Privacy Policy
Effective 2026-05-16 · what we collect, why, and what we never do.
What we collect
Account data: email address (from Stripe checkout or GitHub OAuth), name (if provided at checkout), GitHub user ID and login (if you sign in with GitHub), API key, operator ID.
Billing data: Stripe customer ID, subscription ID, and the tier you're subscribed to. Stripe handles your card directly — we never see or store card numbers.
Usage data: nginx access logs capture timestamp, IP, RPC method name, response code, response time, and bytes for every authenticated request. We use this for service analytics on your dashboard, billing accuracy, and abuse prevention. Logs are retained for 30 days by default.
Session data: when you sign in, we set an httpOnly cookie containing a random opaque session token. The token maps to your email in our database. Cookie expires after 30 days of inactivity.
What we never collect
- Card numbers (Stripe handles those)
- Private keys, wallet seeds, or signed transaction contents beyond what your RPC calls relay through us
- Personally identifiable information beyond what's listed above
- Cookies from third parties — no Google Analytics, no Facebook pixels, no advertising trackers
Why we collect it
- To deliver the service you paid for (auth, billing, RPC routing)
- To show you analytics on your own usage
- To detect and respond to abuse (key sharing, attacks)
- To send you operational emails (welcome, payment failed, security notices)
Who we share it with
A short list, by necessity only:
- Stripe — billing. We send your email and a tier identifier. Stripe's own privacy policy applies to what they collect.
- Resend — transactional email. We send your email address and message bodies (welcome, payment failed, etc.).
- GitHub — only if you sign in with GitHub. Standard OAuth scopes (`read:user`, `user:email`) get your basic profile and verified emails.
- Hostinger and our colocation provider — infrastructure hosting. They don't see your data above the disk-encryption layer.
We do not sell data. We do not give it to advertisers. We respond to lawful legal requests but will notify you unless prohibited.
How long we keep it
- Account + billing data: as long as your subscription is active, plus 7 years after cancellation for tax/compliance reasons
- nginx access logs: 30 days rolling
- Session cookies: 30 days from last use
- Magic-link tokens: 15 minutes (login) or 7 days (welcome email), then deleted
Your rights
You can:
- See your data — most of it is visible on your dashboard. For the rest, email us.
- Export your data — email us, we'll send a JSON dump within 14 days.
- Delete your account — cancel via Stripe, then email us to delete the remaining row. We'll keep billing records for tax purposes (see above).
- Rotate your API key — one click in the dashboard.
EU / UK users
GDPR/UK-GDPR applies. We process your data under the "contract" lawful basis (delivering the service you paid for). For a DPA, email us.
Security
We use HTTPS everywhere, store passwords nowhere (passwordless auth only), and isolate the customer database to a single host with regular off-host backups. If we have a breach affecting your data, we'll notify you within 72 hours of confirmation.
Contact
Privacy questions, data requests, breach reports: support@streamsuite.io.
v1.0 · last updated 2026-05-16