Privacy Policy

How SwishIPTV collects, uses, and protects your information.

Effective 2026-05-14 · Policy version 2.0

TL;DR. We collect what we need to provision your IPTV line and bill you, nothing else. Panel partners receive only an opaque UID, never your real email. Payment processors see what they need to process the payment, never your viewing history. Live-chat transcripts are tied to a ticket ID and purged after 90 days. We honour GDPR Articles 12–22 and the equivalent CCPA / CPRA rights for California residents. DM or email us at [email protected] with the subject line GDPR request: <right> and we respond within 30 days, usually much faster.

1. Who We Are (Data Controller)

SwishIPTV is operated by an independent operator in Norway. We are the data controller under GDPR Article 4(7) — meaning we decide what personal data is collected from you and why, and we are the entity you direct rights requests and complaints to. Our lead supervisory authority is the Norwegian Datatilsynet. EU / EEA residents may also complain to the DPA of their member state of residence.

Contact: [email protected] (GDPR / CCPA requests) · [email protected] (general).

2. Information We Collect (GDPR Art. 13 / 14)

Categories of personal data we process, why we process them, and how long we keep them:

  • Account contact (email): the address you sign up with or open chat from. Purpose: deliver credentials, billing receipts, service notices. Lawful basis: Art. 6(1)(b) contract. Retention: active account + 24 months of inactivity, then deletion.
  • Order record: order ID, plan / SKU, currency, amount, status, timestamps, optional discount code, and the payment-processor transaction reference (Stripe charge ID or NOWPayments invoice ID). Never card data; we never see card data. Purpose: fulfilment + accounting + dispute resolution. Lawful basis: Art. 6(1)(b) contract + Art. 6(1)(c) bookkeeping law (Norwegian Regnskapsloven, 5-year retention floor).
  • Panel credentials: the Xtream Codes username + password issued for your IPTV line. Purpose: stream authorisation. Lawful basis: Art. 6(1)(b) contract. Retention: rotated on regeneration, deleted on account closure.
  • Connection / streaming data: IP address, device user-agent, channel request log (which channel slug, which timestamp — not which programme or what you watched in detail). Purpose: abuse prevention, capacity planning, geo-policy enforcement. Lawful basis: Art. 6(1)(f) legitimate interest, balanced against your privacy by a short retention window. Retention: rolling 30 days for raw logs, then aggregated to anonymous counters.
  • Live-chat transcripts: messages you send to support via the on-site chat widget, your visitor session ID, IP, and the email you provided. Linked to a ticket ID. Purpose: respond to support, build self-service replies, train staff. Lawful basis: Art. 6(1)(b) contract for billing / technical chats; Art. 6(1)(a) consent for pre-sales chats. Retention: 90 days post-resolution, then deletion.
  • Discord agent visibility: when you chat with support on-site, your chat session is mirrored to a private Discord channel where our operator / agent answers from. Your email and message text are visible only to the operator and authorised agents (role-gated). Discord retains its own message history per Discord's terms: after 90 days we no longer reference those archived messages from our system, but Discord may still hold them. To force-purge from Discord too, request erasure (§7).
  • Cookies (functional only): session cookie, magic-link cookie, locale preference, theme preference. No tracking, no analytics, no advertising cookies. See §6.

3. Data Sharing — Sub-processors and Data Flows

We do not sell, rent, or trade your personal information. The following sub-processors receive a strictly necessary subset of your data to operate the service:

  • IPTV panel partners (thexpanel.xyz · mobazzz · others as listed at /data-policy): these are the upstream Xtream Codes panels that hold the actual IPTV line and authorise your stream. The only identifier we send upstream is an opaque internal UID (format swsh-xxxxxxxx). Your real email, real name, billing history, support notes, geo, IP, payment data — none of it leaves the VPS. The panel sees a username and a random password and the package you bought. This is a hard rule, not an aspiration.
  • Stripe Payments Europe Ltd (IE): processes card payments for the plans that offer card checkout. Receives card data (which we never see), your billing email, the amount, and a SwishIPTV order reference. Governed by Stripe's privacy policy + the Stripe DPA. PCI-DSS scope sits entirely with Stripe.
  • NOWPayments OÜ (EE): processes BTC / XMR / LTC crypto payments. Receives the order amount, currency, a SwishIPTV order reference, and (for BTC settlement) the destination wallet address mapped to our gateway. They do NOT receive your email, name, or any identity data — crypto checkout is no-KYC for the customer.
  • Resend Inc. (US): sends transactional email (order confirmations, magic links, support replies). Receives your email and the message body. EU-US DPF certified.
  • Cloudflare, Inc. (US): CDN, DDoS protection, TLS termination on the edge. Sees request IP, user-agent, and the URL path. No request body for non-API routes. EU-US DPF certified.
  • Hetzner Online GmbH (DE / FI): our hosting provider. Stores the encrypted-at-rest application database. No direct access to plaintext customer data.
  • Discord, Inc. (US): operator agent comms (see §2). Subject to Discord's own privacy policy.
  • Law enforcement / authorities: only on receipt of a valid legal order under Norwegian law. We publish counts in our transparency log (planned 2026 Q3).

A current, dated sub-processor list is also published at /data-policy. Material additions are announced 30 days in advance per §10.

4. Cryptocurrency Payments — What's Actually Stored

For Bitcoin (BTC), Monero (XMR), or Litecoin (LTC) checkouts: we store the order record (amount, currency, status), the NOWPayments invoice ID, and, once the chain confirms the payment, the on-chain transaction ID. We do not store, request, or derive any identity from the wallet address you paid from. XMR is opaque by protocol. BTC / LTC transaction IDs are publicly recorded on the chain regardless of whether we record them, and the wallet identity is not something we resolve or attempt to resolve. Crypto checkouts are no-KYC for the customer; we ask for the contact email so we can deliver credentials, nothing else.

5. Payment Card Data

For card payments routed through Stripe: card numbers, CVCs, and full PANs never touch our infrastructure. The card form is a Stripe-hosted iframe; SwishIPTV servers receive only a tokenised charge ID. We are not in PCI-DSS scope.

6. Cookies and Local Storage

Strictly necessary, first-party only. None for tracking, advertising, fingerprinting, cross-site analytics, or behavioural profiling. The cookies in use:

  • swish_player_sid — player session, 30 days, HttpOnly, SameSite=Lax
  • swish_admin — operator magic-link session, 24 h, HttpOnly, SameSite=Strict
  • swish_chat_visitor — chat-widget continuity, 7 days
  • swish_locale, swish_theme — UI preferences

7. Your Rights Under GDPR (Articles 12–22)

Every right below applies regardless of where you live — we extend GDPR-equivalent handling to every customer. California-specific parallel rights appear in §13.

  • Art. 13 / 14 — Information at collection. This page is that information. If we acquire your data from a third party (e.g. a reseller refers you), we tell you when we first contact you.
  • Art. 15 — Access. Email [email protected] with subject GDPR request: access. We send you a JSON export within 30 days.
  • Art. 16 — Rectification. Reply to any of our service emails or email the DPO with the correction. Fixed within 7 days.
  • Art. 17 — Erasure (right to be forgotten). Email [email protected] with subject GDPR request: erasure. Completed within 30 days (statutory window), usually within 48–72 hours. The deletion covers our database, panel-partner UID linkage, email suppression list registration, and chat-history records. Bookkeeping records retained for the statutory 5-year Norwegian floor are scrubbed of identifiers and retained as anonymised order amounts only.
  • Art. 18 — Restriction. While a complaint or accuracy dispute is pending, you can require us to stop processing — we mark the record and pause everything except storage.
  • Art. 19 — Notification to recipients. Where you exercise Art. 16, 17, or 18, we forward the rectification / erasure / restriction to the affected sub-processors in §3, except where impossible or disproportionate.
  • Art. 20 — Portability. The JSON export from Art. 15 is machine-readable and you may transmit it to another controller.
  • Art. 21 — Objection. You can object to processing based on legitimate interest (§2 connection / streaming data); we stop unless we can demonstrate compelling overriding grounds. We do not use your data to train any model, and we do not allow sub-processors to do so either where their contracts permit override; if you wish to explicitly object to training-data inclusion, the subject line is GDPR request: object to training.
  • Art. 22 — Automated decisions. No solely-automated decision with legal or similarly significant effect is taken about you. Fraud-prevention rules may temporarily flag a request for human review by the operator; the final decision is human.
  • Art. 77 — Lodge a complaint. Datatilsynet in Norway, or your own member state's DPA. You don't have to come to us first, but we'd rather you did — we move faster than a regulator.

Identity verification. Before we action a rights request we verify that you're the account holder — typically by sending a confirmation to the email on file and asking you to reply from it. No fee for the first request in a 12-month period; repeat or manifestly unfounded requests may incur a reasonable administrative fee per Art. 12(5).

8. Security

What we actually do (not boilerplate):

  • Application secrets encrypted at rest using dotenvx with a private key not stored on disk in plaintext.
  • Customer database files (data/customers.json, data/orders.json) are mode 0600 on the host, atomic-write only (tmp + rename) — no partial-write races.
  • TLS 1.2+ everywhere; HTTPS-only; HSTS configured at the edge.
  • Webhook ingress (Stripe, NOWPayments, Resend) is HMAC-verified before any state mutation.
  • Panel partners receive only an opaque UID — your real email and identity never reach a third-party panel admin view.
  • Daily off-site encrypted backups with 30-day rolling retention.

What we don't claim: no SOC2 audit (we are not at a scale that justifies the cost yet), no HIPAA (we are not a healthcare service), no PCI-DSS scope (Stripe handles cards). No method of transmission over the internet is 100% secure.

9. International Transfers

Our application and database run on EEA infrastructure (Hetzner DE / FI). Two sub-processors are US-based (Cloudflare, Resend) — both are EU-US Data Privacy Framework certified, which is the standard transfer mechanism post-Schrems II. Discord, when used for operator agent comms, is also US-based and DPF-certified. Stripe processes through its European Economic Area entity (Stripe Payments Europe Ltd, IE). NOWPayments processes through its Estonian (EE) entity.

10. Changes to This Policy

Material changes (anything affecting what we collect, how long we keep it, or who we share it with) are announced via on-site banner + email to the address on file 30 days before they take effect. You can object or close your account in that window. Wording-only changes are noted in §14 (Change log) without notice.

11. Data Breach Notification

Per GDPR Art. 33 we notify Datatilsynet within 72 hours of becoming aware of a personal data breach likely to result in a risk to your rights and freedoms. Per Art. 34, where the risk is high we notify you directly without undue delay, at the contact email on file. The notification will include what happened, what data was affected, what we are doing about it, and what (if anything) you should do.

12. Children's Privacy

SwishIPTV is not directed at children under 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, email the DPO and we will delete the record.

13. California Residents (CCPA / CPRA)

If you are a California resident, the CCPA (as amended by the CPRA) grants you parallel rights, which we extend to every customer regardless of residency:

  • Right to know: categories collected (identifiers, commercial information, internet activity), sources (you), purposes (provisioning, billing, fraud prevention), recipients (§3 sub-processors).
  • Right to delete: same path as Art. 17 above.
  • Right to correct: same path as Art. 16 above.
  • Right to portability: same JSON export as Art. 20 above.
  • Right to opt out of sale or sharing: Do Not Sell or Share My Personal Information. We do not sell personal information and do not share it for cross-context behavioural advertising. This link is provided because the statute requires it; clicking it confirms a preference that is already our default.
  • Right to limit sensitive personal information: we do not collect SPI as defined under CPRA §1798.140(ae) — no SSN, no precise geolocation, no financial-account credentials, no biometric or health data.
  • Non-discrimination: exercising any of these rights does not change your service, your pricing, or your access.

14. Change Log

  • v2.0 · 2026-05-14. Full GDPR Art. 12–22 article-by-article coverage rewrite. Added panel-partner UID-only commitment in §3 and §8. Added live-chat + Discord agent visibility disclosure in §2. Added CCPA / CPRA section (§13). Added explicit no-training language in Art. 21. Restructured sub-processor list. Removed the unsubstantiated "DPO appointment" claim and consolidated DPO contact into §1.
  • v1.0 · April 2026. Initial policy.

15. Contact

Privacy / GDPR / CCPA requests: [email protected] (response within 30 days, usually 48–72 h).

General support: [email protected] or the on-site live chat.