Omiros places great importance on protecting the personal data of its users. This Privacy Policy is intended to inform users of the processing carried out, in accordance with the General Data Protection Regulation (GDPR — EU Regulation 2016/679) and the French Data Protection Act.

The data controller is the operator designated in the Legal Notice.

1.1 Registration and authentication

• Email: collected in plaintext, used for authentication, transactional communications, and service notifications. Legal basis: performance of contract.
• Password: never stored in plaintext or retained in memory beyond the hashing operation. Stored as an Argon2id hash with a random salt (64 MB memory, 4 threads, 32-byte key, PHC format). Legal basis: performance of contract.
• Google identifier (Google sub): collected upon sign-in via Google OAuth. Email and Google identifier stored in plaintext. No Google token is retained by Omiros. Legal basis: performance of contract.

1.2 Twitch data (OAuth connection)

Upon Twitch connection or integration, the following data is collected from the Twitch API and stored in Omiros's database:

• Twitch ID, login, display name, account type, broadcaster type, channel description, profile image URL, offline image URL, view count — stored in plaintext.
• Twitch access token and refresh token: encrypted via an additional AES-256-GCM layer applied by Omiros before storage, in addition to Twitch's native encryption. The encryption key is a private key managed by Omiros. These tokens are accessible only to Omiros's backend service for the purposes of operating the Service. Legal basis: performance of contract, OAuth consent.

The Twitch OAuth scopes requested vary according to the User's plan. The exhaustive list of permissions is presented to the User at each consent request before any authorisation is granted.

1.3 Public profile data (Bento Page)

• Display name, bio, social and sponsor links, custom modules, uploaded images and media — stored and displayed publicly according to the User's chosen settings. Legal basis: performance of contract, consent for public publication.

1.4 Connection and security data

• IP address: collected and stored in the database in INET format. Purposes: session management, rate limiting, detection of suspicious sessions, and potentially geoblocking in the future. Legal basis: legitimate interest (service security).
• Session data: technical information necessary for managing authentication sessions. Legal basis: performance of contract.

1.5 Technical data (logs)

• Error and activity logs are generated by the infrastructure (Render). These logs are used for debugging and maintenance purposes. They are not stored in Omiros's database and are subject to Render's retention policies.

1.6 Billing data

• Omiros retains technical Stripe identifiers (payment session ID, subscription ID, status, price ID). No banking data is stored by Omiros. The full billing history is accessible from the operator's Stripe dashboard. Legal basis: legal obligation (10-year accounting retention).

1.7 Discord integration data

• Discord server identifier (guild_id), announcement channel identifier, clips channel identifier, bot status, notification status, invitation date, secure technical invitation token. Legal basis: performance of contract, consent.

• Omiros uses analytics services provided by Cloudflare (network analytics) and Vercel (frontend performance analytics). These tools collect anonymised or pseudonymised browsing data (geographic region, device type, traffic, loading performance) for the purpose of improving the Service.
• This browsing data is processed by Cloudflare and Vercel and is not transmitted to other third parties by Omiros. By accepting these terms upon registration, the User consents to this limited processing.
• The User's personal data (account, Twitch, Google, Discord, links) remains within Omiros's ecosystem and is never transmitted to third parties for commercial or advertising purposes.

Omiros uses the following sub-processors for the provision of the Service:

• Render Services, Inc. (USA) — backend and bot hosting
• Vercel Inc. (USA) — frontend hosting and analytics
• Neon Inc. (USA) — PostgreSQL database
• Cloudflare, Inc. (USA) — DNS, R2 storage, network analytics
• Stripe, Inc. (USA) — payment processing
• Google LLC (USA) — OAuth authentication
• Twitch Interactive, Inc. (USA) — OAuth integration and API

These transfers to third countries (United States) are governed by the Standard Contractual Clauses (SCC) adopted by the European Commission, or by equivalent transfer mechanisms recognised by the CNIL.

• Account data (email, OAuth identifiers, profile): retained until the account is deleted by the User or by Omiros for cause.
• Bento Page content: deleted immediately upon account deletion.
• IP address: retained for the active duration of the account. Deleted within minutes following account deletion.
• Twitch tokens (access/refresh): deleted upon Twitch disconnection or account deletion, with explicit revocation to Twitch.
• Discord data: deleted upon disconnection of the Discord Bot or account deletion.
• Stripe billing data (technical identifiers): retained for 10 years in accordance with French accounting legal obligations.
• Infrastructure logs (Render): subject to Render's policy, not retained by Omiros.

Upon account deletion, Omiros carries out the following within minutes of the request:

• Complete deletion of personal data from the database.
• Auto-removal of the Discord Bot from connected servers and deletion of Discord data.
• Complete deletion of the Bento Page and all its modules.
• Explicit revocation of Twitch and Google connections with the respective services.
• Deletion of encrypted Twitch tokens.

Certain data may be retained beyond this period solely where a legal obligation applies (billing data, ongoing investigation into an offence).

In accordance with the GDPR, the User has the following rights over their personal data:

• Right of access (Art. 15 GDPR): obtain confirmation of processing and a copy of the data.
• Right to rectification (Art. 16 GDPR): have inaccurate data corrected.
• Right to erasure (Art. 17 GDPR): request deletion of data, subject to legal retention obligations.
• Right to restriction of processing (Art. 18 GDPR).
• Right to data portability (Art. 20 GDPR).
• Right to object (Art. 21 GDPR): object to processing based on legitimate interest.

These rights are exercised by email at the address indicated in the Legal Notice. Omiros undertakes to respond within one month.

The User also has the right to lodge a complaint with the CNIL (www.cnil.fr).

Omiros implements the following technical and organisational measures to protect data:

• Password encryption using Argon2id with robust parameters.
• Double encryption of Twitch tokens (native Twitch encryption + AES-256-GCM on Omiros's side with a private key).
• Secure communications via HTTPS/TLS.
• IP-based rate limiting to prevent brute-force attacks.
• Detection of suspicious sessions via analysis of connection IP addresses.
• Service separation (backend, database, storage) with restricted access.
• Access to user files (images, media) exclusively via signed Cloudflare R2 URLs — Omiros's backend never accesses files directly.

In the event of a data breach likely to result in a risk to the rights and freedoms of the individuals concerned, Omiros undertakes to notify the CNIL within 72 hours and the affected users as soon as possible.

The Service is accessible to persons aged at least 13 years. For users aged 13 to 15 inclusive, the consent of the legal representative is required for the processing of personal data, in accordance with Article 8 of the GDPR. Omiros has no age verification mechanism and cannot be held liable for a false declaration.

Omiros reserves the right to amend this Privacy Policy at any time. Any material change will be notified to users by email and/or via a notification within the Service.