Privacy Policy

• Account data: username, email, password hash, and terms acceptance timestamp.
• Security data: TOTP secrets, recovery codes, passkeys/WebAuthn credentials (encrypted at rest), authentication events, IP addresses, and user-agent strings.
• Session data: active session records so you can review and revoke sessions.
• OAuth link data: linked provider accounts (42, Google, GitHub, Discord) and provider email when available.
• Profile data: first name, last name, profile image, and account preferences.
• Application data: watched-state markers, comments, and related metadata.
• Operational logs for reliability, abuse prevention, and incident response.

• Provide account features and core Hypertube functionality.
• Protect users and platform integrity (security, anti-abuse, audit trail).
• Comply with legal obligations and process user rights requests.

Data is retained only as long as required for operation, security, and legal obligations. Audit and security logs are retained for a limited period and then deleted.

Only strictly necessary cookies are used. No advertising cookies are used.

• Authentication cookies (access + refresh tokens): HttpOnly and Secure in production.
• CSRF cookie : protects against cross-site request forgery attacks.
• OAuth state cookies : temporary cookies used during OAuth flows.
• Cookie-consent preference : stores your banner choice state.

Data is not sold. It may be processed by providers strictly required to run the project (hosting, email delivery, infrastructure operations).

• Access, rectification, deletion, restriction, and portability of your personal data.
• Objection to processing based on legitimate interest.
• Withdraw consent (where applicable) without affecting prior processing.
• View and revoke active sessions from the settings page.
• Export your account data in machine-readable JSON format.
• Lodge a complaint with your supervisory authority (Belgian Data Protection Authority / APD-GBA).

For privacy requests, contact [email protected].