Privacy & security
The short version
Listening doesn't require an account, an email address, or anything about you at all — scan a code, listen, done. Hosting requires signing in with Twitch, only to confirm you actually own the channel you're about to share. Almost everything about a session — who joined, chat, listener history — is deleted the moment it ends, not just hidden. There's no ad tracking, no analytics SDK, and no third-party trackers anywhere in this app.
What we store while a session is live
A session's data lives only for as long as it's live: the join code, the host's Twitch channel name, an optional stream name/description, a password (if the host set one, stored as a salted PBKDF2 hash — never the plain text), and a live count of connected listeners. Listeners are identified only by a random token generated when they join — nothing that identifies them personally.
The moment a host ends a session, all of that is deleted outright, not archived or soft-deleted. There's no database of past sessions, no history of who hosted or listened to what, and nothing to hand over even if someone asked for it later — it's simply gone.
The one thing that lives a little longer
If a host opts into publishing at a stable handle link (/join/@yourname), a tiny pointer — just "this channel's current session ID, or nothing" — persists so that link keeps working across sessions. It never holds anything about listeners, and is cleared the moment a session ends. This is the one deliberate exception to the fully ephemeral design described above.
What's saved on your own device
A couple of things are remembered locally, on your own device only, to save you retyping them — never sent to us or anyone else beyond what's needed to actually host/join a session: a host's last-used session settings (stream name, description, image choices — never a password), and a host's sign-in state and current session credentials, so refreshing the page doesn't sign you out or strand a live session. Clearing your browser's site data removes all of it instantly.
Where the actual audio comes from
We never see, store, or relay the audio/video itself. When you listen, your device streams directly from Twitch's own servers — our backend only ever hands out the playback URL, the same way a program guide points you at a channel without being the broadcaster. There's nothing for us to record even if we wanted to.
Security measures
Passwords are hashed with PBKDF2 (SHA-256, 100,000 iterations, a random salt per password) — never stored or logged as plain text. Every join/host credential is either a cryptographically random token or an HMAC-signed, short-lived one — nothing guessable. Everything runs over HTTPS. Custom profile/thumbnail image URLs are validated before use to prevent them from being used as an injection vector. And because there's no long-lived database of past sessions, there's simply nothing sitting around for a future breach to expose.
Who else is involved
Twitch, for sign-in and the actual stream — see Twitch's own privacy policy for what they collect. Cloudflare, who host this app's servers and static site — see Cloudflare's own privacy policy for their side. Neither we nor either of them are paid by or share data with advertisers through this app; there are no ad networks or marketing trackers integrated here at all.
One honest note
This page describes how the software itself behaves — accurately, based on its actual code, not aspirational marketing copy. It isn't a substitute for formal legal advice; whoever is operating a given deployment of this app is responsible for meeting whatever privacy laws apply to them and their audience (GDPR, CCPA, and so on).
Back home