⌬ PRIVACY POLICY
LOGIN TERMS REFUNDS CONTACT

◆ PRIVACY POLICY

Effective date: 2026-04-21. Last updated: 2026-04-21.

1. Who controls your data

VIDVOID (the "Service", "we", "us") is operated as a sole proprietorship based in Indiana, United States. We are the data controller for account data you give us when using vidvoid.com. You can reach us at notkmartorders@gmail.com.

2. What we store

  • Account data: your chosen username, email address (used for password reset + account notices), a scrypt-hashed password (never the plaintext), your role (user/mod/host), membership tier, registration timestamp, last-seen timestamp, terms-acceptance timestamp, and any moderator-imposed mute end-time.
  • Billing data: if you subscribe, gift, or tip, we store the Stripe customer ID, subscription ID, subscription tier, subscription start/end dates, and the event history Stripe sends us via webhook (e.g. "subscription renewed", "payment failed"). We never store full card numbers, CVCs, or bank account details — Stripe stores those.
  • Two-factor auth (if enabled): an encrypted TOTP secret and a small set of hashed backup codes.
  • Session cookie: a signed token (or_session) that identifies you while logged in. 30-day lifetime. HttpOnly, Secure, SameSite=Lax. We do not use third-party analytics cookies.
  • Chat messages: stored in a rolling ring buffer of the most recent ~500 entries room-wide. Older messages are deleted automatically.
  • Activity: videos you watched, skip votes you cast, bookmarks you saved, nominations you submitted, achievements you unlocked. Aggregated into per-user counters used for the Stats page and leaderboards.
  • Audit log: moderator actions (kicks, mutes, bans, role changes, subscription events) for transparency and for billing-dispute evidence.
  • Play history: the room's rolling list of what has been played, with metadata from the YouTube Data API (title, view count, likes, comments, duration, upload date, thumbnail).
  • Video metadata cache: basic metadata for videos the room has seen recently, auto-purged after 30 days per YouTube API Services Terms.
  • Server logs: the web server and reverse proxy (nginx) write standard request logs that include IP address, user-agent, URL, and response code. These rotate weekly and are retained for a maximum of 30 days for security / abuse investigation.

3. What we don't store

We do not collect or store: your real name (unless you choose to share it in chat or in Stripe Billing Portal), phone number, precise location, or browsing history outside this site. We do not run advertising networks, analytics trackers, or fingerprinting scripts. We do not sell, rent, or trade your personal data to third parties.

4. Third-party services

We rely on a small number of third-party providers to operate:

  • Stripe, Inc. — processes all payments. When you subscribe, gift, or tip, you are redirected to Stripe Checkout and your payment details are entered on Stripe's own systems. Stripe shares with us only the payment outcome, the customer / subscription IDs, and (optionally) the billing country for tax purposes. See Stripe's Privacy Policy.
  • YouTube / Google LLC — videos play via the YouTube IFrame Player API, which is hosted on Google infrastructure. When a video loads, your browser contacts www.youtube.com and googlevideo.com. Google may set its own cookies in that context. See Google's Privacy Policy.
  • YouTube Data API — we query YouTube server-to-server for video metadata (title, view count, etc.). Your personal data is not sent to YouTube as part of these queries.
  • Google Fonts — we load the VT323 font from Google's CDN. Google may log your IP + user-agent in the process. See Google's Privacy Policy above.
  • Hosting provider (Hostinger) — the server itself runs on a VPS. Our host has access to the server at an infrastructure level but does not process user data on our behalf.

5. Cookies

We use one first-party cookie: or_session, which stores an authentication token. It is strictly necessary for the Service to function (without it you cannot stay logged in). Under the EU ePrivacy Directive and similar laws, strictly-necessary cookies do not require prior consent.

YouTube, loaded inside its embedded player, and Stripe, loaded during checkout, may set their own cookies. Those cookies are governed by their respective privacy policies.

6. How long we keep data

  • Account + billing records: retained while your account is active, and for up to 30 days after deletion.
  • Tax / financial records: retained for up to 7 years as required by US tax law.
  • Chat: rolling ~500-message buffer — older messages are deleted automatically.
  • Video metadata cache: 30 days maximum.
  • Audit log: retained for the life of the Service; we may periodically prune entries older than 2 years.
  • Server logs: rotated weekly, kept a maximum of 30 days.

7. Your rights

You can:

  • View your own activity at /stats and /bookmarks;
  • Delete individual bookmarks from the Bookmarks page;
  • Change your email, password, or enable/disable 2FA at /profile;
  • Cancel any subscription yourself from the Stripe Billing Portal linked on the Membership page;
  • Log out at any time;
  • Request a copy or deletion of all your account data by emailing notkmartorders@gmail.com — we respond within 30 days.

If you are in the EU/EEA, UK, or California (or another jurisdiction with equivalent law), you have additional rights (access, rectification, erasure, portability, restriction, objection, non-discrimination for exercising them). Contact us to exercise any of these.

8. Security

Passwords are hashed with scrypt (N=16384, r=8, p=1). Session cookies are cryptographically signed with HMAC-SHA256. TOTP secrets are encrypted at rest. All traffic is served over HTTPS via a Let's Encrypt certificate. The database is stored on a VPS hardened per our internal checklist; physical security of that VPS is the responsibility of our hosting provider.

We are a small operation and cannot guarantee absolute security. If you believe you've found a vulnerability, email notkmartorders@gmail.com with "Security report" in the subject — please don't publicly disclose until we've had a chance to fix it.

9. Children

The Service is not intended for children under 13, and we do not knowingly collect personal data from them. YouTube's minimum age is 13, which applies here too. Parents or guardians who believe we have inadvertently collected a child's data should email us and we will delete it promptly.

10. International transfers

Our servers are located in the United States. If you access the Service from outside the US, your data will be transferred to and processed in the US. By using the Service, you consent to that transfer.

11. Changes

Material changes will be announced in the room chat and by updating the "Effective date" above. If you disagree with a change, stop using the Service before the effective date.

12. Contact

To exercise your rights or ask privacy-related questions:

VIDVOID is not affiliated with, endorsed by, or sponsored by YouTube LLC, Google LLC, or Stripe, Inc.