StreamerStats

Privacy Policy

Effective Date: March 8, 2026

Last Updated: July 10, 2026

StreamerStats ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you visit our website https://streamerstats.com (the "Website"). Please read this Privacy Policy carefully. If you do not agree with the terms of this Privacy Policy, please do not access the Website.

1. Information We Collect

1A. Account Information

  • Registration data: Email address, hashed password, and display name when you create an account.
  • OAuth connections: If you link your Twitch or Kick account, we receive and store your platform user ID, username, and OAuth tokens.

1B. Streaming & Chat Data

We collect publicly available data from the Twitch and Kick platforms, including:

  • Stream metadata: Stream titles, categories, viewer counts, start/end times, and broadcast settings.
  • Chat messages: Messages sent in public chat channels on Twitch and Kick. These are publicly visible on the respective platforms.
  • Engagement events: Subscriptions, gift subscriptions, followers, raids, bits (Twitch), kicks (Kick), and host events.
  • Category statistics: Viewer counts, active channels, and rankings per content category.

Verified channel owners can opt out of having their chat data displayed via Settings > Privacy Controls.

1C. Device & Browser Information

  • Network: IP address, connection type.
  • Browser/OS: User agent, browser type and version, operating system.
  • Hardware: Screen resolution, color depth, language, timezone, CPU core count, device memory, and GPU information via WebGL.

1D. TLS & Network Fingerprints

When your browser connects to our servers, we extract information from the TLS (HTTPS) handshake, including:

  • JA3 and JA4 fingerprints: Hashes derived from your browser's TLS ClientHello message, including supported cipher suites, extensions, and elliptic curves.
  • TLS metadata: TLS version, selected cipher suite, and Server Name Indication (SNI).

These fingerprints are combined into a SHA-256 composite visitor identifier used to detect automated (bot) traffic. They do not identify you personally but can distinguish your browser configuration from others.

1E. Client-Side Fingerprints

Our Website executes JavaScript in your browser to generate device fingerprints for bot detection. These techniques include:

  • Canvas fingerprinting: Drawing specific patterns on an invisible HTML canvas element and hashing the rendered output. Subtle differences in how your device renders graphics produce a device-specific identifier.
  • Audio fingerprinting: Creating an audio processing context and analyzing frequency response characteristics, which vary by hardware and software configuration.
  • Font detection: Measuring text rendering to detect which fonts are installed on your device.
  • WebGL fingerprinting: Querying your GPU hardware details through the WebGL API.

These fingerprints are combined into a composite device identifier and cross-referenced with server-side TLS fingerprints to detect anomalies indicative of bot activity.

1F. Behavioral Data

  • Request timing: Timestamps and intervals between your API requests.
  • Navigation patterns: Whether you browse in breadth-first or depth-first patterns, and how you navigate between pages.
  • API velocity: The frequency and rate of requests to our API endpoints.

This data is analyzed in real time to distinguish human visitors from automated bots. It is not used for advertising or user profiling beyond security purposes.

1G. Usage Data

  • Pages visited and API endpoints accessed.
  • HTTP methods, response status codes, and request duration.
  • Session duration and referral source.

2. How We Use Your Information

  • Account management: To create, maintain, and authenticate your user account.
  • Service delivery: To provide streaming analytics, leaderboards, channel profiles, category statistics, and search functionality.
  • Security and anti-bot protection: To detect and prevent automated abuse, bot traffic, and fraudulent activity using the fingerprinting, behavioral analysis, and challenge systems described in this policy.
  • Analytics and improvement: To analyze usage patterns and improve our Website's performance and reliability.
  • Error monitoring: To detect, diagnose, and fix software errors using session recordings and error reports.
  • Transactional communication: To send email verification, password reset, and account security notifications. We do not send marketing emails.

3. Cookies and Local Storage

We use the following cookies and browser storage:

  • Authentication session cookie: Maintains your login session. Essential for account functionality.
  • Security session cookie (security_session): Identifies your security session for anti-bot verification. Contains no personal information.
  • Device identity cookie (__Secure-ss-did): Strictly necessary (security / fraud prevention). Purpose: recognise your browser to protect the service against automated abuse. Duration: 180 days. Not used for advertising, analytics, or personalisation.
  • Sentry cookies: Used for error tracking and session replay functionality.

We do not use advertising cookies, tracking pixels, or third-party analytics cookies. You can instruct your browser to refuse cookies, but some features may not function correctly without them.

4. Security System (Anti-Bot Protection)

Every request to our API passes through an automated security pipeline designed to protect the Website from bots, scrapers, and abuse. This system includes the following mechanisms:

  • Proof-of-Work (PoW) challenges: Your browser may be required to solve a cryptographic puzzle before accessing certain resources. This takes less than one second and uses your device's CPU. It verifies that requests come from a real browser, not a script.
  • HMAC signature verification: Requests are signed with a cryptographic key to verify they originate from our Website and have not been tampered with.
  • Risk scoring: Each request receives a risk score from 0 to 100 based on fingerprint consistency, behavioral patterns, and historical activity. High-risk requests may be challenged, delayed, or blocked.
  • Rate limiting: Requests are subject to sliding window and budget-based rate limits to prevent abuse.
  • Blocklist: Known malicious fingerprints, IP addresses, and user agents may be blocked from accessing the service.
  • Security event logging: All security decisions (allow, challenge, delay, block) and associated metadata are logged to our analytics database for security monitoring and improvement.

5. Session Recording

We use Sentry Session Replay to record browsing sessions on our Website for the purpose of error detection and debugging. This includes:

  • What is recorded: Mouse movements, clicks, scrolls, page navigation, and form interactions. A visual reproduction of your session is created.
  • Recording rate: 100% of sessions are recorded.
  • Data masking: Password inputs are automatically masked in recordings.
  • PII included: IP addresses and user identifiers are sent alongside recordings to correlate errors with affected users.
  • Data transmission: Session replay data is sent through a /monitoring route on our domain, which tunnels data to Sentry's servers.
  • Storage: Recordings are stored on Sentry's servers in the United States, subject to Sentry's data retention policies.

6. Third-Party Services

We share data with the following third-party service providers:

  • Sentry — Error tracking, performance monitoring, and session replay. Receives: IP addresses, user agents, page URLs, JavaScript errors, performance data, session recordings, and user identifiers.
  • Cloudflare — DNS, CDN, DDoS protection, and network tunneling. Receives: all network traffic, IP addresses, and request metadata.
  • Resend — Transactional email delivery. Receives: email addresses and email content for verification and password reset emails.
  • Twitch / Kick — OAuth authentication and public API data sourcing. Receives: OAuth authorization codes. Provides: user profile data for linked accounts and publicly available streaming data.

Each third-party provider operates under its own privacy policy. We encourage you to review their policies.

7. Data Storage and Retention

  • Account data: Retained until you delete your account.
  • Security data (fingerprints, sessions, request logs): Retained for security analysis and threat detection.
  • Streaming analytics and chat data: Retained indefinitely as part of our core analytics dataset.
  • Redis cache: Temporary data with TTLs of 60 seconds to 15 minutes. Automatically expires.
  • Session recordings: Subject to Sentry's retention policies.

8. Data Sharing and Disclosure

We do not sell your personal information. We do not share your data with advertisers. We may disclose your information in the following circumstances:

  • Service providers: With the third-party services listed in Section 6, solely for the purposes described.
  • Legal obligations: If required by law or in response to valid requests by public authorities.
  • Protection of rights: To protect and defend our rights, property, and safety.
  • Business transfers: In connection with any merger, sale of company assets, financing, or acquisition.
  • Public data: Streaming analytics and public chat messages are displayed on our Website as part of our service. Channel owners can opt out via Privacy Controls.

9. International Data Transfers

StreamerStats is operated from the United States. Your information may be transferred to and processed in the United States and other countries where our service providers operate. These countries may have data protection laws that differ from your jurisdiction. By using our Website, you consent to the transfer of your information to these countries.

10. Your Rights and Controls

  • Privacy Controls (in-app): Verified channel owners can hide their chat activity from search and hide their profile from search results via Settings > Privacy Controls.
  • Account deletion: You can delete your account via Settings. This removes your account data, authentication tokens, and linked OAuth connections.
  • Access and correction: You can access and update your account information at any time through your account settings. For data access requests beyond your account settings, contact us at [email protected].
  • Data portability: You may request an export of your personal data by contacting us at the email above.
  • OAuth revocation: You can disconnect linked Twitch or Kick accounts via Settings > Connected Accounts.

11. European Users (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):

Legal Bases for Processing

  • Consent: Where you have given explicit consent (e.g., creating an account, linking OAuth accounts).
  • Legitimate interests: Security and anti-bot protection, error monitoring, and service improvement. We have assessed that these interests do not override your fundamental rights.
  • Contractual necessity: Processing required to provide the services you have requested.

Device Identity Cookie (__Secure-ss-did)

We set the __Secure-ss-did device identity cookie on the legal basis of legitimate interest under Article 6(1)(f) GDPR, for the sole purpose of security and fraud prevention. It is never used for any purpose outside security. You have the right to object to this processing under Article 21 GDPR by contacting us at [email protected]; objections are reviewed by a human, not decided by an automated system. Retention: the cookie expires after 180 days, and the associated server-side security log is retained for up to 90 days.

Your GDPR Rights

  • Right of access to your personal data.
  • Right to rectification of inaccurate data.
  • Right to erasure ("right to be forgotten").
  • Right to restriction of processing.
  • Right to data portability.
  • Right to object to processing based on legitimate interests.
  • Right to withdraw consent at any time.
  • Right to lodge a complaint with your local data protection authority.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

12. California Users (CCPA)

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA):

Categories of Personal Information Collected

  • Identifiers (email, IP address, user IDs).
  • Internet or electronic network activity (browsing history, device fingerprints, API usage).
  • Geolocation data (derived from IP address and timezone).

Your CCPA Rights

  • Right to know: You can request details about the personal information we have collected about you.
  • Right to delete: You can request deletion of your personal information, subject to certain exceptions.
  • Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights.
  • No sale of personal information: We do not sell personal information to third parties.

13. Children's Privacy

Our services are not directed to individuals under the age of 13 (or 16 in jurisdictions where applicable). We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child, we will take steps to delete it promptly. If you believe a child has provided us with personal information, please contact us at [email protected].

14. Security of Your Information

We implement the following security measures to protect your data:

  • Password security: All passwords are hashed using industry-standard algorithms. We never store plaintext passwords.
  • Request integrity: API requests are verified using HMAC-SHA256 cryptographic signatures.
  • Encryption: Sensitive security data is encrypted using AES-256-GCM.
  • Account lockout: Accounts are temporarily locked after 10 failed login attempts for 15 minutes.
  • Rate limiting: Login attempts are limited to 5 per minute and account signups to 3 per hour.

No method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email (if you have an account) or by posting a prominent notice on the Website prior to the change becoming effective. Your continued use of the Website after any changes indicates your acceptance of the updated Privacy Policy.

16. Contact Us and Governing Law

If you have any questions or concerns about this Privacy Policy or our data practices, please contact us at [email protected].

This Privacy Policy is governed by the laws of the State of North Carolina, United States, without regard to its conflict of laws principles. This policy covers all services provided through streamerstats.com and its subdomains.