Privacy Policy
Last updated: 15 May 2026 · v1.0.
0. Controller
The controller of personal data processed through casi is Terminal Data Solutions (eenmanszaak, KvK 80519687), Spanjaardstraat 121 D, 3025 TM Rotterdam, Netherlands. Contact for GDPR matters: privacy@casi.gg. See the Imprint for full operator details.
1. Data we collect
- Streamers: email, display name, avatar, overlay slug, payout wallet address (if you connect Solana), and Stripe Connect account identifier (if you connect Stripe). The Stripe Connect account identifier is a reference — your bank details and KYC documents are held by Stripe, not by us.
- Viewers: a display name you choose, the text and media you submit, and — if you tip — whatever Stripe or your Solana wallet discloses to us about the transaction (never your card number).
- Wallet addresses: if you connect a Solana wallet, the public address. Public addresses are pseudonymous, not anonymous; on-chain activity tied to that address is public by nature of the blockchain.
- Technical: IP address (hashed for abuse prevention and rate-limit enforcement), browser user-agent, timestamps, and structured error logs from your client.
2. Why we process it (lawful basis)
| Purpose | Lawful basis |
|---|---|
| Operating the overlay, processing bookings, displaying content | Performance of contract (GDPR Art. 6(1)(b)) |
| Card payments via Stripe / on-chain escrow on Solana | Performance of contract (GDPR Art. 6(1)(b)) |
| Authentication cookies, essential local storage | Strictly necessary, ePrivacy Art. 5(3) |
| Rate limiting, captcha, content moderation | Legitimate interests (GDPR Art. 6(1)(f)) — fraud and abuse prevention |
| Responding to abuse / DMCA / law enforcement requests | Legal obligation (GDPR Art. 6(1)(c)) |
3. Third-party processors
- Supabase — database, authentication, storage. Servers in the EU.
- Stripe — card payments, payouts, and connected-account KYC. Stripe is the controller for the KYC data you submit to them; we never see it.
- Vercel — hosting and edge functions. Some processing occurs in the United States; covered under EU–US Data Privacy Framework adequacy.
- Helius — Solana RPC and webhook delivery for on-chain events.
- Solana RPC providers — public-blockchain transactions (on-chain data is public by nature of the blockchain).
Each processor receives only the minimum data needed to perform its function.
4. Cookies and local storage
We use essential cookies for authentication (Supabase session) and browser localStorage to remember your chosen Viewer name and theme preferences. We do not use advertising or third-party analytics cookies. Because we use only strictly-necessary cookies, no consent prompt is required under ePrivacy Art. 5(3); we still surface a notice on first visit.
5. Retention
- Account data: for as long as the account exists, plus a short grace period after deletion.
- Bookings and tips: retained for tax and legal-reporting purposes, typically 7 years (Dutch Algemene Wet inzake Rijksbelastingen, Art. 52).
- IP hashes for abuse prevention: up to 90 days.
- Uploaded images and videos: deleted automatically when the booking expires or is denied, and on request.
- Server logs: 30 days for routine logs, longer for security incidents.
6. Your rights (GDPR / UK GDPR)
If you are in the EU, UK, or EEA you have the rights to access (Art. 15), rectify (Art. 16), erase (Art. 17), restrict (Art. 18), port (Art. 20), and object to (Art. 21) processing of your personal data, and to withdraw consent where consent is the lawful basis. Email privacy@casi.gg with your request — we respond within 30 days as required by Art. 12(3).
You also have the right to lodge a complaint with the Dutch supervisory authority, Autoriteit Persoonsgegevens: autoriteitpersoonsgegevens.nl, or with the supervisory authority of your EU/EEA country of residence.
7. International transfers
Vercel processes data in the United States. Transfers to the US are covered under the EU–US Data Privacy Framework adequacy decision (European Commission Decision (EU) 2023/1795). Stripe operates globally; transfers outside the EEA are covered by Standard Contractual Clauses.
8. Children
The service is not intended for users under 18. We do not knowingly collect data from children. If you believe a child has submitted Content, email abuse@casi.gg and we will remove it.
9. Security
We use TLS everywhere, hash passwords via Supabase Auth, keep service-role credentials server-side, and hash IP addresses before storing them. No system is perfectly secure; report vulnerabilities to security@casi.gg.
10. Changes
We may update this policy. Material changes will be announced via the site or email at least 30 days before they take effect.
11. Contact
Privacy questions: privacy@casi.gg. Operator details: Imprint.