Privacy Policy
Last updated: 2026-05-18
This Privacy Policy describes how streamoverlay.app ("we", "us", or "the service") collects, uses, and protects information when you use our overlay platform, bot, designs gallery, control deck, and tipping features.
1. What we collect
When you sign in with Twitch (and in future, YouTube, Kick, TikTok), we receive from the platform's OAuth flow:
- Your platform user ID, login name, display name, and profile image URL
- Your email address, if you have authorized it
- An encrypted refresh token that lets us call platform APIs on your behalf for the scopes you granted
When you use the service we additionally store:
- Your overlays, designs, bot configuration, loyalty data, redemption store, song queue, and deck layouts
- A session cookie that identifies your browser to our worker (HttpOnly, Secure, SameSite=Lax)
- An audit log of significant account actions (logins, overlay rotations, etc.) retained for up to 90 days
- Tip records (amount, currency, optional tipper name and message) processed via Stripe
We do not store passwords. Authentication is handled entirely by your streaming platform.
2. What we don't do
- We do not sell, rent, or trade your personal information to anyone, ever.
- We do not run advertising, behavioural profiling, or third-party tracking pixels.
- We do not read or process your microphone or webcam audio. The PNGtuber overlay analyses your mic locally in your browser — audio never leaves your machine.
- We do not share your viewers' data with anyone. Viewer chat, loyalty, and tip records stay scoped to your channel.
3. How we use what we collect
- To authenticate you and run the platform's features (overlays, bot, loyalty, etc.)
- To call Twitch and other streaming platform APIs on your behalf using the scopes you authorized
- To process tips through Stripe (we never see card details — Stripe handles all payment data directly)
- To improve the service via aggregate, non-identifying usage stats
- To comply with legal obligations, when required
4. Processors and sub-processors
We use these third-party services to operate streamoverlay.app:
- Cloudflare — hosting, edge compute (Workers), object storage (R2), database (D1), key-value (KV). Your data is processed and stored within Cloudflare's infrastructure.
- Stripe — payment processing for tipping. Subject to Stripe's Privacy Policy.
- Twitch — OAuth provider and event source. Subject to Twitch's Privacy Notice.
- Giphy — GIF search proxied through our worker. Search queries you type into the Giphy picker are forwarded to Giphy.
5. Security
Refresh tokens are encrypted at rest with AES-GCM. Session cookies are HttpOnly, Secure, and SameSite=Lax. Overlay tokens are HMAC-signed JWTs. We follow defense-in-depth practices and review for vulnerabilities regularly. No system is perfect — if you discover a security issue, please report it via our Discord.
6. Your rights
You can at any time:
- Log out — this invalidates your session cookie immediately
- Delete your overlays, designs, commands, redemptions, and other data via the dashboard
- Request full account deletion by contacting us through Discord. All your records are removed within 30 days.
- Export your data (loyalty points, command list, etc.) via the dashboard's CSV exports
7. Cookies
We use one essential cookie: session, which keeps you signed in. We do not use tracking, advertising, or analytics cookies.
8. Children's privacy
The service is not directed to children under 13. We do not knowingly collect data from anyone under 13.
9. Changes
We may update this policy. Material changes will be announced on the platform and via our Discord. Continued use after changes constitutes acceptance.
10. Contact
Questions or requests: reach us via the streamoverlay.app Discord.
Note: this is a plain-language summary of our practices. It is not legal advice. We recommend reviewing the policy yourself and reaching out with any concerns.