viewer.rent Privacy Policy

Updated: 2026-05-05

This Privacy Policy (the “Policy”) governs the processing of personal data of users of the viewer.rent service (the “Service”). The data controller within the meaning of Regulation (EU) 2016/679 (the “GDPR”) is {LEGAL_ENTITY} (the “Operator”). By using the Service the User confirms that they have read this Policy and consent to the processing of their personal data in the volume and for the purposes set out below. Provisions referencing the GDPR apply to all Users resident in the European Economic Area.

1. Definitions

“Personal data” means any information relating to an identified or identifiable natural person.

“Processing” means any operation or set of operations performed on personal data: collection, recording, organisation, storage, retrieval, use, transfer, erasure.

“Controller” means the Operator, who determines the purposes and means of processing.

“Data subject” means the User to whom the personal data relate.

“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data.

2. Categories of data processed

The Operator collects and processes the following categories of personal data:

(a) Account data: email address; Telegram username and/or Telegram User ID.

(b) Technical data: IP address of the device used at registration and at subsequent login sessions; session and operation timestamps; user-agent string (browser, operating system); preferred interface locale.

(c) Channel-link data: identifiers (slug, user_id) of Kick and Twitch channels; OAuth access tokens issued by those platforms, used solely to confirm the User's rights to the channel; type, duration and target parameters of launched Campaigns.

(d) Financial data: the fact, amount and time of cryptocurrency top-ups; the payer-wallet address as a technical identifier. The Operator does not receive payment-card details or any other personal payment-instrument data.

3. Legal bases for processing (Article 6 GDPR)

Processing of personal data is carried out on the following legal bases:

(a) Performance of a contract, Article 6(1)(b) GDPR — to provide the Service in accordance with the Terms of Service: account data, technical session data, Campaign data, financial data.

(b) Compliance with a legal obligation, Article 6(1)(c) GDPR — for anti-money-laundering, tax and accounting compliance: financial data, IP addresses.

(c) Legitimate interests, Article 6(1)(f) GDPR — for fraud prevention, multi-account detection and information-security purposes: IP addresses, fingerprints, technical data. The legitimate interest has been balanced against data subjects' rights and freedoms.

(d) Consent, Article 6(1)(a) GDPR — for non-transactional Telegram messages. Consent may be withdrawn via the /unsubscribe command in the Telegram bot.

4. Purposes of processing

The Operator processes personal data only for the following purposes:

(a) Creating and maintaining the User's Account;

(b) Operating the Service (billing, analytics, abuse protection);

(c) Communicating with the User regarding the Account and Campaigns;

(d) Compliance with applicable law;

(e) Protecting the rights and legitimate interests of the Operator, including in dispute resolution.

Use of personal data for purposes not specified in this Section is not permitted without the User's explicit consent.

5. Retention periods

The Operator observes the following retention periods:

(a) Account data of an active Account — for the lifetime of the Account plus 12 (twelve) months after its closure (to enable dispute resolution and legal claims);

(b) Registration IP addresses — 24 (twenty-four) months from registration (anti-fraud window);

(c) Detailed Campaign logs — 6 (six) months;

(d) Aggregated, anonymised Campaign logs — indefinitely;

(e) Financial transactions — 5 (five) years, as required by accounting and tax legislation;

(f) Telegram authentication sessions — 5 (five) minutes from creation, after which they are automatically deleted.

Upon expiry of the periods set out above the relevant data is deleted or anonymised in a way that excludes identification of the User.

6. Sharing with third parties

6.1. The Operator does not sell personal data and does not share it with marketing or advertising networks.

6.2. Personal data is shared only with the following processors, whose services are necessary for the Service to function:

(a) Cryptadium — for cryptocurrency payment acceptance. Shared: payment amount, transaction identifier, payer-wallet address;

(b) Telegram Messenger Inc. — for sending notifications and authentication confirmations through the Telegram bot. Shared: Telegram User ID, message text;

(c) Residential IP-address providers — for the technical delivery of virtual viewers. Shared: anonymised channel slugs only; no User personal data;

(d) Hetzner Online GmbH — server-infrastructure hosting provider (Germany).

6.3. Disclosure to state authorities is made only on a valid legal basis (court order, reasoned request from a competent authority in the form prescribed by law).

6.4. Each processor listed above is bound to the Operator by an agreement that ensures a level of data protection no lower than that provided by this Policy and applicable law, including by way of Standard Contractual Clauses where necessary.

7. International data transfers

7.1. Part of the Service infrastructure is hosted within the European Union (Germany, Finland). Within the EU/EEA, data is transferred under the GDPR's free-movement regime.

7.2. Where data is transferred outside the EU/EEA, the Operator relies on appropriate safeguards under Article 46 GDPR, primarily Standard Contractual Clauses approved by the European Commission.

8. Data subject rights

8.1. With respect to their personal data the User has the following rights under the GDPR:

(a) Right of access (Article 15) — obtain confirmation of processing and a copy of the personal data;

(b) Right to rectification (Article 16) — request correction of inaccurate or incomplete data;

(c) Right to erasure / right to be forgotten (Article 17) — request deletion of data on the grounds set out in the Article;

(d) Right to restriction of processing (Article 18);

(e) Right to data portability (Article 20) — receive data in a structured machine-readable format;

(f) Right to object (Article 21) — to processing based on legitimate interests;

(g) Right not to be subject to a decision based solely on automated processing (Article 22). The Service does not engage in fully automated decision-making producing legal effects on the User or significantly affecting them.

8.2. Rights are exercised by request to @viewerrent_bot on Telegram or by email to privacy@viewer.rent. The response period is up to 30 (thirty) calendar days from receipt of the request; this may be extended by 60 days for complex requests, with notice to the data subject.

8.3. Right to lodge a complaint. Users resident in the EU have the right to lodge a complaint with the data-protection supervisory authority of their place of residence. Contact details for supervisory authorities are published on the European Commission website (edpb.europa.eu).

9. Cookies and similar technologies

9.1. The Service uses only functional cookies necessary for its operation:

(a) `streamer_session` (HttpOnly, Secure, SameSite=Lax) — JWT authentication-session token; retained for 30 days;

(b) `tg_auth_token` (Session Storage, not a cookie) — temporary Telegram-login session identifier; retained until the browser tab is closed or for 5 minutes.

9.2. The Service does not use analytics, advertising cookies or third-party trackers.

9.3. Because the use of functional cookies is strictly necessary for the provision of the Service, no consent is required pursuant to Article 5(3) of the ePrivacy Directive.

10. Data security

10.1. The Operator implements organisational and technical safeguards appropriate to the state of the art and the nature of the data processed, including:

(a) Encryption of data in transit using TLS 1.2/1.3;

(b) Password hashing with bcrypt and per-user salt;

(c) Session-token signing with HMAC-SHA256;

(d) Database-level role isolation;

(e) Daily backups with a 14-day retention cap;

(f) Logging of critical operations and periodic log review.

10.2. In the event of a personal-data breach giving rise to a risk to the rights and freedoms of data subjects, the Operator will notify the competent supervisory authority within 72 (seventy-two) hours of becoming aware of the breach and, where the risk is high, will also notify affected data subjects without undue delay, in accordance with Articles 33-34 GDPR.

11. Age restrictions

11.1. The Service is intended exclusively for individuals who have reached 18 years of age.

11.2. The Operator does not knowingly collect personal data from individuals under 18.

11.3. Where it is established that a minor's data has been processed, the Operator will promptly delete that data and close the corresponding Account.

12. Changes to the Policy

12.1. The Operator may amend this Policy by publishing an updated version on the Service's website.

12.2. Material changes affecting the rights of data subjects are announced at least 7 (seven) calendar days in advance via a banner on the website and a notification in the Telegram bot.

12.3. The current version of the Policy, the date of last revision and an archive of prior versions are published on the Service's website.

13. Contact information and Controller details

Data Controller: {LEGAL_ENTITY}

Correspondence address: {LEGAL_ADDRESS}

Email for personal-data matters: privacy@viewer.rent

Support: @viewerrent_bot on Telegram

Effective date: 5 May 2026.

HomePrivacyTerms