Privacy Policy

1. Controller

The controller for data processing is Dennis Senske, operating under StreamRelay, c/o COCENTER, Koppoldstr. 1, 86551 Aichach, Deutschland, email: support@stream-relay.de.

2. Data we process

Depending on how you use the service, we process in particular account data (e.g. email address and login data), billing data (e.g. name and country for invoicing), usage and configuration data for your endpoints, technical access data, and usage data from reach measurement.

If you activate the corresponding add-on features, we additionally process: access credentials for third-party platforms you choose (in particular stream keys for Twitch or YouTube), which we need to forward your streams and store in encrypted form only, as well as recorded stream content (recordings) including the associated metadata, where you book the recording feature.

We process personal data only to the extent necessary to operate the website, handle enquiries, perform contracts, manage billing, ensure security, or improve our services.

3. Website access and server log files

When you access this website, the hosting provider processes technically required connection data. This includes in particular the IP address, date and time of access, the requested page, referrer, browser and device information, and status and error messages.

This processing is used to deliver the website, ensure stability and security, and diagnose errors. This data is not combined with other data sources. The legal basis is Article 6(1)(f) GDPR.

4. Use of the ingest service and connection data

When a stream is sent to or pulled from our SRT/RTMP ingest endpoints, we process the connection data required for authentication and operation, in particular the IP address of the connecting device, the protocol used, the action (publish or read), and the stream path.

This data is used to authenticate the connection, prevent abuse and disruption, and ensure reliable operation. It is processed solely in technical system logs with a short retention period and is not permanently stored in a database.

If you involve third parties (e.g. additional contributors) in your stream, you are responsible for informing them about the processing of their connection data. The legal basis is Article 6(1)(b) GDPR (performance of contract) and Article 6(1)(f) GDPR (security and abuse prevention).

Forwarding to third-party platforms: If you activate the feature to forward your stream to a third-party platform of your choice (e.g. Twitch or YouTube), you provide the stream key required for this. We store this key in encrypted form; decryption takes place exclusively server-side and solely for the purpose of forwarding your stream to your chosen target platform. With forwarding, your stream content is transmitted to the respective platform, which processes it under its own privacy terms as an independent controller; this may involve a transfer to a third country (in particular the USA) (see the section “International data transfers”). You are responsible for ensuring that you are authorized to use the stream key you provide. You can change or remove the stream key at any time in the dashboard. The legal basis is Article 6(1)(b) GDPR.

Recording feature: If you book the optional recording feature, we record the streams you select and store the recordings, including the associated metadata (e.g. time, duration, assigned endpoint), on our infrastructure within the EU so that you can access and manage them via the dashboard. You are responsible for the content of your recordings and for informing any third parties shown in the stream about the recording and obtaining any required consents. Recordings are deleted when you delete them, end the feature, or delete your account, but no later than the retention period stated in the dashboard or service description. The legal basis is Article 6(1)(b) GDPR; where we merely store recordings technically on your behalf, we act as a processor in this respect.

5. Contact by email

If you contact us by email, we process the data you send us, in particular your email address, the content of your message, and any other information you voluntarily provide, in order to handle your request.

The legal basis is Article 6(1)(b) GDPR where the request relates to a contract or pre-contractual steps, and otherwise Article 6(1)(f) GDPR.

For receiving and storing emails sent to our mailboxes, we use the email hosting service mailbox.org provided by Heinlein Hosting GmbH (Germany). A data processing agreement under Article 28 GDPR is in place with the provider; processing takes place within the EU.

6. Customer account, dashboard and billing

If you use our dashboard or related account functions, we process the data required for that purpose, in particular contact and login data, selected plans, endpoint configurations, usage information, billing data, and support requests.

If you enable two-factor authentication, we process the security credentials required for it solely to protect your account. To improve our checkout process, we also analyse, to a limited extent, data about completed and abandoned orders; such data is anonymized after no later than 90 days.

So that the paid digital service can begin immediately, we obtain your express consent during checkout for us to begin performance before the withdrawal period expires, together with your acknowledgment that your right of withdrawal lapses prematurely as a result (§ 356(5) BGB). We log this consent for evidentiary purposes, including the time and the IP address. Further details on the retention of these records can be found in the section “Security and activity logs”.

This processing is necessary for contract performance and billing. The legal basis is Article 6(1)(b) and (c) GDPR. Where data is needed for support, operation, and improvement, we also rely on Article 6(1)(f) GDPR.

7. Sign-in via Google or Twitch

You can sign in via single sign-on with Google or Twitch. If you choose this option, we receive from the respective provider the data required for sign-in (in particular a unique identifier and your email address) in accordance with the permissions shown at the time of connection.

We do not store any passwords of these providers, only the identifier required to associate your account. The privacy notices of Google or Twitch additionally apply.

The legal basis is Article 6(1)(b) GDPR. Signing in via Google or Twitch may involve processing in the USA; details of the safeguards are set out in the “International data transfers” section.

8. Payment processing via Stripe

Payments are processed via Stripe. Stripe receives the information required for payment handling, such as payment status, transaction data, and billing-related information. Full payment or card details are not stored on our systems.

Invoices are generated by Stripe and made available in the Stripe customer portal. Stripe processes data partly as an independent controller and partly as a processor. Stripe’s own privacy information applies. Processing may take place outside the EEA, in particular in the United States (see “International data transfers”).

The legal basis is Article 6(1)(b) GDPR.

9. Transactional email delivery

To provide our services, we send transactional emails, e.g. to confirm your email address, reset your password, or notify you of changes to your subscription. In doing so we process in particular your email address, the subject and content of the message, and the sending and delivery status.

These emails are not advertising but contractually or legally required notices and cannot be unsubscribed from. Technical delivery is handled via Scaleway (France). The corresponding logs are deleted after no later than 90 days.

The legal basis is Article 6(1)(b) GDPR and, with regard to delivery monitoring, Article 6(1)(f) GDPR.

10. Newsletter and marketing emails

We send promotional emails only if you have expressly consented. The legal basis is Article 6(1)(a) GDPR in conjunction with § 7 UWG.

You can withdraw your consent at any time with effect for the future, e.g. via the unsubscribe link in the respective email or in your account settings. The lawfulness of processing carried out before the withdrawal remains unaffected.

11. Spam and bot protection (Cloudflare Turnstile)

To protect our forms (e.g. sign-in and registration) against automated abuse, we use Cloudflare Turnstile. In doing so, technical connection and device information is processed in order to distinguish human from automated access.

The provider is Cloudflare; processing may take place in the USA (see “International data transfers”). The use is necessary for the secure provision of these functions; consent under § 25(2) TDDDG is not required for this. The legal basis is Article 6(1)(f) GDPR.

12. Security and activity logs

To ensure security and the traceability of security-relevant events, we log certain activities in your account, in particular sign-ins and security-relevant actions. In doing so we process, among other things, the IP address, information about the device or browser used, and the type of action.

To a limited extent, our staff may work with a view of your account when providing support (support access); such access is logged. Information derived from the IP address (e.g. the country or region of sign-in) is used to classify security-relevant events.

The full IP address is retained in these logs only for a limited period of 180 days, which is necessary to prevent abuse and fraud. After that, it is automatically truncated and thereby anonymized (for IPv4 the last address segment is removed, for IPv6 accordingly), so that the exact connection can no longer be identified; the remaining log data is not affected by this.

We otherwise retain security-relevant activity and audit logs for up to three years for security, evidentiary, and abuse-prevention purposes. The legal basis is Article 6(1)(f) GDPR (security, abuse and fraud prevention).

Records of a waiver of the right of withdrawal declared during checkout (in particular the time of consent and the IP address) are additionally retained on a permanent basis with a personal reference, in order to demonstrate the conditions for the premature lapse of the right of withdrawal (§ 356(5), § 357 BGB) and to assert, exercise, or defend any claims. The legal basis is Article 6(1)(f) GDPR in conjunction with Article 17(3)(e) GDPR (assertion, exercise, or defense of legal claims).

13. Error and stability monitoring

To detect and resolve errors, we use a self-hosted error monitoring system (GlitchTip) on our own infrastructure within the EU. This may generate technical error data that, in individual cases, contains personal information such as an IP address, a user identifier, or request data.

The processing takes place on our own servers in the EU; no transfer to a third country occurs for this purpose. The legal basis is Article 6(1)(f) GDPR (stability and security of the service).

14. Cookies and local storage

We use exclusively technically necessary cookies or local storage mechanisms required for sign-in and operation of the service (e.g. session and authentication cookies). These are exempt from consent under § 25(2) no. 2 TDDDG.

Our basic reach measurement with Umami (page views, referrers, campaign parameters from UTM links, and technical performance metrics in the sense of Core Web Vitals) works without cookies and without accessing your device. It is exempt from consent under § 25(2) TDDDG and relies on our legitimate interest in a data-minimizing analysis and optimization of our offering (Art. 6(1)(f) GDPR). No consent is required for this. The measurement scripts are delivered, and the measurement data transmitted, via Cloudflare’s CDN/reverse proxy; processing may take place in the USA (see “International data transfers”).

Only with your explicit consent do we additionally enable an extended measurement via the same self-operated Umami service: anonymized click and scroll heatmaps and session recordings (session replay). Session replay records mouse movements, clicks, scrolling, and page navigation; input fields are masked so that content entered there is not captured. The duration of individual recordings is technically limited.

The legal basis for this extended measurement is your consent (Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG). The recording script required for this is only loaded after you have agreed in the consent banner. We store your decision in a strictly necessary cookie ("sr_consent") so that we do not have to ask you again on every visit; this cookie itself is exempt from consent under § 25(2) TDDDG. Heatmap and replay data are retained for 30 days and then automatically deleted.

You can withdraw your consent at any time with effect for the future — just as easily as you gave it — via the "Tracking settings" link in the footer. Processing based on the consent remains lawful until withdrawal.

15. International data transfers

For some services, processing may take place outside the EU/EEA, in particular in the USA with Stripe, Cloudflare (Turnstile) and – in the case of sign-in via Google or Twitch – with the respective providers. If you forward your stream to a third-party platform (e.g. Twitch or YouTube) using the forwarding feature, the stream content is transmitted to the respective provider, which processes it as an independent controller and possibly outside the EEA (in particular in the USA).

Where such a transfer occurs, we base it on an adequacy decision (in particular the EU-US Data Privacy Framework) and/or on standard contractual clauses pursuant to Article 46(2)(c) GDPR. You can request a copy of the relevant safeguards from us.

The delivery of transactional emails via Scaleway (France) as well as the receipt and storage of emails via mailbox.org (Germany) take place within the EU and do not constitute a transfer to a third country.

16. Account deletion

You can request the deletion of your account. When you trigger deletion, your account is first deactivated (sign-in is blocked) and retained for a grace period of 30 days. This grace period serves to allow an accidental or unauthorized deletion to be reversed and to complete pending processes. After the 30 days have elapsed, the personal data associated with your account is permanently deleted or anonymized, where full deletion is not possible for security, evidentiary, or legal reasons.

As part of the final deletion, security and delivery logs are anonymized or cleansed of personal content; stored stream keys and any existing recordings are removed. Payment and invoice data held at Stripe cannot be fully deleted insofar as Stripe, acting as an independent controller, is subject to statutory retention obligations (in particular under tax and commercial law); to that extent such data is retained for the duration of the statutory periods, and otherwise deletion is initiated. Data subject to statutory retention obligations, as well as records of a declared waiver of the right of withdrawal (see the section “Security and activity logs”), are retained in restricted form until the respective periods expire or for as long as necessary to assert, exercise, or defend legal claims. The legal basis is Article 17 GDPR.

17. Recipients and processors

To provide our services, we use the following service providers. We operate our reach measurement (Umami) and error monitoring (GlitchTip) ourselves on our own infrastructure within the EU. Details on the processing by each provider can be found in their respective privacy policy:

• Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany
  Hosting, server and data center operation (EU) · Privacy policy
• IP-Projects GmbH & Co. KG, Am Vogelherd 14, 97295 Waldbrunn, Germany
  Hosting (EU) · Privacy policy
• netcup GmbH, Daimlerstraße 25, 76185 Karlsruhe, Germany
  Hosting (EU) · Privacy policy
• Scaleway SAS, 8 rue de la Ville l’Évêque, 75008 Paris, France
  Delivery of transactional emails (EU) · Privacy policy
• Heinlein Hosting GmbH (mailbox.org), Schwedter Str. 8/9B, 10119 Berlin, Germany
  Email mailboxes, receipt and storage (EU) · Privacy policy
• Cloudflare, Inc., 101 Townsend Street, San Francisco, CA 94107, USA
  Spam and bot protection and CDN/reverse proxy for delivering the reach measurement (third country USA) · Privacy policy
• Stripe Payments Europe, Ltd., 25-28 North Wall Quay, Dublin 1, Ireland
  Payment processing and invoicing (EU/USA) · Privacy policy
• Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland
  Sign-in (single sign-on), EU/USA · Privacy policy
• Twitch Interactive, Inc., 350 Bush Street, 2nd Floor, San Francisco, CA 94104, USA
  Sign-in (single sign-on), third country USA · Privacy policy

If you use the recording feature, recordings are stored on our infrastructure within the EU. If you use forwarding to a third-party platform, your stream content is transmitted to the provider you choose (e.g. Twitch or YouTube).

Where service providers act as processors, we have data processing agreements under Article 28 GDPR or equivalent arrangements in place. Stripe and the sign-in providers act partly as independent controllers. For transfers to third countries and the safeguards used, see the section “Transfer of data to third countries”. We only disclose data to other recipients if this is legally permitted or if you have consented.

18. Retention

We retain personal data only for as long as necessary for the relevant purpose or as required by statutory retention obligations. Transactional email logs and data used to improve the checkout process are deleted or anonymized after no later than 90 days; technical system log files after a short time (usually 14 days). We retain security-relevant activity and audit logs for up to three years; the full IP address contained in them is, however, automatically truncated and anonymized after just 180 days. Records of a declared waiver of the right of withdrawal (time, IP address) are retained permanently for as long as necessary to defend legal claims (Article 17(3)(e) GDPR). If you delete your account, it is first deactivated for a grace period of 30 days and only then permanently deleted or anonymized. Stream keys you provide for forwarding are stored in encrypted form until you remove them, end the forwarding feature, or delete your account. Recordings are stored until you delete them, end the recording feature, or delete your account, but at most for the retention period stated in the dashboard or service description.

Invoices are generated and held by Stripe. Where we are subject to our own tax and commercial retention obligations (e.g. for income and accounting records under § 147 AO), we retain the relevant documents for the legally prescribed period.

19. Your rights

You have the right to access, rectify, erase, restrict processing, and to data portability. Where processing is based on your consent, you can withdraw it at any time with effect for the future (Article 7(3) GDPR).

You also have the right to object at any time, on grounds relating to your particular situation, to processing based on a legitimate interest (Article 6(1)(f) GDPR) (Article 21 GDPR). No automated decision-making, including profiling within the meaning of Article 22 GDPR, takes place.

You also have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of your habitual residence, place of work, or the place of the alleged infringement. The competent authority is that of the federal state in which the controller is established.

20. Security

We implement appropriate technical and organizational measures under Article 32 GDPR to protect your data against loss, misuse, and unauthorized access. Particularly sensitive credentials such as stored stream keys are kept encrypted (encryption at rest) and decrypted exclusively server-side to provide the respective feature.

These security measures are updated continuously to reflect the state of the art.