includes our marketing pages and any public stream schedules or event pages that users have chosen to publish.

We use these analytics only to understand the impact of our marketing efforts and how people discover StreamDay. We do not run analytics on any page inside the app, whether or not you are logged in.

Vercel Analytics:

• Runs server-side, so no analytics script is loaded in your browser
• Does not set cookies on your device
• Does not track you across other websites
• Does not collect or store personal information about individual visitors
• Does not build profiles of visitors over time

What it does collect, in aggregate: page URLs visited, referring URL (where you came from), and a derived country from your IP address. The IP itself is not stored.

Because Vercel Analytics is server-side, does not collect personal data, and does not set cookies, no consent banner is required under GDPR, the UK ICO's guidance, or PIPEDA.

Vercel's privacy practices are described in their privacy policy.

How we use data from Google services (YouTube)

When you connect your YouTube account, StreamDay's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

We use data received from the YouTube API only to:

• Import your scheduled streams into your StreamDay schedule
• Keep your imported schedule in sync with changes you make on YouTube
• Display your imported schedule to you within the app and to viewers of any schedules you choose to publish

We do not, and will not, use data received from the YouTube API for:

• Targeted or personalised advertising of any kind
• Training generative artificial intelligence or machine learning models
• Determining creditworthiness or for lending purposes
• Selling or transferring to data brokers, information resellers, or any third party
• Any purpose unrelated to providing or improving StreamDay's user-facing features

We do not allow human access to YouTube API data except where:

• You give us explicit consent to access specific data
• It is necessary for security purposes (such as investigating abuse)
• It is necessary to comply with applicable law
• The data is aggregated and used for internal operations in accordance with the Google API Services User Data Policy

Your YouTube data and revocation

You can revoke StreamDay's access to your YouTube account at any time:

• Within StreamDay, by disconnecting your YouTube account in your settings (this deletes the tokens we hold and stops the background sync)
• Through Google directly, by visiting Google's third-party permissions page and removing StreamDay's access

When you disconnect, we delete the YouTube access and refresh tokens we hold. Previously imported schedule data will remain in your StreamDay schedule until you remove it manually or delete your account.

By connecting your YouTube account to StreamDay, you also agree to the YouTube Terms of Service.

Third party services we use

• Discord — OAuth login — discord.com/privacy
• Supabase — Database and file storage — supabase.com/privacy
• Vercel — Web hosting and server-side analytics (public pages only) — vercel.com/legal/privacy-policy
• Paddle — Payment processing (Merchant of Record) — paddle.com/legal/privacy
• Cloudflare — Optional, used only if you run the speed test on our public bitrate calculator — cloudflare.com/privacypolicy
• Twitch — Optional, used if you connect your Twitch account to import scheduled streams — twitch.tv/p/legal/privacy-notice
• YouTube — Optional, used if you connect your YouTube account to import scheduled streams — policies.google.com/privacy

Each of these providers has its own privacy policy. Using StreamDay means your data passes through these providers as needed to run the service.

Your rights

You have the right to:

• Access the data we hold about you
• Correct inaccurate data
• Delete your account and data
• Export a copy of your data
• Withdraw consent for processing (which means deleting your account, since the service cannot function without the data we collect)

Most of these you can do yourself in your account settings, including immediate self-service account deletion. When you delete your account, we immediately and permanently delete everything we hold about you from our systems, including your Discord username, your stream schedule data, your events, and any tokens we hold for connected Twitch or YouTube accounts.

For anything you cannot do yourself, contact us and we will respond within 30 days.

Paddle and payment data

If you are a paying subscriber, Paddle (our Merchant of Record) holds payment records about you. We do not control that data: Paddle holds it on their own behalf as the seller of record, and they are legally required to retain transaction and tax records for set periods.

If you submit a deletion request to us, we will:

1. Immediately delete your data from our systems as described above
2. Pass your deletion request on to Paddle on your behalf

After that, any further communication about payment-record deletion is between you and Paddle directly, on the timeline their legal obligations allow. Paddle's contact details and process for handling these requests are in their privacy policy.

If you are in the EU or UK, you have additional rights under the General Data Protection Regulation (GDPR). If you are in Canada, you have rights under the Personal Information Protection and Electronic Documents Act (PIPEDA). The rights listed above cover both.

Data breaches

We minimize the personal information we collect, which limits the impact of any potential breach. If we discover a security incident that exposes personal information and creates a real risk of significant harm, we will:

• Notify affected users as soon as reasonably possible. Where we can contact you directly (for example, through the email Discord provided to our authentication service), we will. Where direct contact is not feasible, we will post a prominent notice within the app and on streamday.gg.
• Notify the Office of the Privacy Commissioner of Canada where the breach meets the threshold for reporting under PIPEDA.
• Notify EU and UK supervisory authorities within 72 hours where GDPR applies.
• Document the breach, the data affected, and our response.

The notice will describe what happened, what information was affected, what we have done to respond, and what you can do to protect yourself.

Not every security incident triggers a legal obligation to notify users. PIPEDA requires us to assess each incident based on the sensitivity of the information, the likelihood of misuse, and other relevant factors. We will make this assessment and document our reasoning for any incident.

Children

StreamDay requires a Discord account to use. Discord's minimum age is 13 globally and 16 in some EU countries. Discord enforces its own age requirements at signup, so anyone reaching StreamDay has already passed Discord's age gate. We do not knowingly collect data from anyone who does not meet Discord's minimum age in their country.

If you believe a child under the applicable minimum age is using our service, please contact us and we will investigate and delete the account if confirmed.

Changes to this policy

We may update this policy. When we do, we will update the "Last updated" date at the top.

For minor changes (typos, clarifications), the updated terms take effect when posted. For material changes (those that meaningfully affect your rights or obligations), we will notify you within the app the next time you visit. If you do not agree with the change, you can delete your account at that time.

If you keep using the service after changes take effect, you accept the updated policy. If you do not agree with the changes, stop using the service and delete your account before they take effect.