VODPilot
How it worksPricingFeaturesFAQ
Sign inStart free
Legal

Privacy Policy

This policy explains what personal data VODPilot processes, on which legal basis, how long it is kept, which third parties receive it, and which rights you have under the GDPR.

Last updated: June 4, 2026

1. Controller

The controller for data processing on this website and inside VODPilot is Michael Ketzer, Rotkehlchenweg 51, 40789 Monheim am Rhein, Germany. VODPilot is operated by Michael Ketzer. You can reach us at support@vodpilot.com.

2. Data protection officer

A separate data protection officer has not currently been designated.

3. Categories and sources of personal data

  • Account data such as email address, account identifiers, session information, and sign-in verification data.
  • Workspace and service data such as member roles, channel connections, stream session records, VOD metadata, review status, and storage usage.
  • Twitch API data such as connected channel IDs, logins, display names, avatar URLs, stream and channel status, titles, categories, tags, VOD metadata, muted-segment information, stream keys for replay playout, chat command/message data, EventSub delivery records, token metadata, scopes, expiry information, and connection audit logs.
  • Uploaded and processed content data such as media files, thumbnails, object-storage keys, file names, metadata, categories, titles, timestamps, review notes, processing status, and related technical identifiers.
  • Payment and subscription data such as Paddle customer IDs, invoices, subscription status, transaction references, and billing period records.
  • Cancellation, withdrawal, report, rights-complaint, and legal-request data submitted through VODPilot forms or support channels.
  • Communication data when you contact support.
  • Security, audit, and abuse-prevention data such as IP-derived request information, logs, device and browser information, authentication events, upload events, moderation decisions, abuse reports, enforcement records, and evidence needed to investigate suspected misuse.
  • AI-assisted metadata cleanup inputs and outputs, such as stream titles sent to Google Gemini when title cleaning is configured.
  • We collect personal data directly from you, from connected services such as Twitch, and from payment-related events sent by Paddle.

4. Purposes and legal bases

  • Account creation, authentication, connected-channel management, subscription handling, and service delivery are processed under Art. 6(1)(b) GDPR.
  • Tax, accounting, invoicing, and mandatory record-keeping are processed under Art. 6(1)(c) GDPR.
  • Cancellation handling, withdrawal handling, and legally required consumer communications are processed under Art. 6(1)(b) and Art. 6(1)(c) GDPR.
  • IT security, fraud prevention, abuse prevention, content-safety enforcement, illegal-content investigation, evidence preservation, service stability, and support handling are processed under Art. 6(1)(f) GDPR based on our legitimate interest in operating VODPilot securely and reliably and protecting users, third parties, rights holders, connected providers, and the public.
  • Where processing or disclosure is necessary to comply with legal obligations, lawful requests, court orders, regulator requests, or legally required reports, the legal basis is Art. 6(1)(c) GDPR.
  • Where processing is necessary to establish, exercise, or defend legal claims, the legal basis is Art. 6(1)(f) GDPR. If special categories of data or data relating to alleged offences are involved, we process that data only where necessary and permitted by applicable law.
  • If we request consent for a specific processing activity, the legal basis is Art. 6(1)(a) GDPR. Consent can be withdrawn at any time for the future.

5. Recipients and processors

  • Vercel: hosting, deployment, serverless runtime, cron execution, and platform logs.
  • Neon: database infrastructure for application data.
  • Paddle: payments, subscriptions, invoicing, and refund handling.
  • Resend: transactional email delivery such as sign-in codes.
  • Twitch: OAuth account connection, Twitch API calls, EventSub webhooks, channel identity data, stream state, replay-channel actions, and public preview images loaded from static-cdn.jtvnw.net.
  • Cloudflare R2: object storage for media-related files.
  • Pusher: realtime operational events used for playout and worker coordination.
  • Google Gemini: optional AI-assisted title cleanup for stream metadata when configured.
  • Competent authorities, law enforcement, courts, regulators, child-protection organizations, abuse-reporting hotlines, legal advisers, rights holders, and affected platform providers where necessary and permitted for illegal-content reports, safety escalations, rights complaints, legal claims, or compliance with law.

6. Twitch connections and API data

  • Twitch sign-in may use the user:read:email permission so VODPilot can authenticate your account and keep the account email current.
  • When you connect a main channel for tracking, VODPilot stores channel identity data and creates EventSub subscriptions for stream.online, stream.offline, and channel.update events. The main channel connection is used to detect live/offline state and channel metadata; replay automation is not performed on the main channel.
  • When you connect a replay channel, VODPilot requests the permissions needed for replay playout and automation: channel:manage:broadcast, channel:read:stream_key, user:read:chat, user:write:chat, channel:bot, user:bot, and moderator:manage:chat_messages. If you enable optional raid, ad-break, or replay-vote features, VODPilot may also request channel:manage:raids, channel:edit:commercial, or channel:manage:polls.
  • VODPilot may use the replay-channel permissions to fetch the stream key for playout, update replay title/category/tags, send and pin chat messages, read chat events needed for commands, start commercials when enabled, create Twitch polls when replay voting is enabled, and raid the main channel when the optional raid feature is enabled.
  • Connected Twitch tokens, scopes, expiry data, validation timestamps, EventSub subscription records, and related audit logs are stored so VODPilot can operate the connection, validate it at least hourly where required by Twitch, detect revoked tokens, and ask you to reconnect when needed.
  • Disconnecting a Twitch channel removes local access/refresh tokens and related EventSub subscriptions from active use. Some audit logs, backups, security records, or legal-report evidence may be preserved for the limited retention purposes described in this policy.
  • The public VODPilot homepage embeds public Twitch preview images for showcased channels from static-cdn.jtvnw.net. When those images load, your browser may contact Twitch's CDN directly.

7. International transfers

Some of the providers used by VODPilot may process personal data outside the EU or EEA, including in the United Kingdom and the United States. Where a recipient is located in a country without an adequacy decision, transfers are intended to be based on appropriate safeguards such as the European Commission’s Standard Contractual Clauses, together with any supplementary measures offered by the relevant provider.

8. Retention periods

  • Account and workspace data is generally kept for the duration of the customer relationship and then for up to three years for defence against legal claims, unless longer retention is legally required.
  • Billing, invoice, and tax-relevant records are retained for the statutory retention period, generally up to ten years.
  • Commercial and support correspondence may be retained for up to six years where required by commercial or tax law, otherwise for as long as necessary to handle the request and any follow-up.
  • Verification codes are retained only until expiry or use.
  • Connected-service data and stored content are retained until deletion, disconnection, account closure, or expiry of any mandatory retention obligations. Twitch disconnection removes local access/refresh tokens and related EventSub subscriptions from active use, subject to backup, security-log, legal-report, and statutory retention limits.
  • Security logs, audit records, moderation records, abuse reports, enforcement history, and evidence related to suspected illegal activity, prohibited content, fraud, rights infringement, or service abuse may be retained for as long as necessary to investigate, prevent repeat abuse, cooperate with competent authorities, comply with legal obligations, or establish, exercise, or defend legal claims.
  • Content that is disabled or deleted from normal product access may still be preserved in backups, logs, evidence stores, or authority reports for the limited purposes described in this policy.

9. Provision of data

Providing personal data is necessary where it is required to create an account, authenticate you, connect third-party services, process subscriptions, or provide support. If required data is not provided, VODPilot may not be able to conclude or perform the contract.

10. Cookies and similar technologies

VODPilot uses essential technologies required for authentication, security, fraud prevention, workspace selection, upload progress, import indicators, dismissed notices, and session continuity. These may include HTTP-only session cookies, OAuth state cookies, localStorage, and sessionStorage. Public Twitch preview images on the homepage are loaded from Twitch's CDN and may create a direct browser request to Twitch. We do not currently describe optional marketing or advertising cookies because they are not part of the present implementation.

11. Your rights

  • You may request access to your personal data.
  • You may request correction or deletion where applicable.
  • You may request restriction of processing or object to certain processing.
  • You may request data portability where applicable.
  • You may withdraw consent at any time where processing is based on consent.
  • Some requests may be limited where necessary to protect other people, prevent abuse, preserve evidence, comply with legal obligations, or avoid interfering with an investigation or legal claim.
  • You may lodge a complaint with a competent data protection authority.

12. Supervisory authority

The competent supervisory authority for VODPilot in North Rhine-Westphalia is the Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW), Kavalleriestraße 2-4, 40213 Düsseldorf, Germany, email: poststelle@ldi.nrw.de.

13. Automated decision-making

VODPilot does not currently use solely automated decision-making, including profiling, within the meaning of Art. 22 GDPR.

14. Security

We use reasonable technical and organizational measures to protect personal data, including access controls and operational safeguards for media storage, authentication, logs, and support access. No internet-based service can guarantee absolute security, but we aim to minimize unauthorized access, loss, misuse, and alteration.

15. Changes to this policy

We may update this privacy policy when the product, legal requirements, or third-party processing arrangements change. The current version is always the one published on this page.

16. Business customer DPA

Where VODPilot processes personal data on behalf of a business customer, the Data Processing Addendum describes processor obligations, sub-processors, assistance, deletion, and audit handling.