Privacy Policy

What we collect, why, and your rights.

Plain-language privacy policy. We collect the minimum needed to run the service, never sell data, and let you delete your account at any time. Last updated May 2026.

GDPR / KVKK: compliant by design

AES-256-GCM: encryption at rest

No tracking: no ad cookies, ever

1. Who we are

DigitalScenary ("we", "us", "our") operates digitalscenary.com and the related dashboard, where streamers buy and configure stream-overlay widgets. We act as the data controller for personal information processed through this site. If you need to reach us about anything in this policy, write to hello@digitalscenary.com.

2. What we collect

We collect only what we need to deliver the service. From your account: name, email address, and a salted password hash (we never see your plaintext password — authentication runs on Supabase Auth). From your purchases: order id, total, and the list of products you bought; payment card details are handled exclusively by Lemon Squeezy and never reach our servers. From optional integrations: if you choose to connect Twitch, we store your Twitch user id, login, granted scopes, and access/refresh tokens (encrypted at rest with AES-256-GCM). From technical traffic: IP address (for rate limiting and fraud prevention) and standard request logs.

3. Why we collect it

We process the information above to: create and maintain your account; fulfil and deliver the digital products you purchase; send order confirmations, download links, and customer-service replies; subscribe to the streaming events your widgets need (Twitch bits, follows, subs, raids); detect and prevent abuse; and meet our tax/accounting obligations. We do not use your data for advertising, profiling, automated decision-making, or training third-party AI models.

4. Lawful bases (GDPR / UK GDPR)

Your account and purchases are processed on the basis of "performance of a contract" (Art. 6(1)(b)). Marketing emails — if you subscribed to the newsletter — rely on your explicit consent (Art. 6(1)(a)), which you can withdraw at any time through the unsubscribe link. Logs and rate-limit counters rely on our "legitimate interest" in keeping the service running and abuse-free (Art. 6(1)(f)). If you connect Twitch, that processing relies on your consent given at the OAuth screen.

5. Who we share data with

We share the minimum necessary with the third-party processors that run the service: Supabase (database, authentication); Lemon Squeezy (payment processing, invoicing, EU VAT compliance); Resend (transactional email delivery); Cloudflare R2 (file storage); Vercel (hosting and DDoS protection); Twitch (only when you explicitly connect, only the scopes you grant). We do not sell or rent your data to anyone. We disclose data to law enforcement only when compelled by a valid legal order from a competent jurisdiction.

6. International transfers

Some of our processors store data in the United States. Where we transfer data outside the EEA/UK, we rely on the European Commission's Standard Contractual Clauses or adequacy decisions (e.g. the EU-US Data Privacy Framework) executed with each processor. By using the service you consent to these transfers.

7. How long we keep it

Account data is retained as long as your account exists. Purchase records are kept for at least 10 years after the order date, as required by accounting and tax law. Webhook idempotency logs are pruned after 30 days. Encrypted Twitch tokens are deleted within minutes of you disconnecting Twitch. Rate-limit counters expire within minutes. Customer-service emails are kept for 24 months.

8. Your rights

Under GDPR, UK GDPR, KVKK, and equivalent laws you have the right to access the personal data we hold about you, ask us to correct it, ask us to delete it (subject to our retention obligations), restrict or object to specific processing, withdraw any consent you have given, receive a copy in a machine-readable format (portability), and lodge a complaint with your local data-protection authority. To exercise any of these, email hello@digitalscenary.com from the address on your account. We respond within 30 days.

9. Cookies and similar technologies

We use a small set of strictly-necessary cookies: ds_customer and ds_customer_refresh (httpOnly, encrypted session cookies that keep you signed in); ds_twitch_state (a 10-minute CSRF token used only during the Twitch OAuth handshake). We do not use any third-party analytics, advertising, fingerprinting, or tracking cookies, so we don't show a consent banner. The Lemon Squeezy checkout, when opened, may set its own cookies; those are governed by Lemon Squeezy's privacy policy.

10. Children

The service is not directed to children under 16, and we do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, please contact us and we will delete it.

11. Security

All traffic is encrypted in transit with TLS 1.2+. Sensitive tokens (Twitch OAuth) are encrypted at rest with AES-256-GCM. Passwords are never stored in plaintext. Production keys are kept exclusively in our hosting provider's encrypted secret store and are rotated when compromised. We follow the principle of least privilege internally. No system is unbreakable, but we patch reported vulnerabilities promptly — please report any to hello@digitalscenary.com.

12. Changes to this policy

We may update this policy from time to time. Material changes (new data uses, new categories of data, new recipients) are announced by email to all active customers at least 14 days before they take effect. The current effective date is shown at the top of this page.

Questions about your data?

We reply to every privacy request within 30 days — usually within one.
