Legal

Privacy Policy

Effective date: 2026-05-03

StreamHook is a private coordination product for small groups. This policy explains what we collect, why we collect it, and what choices you have.

Data controller

Data controller: Miguel Angel Aragones Castaneda (Spain). Contact email: hello@streamhook.app.

What we collect

We collect only the data required to run StreamHook: account data (email and optional display name), room and membership data, invite records, shared queue items, per-member title states, and optional per-episode watch states.

We also process technical data needed to operate and protect the app, such as IP-derived country signal, request metadata, and security or error logs.

How we use data

We use data to run StreamHook, secure accounts, prevent abuse, and diagnose reliability issues. We do not sell personal data.

Legal basis (EEA/UK users)

  • Contract performance (GDPR art. 6.1.b): account access, room membership, invites, queue and watch-state features.
  • Legitimate interests (GDPR art. 6.1.f): service security, abuse prevention, reliability, and debugging.
  • Consent (GDPR art. 6.1.a): optional cookie preferences where required.
  • Legal obligations (GDPR art. 6.1.c): compliance duties that may apply to the operator.

Cookies and similar technologies

We use the following cookies:

  • Authentication/session cookies set by Supabase Auth (essential).
  • streamhook-active-space (essential): remembers the currently selected room.
  • streamhook-invite-token (essential): supports explicit invite-acceptance flow.
  • streamhook-cookie-consent (preference): stores cookie consent choice.

Processors and providers

We use only the providers required to operate the service:

  • Supabase (authentication, database, and realtime infrastructure).
  • Resend (invite email delivery and related email processing).
  • TheTVDB (title metadata and artwork metadata).
  • TMDB image CDN (image.tmdb.org) for poster assets.
  • Hosting/edge providers used in the active deployment environment (for example Vercel and/or Cloudflare, if configured by the operator).

Node.js is runtime software used to execute the app and is not a separate data processor by itself.

Third-party content and image notice

Media metadata, artwork, logos, and images shown in StreamHook may be supplied by third-party providers and remain the property of their respective owners and rights holders. StreamHook displays this content only to support private watch-planning features and does not claim ownership of that third-party content.

Retention

We retain data while your account is active and as needed for security and operational purposes. You can request deletion through support.

Invite records and security-relevant logs may be retained for a limited additional period when reasonably necessary to investigate misuse, resolve disputes, or comply with legal obligations.

International transfers

Some providers may process data outside the EEA. Where this happens, transfers are based on an adequacy decision or appropriate safeguards (for example, Standard Contractual Clauses) made available by the relevant provider.

Your rights

Under GDPR/LOPDGDD, you can request access, rectification, erasure, portability, restriction, and objection, and you may withdraw consent at any time for consent-based processing.

You can exercise these rights by contacting hello@streamhook.app. You also have the right to lodge a complaint with your local supervisory authority. In Spain, this is the Agencia Espanola de Proteccion de Datos (AEPD).

Contact

For privacy requests, contact hello@streamhook.app.