Privacy Policy
Last updated: 15 May 2026
1. Who we are
Hayven ("we", "us") is a Twitch bot and viewer-engagement platform. The data controller is the platform operator. You can reach us at [email protected].
2. What data we collect
We collect only what is necessary to run the service. The table below describes each category.
| Category | Examples | Source |
|---|---|---|
| Twitch account data | Twitch user ID, display name, profile picture URL | Twitch OAuth login |
| Discord account data | Discord user ID, username, discriminator | Discord OAuth login (optional) |
| Google / YouTube data | Google email, YouTube channel ID and name | Google OAuth login (optional) |
| OAuth tokens | Access and refresh tokens for Twitch, Discord, and YouTube | OAuth flows - encrypted at rest using AES-256-GCM |
| Activity data | Viewer streaks, redemption counts, channel points events, gifted subscriptions | Twitch EventSub / chat events while the bot is active in a channel |
| Session data | A session cookie that keeps you signed in | Set when you log in |
We do not collect payment information or precise location data, and we do not knowingly collect any data from minors.
3. How we use your data (Art. 13 / 14 GDPR)
- To provide the service - powering chat commands, streak tracking, leaderboards, and goal progress. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
- To connect to Twitch, Discord, and YouTube on your behalf - using OAuth tokens to call their APIs. Legal basis: performance of a contract.
- To keep you signed in - the session cookie. Legal basis: legitimate interests (Art. 6(1)(f) GDPR).
- To improve the platform - reviewing aggregated, non-personal usage patterns. Legal basis: legitimate interests.
We do not sell your data, share it with advertisers, or use it for automated decision-making.
4. Cookies
We use a single session cookie (SESSION) to keep you logged in. This is a strictly functional cookie - it is not used for tracking or advertising. No third-party tracking scripts are loaded.
Because we use only strictly necessary cookies, no consent banner is legally required under GDPR or the ePrivacy Directive. This notice fulfils our transparency obligation.
5. Data retention
Your data is kept for as long as your account exists on the platform. Viewer activity data (streaks, redemption counts) is kept for as long as the associated channel is active on the platform. You can request deletion at any time (see Section 7).
6. Data sharing
We use the following processors:
- Hetzner Cloud - server hosting (Germany/EU). Your data is stored on servers in an EU data centre.
- Cloudflare - DNS and DDoS protection (US). Cloudflare processes request metadata but does not have access to your stored account data.
No other third parties receive your personal data. If we are ever required to disclose data by law, we will notify you to the extent legally permitted.
7. Your rights
Under GDPR you have the right to:
- Access - request a copy of the data we hold about you.
- Rectification - ask us to correct inaccurate data.
- Erasure - request deletion of your account and associated data ("right to be forgotten").
- Restriction - ask us to pause processing while a dispute is resolved.
- Portability - receive your data in a machine-readable format.
- Objection - object to processing based on legitimate interests.
To exercise any of these rights, email [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with your national supervisory authority (e.g., ICO in the UK, BfDI in Germany).
8. Security
OAuth access and refresh tokens are encrypted at rest using AES-256-GCM before being stored in the database. Connections to the server are encrypted via TLS (HTTPS). We follow the principle of least privilege for database access.
9. Changes to this policy
If we make material changes, we will update the "Last updated" date at the top of this page. For significant changes, we will notify active streamers via Discord or email.
10. Contact
Questions about this policy: [email protected]