Privacy Policy
Last updated: April 13, 2026
1. Overview
StreamForge (“we,” “us,” or “our”), operated by Siklab Innovations (trading as BifrostLive), operates the StreamForge platform at streamforge.bifrostlive.com, a SaaS tool for live streamers to track community engagement, manage VIP rewards, run interactive events, and view real-time statistics. This Privacy Policy explains what data we collect, how we use it, and your rights regarding your personal information.
By using StreamForge, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the service.
2. Data We Collect
We collect information necessary to provide and improve our services:
- Account Information: Email address, display name, and authentication credentials provided during sign-up (via email/password, Twitch OAuth, or Google OAuth).
- Twitch Data: When you connect your Twitch account, we access your Twitch username, avatar, user ID, and stream events (subscriptions, bits, raids, chat messages) through the Twitch API and EventSub webhooks.
- Viewer Activity Data: Twitch viewer activity such as chat messages, subscriptions, gift subs, bits, raids, and channel point redemptions may be tracked and displayed on public leaderboards when enabled by the streamer.
- Discord Data: When you connect your Discord server, we access guild information, channel lists, and role lists to manage VIP role assignments and post leaderboard embeds.
- Usage Data: We collect information about how you interact with StreamForge, including pages visited, features used, and actions taken within the dashboard.
- Billing Data: Payment processing is handled by Paddle. We store your Paddle customer ID and subscription status but do not directly handle credit card numbers or payment method details.
- Support Information: Name, email address, category, and message content submitted through our contact form.
- Username History: When a Twitch viewer changes their username, we record the change to maintain continuity in community engagement records and enable searching by historical names.
- Cross-Platform Identity: When viewers link their Discord and Twitch accounts (via self-service bot command or streamer mapping), we store the association between their Discord user ID and Twitch account.
- Temporary Verification Codes: Short-lived verification codes used during account linking are automatically deleted after use or expiration (within minutes).
- VIP Designation: Streamers may designate viewers as Permanent VIPs with an optional reason note.
- StreamElements Data: When you connect your StreamElements account, we store your JWT token (encrypted at rest) and access your channel ID, display name, and historical tip/donation data through the StreamElements API.
- User Notifications: We store in-app notifications including notification type, title, message, and read status. Notifications are automatically deleted after 90 days. You can control which notification types you receive in your notification preferences.
- Data Access Requests: When you request a data export, we store the request metadata (status, timestamps, download count) for compliance audit purposes. Download tokens and encrypted files are automatically deleted after 7 days. We do not retain copies of your data export after expiration.
3. How We Use Data
We use collected data to:
- Provide, operate, and maintain the StreamForge platform
- Calculate community engagement points based on configurable rules
- Evaluate and grant VIP status to qualifying community members
- Display leaderboards and analytics dashboards, including public-facing leaderboards that show viewer usernames, display names, avatars, and engagement scores when enabled by the streamer
- Manage your subscription and billing
- Send transactional emails (billing alerts, platform announcements)
- Improve our services through aggregated, anonymized analytics
- Respond to support requests and communicate about your account
- Link viewer identities across Twitch and Discord to enable cross-platform VIP role management
- Generate AI-powered narrative summaries for community recaps using aggregate engagement statistics
4. Third-Party Services
StreamForge integrates with third-party services to provide its functionality:
- Supabase: Database hosting, authentication, and real-time subscriptions. Data is stored on Supabase-managed PostgreSQL infrastructure.
- Twitch (Amazon): OAuth authentication and stream event data. Subject to the Twitch Developer Agreement.
- Discord: Bot integration for role management and notifications. Subject to the Discord Developer Terms of Service.
- Google: OAuth authentication provider. When you sign in with Google, we receive your email address, display name, and profile picture from your Google account. We do not access any other Google services or data. Subject to Google's Privacy Policy.
- Paddle: Payment processing and subscription management. Subject to Paddle's Privacy Policy.
- Vercel: Application hosting and edge deployment.
- Sentry: Error tracking and performance monitoring (when performance cookies are enabled).
- OpenAI:We use OpenAI's API to generate AI-powered narrative summaries for community recaps. Only aggregate community statistics and public Twitch display names are sent to OpenAI. No private messages, email addresses, or other personal data are transmitted.
- StreamElements: Tip/donation data import and synchronization. StreamForge stores an encrypted JWT token to access your StreamElements account data. You can disconnect at any time from Settings.
5. Data Retention
We retain your data for as long as your account is active or as needed to provide our services. When you delete your account:
- Your personal profile data is deleted within 30 days
- Aggregated, anonymized analytics data may be retained indefinitely
- Billing records are retained as required by applicable tax and financial regulations
- Twitch and Discord OAuth tokens are revoked and deleted immediately upon disconnection
- Deletion requests also remove username history and Discord identity links
- StreamElements JWT tokens are deleted immediately upon disconnection
- User notifications: 90 days
- Data access request records: retained as long as necessary for legal compliance, audit, fraud prevention, and dispute resolution
- Data export files: 7 days after generation
6. Your Rights (GDPR)
If you are a resident of the European Economic Area (EEA), you have the following rights under the General Data Protection Regulation (GDPR):
- Right of Access: Request a copy of the personal data we hold about you.
- Right to Rectification: Request correction of inaccurate personal data.
- Right to Erasure: Request deletion of your personal data.
- Right to Restriction: Request restriction of processing of your data.
- Right to Data Portability:Request transfer of your data in a machine-readable format. You can request a complete copy of your data by submitting a “Data Access Request” support ticket. We aim to prepare data exports quickly (typically within 48 hours in normal conditions) and respond within applicable legal timelines. Your data is delivered as an AES-256 encrypted ZIP file containing CSV files, a README, and a list of our third-party data processors. The download link and password are sent to your registered email in separate messages for security. Downloads are limited to 5 per export and expire after 7 days. Our third-party data processors include: Supabase (database hosting), Vercel (application hosting), OpenAI (AI features), and Paddle (billing processing).
- Right to Object: Object to processing of your personal data.
To exercise any of these rights, please contact us at the address listed in the Contact section below.
7. Your Rights (CCPA)
If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with the following rights:
- Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you.
- Right to Delete: You may request deletion of personal information we have collected from you.
- Right to Opt-Out: You may opt out of the sale of personal information. StreamForge does not sell personal information.
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
9. Children's Privacy
StreamForge is not directed to individuals under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that a child under 13 has provided us with personal information, we will take steps to delete such information promptly. If you believe a child under 13 has provided us with personal data, please contact us.
10. Security Measures
We implement appropriate technical and organizational measures to protect your personal data, including:
- Encryption of data in transit (TLS/HTTPS) and at rest
- Row-Level Security (RLS) policies ensuring tenant data isolation
- OAuth token encryption at rest via Supabase Auth
- CSRF protection and webhook signature verification
- Rate limiting on public-facing endpoints
- Regular security reviews and dependency updates
While we strive to protect your personal information, no method of transmission over the Internet or electronic storage is 100% secure.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy on this page and updating the “Last updated” date. We encourage you to review this policy periodically. Continued use of StreamForge after changes constitutes acceptance of the updated policy.
12. Contact Us
If you have any questions about this Privacy Policy or wish to exercise your data rights, please contact us at:
- Data Controller: Siklab Innovations (trading as BifrostLive)
- Email: privacy@streamforge.bifrostlive.com
- Platform: StreamForge — streamforge.bifrostlive.com
We will respond to data rights requests within 30 days of receipt.
Public Leaderboard Removal: Viewers may request removal from public leaderboards by contacting privacy@streamforge.bifrostlive.com.