CRWDS Streamers Portal — Privacy Policy
Last updated: 2026-05-29
The CRWDS Streamers Portal is the streamer-facing surface of CRWDS, a campaign-management and delivery platform for brand advertising inside livestreams, operated by Hyped, Lda. This Privacy Policy explains what personal data we collect from streamers, why, how long we keep it, and the rights you have under the General Data Protection Regulation (GDPR).
Who we are
The data controller responsible for the personal data described in this policy is:
- Hyped, Lda
- NIPC 514727926
- Rua António Correia Calhatro, nº 11, 4700-126 Braga, Portugal
- Email: crwds@goinghyped.com
Data Protection Officer
Hyped, Lda has assessed Article 37(1) GDPR and concluded that appointment of a Data Protection Officer is not mandatory at current scale and processing model. Our core activities involve aggregation of publicly available streaming-platform data (viewer counts, follower counts, stream metadata via Twitch / YouTube / TikTok public APIs) combined with minimal private data (operator emails, encrypted payout IBAN). We do not engage in large-scale systematic monitoring of data subjects or processing of special categories of personal data under Article 9. We will reassess this position annually or when material scale or processing-model changes occur.
Privacy enquiries: crwds@goinghyped.com.
What we collect
- Streamer identity — the platform handle and immutable platform user id (Twitch, X, Instagram, TikTok, YouTube) you link to your CRWDS account. For OAuth platforms the handle and id are returned by the platform; for X (manual mode) you enter the handle yourself.
- Follower / subscriber counts — fetched from each linked platform's public API at link time and refreshed on a daily schedule for OAuth platforms; entered manually by you for X.
- OAuth access and refresh tokens — for OAuth-linked platforms, encrypted at rest with platform-isolated symmetric keys. The plaintext exists only in CRWDS's process memory at request time and is never logged. No tokens are stored for X (manual mode).
- Profile fields you provide voluntarily — legal name, phone number, tax identification number (NIF), residential address, postal code, and country of residence. The identity-document fields are encrypted at rest.
- Payout information — IBAN (encrypted at rest), account holder name and tax country.
- Campaign delivery data — overlay impressions, viewer-hour aggregates, and per-campaign statistics generated while a campaign is active on your stream.
- Operational metadata — login timestamps, session activity, and audit-trail rows for sensitive actions (for example, IBAN changes).
Why we collect it
- Campaign delivery — rendering brand overlays on your stream and tracking the resulting impressions.
- Analytics — surfacing per-campaign performance to both you and the brand customer.
- Payouts — manual SEPA payouts to the IBAN you provide on a monthly reconciliation cycle.
- Identity verification — confirming that the streamer linking each platform account owns the underlying handle.
- Tax and accounting compliance — under Portuguese commercial law (see retention below).
Third-party services and per-platform data
CRWDS uses the following platform APIs and complies with each platform's developer terms. For each linked account we store only the streamer's handle, the opaque platform user id, and the follower / subscriber count. We do not store a display name or avatar URL on the social-link record.
- Twitch (sign-in) — the
user:read:emailscope is used for streamer-portal login and identity verification. The verified email confirms identity at sign-in and is not retained on the social-link record. - Twitch (account linking) — when you link Twitch as a social account, CRWDS adheres to the Twitch Developer Services Agreement and requests
user:read:emailplusmoderator:read:followers. The second scope is used solely to read your total follower count for the REACH metric. No individual follower data is fetched or stored — only the aggregate count. The OAuth access and refresh tokens are stored encrypted at rest so the daily refresh worker can update the count without re-driving you through OAuth. - YouTube — CRWDS's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. The
https://www.googleapis.com/auth/youtube.readonlyscope is used solely to verify the streamer's channel identity and to read the public subscriber count. We store the channel handle, channel id, and subscriber count; OAuth access and refresh tokens are stored encrypted at rest. - Instagram — CRWDS adheres to the Meta Platform Terms and the Instagram Platform Policy. The
instagram_business_basicscope is used solely for identity verification and reading the public follower count. We store the username, platform user id, and follower count; the access token is stored encrypted at rest. - TikTok — CRWDS adheres to the TikTok Developer Terms of Service. The
user.info.basic,user.info.profileanduser.info.statsscopes are used for identity verification and reading public follower counts. We store only the streamer's handle, opaque platform user id, and follower count. The API request queries additional public fields (following count, likes count, video count) which are not retained — only the follower count is stored as the REACH metric. OAuth access and refresh tokens are stored encrypted at rest. - X (Twitter) — the streamer manually enters their @handle and follower count via the streamer portal. CRWDS does not access the X API, does not request OAuth, and does not store any tokens. Only the manually-entered handle and self-reported follower count are stored.
CRWDS does not post, message, follow, or take any action on your behalf on any of these platforms. The OAuth scopes above are read-only.
Your GDPR rights
You can exercise the following rights at any time by emailing crwds@goinghyped.com:
- Access — receive a copy of the personal data CRWDS holds about you.
- Rectification — correct any inaccurate or outdated personal data.
- Deletion — request deletion of your account and personal data. See the Data Deletion page for the process and timelines.
- Portability — receive your personal data in a structured, machine-readable format.
- Restriction and objection — restrict or object to specific processing activities.
- Withdrawal of consent — disconnect any linked account at any time from the streamer portal; doing so revokes any stored tokens.
- Complaint — lodge a complaint with the Portuguese data-protection authority (CNPD) or the supervisory authority in your country of residence.
Retention
Personal data is retained for as long as your CRWDS account is active. After account deletion or termination:
- Account-linked PII (profile fields, OAuth tokens, social-link records) is deleted within 30 days.
- Campaign performance data and payout records (including IBAN) are retained for 10 years from the end of the relevant fiscal year, in alignment with Portuguese commercial law (Código Comercial Art.40 + RGCT) and tax record-keeping obligations.
- Internal audit-trail entries (for example, IBAN changes, OAuth-token rotation) are retained for 5 years in non-identifying form.
- Log-aggregation provider records are retained for 90 days by default.
- Anonymised aggregate statistics (no PII) may be retained indefinitely for operational reporting.
Security
Sensitive fields (IBAN, OAuth access and refresh tokens, tax identification number, residential address lines) are encrypted at rest with symmetric keys. Plaintext values exist only in CRWDS's process memory at request time and are never written to our log-aggregation provider. Access to production data is restricted to the operator and audited.
Children
The CRWDS Streamers Portal is not directed to children under 16 years of age (GDPR Article 8 default). We do not knowingly collect personal data from children under this age. If we become aware that we have collected personal data from a child under 16 without verifiable parental or guardian consent, we will terminate the account and delete the data.
Changes to this Policy
We may update this Privacy Policy from time to time. Legally significant changes are communicated by email to affected data subjects. The effective date at the top of this page reflects the current revision.
Annex A — Sub-processors
The following sub-processors process personal data on behalf of Hyped, Lda under written contracts complying with GDPR Article 28. Cross-border transfers are governed by Standard Contractual Clauses (SCCs, EU 2021/914) where applicable.
- Neon — database (EU where available; SCCs apply where applicable).
- Vercel — hosting for the streamer portal (EU where available; SCCs apply where applicable).
- Cloudflare R2 — object storage (EU where available; SCCs apply where applicable).
- Better Stack — log aggregation (EU, eu-fsn-3).
- Twitch — sign-in identity provider + public-API metadata source (global; public-API consumer).
- YouTube / Google — public-API metadata source (global; SCCs apply).
- TikTok — public-API metadata source (global; public-API consumer).
- Instagram (Meta) — public-API metadata source (global; public-API consumer).
Contact
Questions about this policy or about how CRWDS handles your data: crwds@goinghyped.com.