GDPR Compliance
Last updated: March 31, 2026
Fynstream is committed to protecting the privacy and rights of individuals in accordance with the General Data Protection Regulation (GDPR). This page explains how we comply with GDPR requirements and outlines your rights as a data subject.
1. Our Role
Fynstream acts as both a data controller and a data processor, depending on the context:
- Data Controller: When we collect and process your personal data to provide our services (e.g., account information, billing data, usage analytics).
- Data Processor: When we process data on behalf of our customers, such as viewer analytics, stream recordings, and content uploaded by our customers.
2. Lawful Basis for Processing
We process personal data under the following lawful bases:
| Purpose | Lawful Basis |
|---|---|
| Account registration and management | Contract performance |
| Billing and payment processing | Contract performance |
| Service delivery (streaming, VOD, player) | Contract performance |
| Security monitoring and fraud prevention | Legitimate interest |
| Platform analytics and improvement | Legitimate interest |
| Service-related notifications | Contract performance |
| Marketing communications | Consent |
| Compliance with legal obligations | Legal obligation |
3. Your Rights Under GDPR
If you are located in the European Economic Area (EEA) or the United Kingdom, you have the following rights regarding your personal data:
3.1 Right of Access (Article 15)
You have the right to request a copy of the personal data we hold about you. We will provide this within 30 days of your request.
3.2 Right to Rectification (Article 16)
You can request correction of inaccurate or incomplete personal data. You can update most information directly through your dashboard settings.
3.3 Right to Erasure (Article 17)
You can request deletion of your personal data. Upon receiving a valid request, we will delete your data within 30 days, except where we are legally required to retain it (e.g., financial records for tax compliance).
3.4 Right to Restrict Processing (Article 18)
You can request that we limit how we process your data while a dispute or request is being resolved.
3.5 Right to Data Portability (Article 20)
You can request your data in a structured, commonly used, machine-readable format (JSON or CSV) so you can transfer it to another service.
3.6 Right to Object (Article 21)
You can object to processing based on legitimate interest. We will cease processing unless we can demonstrate compelling legitimate grounds.
3.7 Right to Withdraw Consent (Article 7)
Where processing is based on consent, you may withdraw it at any time. This does not affect the lawfulness of processing before withdrawal.
4. Data We Collect
We collect the following categories of personal data:
- Identity data: Name, email address, organization name.
- Account data: Login credentials (passwords are hashed, never stored in plain text).
- Billing data: Payment method type, billing address, transaction history. Full card details are processed by Stripe/PayPal and never stored on our servers.
- Technical data: IP address, browser type, device information, access logs.
- Usage data: Features used, streams created, API calls made, viewer analytics.
- Content data: Stream recordings, uploaded videos, thumbnails (uploaded by you).
5. Data Processing Agreements
As a data processor for our customers, we offer a Data Processing Agreement (DPA) that covers:
- The nature and purpose of processing.
- Categories of data subjects and personal data.
- Our obligations as a processor, including security measures.
- Sub-processor management and notification.
- Data breach notification procedures.
- Assistance with data subject rights requests.
Enterprise customers can request a signed DPA by contacting info@fynstream.com.
6. Sub-Processors
We use the following sub-processors to deliver our services:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Backblaze B2 | Cloud storage for media files | United States / EU |
| Cloudflare | CDN, DDoS protection, security | Global (edge nodes) |
| Stripe | Payment processing | United States / EU |
| PayPal | Payment processing | United States / EU |
| | OAuth authentication | United States / EU |
We will notify customers at least 30 days before adding new sub-processors. Enterprise customers with a DPA can object to new sub-processors.
7. International Data Transfers
When personal data is transferred outside the EEA, we ensure adequate protection through:
- EU-U.S. Data Privacy Framework certification of our sub-processors.
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- Adequacy decisions where applicable.
8. Data Security
We implement appropriate technical and organizational measures including:
- TLS 1.3 encryption for all data in transit.
- AES-256 encryption for data at rest.
- Bcrypt password hashing with salt.
- Two-factor authentication (TOTP) for all accounts.
- Role-based access control with principle of least privilege.
- Regular security audits and penetration testing.
- Automated vulnerability scanning.
- Comprehensive audit logging of all administrative actions.
9. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware.
- Notify affected data subjects without undue delay when the breach is likely to result in a high risk.
- Document all breaches, including their effects and remedial actions taken.
10. Data Retention
- Account data: Retained while your account is active, deleted within 30 days of account closure.
- Billing data: Retained for 7 years for tax and legal compliance.
- Usage logs: Retained for 90 days, then anonymized.
- Stream recordings and VOD: Deleted when you remove them or within 30 days of account termination.
- Support tickets: Retained for 2 years after resolution, then anonymized.
11. Data Protection Officer
For any GDPR-related inquiries or to exercise your rights, contact our Data Protection team:
- Email: info@fynstream.com
- Visit our Contact page
12. Supervisory Authority
You have the right to lodge a complaint with your local data protection supervisory authority if you believe we are not processing your personal data in accordance with GDPR. We encourage you to contact us first so we can address your concerns directly.