Privacy Policy
1. Overview
Spectator (referred to as "the Service", "we" or "us") is an invite-only Twitch chat bot and web dashboard. It provides:
- Custom chat commands and built-in commands
- Automated moderation (link filter, repeat detection, word lists)
- Watch-time tracking and chat-activity analytics
- Follower, raid, sub and channel-point event handling
- Song requests with overlay playback
- Browser-source overlays for OBS
This policy explains what personal data we process, why, on what legal basis, how long we keep it, and how you can exercise your rights under the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).
Unlike many comparable Twitch chat bots, Spectator is operated in Germany under EU law. Your channel record, OAuth tokens and configuration stay on infrastructure inside the European Union. See section 6 for details.
If you do not agree with this policy, please do not authorise or use the Service.
2. Controller
The data controller responsible for the processing described here is:
MBFHL Systems
c/o MDC#3681
Welserstraße 3
87463 Dietmannsried
Germany
- E-mail: hey@mutebefehl.de
- Operated privately, no separate company entity
- Below the statutory threshold for a designated Data Protection Officer; no DPO appointed
- All privacy requests handled directly by the controller
3. Categories of data we process
3.1 Account data from Twitch
When you log in with Twitch OAuth, Twitch shares the following with us:
- Numeric Twitch user id
- Login name and display name
- Profile image URL
- OAuth access token, refresh token, scopes granted, and token expiry timestamp
We request only the scopes necessary for the features you enable. Typical scopes:
- Reading and sending chat messages
- Managing chat (timeouts, bans, message deletion)
- Reading follower and subscription events
- Reading channel-point redemptions
You can review and revoke the granted scopes at any time at twitch.tv/settings/connections.
3.2 Configuration you provide
- Custom chat commands, including their response templates and per-command settings
- Auto-moderation rules (link filter, repeat detection, word lists)
- Timer messages and intervals
- Song-request settings and per-source toggles (YouTube, SoundCloud, Spotify)
- Overlay configuration (alert styles, sounds, positions)
- Manager invitations and access grants for other Twitch accounts
- Quotes, counters, and other content you create through the dashboard
3.3 Operational data generated by use
- Watch-time counters per Twitch user id in your channel, incremented while a user is active in chat during your live stream
- First-seen timestamps for chatters in your channel
- Aggregated stream sessions: start and end time, peak viewer count, average viewers, top chatters per session
- Counts and timestamps of moderation actions taken by the bot
- Channel-point redemption events you have configured to react to
- Follower and raid event records for analytics and overlay alerts
We do not store full chat transcripts. Individual chat messages are processed in memory only and discarded as soon as they have been evaluated.
3.4 Authentication and security logs
- A server-side session record after successful login (random session id, channel id, creation and expiry timestamps)
- One HTTP-only session cookie (sid) set in your browser, with SameSite=Lax and a 30-day lifetime
- A login audit log containing the Twitch login, IP address, user agent, status (success, blocked, code rejected, etc.) and timestamp for each authentication attempt
- Server access logs (timestamp, request path, response status, IP, user agent) generated by the hosting layer
3.5 Integrations you connect
If you connect optional integrations from the dashboard, additional data is processed:
- Spotify: the client id and client secret you supply for your own Spotify developer app, plus the OAuth tokens issued by Spotify once you authorise the connection. Used to show now-playing information and to skip or pause tracks via overlay controls.
- YouTube and SoundCloud: no account connection is required; the song-request feature uses public metadata and embedded players.
- Discord (operator side): if a Discord webhook URL is configured by the operator, security and uptime events are forwarded to that webhook. No subscriber chat content is sent.
4. Purposes and legal bases
We process the categories above for the following purposes. The legal basis under Art. 6 (1) GDPR is noted for each.
- Providing the contracted Service (chat commands, moderation, overlays, dashboards): Art. 6 (1)(b) GDPR, performance of a contract you initiated by authorising the bot.
- Maintaining secure access (session cookies, server-side sessions, login audit log): Art. 6 (1)(b) GDPR and our legitimate interest in protecting the Service from misuse and account takeover, Art. 6 (1)(f) GDPR.
- Abuse prevention and rate limiting (IP logging, login throttling, block lists): Art. 6 (1)(f) GDPR, legitimate interest in protecting the Service and other users.
- Diagnostics and stability (server access logs, uptime monitoring): Art. 6 (1)(f) GDPR.
- Aggregate analytics for your channel (peak viewers, top chatters): Art. 6 (1)(b) GDPR; data is presented only to you and your authorised managers.
- Optional integrations (Spotify, Discord webhook): Art. 6 (1)(a) GDPR, your explicit consent at the time of connection. You may withdraw consent at any time by disconnecting the integration.
5. Recipients and third parties
We do not sell your data and we do not pass it on for advertising purposes. Data is transmitted to the following recipients strictly to the extent required to operate the feature you have enabled.
- Twitch Interactive, Inc.: required at all times. We exchange data through the Helix API, IRC chat, and EventSub WebSockets and webhooks. See Twitch Privacy Notice.
- Spotify AB: only if you connect Spotify. See Spotify Privacy Policy.
- Google Ireland Ltd. (YouTube): only when an overlay loads an embedded YouTube player for a song request. See Google Privacy Policy.
- SoundCloud Global Ltd. & Co. KG: only when an overlay loads an embedded SoundCloud player. See SoundCloud Privacy Policy.
- Hosting provider (Germany): a dedicated server in Germany processes all requests and stores the database and logs. The provider acts as a processor under Art. 28 GDPR.
- Discord, Inc.: only if the operator has configured a Discord webhook for security or uptime alerts.
- Authorities: where required by law, court order, or to investigate abuse of the Service.
6. Hosting and international data transfers
Spectator itself is operated in Germany. Many comparable Twitch chat bots are operated entirely from the United States; Spectator deliberately is not. What stays inside the EU:
- The application server
- The database with your channel record and OAuth tokens
- Your configuration, custom commands and auto-mod rules
- Watch-time counters and stream analytics
- Audit and server access logs
None of this is copied or replicated to servers outside the EU. Data leaves the EU only where the feature itself requires it:
- Twitch (USA): chat, moderation, follower events and OAuth are operated by Twitch Interactive, Inc. Without this transfer the Service cannot function. Twitch is the joint controller for the data you exchange with Twitch directly.
- Optional integrations you connect (Spotify, YouTube, SoundCloud, Discord webhook): operated by their respective providers, some of which are based outside the EU. Disabling an integration in the dashboard stops the corresponding transfer.
Where transfers to third countries are necessary, they rely on the providers' own safeguards, including, where applicable, the EU-US Data Privacy Framework and the EU Standard Contractual Clauses under Art. 46 GDPR.
7. Cookies
Spectator sets one cookie of its own and it is required for the Service to function. We do not use analytics, marketing, or third-party advertising cookies.
sid: HTTP-only, SameSite=Lax, Secure in production, lifetime 30 days. Stores the random identifier that links your browser to your server-side session. Without this cookie you cannot stay logged in.
Embedded players for YouTube, SoundCloud, Spotify or other third parties may set their own cookies inside the overlay frame. These cookies are governed by the respective provider's privacy policy and are loaded only when the corresponding overlay is opened.
8. Retention
We keep personal data only for as long as it is needed for the purpose it was collected for, unless a longer retention period is required by law.
- Channel record, OAuth tokens, custom commands and configuration: kept as long as your channel exists. Deleted within 30 days after account removal.
- Watch-time counters and stream sessions: kept while your channel exists. You can reset them in the dashboard at any time.
- Login audit log: 90 days, then anonymised or deleted.
- Server access logs (hosting layer): up to 14 days, then rotated and deleted.
- Session records: 30 days from last activity, then expired and purged.
- Avatar URL cache and user id lookups: 30 to 60 minutes in memory only.
Backups of the database are encrypted at rest and overwritten on a rolling basis (most recent 7 daily backups, no longer).
9. Security
- All traffic to the Service is encrypted with TLS.
- OAuth tokens are stored server-side and never exposed in your browser.
- The login flow is rate-limited and protected against login CSRF by a per-request OAuth state token that is checked when Twitch redirects back to the Service.
- Session cookies are HTTP-only (not readable by page scripts, which limits the damage a cross-site scripting bug could do) and SameSite=Lax (not sent with requests that other sites initiate, apart from top-level navigations), reducing session-theft and cross-site request risks.
- Administrative access to the server is restricted to the controller and protected by SSH key authentication.
- A Content Security Policy and standard hardening headers are applied to every page.
- Security issues can be reported confidentially via the Responsible Disclosure page.
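The login protections listed above (a per-request, single-use OAuth state token, a random server-side session id, and an HTTP-only, Secure, SameSite=Lax cookie with a 30-day lifetime) in working form, as an added example that is not Spectator's own code. The client id, redirect URI, the in-memory stores and the 10-minute validity window for an unused state token are assumptions made for the example; the exchange of the returned code for tokens at Twitch is a network call and is left out.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode

# The 30-day session lifetime is the one the policy states; the 10-minute
# window for an unused OAuth state is an assumption made for this example.
SESSION_LIFETIME = 30 * 24 * 3600
STATE_LIFETIME = 10 * 60

AUTHORIZE_URL = "https://id.twitch.tv/oauth2/authorize"


class LoginFlow:
    """Hypothetical login handler: per-request OAuth state (single-use and
    time-limited), a server-side session record, and a login audit log of
    the kind section 3.4 describes. Stores are in-memory stand-ins."""

    def __init__(self, client_id, redirect_uri, now=time.time):
        self.client_id = client_id
        self.redirect_uri = redirect_uri
        self.now = now            # injectable clock so expiry can be tested
        self._pending = {}        # state -> expiry timestamp
        self._sessions = {}       # sid -> session record
        self.audit = []           # (timestamp, login, ip, user_agent, status)

    def begin(self, scopes):
        """Step 1: mint a fresh random state and build the authorize URL."""
        state = secrets.token_urlsafe(32)
        self._pending[state] = self.now() + STATE_LIFETIME
        url = AUTHORIZE_URL + "?" + urlencode({
            "client_id": self.client_id,
            "redirect_uri": self.redirect_uri,
            "response_type": "code",
            "scope": " ".join(scopes),
            "state": state,
        })
        return url, state

    def callback(self, query_string, ip, user_agent):
        """Step 2: Twitch redirects back with ?code=...&state=...
        Returns (status, code); any status other than 'success' has code=None."""
        params = parse_qs(query_string)
        state = params.get("state", [None])[0]
        code = params.get("code", [None])[0]
        # pop() makes the state single-use: a replayed, forged or expired
        # state is rejected and recorded as 'blocked' in the audit log.
        expiry = self._pending.pop(state, None)
        if expiry is None or expiry < self.now():
            self._log(None, ip, user_agent, "blocked")
            return "blocked", None
        if not code:
            self._log(None, ip, user_agent, "code rejected")
            return "code rejected", None
        return "success", code

    def issue_session(self, channel_id, login, ip, user_agent):
        """Step 3 (after the code has been exchanged for tokens server-side):
        create the session record and the Set-Cookie header for `sid`."""
        sid = secrets.token_urlsafe(32)
        created = self.now()
        self._sessions[sid] = {"channel_id": channel_id, "created": created,
                               "expires": created + SESSION_LIFETIME}
        self._log(login, ip, user_agent, "success")
        header = (f"sid={sid}; Path=/; Max-Age={SESSION_LIFETIME}; "
                  "HttpOnly; Secure; SameSite=Lax")
        return sid, header

    def session(self, sid):
        """Look up a session by cookie value; expired records are purged."""
        rec = self._sessions.get(sid)
        if rec is None or rec["expires"] < self.now():
            self._sessions.pop(sid, None)
            return None
        return rec

    def _log(self, login, ip, user_agent, status):
        self.audit.append((self.now(), login, ip, user_agent, status))
```

The state token is popped from the pending store on first use, so a replayed callback URL and a callback with a state the server never issued are both refused, and the audit entry records "blocked" rather than silently dropping the attempt. Because the session id is opaque and random, the cookie carries no channel data itself; everything about the login lives in the server-side record.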
10. Your rights
Under the GDPR you have the following rights regarding personal data we process about you. Contact: hey@mutebefehl.de. We respond within 30 days.
- Access (Art. 15 GDPR): a copy of the data we hold about you.
- Rectification (Art. 16 GDPR): correction of inaccurate data.
- Erasure (Art. 17 GDPR): deletion of your data, subject to legal retention obligations.
- Restriction (Art. 18 GDPR): limit how we use your data.
- Portability (Art. 20 GDPR): receive your data in a machine-readable format.
- Objection (Art. 21 GDPR): object to processing based on legitimate interest.
- Withdrawal of consent (Art. 7 GDPR) for any processing based on consent, effective for the future.
- Complaint (Art. 77 GDPR): lodge a complaint with a supervisory authority. The competent authority for the controller is the Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Promenade 18, 91522 Ansbach, Germany.
To exercise your rights, write from the e-mail address associated with your Twitch account, or include verification information that lets us match the request to your channel.
11. Account deletion
You can leave Spectator at any time. Two steps for a clean exit:
- Revoke OAuth at twitch.tv/settings/connections. Stops Spectator from acting on your behalf immediately, but does not delete stored data.
- Request deletion via e-mail to hey@mutebefehl.de from your registered Twitch e-mail address. Deletion is completed within 30 days and covers the channel record, OAuth tokens, configuration, watch-time data and audit log.
12. Children
Spectator follows Twitch's own minimum-age rules. The Service is not directed at children below the age allowed to use Twitch in their country. If you become aware that a minor has provided personal data to Spectator, contact us and we will delete it without delay.
13. Automated decision making
Auto-moderation rules you configure may take automatic actions in chat (deleting messages, timing out users) based on the criteria you set. These actions are limited to the chat function and do not produce legal effects within the meaning of Art. 22 GDPR. You define the rules and can disable or override them at any time.
14. Changes to this policy
We may update this policy when the Service changes or when legal requirements change. The "Last updated" date at the top will be revised accordingly. For material changes that affect how we process your data, we will notify channels through the dashboard before the change takes effect.
15. Contact
Questions about this policy or about how your data is processed: hey@mutebefehl.de