Privacy Policy
Last updated: April 15, 2026
Fynstream ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our live streaming and video on demand platform, website, and related services (collectively, the "Service").
1. Information We Collect
1.1 Information You Provide at Sign-up
- Account information: name, email address, organization name, and password when you create an account.
- Authentication factors: if you enable two-factor authentication, we store either an encrypted TOTP secret (for authenticator apps) or a flag recording that email one-time codes are active. Recovery codes (where offered) are stored hashed.
- Billing information: payment method details processed securely through PayPal. We do not store full card numbers on our servers. For manually invoiced enterprise customers, we may hold billing contact information provided by you.
1.2 Information You Provide During Verification (KYC)
Before you can publish live streams, upload video, or configure multistream destinations, you complete a verification request. This collects:
- Business or trading name and country.
- Contact phone number in E.164 format.
- Website URL or primary social presence (optional but strongly recommended).
- Description of your intended use case and the type of content you plan to stream.
- Expected peak concurrent viewers.
- An optional reason for expedited review and a verifiable event date.
1.3 Information You Provide While Using the Service
- Content: live streams, video uploads, thumbnails, poster images, titles, descriptions, SEO metadata, and chat messages (where chat is enabled).
- Branding: organization logo, player customization options, and custom domain CNAME targets.
- Team information: names, emails, and role assignments for users you invite to your tenant.
- Support communications: messages, attachments, and metadata from support tickets or emails you send us.
1.4 Information Collected Automatically
- Signup and verification signals: IP address, derived geographic region, user-agent string, and automated risk flags (for example, disposable email domains, blocklist matches). These are captured at account creation and at verification submission to help reviewers make decisions.
- Usage data: pages visited, features used, dashboard interaction patterns, and administrative actions.
- Stream and VOD analytics: aggregated concurrent viewer counts, geographic distribution of viewers, playback quality metrics, watch time, and completion rates.
- Live viewer heartbeats: when a viewer watches a stream on a public watch page or embedded player, the player sends a periodic heartbeat containing a random per-session viewer ID. We use these heartbeats (stored in short-lived Redis sorted sets) to compute live viewer counts; they are not joined to any account profile.
- Log data: API request metadata, server access logs, error traces, and media-server event logs (publish, unpublish, play, stop, HLS segment generation).
- Activity and audit logs: dashboard actions are written to an activity log visible to you, and internal administrative actions are written to a separate audit log visible only to Fynstream staff. Older log rows are periodically archived to encrypted storage.
1.5 Cookies, Sessions, and Tracking
- Authentication cookies: httpOnly refresh token cookies maintain your dashboard login. A separate short-lived cookie guards the superadmin dashboard.
- Watch session cookies: after you pass the Turnstile challenge on a public watch page, a signed HMAC cookie (fyn_watch_session) is set for up to 2 hours so you are not re-challenged on every request.
- Bot protection: Cloudflare Turnstile is used on login, registration, password reset, and public playback. Turnstile processes limited signals (IP, browser fingerprint, interaction metadata) under Cloudflare's privacy policy.
- Analytics cookies: we may use first-party analytics cookies to understand product usage. You can control cookie preferences through your browser settings.
2. How We Use Your Information
We use the information we collect to:
- Provide, maintain, secure, and improve the Service.
- Process transactions, generate invoices, apply account credit, and send related billing notifications.
- Authenticate your identity, manage your account, and enforce two-factor authentication.
- Evaluate verification requests and decide whether to approve, request more information, reject, or ban an account.
- Provide stream analytics, VOD analytics, and live viewer metrics on your dashboard.
- Send service-related notifications (stream alerts, storage and bandwidth usage warnings, subscription status, invoice receipts, verification decisions).
- Respond to support requests and communicate with you about the Service.
- Detect, investigate, and prevent fraud, abuse, copyright violations, and security threats.
- Enforce our Terms of Service and comply with legal obligations.
3. How We Share Your Information
We do not sell your personal information. We share information only with:
- Service providers we rely on to operate the platform:
  - Backblaze B2 for encrypted object storage (video, thumbnails, logos, invoice PDFs, backups).
  - PayPal for payment processing on self-serve subscriptions.
  - Cloudflare for Turnstile bot protection and, optionally, DNS or CDN services.
  - Email delivery provider for transactional email (invoices, verification outcomes, alerts).
  - GeoIP lookup provider for approximate location on signup signals, viewer analytics, and geo-blocking.
  - Cloud infrastructure and media-server hosts that ingest your RTMP and deliver HLS to viewers.
- Multistream destinations you configure: when you add RTMP destinations (YouTube, Twitch, Facebook, Kick, X, LinkedIn Live, TikTok, or custom RTMP), we relay your stream to those platforms. Your content and stream keys are shared with them by your own configuration.
- Legal requirements: when required by law, regulation, subpoena, court order, or other legal process, and to protect the rights, property, or safety of Fynstream, our users, or the public.
- Business transfers: in connection with a merger, acquisition, financing, or sale of assets. We will notify you before personal data is transferred and becomes subject to a different privacy policy.
- With your consent: when you explicitly authorize sharing (for example, a public testimonial or case study).
4. Data Storage and Security
Your data is stored on secure servers with encryption at rest and in transit. We implement industry-standard security measures including:
- TLS/SSL encryption for all data in transit, including HLS playback URLs.
- Signed, short-lived playback URLs to prevent hotlinking and embed scraping.
- Encrypted storage for sensitive data (passwords hashed with bcrypt, TOTP secrets encrypted, API keys stored as SHA-256 hashes).
- Encrypted database backups (AES-256-GCM) stored separately from production.
- Role-based access controls for internal staff, with a separate admin authentication system and audit logging of administrative actions.
- Two-factor authentication (TOTP or email OTP) available on all accounts.
- Regular security reviews and dependency updates.
5. Data Retention
5.1 Account data
We retain your account information for as long as your account is active. When you delete your account, we will delete or anonymize your personal data within 30 days, except where we are required to retain it for legal or compliance purposes (for example, invoices and tax records).
5.2 Content
Stream recordings, uploaded VOD, and thumbnails are retained for as long as your subscription is active and you have not removed them. Upon cancellation, your content is preserved for 30 days to allow resubscription, then deleted.
5.3 Verification PII
Personally identifiable information provided as part of verification (business name, phone, website, use case details, IP address, user-agent) is automatically purged 90 days after a final decision (approved, rejected, or banned). After the purge, only the decision, high-level metadata, and hashed (one-way) identifiers remain.
5.4 Repeat-offender blocklist
For accounts rejected or banned for serious policy violations, we may retain one-way hashes of identifiers (email, phone, IP) indefinitely in a dedicated blocklist. These hashes cannot be reversed to reveal the original value; they are used only to detect attempts to re-register under a new account.
5.5 Logs and analytics
Server logs, activity logs, and audit logs are retained in live storage for a rolling window (typically 90 days), after which older entries are archived to encrypted long-term storage. Aggregated analytics (viewer counts, bandwidth, storage usage) may be retained indefinitely in de-identified form for capacity planning and product metrics.
6. Your Rights
Depending on your location, you may have the right to:
- Access the personal data we hold about you.
- Correct inaccurate or incomplete data.
- Delete your personal data (right to erasure).
- Export your data in a portable format.
- Object to or restrict certain processing activities.
- Withdraw consent where processing is based on consent.
To exercise any of these rights, contact us at the email address provided below. We will respond to your request within 30 days. We may need to verify your identity before releasing or deleting information. Note that the right to erasure does not extend to the hashed blocklist identifiers described in Section 5.4, which we retain on a legitimate interest basis to protect the integrity of the Service.
7. International Data Transfers
Your information may be transferred to and processed in countries other than your own, including where our service providers (Backblaze, PayPal, Cloudflare, email delivery) are based. We ensure appropriate safeguards are in place for such transfers in compliance with applicable data protection laws.
8. Children's Privacy
The Service is not intended for children under 16 years of age. We do not knowingly collect personal information from children. If you believe we have collected data from a child, please contact us immediately so we can delete it.
9. Third-Party Services
The Service may contain links to, or integrations with, third-party services (social media platforms for multistreaming, payment providers, analytics tools). We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies.
10. Viewer Privacy
Viewers who watch public or embedded streams are subject to the automatic data collection described in Section 1.4 (IP address, user-agent, playback metrics, heartbeat-derived viewer counts). As a streamer, you are the controller of any additional data you collect from viewers (for example chat nicknames, form submissions overlaid on your player). You are responsible for providing your own privacy notice to your viewers where required by law.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. Your continued use of the Service after changes constitutes acceptance of the updated policy.
12. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us at:
- Email: info@fynstream.com
- Through the support ticket system in your dashboard