Privacy Policy
Last updated: March 2026
1. Data Controller
The data controller for personal data collected on OpenCreators is [ENTITY NAME — to be completed], with its registered office at [ADDRESS — to be completed].
For any questions regarding your personal data: contact@opencreators.io
OpenCreators has not appointed a Data Protection Officer (DPO), as the appointment is not required given the nature and volume of the processing carried out.
In accordance with Article 30 of the GDPR, OpenCreators maintains a record of its processing activities.
2. Data Collected
2.1 Registration Data
- Email address
- Password (stored in hashed form, never in plain text)
- Platform role (Streamer or Brand)
- Language preference (French or English)
- Notification preferences
2.2 Streamer Profile Data
- Channel handle (username)
- Primary and secondary platforms (Twitch, YouTube, TikTok, Kick)
- Follower count (retrieved automatically via the Twitch and/or YouTube APIs)
- Accepted delivery zone
- Profile picture (avatar)
- Twitch and/or YouTube OAuth technical identifiers (user ID, tokens)
2.3 Brand Profile Data
- Brand name
- Website
- Description
- Logo
2.4 Gift-Related Data
- Delivery address (provided by the Streamer when accepting a gift)
- Shipment tracking information (carrier, tracking number, tracking URL)
- Promotion proofs (image or video files uploaded by the Streamer)
- Messages exchanged between Brands and Streamers in connection with a gift
2.5 Browsing Data
We collect standard technical data through server logs (IP address, browser, pages visited) for security and proper platform operation purposes. We do not use advertising or third-party tracking cookies.
2.6 Data Collected via the YouTube (Google) API
If you connect your YouTube account via OAuth, we access the following data through the YouTube API (scope youtube.readonly):
- Your YouTube channel identifier (channel ID)
- Your channel name
- Subscriber count
- Channel profile picture (avatar)
Purpose: this data is used exclusively to display your profile on the platform and verify your subscriber count. We do not access any videos, comments, playlists, or analytics data from your channel.
Storage: YouTube access and refresh tokens are stored securely in our database (never exposed client-side) and are used solely to update your subscriber count. They are deleted when you disconnect your YouTube account or delete your account.
Our use of data received from Google APIs complies with the Google API Services User Data Policy, including the Limited Use requirements.
2.7 Administration Data
Administrative actions performed on the platform (brand approval or rejection, promotion verification, account suspension or reactivation) are recorded in an audit log including the date, action type, and identifier of the account concerned.
3. Purposes and Legal Bases for Processing
| Purpose | Legal Basis |
|---|---|
| User account creation and management | Performance of contract |
| Connecting Brands with Streamers | Performance of contract |
| Transmitting the delivery address to the Brand | Performance of contract |
| Sending transactional emails (gift, delivery, promotion notifications) | Performance of contract |
| Automatic follower count synchronization via Twitch / YouTube APIs | Consent (OAuth) |
| Displaying Streamer profiles to approved Brands and administrators | Legitimate interest |
| Security and fraud prevention | Legitimate interest |
| Account moderation and administration (audit log) | Legitimate interest |
| Internal statistics and service improvement | Legitimate interest |
| Collection and retention of server logs (IP address, technical data) | Legitimate interest (security, abuse prevention) |
| Compliance with legal obligations | Legal obligation |
Where processing is based on our legitimate interest, this consists of ensuring platform security, preventing abuse, and enabling the connection between Brands and Streamers, while respecting your fundamental rights and freedoms.
4. Data Sharing with Third Parties
We never sell your personal data. We share it only in the following cases:
- With the relevant Brand: the Streamer's delivery address is shared only when the Streamer accepts a gift. The Brand undertakes to use it solely for shipping purposes. The Brand acts as an independent data controller for the personal data it receives and undertakes to process it in accordance with the GDPR.
- Supabase (database hosting and file storage) — servers hosted in the European Union (Germany), GDPR compliant.
- [Application host — to be completed upon deployment] — HTTP request processing and website hosting.
- Resend (transactional email delivery) — used solely for notifications related to platform activity (confirmations, delivery alerts, etc.).
- Twitch (OAuth API) — read-only access to follower count and profile information, with your explicit consent at the time of connection.
- YouTube / Google (YouTube API, scope youtube.readonly) — read-only access to subscriber count, channel name, and avatar, with your explicit consent at the time of OAuth connection. No videos, comments, or analytics data is accessed. See section 2.6 for details on collected data.
- Legal authorities: if required by law or court order.
Some of our sub-processors are located outside the European Union. Transfers are governed as follows:
| Sub-processor | Country | Transfer Mechanism |
|---|---|---|
| Supabase | Germany (EU) | No transfer outside EU |
| Resend | United States | Standard Contractual Clauses (SCCs) |
| Twitch (Amazon) | United States | EU-US Data Privacy Framework |
| YouTube / Google | United States | EU-US Data Privacy Framework |
We have entered into a Data Processing Agreement (DPA) with each of our sub-processors in accordance with Article 28 of the GDPR. You may obtain further information and a copy of the applicable safeguards upon request at contact@opencreators.io.
5. Data Retention
- Account data: retained for the duration of the active account, then deleted within 30 days of account closure.
- Delivery addresses: retained for 30 days after the delivery confirmation of the relevant gift, then deleted.
- Messages (gift Q&A): retained for the duration of the active account, then deleted within 30 days of account closure.
- Promotion proofs: retained as long as the Streamer keeps them active on their profile, then deleted upon account closure.
- Audit log (administrative actions): 24 months maximum.
- Server logs and browsing data: 12 months maximum.
- OAuth tokens (Twitch / YouTube): retained as long as the account is active and the platform is connected. Deleted immediately upon disconnection of the relevant platform or account deletion.
6. Your Rights (GDPR)
In accordance with the General Data Protection Regulation (GDPR) and the French Data Protection Act (Loi Informatique et Libertés), you have the following rights:
- Right of access: obtain a copy of your personal data.
- Right to rectification: correct inaccurate or incomplete data.
- Right to erasure: request the deletion of your data ("right to be forgotten").
- Right to data portability: receive your data in a structured, machine-readable format.
- Right to object: object to certain processing based on legitimate interest.
- Right to restriction: request the temporary suspension of processing.
- Right to withdraw consent: particularly for the Twitch / YouTube OAuth connection, at any time from your settings.
Exercising these rights is free of charge. To exercise your rights, contact us at contact@opencreators.io. We will respond within a maximum of 1 month, extendable by two additional months for complex requests (in which case you will be notified).
Revoking YouTube / Google Access
You can revoke OpenCreators' access to your YouTube data at any time:
- From OpenCreators: in your settings, disconnect your YouTube account. Your tokens will be immediately deleted from our database.
- From Google: go to myaccount.google.com/permissions and remove OpenCreators' access.
Under French law (Article 85 of the Data Protection Act), you may issue directives regarding the retention, erasure, and disclosure of your data after your death by contacting us at contact@opencreators.io.
You also have the right to lodge a complaint with the CNIL (French Data Protection Authority) or any other competent supervisory authority in the European Union.
7. Automated Decision-Making and Profiling
The verified follower count (retrieved automatically via the Twitch and YouTube APIs, or entered by an administrator after manual verification for TikTok and Kick) is used to determine the visibility of your profile to Brands. A minimum threshold of 30,000 verified followers is required to appear in the Brand search directory.
This criterion is applied automatically, transparently, and identically for all Streamers. It does not produce any legal effect: Streamers below this threshold retain their account, dashboard, and all platform features. Only their visibility in the search directory is affected. You can update your follower count at any time from your settings.
This threshold does not constitute automated decision-making within the meaning of Article 22 of the GDPR (it produces no legal effect nor any similarly significant effect). Nevertheless, for any questions, you may contact us at contact@opencreators.io.
8. Data Security
We implement appropriate technical and organizational measures to protect your data against unauthorized access, loss, or disclosure:
- Encrypted communications (HTTPS/TLS)
- Passwords stored in hashed form using industry-standard algorithms
- Granular database access controls
- OAuth tokens stored securely, never exposed client-side
- Administrator access restricted to authorized personnel
9. Cookies
OpenCreators uses only cookies strictly necessary for the operation of the platform. We do not use advertising cookies, behavioral tracking, or third-party analytics.
| Cookie | Purpose | Duration |
|---|---|---|
| Authentication session | Maintain your connection to the platform | Session / 7 days |
| Language preference | Remember your language choice (FR/EN) | 1 year |
As these cookies are strictly necessary for the operation of the service, no prior consent is required in accordance with the ePrivacy Directive.
10. Data Breach Notification
In accordance with Articles 33 and 34 of the GDPR, in the event of a personal data breach likely to result in a risk to your rights and freedoms, we undertake to:
- Notify the competent supervisory authority (CNIL) within 72 hours of becoming aware of the breach.
- Inform you without undue delay if the breach is likely to result in a high risk to your rights and freedoms, by email or in-app notification.
- Document any breach in accordance with Article 33(5) of the GDPR.
11. Minors
Use of the platform is restricted to persons aged at least 16 years. This threshold is an internal policy choice above the French legal minimum of 15 years provided by Article 45 of the French Data Protection Act (and in compliance with Article 8 of the GDPR). By creating an account, the user declares that they are at least 16 years old.
If we become aware that a user is under 16 years of age, their account will be deleted and their personal data erased without undue delay.
12. Changes to This Policy
We reserve the right to modify this policy at any time. In the event of a substantial change, you will be notified by email at the address associated with your account at least 15 days before the changes take effect.