Privacy Policy
Last updated: 18 June 2026
This Privacy Policy explains how Sleipnir collects, uses, and protects personal data. We are committed to protecting your privacy and processing your data lawfully under UK and EU data protection law.
Sleipnir is a trading name of Ryan C, a sole trader registered in the United Kingdom, with correspondence address: Belfast BT1 1AA. For the purposes of UK GDPR and the Data Protection Act 2018, the data controller is Ryan C trading as Sleipnir.
For all privacy-related enquiries, contact: [email protected].
1. About this Policy
This Policy applies to personal data we collect when you:
- Visit sleipnir.tv
- Create an account on Sleipnir
- Use Sleipnir to relay streams to third-party platforms
- Pay for a Sleipnir subscription
- Contact us by email
If you do not agree with this Policy, please do not use the Service. Use of the Service constitutes acknowledgement of this Policy.
This Policy does not cover:
- Third-party platforms you stream to (Twitch, YouTube, Kick, etc.) — they have their own privacy policies that govern their handling of your account and viewers
- Third-party services that process data on our behalf — listed in Section 4 below
2. Personal data we collect
We collect the following categories of personal data:
2.1 Information you provide directly
| Data | When collected | Why |
|---|---|---|
| Email address | At signup, password reset | Authentication, account recovery, service notifications |
| Name | At signup | Personalisation of emails and dashboard greeting |
| Password (as Argon2id hash) | At signup, password reset | Authentication. We never store your plaintext password and cannot retrieve it. |
| Stream key (auto-generated) | At signup | Authenticates your encoder when you publish a stream. Treated as a credential — not exposed in dashboard responses by default. |
| Destination configurations | When you add a streaming destination | Forwarding your stream to the destination. Destination URLs may include your third-party platform's stream keys, which we store securely (see Section 10). |
| Support correspondence | When you email us | Responding to your enquiry |
2.2 Information collected automatically
| Data | When collected | Why |
|---|---|---|
| IP address | Every request, especially signup, login, stream publish | Authentication, rate limiting, abuse detection, security logging |
| Browser user agent | Every request | Compatibility and abuse detection |
| Session cookie | When you log in | Maintaining your authenticated session |
| Stream session metadata | When you publish a stream | Enforcing plan limits, generating dashboard usage data, detecting abuse. Includes session start time, end time, duration, peak/average bitrate, end reason, destinations forwarded to. |
| Bitrate kick records | When a stream exceeds your plan's bitrate cap | Enforcing repeat-violation rules and account suspension thresholds |
2.3 Information from third parties
| Data | Source | Why |
|---|---|---|
| Stripe customer ID and subscription details | Stripe | Linking your account to your subscription and plan limits |
| Google account email and basic profile data | Google (only if you sign in with Google) | Creating or linking your Sleipnir account when you choose Sign in with Google |
| Twitch profile data and IRC chat messages | Twitch (only if you connect Twitch for combined chat) | Reading your channel's chat to display in your combined chat dashboard |
| YouTube channel data and live chat messages | YouTube / Google (only if you connect YouTube for combined chat) | Reading your channel's live chat to display in your combined chat dashboard |
| Kick channel data and chat messages | Kick (only if you connect Kick for combined chat) | Reading your channel's chat to display in your combined chat dashboard |
2.4 Combined chat data
If you connect a Twitch, YouTube, or Kick account to enable the combined chat feature, we additionally collect and process the following data:
- OAuth access and refresh tokens for the platform, stored encrypted at rest (see Section 10).
- Your channel ID or username on the platform.
- Chat messages sent in your channel, by you or your viewers, while you are actively connected. These messages may contain personal data of third parties (your viewers) — including display names, message text, and platform-internal user IDs.
We use this data solely to display your combined chat feed in your Sleipnir dashboard. We do not analyse, profile, or share chat content with any third party other than the originating platform.
You can disconnect any platform at any time from your Account page. Disconnection deletes the stored OAuth tokens immediately. Captured chat messages are retained for the period stated in Section 6 and then automatically deleted; you may also request earlier deletion by contacting us.
We have no technical means to access chat messages in channels you have not explicitly connected to Sleipnir.
Streamer.bot integration: Sleipnir provides an optional integration with Streamer.bot, a third-party chatbot you may run on your own computer. If you choose to enable this integration, Streamer.bot uses an API token (which you generate on your Account page) to periodically poll Sleipnir's servers for new chat messages, fetching the combined chat data to your local machine so that Streamer.bot can act on it (for example, to trigger sound effects, scene changes, or run automated commands). This flow is initiated and controlled entirely by you: Sleipnir does not send chat data to Streamer.bot unsolicited, we do not have any data-sharing relationship with the makers of Streamer.bot, and your API token can be regenerated or revoked at any time from your Account page — which immediately stops Streamer.bot from receiving further data. The chat messages transmitted through this integration are the same messages already captured under Section 2.4; we are not collecting additional data, only making the existing combined chat feed available to software running under your control.
We do not collect special category data (such as data revealing race, ethnicity, political opinions, religious beliefs, health, biometric, or sexuality) and we do not knowingly process data of users under 16.
We do not record, store, or analyse the audio or video content of your streams. We process only the metadata listed above.
2.5 StreamTeam (team profiles and public pages)
If you create or join a StreamTeam, we process additional data to operate that feature:
- Team information you provide, including the team name, display name, description, any banner image you upload, and your membership of the team.
- Public visibility. StreamTeam includes public team pages (at sleipnir.tv/team/...) and a public team board. When you create or join a team, the following becomes publicly visible to anyone, including people who are not logged in: your display name or chosen nickname, your live or offline status, which streaming platforms you are currently live on, links to your channels on those platforms, and the team's branding. Please do not create or join a team if you do not want this information shown publicly. You can leave a team at any time from your dashboard, which removes your information from that team's public page.
- Follower relationships. If you follow a team, we record that association so that we can display follower counts and operate the feature.
- Team page analytics. We record a count of daily visitors to each team page. Visitors are identified only by a salted hash derived from request attributes. We do not store raw visitor IP addresses for this purpose, and the count cannot be used to re-identify individual visitors.
- Activity timing. We display when a team was last active, derived from stream session timing, on the public team board.
3. How we use your personal data and our lawful basis
Under UK GDPR, we must have a lawful basis for each purpose for which we process your personal data. The basis depends on the purpose:
| Purpose | Lawful basis |
|---|---|
| Creating and authenticating your account | Contract performance (Article 6(1)(b)) |
| Forwarding your streams to your configured Destinations | Contract performance |
| Processing your subscription payments | Contract performance + Legal obligation |
| Enforcing plan limits (hours, bitrate, destinations) | Contract performance |
| Sending you transactional emails | Contract performance |
| Rate-limiting signups by IP address | Legitimate interests (Article 6(1)(f)) |
| Detecting and preventing abuse, fraud, or violation of our Terms | Legitimate interests |
| Auto-suspending accounts that repeatedly violate bitrate caps | Contract performance + Legitimate interests (see Section 9) |
| Sending operator-internal monitoring alerts | Legitimate interests |
| Responding to copyright complaints | Legal obligation |
| Tax and accounting records | Legal obligation (UK statutory record-keeping) |
| Operating StreamTeam public team pages and the team board | Contract performance (Article 6(1)(b)) for the member who opts in, and Legitimate interests (Article 6(1)(f)) in providing discovery and display |
| Counting team page visitors (salted hash, not re-identifiable) | Legitimate interests (Article 6(1)(f)) in understanding feature usage |
| Recording team follower relationships | Contract performance |
We do not process your personal data for marketing, advertising, or profiling purposes. We do not sell or rent your personal data to anyone.
4. Who we share your personal data with (subprocessors)
We use the following third-party services to operate Sleipnir. Each is bound by data processing terms requiring them to protect your data and use it only to provide their service to us.
4.1 Subprocessors
| Subprocessor | Role | Data shared | Location |
|---|---|---|---|
| Hetzner Cloud GmbH | Hosting (server infrastructure, database) | All data stored by Sleipnir is on Hetzner servers | Germany (EU) |
| Stripe Payments UK, Ltd. (with US-based infrastructure operated by Stripe, Inc.) | Payment processing | Email address, Stripe customer ID, subscription metadata. Card details are entered directly into Stripe's secure form and never reach our servers. | UK contracting entity; US-based infrastructure (transfer covered by adequacy mechanism — see Section 5) |
| Resend Inc. | Outbound transactional email (verification, password reset, quota warnings, suspension notices, etc.) | Email address, your name, the email content | United States |
| Cloudflare, Inc. | DNS hosting, reverse proxy and CDN for web traffic, Web Application Firewall (WAF), inbound email forwarding, domain registrar | DNS queries (IP address only). All HTTP/HTTPS requests to sleipnir.tv pass through Cloudflare's network — they see request URLs, headers (including IP addresses), and response bodies in order to proxy traffic to our origin server. They also apply default DDoS protection and WAF rules. Inbound email content forwarded to operator. Cloudflare does not have access to data stored in our database — only data in transit through the proxy. | Global infrastructure with UK and EU presence |
| Google LLC | OAuth Sign-in (only if you choose "Sign in with Google") | We request the following Google API scopes: openid, email, and profile (your verified user ID, email address, display name and profile picture URL). We do not request access to your Google Drive, Gmail, Calendar, or any other Google service. | United States |
| Twitch Interactive, Inc. | Twitch chat ingestion (only if you connect Twitch for combined chat) | We request the chat:read scope, which lets us read messages in your channel's chat. We do not request scopes for posting, moderation, channel editing, or any other action. | United States |
| Google LLC (YouTube Data API) | YouTube live chat ingestion (only if you connect YouTube for combined chat) | We request the youtube.readonly scope, which lets us read your channel's live chat during active broadcasts. We do not request scopes for posting, channel editing, or any other action. | United States |
| Kick.com (Kick API) | Kick chat ingestion (only if you connect Kick for combined chat) | We request the user:read, events:subscribe, and chat:write scopes. These let us read your channel's chat events to display in your dashboard and, when you send a message from the combined chat dashboard, post it to your Kick chat on your behalf. We do not request moderation, channel-editing, or other scopes. | United States |
4.2 When we share data outside subprocessors
We may share personal data outside this list only:
- When required by law, court order, or other valid legal process
- To respond to copyright takedown notices (the user identified in the notice may be informed; the complainant receives only what is necessary to acknowledge the notice)
- To protect our legal rights, the rights of users, or to investigate fraud or safety threats
- In connection with a sale, merger, or transfer of the Service (for example, formation of a successor UK Ltd company operating Sleipnir) — in which case we will notify users in advance
We do not share your personal data with advertisers, data brokers, or analytics providers.
4.3 YouTube API Services
Sleipnir's combined chat feature uses YouTube API Services. When you connect a YouTube channel to Sleipnir, your use of that feature is also subject to the YouTube Terms of Service, and any data accessed through the YouTube API is handled in accordance with the Google Privacy Policy. You can revoke Sleipnir's access to your YouTube account at any time by disconnecting it on your Sleipnir Account page, or through your Google security settings at myaccount.google.com/permissions.
5. International data transfers
Sleipnir is operated from the United Kingdom and most processing happens in the EU (Hetzner Cloud, Germany). Some of our subprocessors are based in the United States:
- Stripe (payment processing) — UK contracting entity, US infrastructure
- Resend (outbound email)
- Google (OAuth sign-in)
When data is transferred to these subprocessors in the United States, the transfer is protected by:
- The UK extension to the EU-US Data Privacy Framework (where the subprocessor is certified), or
- Standard Contractual Clauses approved by the UK Information Commissioner's Office, where the framework does not apply
Cloudflare's infrastructure is global; their UK and EU presence handles UK-originated traffic by default. Hetzner Cloud's infrastructure is in Germany.
You may request a copy of the safeguards applied to international transfers by contacting [email protected].
6. How long we keep your personal data
We keep different categories of data for different periods:
| Data | Retention period |
|---|---|
| Account record (email, name, password hash, stream key) | Until you delete your account, then permanently deleted within 30 days |
| Destination configurations | Until you delete them or your account |
| Stream session metadata | 12 months from session start, then automatically deleted (or sooner if you delete your account) |
| Captured chat messages (Twitch / YouTube / Kick) | 7 days from receipt, then automatically deleted |
| OAuth tokens (Twitch / YouTube / Kick) | Until you disconnect the platform or delete your account |
| Encrypted database backups | 30 days, rolling. Stored in a separate Hetzner facility in Nuremberg, Germany. |
| Bitrate kick records | Until you delete your account |
| Email verification tokens | 24 hours, then automatically deleted |
| Password reset tokens | 1 hour, then automatically deleted |
| Session cookies | Up to 24 hours of inactivity; deleted on logout or expiry |
| IP-based rate limit records (signups) | Held only in process memory; reset every 24 hours and on every container restart. Not persisted to the database. |
| Stripe customer and subscription records on our side | Until you delete your account |
| Stripe payment records on Stripe's side | Per Stripe's retention; outside our control |
| Financial records (invoices, payments) | 6 years from end of relevant tax year (UK HMRC) |
| Support correspondence | Up to 3 years, then deleted unless ongoing matter |
| StreamTeam membership, team name, description, and banner image | Until the team is disbanded, you leave the team, or you delete your account |
| Team follower relationships | Until you unfollow, the team is disbanded, or you delete your account |
| Team page visitor counts (salted hash) | Retained as aggregate daily counts, not linked to identifiable visitors |
Account deletion is initiated by you from the Account page in your dashboard, with a typed-confirmation step to prevent accidental deletion. After confirmation, your account and associated data are queued for deletion. Deletion completes within 30 days. Financial records required by UK tax law are retained beyond account deletion as required by HMRC (~6 years), but in a separated form not linked to active service identifiers.
7. Cookies and similar technologies
Sleipnir uses cookies and similar technologies for essential functionality only. We do not use any analytics, advertising, or tracking cookies.
| Cookie | Set by | Purpose | Lifetime |
|---|---|---|---|
| Session cookie | Sleipnir | Keeps you logged in to your dashboard | 24 hours of inactivity |
| Stripe checkout cookies | Stripe | Necessary for processing payments during the checkout flow | Set by Stripe; varies |
The session cookie is HTTP-only (not accessible to JavaScript), Secure (transmitted only over HTTPS), and uses SameSite=Lax scope.
We do not currently use Google Analytics, Facebook Pixel, or any other tracking technology. If we add a privacy-respecting analytics service in future (such as Plausible Analytics, which does not use cookies and does not track individual users), we will update this Policy and notify users.
8. Your rights
Under UK GDPR, you have the following rights regarding your personal data. To exercise any of them, contact [email protected]. We will respond within one calendar month.
8.1 Right of access
You can request a copy of the personal data we hold about you. Most of this is already visible in your dashboard (account info, destinations, usage history). For a full export including data not visible in the dashboard, email us.
8.2 Right to rectification
You can correct inaccurate personal data. Most fields are editable directly from the dashboard (name, password, destinations). For email address changes, email us.
8.3 Right to erasure ("right to be forgotten")
You can delete your account at any time from the Account page in your dashboard. This removes your personal data within 30 days, except for financial records required by UK tax law.
If you would like erasure of specific data without deleting your whole account, email us.
8.4 Right to restrict processing
You can ask us to limit how we process your data in specific situations (for example, while we investigate a rectification request). Email us to request this.
8.5 Right to data portability
You can request a machine-readable export of personal data you provided to us (email, name, destinations, stream history). Email us to request this; we will provide it within one month, in JSON or CSV format. We are working on a self-serve export feature for the dashboard; once available, this will replace the email-based process.
8.6 Right to object
You can object to processing based on legitimate interests. We will stop unless we have compelling legitimate grounds that override your rights. Email us to object.
8.7 Right not to be subject to automated decision-making
See Section 9 below.
8.8 Right to withdraw consent
Where we rely on consent (which is rare in our processing — most is contract-based), you can withdraw it at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
8.9 Right to lodge a complaint
If you believe we have not handled your personal data correctly, you have the right to complain to the UK supervisory authority:
0303 123 1113
ico.org.uk
We would appreciate the chance to address your concern first — please email [email protected] before contacting the ICO.
9. Automated decision-making
Sleipnir uses one form of automated decision-making that may significantly affect you: automatic account suspension after 10 bitrate-violation kicks within a 24-hour rolling window.
This is a fully automated decision. When triggered, your account is suspended (you cannot publish streams), and you and the operator are both notified by email. The decision is based on objective measurements (your stream's bitrate compared to your plan's cap, recorded by our enforcement system).
Under Article 22 of UK GDPR, you have the right to:
- Obtain human intervention. If you believe the suspension was triggered in error, contact [email protected]. The operator will review the suspension manually and reactivate your account if appropriate.
- Express your point of view. Your email response is your opportunity to provide context (e.g., "my encoder was misconfigured, I've fixed it now").
- Contest the decision. If you disagree with the suspension after human review, you may contest the decision and we will investigate further.
We do not use any other form of automated decision-making, profiling, or AI-based decision systems for processing your personal data.
10. Security
We take reasonable technical and organisational measures to protect your personal data:
- All web traffic between you and Sleipnir is encrypted using HTTPS (TLS). Stream ingest (the connection from your broadcasting software to Sleipnir) is encrypted using RTMPS (TLS-protected RTMP). RTMPS is the recommended ingest endpoint shown in your dashboard. We also accept plain RTMP as a fallback for older encoders that don't support RTMPS, but recommend RTMPS whenever possible.
- Passwords are hashed with Argon2id, a memory-hard password hashing function. We never store plaintext passwords.
- Hetzner Cloud's data centre infrastructure includes physical security, network protection, and full-disk encryption on storage volumes — so all data we hold benefits from infrastructure-level protection at rest.
- Database access is restricted to the operator and the Sleipnir application service. The database is not exposed to the public internet.
- The session cookie is HTTP-only, Secure, and SameSite=Lax to mitigate cross-site attacks.
- We rate-limit failed login attempts to defend against brute-force attacks.
- We rate-limit signups per IP address to defend against bot abuse.
- Stripe payment card details never reach our servers; they are entered directly into Stripe's secure form.
OAuth token handling. Access and refresh tokens for connected third-party platforms (Twitch, YouTube, Kick, Google) are encrypted at rest using Fernet (AES-128-CBC + HMAC-SHA256). The encryption key is held in environment variables on our server, separate from the database itself. Tokens are decrypted in memory only when needed to contact the platform's API on your behalf.
Encrypted off-site backups. Database backups are taken daily, encrypted with OpenPGP (ECDH-Curve25519) on the primary server before transfer, and stored in a separate Hetzner facility in Nuremberg, Germany — different from the Falkenstein facility where the primary database lives. Backups are retained for 30 days, then permanently deleted. The decryption key never leaves our control; even Hetzner cannot read the backup files.
Stream-key handling. Your inbound Sleipnir stream key and the outbound destination URLs you configure (which may contain third-party stream keys) are encrypted at rest in our database using application-level Fernet encryption (AES-128-CBC + HMAC-SHA256). The encryption key is held in environment variables on our server, separate from the database itself. Stream keys are additionally stored as a SHA-256 hash to enable lookup during stream authentication; the hash is one-way and cannot be reversed to recover the original key. We treat all stream keys as sensitive credentials regardless of encryption — if you suspect any have been compromised, rotate them via your dashboard (Sleipnir keys) or at the third-party platform (destination keys).
No security measure is perfect. If we become aware of a personal data breach affecting you, we will notify you and the UK ICO as required by UK GDPR (within 72 hours of becoming aware, where the breach is likely to result in a risk to your rights).
11. Children
Sleipnir is not intended for use by children under 16. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected data from a child, please contact [email protected] and we will delete it.
By creating an account, you confirm that you are at least 16 years old. Accounts identified as belonging to users under 16 may be terminated.
12. Changes to this Policy
We may update this Policy from time to time. The "Last updated" date at the top of the page reflects when changes took effect.
For material changes — those that meaningfully affect how we process your personal data — we will notify you by email at least 30 days before the change takes effect. Continued use of the Service after that date constitutes acknowledgement of the updated Policy.
For non-material changes (clarifications, formatting, contact-detail updates), the updated Policy takes effect when posted.
We will keep an archive of previous versions of this Policy available on request.
13. Contact
For all privacy-related enquiries:
- Email: [email protected]
Belfast BT1 1AA
United Kingdom
(Sleipnir is a trading name of Ryan C. The data controller is Ryan C. Correspondence may be addressed to "Sleipnir" at the above address.)
For copyright complaints (a separate process from privacy), see Section 11 of our Terms of Service.
For complaints to the UK supervisory authority, see Section 8.9.