yastream.com

Privacy policy

The yastream.com privacy policy explains account, streaming, billing, support, and necessary browser storage data.

Controller

  • Remoteroom GmbH, Theodorstrasse 41P, 22761 Hamburg, Germany.
  • Email: yastream@remoteroom.io.

Scope

  • This privacy policy applies to website visits, account creation and use, live-streaming, viewer, collaboration, recording and billing functions, and contact with us.
  • We process personal data only where necessary for operation, contract performance, security, billing, support or legal obligations.

Website access, hosting and server logs

  • When the website is accessed, the server processes technically necessary connection data, in particular IP address, date and time, requested URL, referrer, user agent, status code and transferred data volume.
  • We use this data to deliver the website, analyze errors, detect misuse and attacks, and operate the service securely.
  • The legal bases are Art. 6(1)(b) GDPR and Art. 6(1)(f) GDPR.

Accounts and authentication

  • When an account is created or used, we process email address, optional names, password hash where password login is used, Google account identifiers where Google sign-in is used, security and two-factor data, account role, plan, usage limits, login token hashes, Stripe customer and subscription IDs, and billing-related metadata.
  • Google sign-in is optional. Users may choose email/password login instead.
  • If a user selects Continue with Google, the browser is redirected to Google for authentication and then returns to yastream.com.
  • Google does not receive stream keys, recordings, viewer links, billing usage data or account session tokens from Yastream through this login flow.
  • Passwords are not stored in plain text; new password hashes are generated with Argon2id.

Streams, viewers and recordings

  • For live streams we process stream and viewer IDs, stream status, ingest logs, connection data, IP addresses, technical quality values, viewer reports, optional stream passwords, viewer names, collaboration data such as laser pointer events, branding files and audit logs.
  • Recording is optional. If the user starts or enables recording, we store recording files, metadata, download links, and deletion or expiry dates according to the plan and retention rules shown in the product.
  • Recording files are stored in Cloudflare R2 object storage configured for the European Union jurisdiction.

Browser storage instead of tracking cookies

  • As of June 30, 2026, yastream.com does not use analytics, marketing, retargeting or third-party tracking cookies.
  • The website does not load external webfonts or external analytics, advertising, social media or chat scripts.
  • The application uses first-party localStorage and sessionStorage only for necessary or explicitly requested functions such as account sessions, theme, checkout state, pricing period, support chat, watch aspect overlay, optional viewer names, local test API token and viewer sessions.
  • Because no consent-requiring tracking or marketing cookies are used, yastream.com currently does not use a cookie banner.

Human support chat

  • If the support chat is used, we process submitted messages, optional name and email address, page URL, timestamps, IP address, user agent and the technical visitor token needed to show replies in the same browser.
  • The chat is operated by yastream.com itself; no bot or AI answers visitor messages.
  • New visitor messages may trigger a Slack notification to the team.
  • Support chat conversations are retained for 90 days by default unless deleted earlier from the admin inbox.

Compliance, security and service providers

  • The service is designed for data minimization: no analytics tools, no advertising networks, no retargeting, no social plugins, no external webfonts and no external chat widgets on normal page views.
  • Security measures include signed playback and publish URLs, optional stream passwords, hidden ingest credentials, WHIP bearer tokens, bearer-protected admin and API endpoints, account roles, optional two-factor authentication, password hashes instead of plain text passwords, server-side token hashes, restricted access to operational data and private metrics endpoints.
  • Current production service providers include netcup GmbH for hosting in Nuremberg, Germany; Cloudflare R2 for optional recording object storage configured for the European Union jurisdiction; Google for optional account authentication; Stripe for checkout, customer portal, payment processing, invoices and subscription events; and Slack for optional internal support notifications.

Camera, screen sharing and encoders

  • If browser publishing is used, the browser asks for access to camera, microphone or screen.
  • Media streams are transmitted only after active permission.

International transfers

  • Application hosting is located in Germany.
  • Cloudflare, Google, Stripe, Slack and their subprocessors may process account, support, billing or operational data outside the EU/EEA where necessary for their services, governed by appropriate safeguards such as data processing agreements, EU Standard Contractual Clauses and, where applicable, the EU-U.S. Data Privacy Framework.

Retention and deletion

  • Personal data is stored only for as long as it is necessary for the relevant purpose, statutory retention obligations apply, or legitimate interests such as security, error analysis and legal defense require retention.
  • Account data is generally stored for the duration of the account.
  • Payment and invoice data is retained according to commercial and tax-law obligations.
  • Support chat conversations are retained for 90 days by default unless deleted earlier.
  • Recordings and downloads follow the plan and retention rules shown in the product.

Data subject rights

  • Data subjects have GDPR rights to access, rectification, erasure, restriction of processing, data portability and objection to processing based on legitimate interests.
  • Where processing is based on consent, consent may be withdrawn at any time with effect for the future.
  • Requests can be sent to yastream@remoteroom.io.

Right to lodge a complaint

  • You have the right to lodge a complaint with a data protection supervisory authority.
  • For Hamburg, the competent authority is the Hamburg Commissioner for Data Protection and Freedom of Information, Ludwig-Erhard-Str. 22, 20459 Hamburg, email: mailbox@datenschutz.hamburg.de.

No automated decisions

  • We do not make decisions based solely on automated processing within the meaning of Art. 22 GDPR that have legal effects or similarly significant effects.
  • Plan and usage limits may be applied technically and automatically, but are based on the booked plan, security rules or contractual usage limits.

Changes

  • We update this privacy policy when functions, service providers, legal bases or technical processes change.