Privacy Policy
How personal data is handled on tawmae.xyz
1. Controller
The controller responsible for processing personal data on this website is:
tawmae – Thomas Leleko
Spittaler Str. 1A
28359 Bremen
Germany
Email: support@tawmae.xyz
If you have questions about privacy or want to exercise your data protection rights, just contact me at that email address.
2. Hosting and server log files
This website is hosted by Hetzner Online GmbH in Germany.
When you visit the site, server log data may be processed automatically. This may include:
- IP address
- date and time of the request
- requested page or file
- browser type and version
- operating system
- referrer URL
- transferred data volume
This processing is necessary to ensure the stability, security, and proper operation of the website. The legal basis is Art. 6(1)(f) GDPR.
Log data is stored only as long as necessary for security and troubleshooting purposes and is then deleted or anonymised.
3. Accounts and sign-in providers
You can sign in on tawmae.xyz using providers such as Twitch or Google, depending on what is offered on the site.
3.1 Data received from sign-in providers
Depending on the provider and the permissions granted, I may receive data such as:
- user ID provided by Twitch or Google
- display name / account name
- profile image
- email address
Your actual login credentials, such as passwords or two-factor authentication codes, are never stored by this website. The login itself happens through the respective provider.
3.2 Purpose and legal basis
This data is processed to create and manage your account, let you sign in, assign purchases and entitlements to the correct account, and protect the site against misuse.
The legal basis is Art. 6(1)(b) GDPR where account use is necessary for the contract or for pre-contractual steps, and Art. 6(1)(f) GDPR for legitimate interests in secure and abuse-resistant platform operation.
3.3 Source of the data
The sign-in data comes directly from the provider you chose during authentication.
4. Orders, purchases, and entitlements
If you buy a product, I process the data needed to complete the order and provide the purchased digital content.
This may include:
- account identifier
- ordered product and product ID
- purchase date and time
- price, currency, and payment status
- internal transaction and entitlement data
- refund, chargeback, or dispute information
The legal basis is Art. 6(1)(b) GDPR for contract performance and Art. 6(1)(c) GDPR where tax or accounting retention obligations apply.
5. Payments
Payments may be processed by payment providers such as PayPal. During checkout, you may be redirected to the provider's website or interface.
I do not receive full payment credentials such as your full bank or card details. I typically receive only the information required to confirm and assign the payment, such as a transaction ID, payer status, and payment status.
The legal basis is Art. 6(1)(b) GDPR.
The payment provider processes your data under its own privacy policy.
6. Contact by email
If you contact me by email, I process your email address, your message, and any information you include so I can reply and handle your request.
The legal basis is Art. 6(1)(b) GDPR where the message relates to a contract or intended contract, and otherwise Art. 6(1)(f) GDPR for the legitimate interest in handling enquiries and support requests.
The data is stored only as long as necessary to process the request and to comply with legal retention obligations.
7. Cookies, local storage, and similar technologies
7.1 Technically necessary technologies
tawmae.xyz may use technically necessary cookies or similar storage technologies, such as local storage, for example to keep you signed in, store basic preferences, or protect the site against misuse.
The legal basis is Art. 6(1)(f) GDPR and, where applicable, § 25 Abs. 2 TDDDG.
7.2 Analytics and optional technologies
If analytics or other optional technologies are used that require consent, they will only be activated after you have given consent, where legally required.
The legal basis is then your consent under Art. 6(1)(a) GDPR and, where applicable, § 25 Abs. 1 TDDDG.
You can withdraw consent at any time with effect for the future.
8. Products that connect to external services
Many products offered on tawmae.xyz are meant to run locally in your own setup, for example inside Streamer.bot, OBS, or similar tools.
If those products connect to external services such as Twitch, Discord, YouTube, Spotify, or similar platforms, that connection usually happens directly between your local system and the relevant third-party service.
Unless explicitly stated otherwise for a specific product, your credentials for those third-party services and the content processed by them are not received by tawmae.xyz.
9. Twitch Extensions
tawmae offers Twitch Extensions that run inside the Twitch player or channel page. When you use one of those extensions as a viewer or as a broadcaster, additional data flows apply on top of the rest of this policy.
9.1 What the extension receives from Twitch
The Twitch Extension Helper provides the extension with technical context such as a channel ID, an opaque viewer ID, a signed Twitch JWT, and, where applicable, a Bits transaction receipt JWT. None of those fields contain your Twitch login or password.
Your real Twitch user ID is only made available to the extension if you actively confirm identity sharing via Twitch's Share Identity prompt (the requestIdShare flow). Until you confirm, the extension only sees the opaque ID issued by Twitch for that session.
9.2 Data sent to the tawmae relay
When you interact with a tawmae extension, the extension opens a WebSocket connection to a tawmae-operated relay server on tawmae.xyz. The relay receives only what is needed to route your interaction:
- the channel ID of the broadcaster
- your Twitch user ID, only if you have shared identity
- the panel or action ID you interact with
- any input value the broadcaster's panel asks you to type
- for Bits-paid interactions: the signed Bits transaction receipt JWT issued by Twitch
The relay verifies Bits receipts cryptographically against the extension's shared secret before forwarding the interaction. It does not receive your chat messages, email address, password, payment details, or any other Twitch account data.
9.3 Forwarding to the broadcaster's Streamer.bot
Tawmae extensions are designed so that broadcaster-defined panel buttons trigger actions inside the broadcaster's own Streamer.bot instance running on their PC. The relay forwards the routing data listed above to that broadcaster's Streamer.bot session over an authenticated WebSocket. The broadcaster controls what their Streamer.bot does with that data.
9.4 Bits-in-Extensions
Where an extension supports Bits, the actual Bits transaction takes place inside Twitch via the Twitch Extension Helper. tawmae does not see your Twitch wallet, payment method, or balance. tawmae only receives the signed receipt JWT, the SKU, and the Bits amount, which are used to verify the transaction and unlock the chosen panel action. Bits transactions are handled under Twitch's Terms of Sale and Bits Acceptable Use Policy; refund and chargeback handling for Bits is governed by Twitch.
9.5 Legal basis and storage
The legal basis for processing extension interaction data is Art. 6(1)(b) GDPR for the contract between the broadcaster and tawmae, and Art. 6(1)(f) GDPR for legitimate interests in operating, securing, and abuse-protecting the relay. Interaction data and Bits receipt metadata are kept only as long as needed to route the interaction, audit abuse, and meet legal retention obligations, then deleted or anonymised.
10. User-uploaded files
Signed-in users can upload files (images, audio, video) to a personal storage area on tawmae.xyz. The following information applies to that feature in addition to the rest of this policy.
10.1 What is stored
For each upload, the following data is stored on the tawmae.xyz server (Hetzner, Germany):
- the file content itself,
- for images, an automatically generated thumbnail and, where applicable, a re-encoded version of the original (this also strips embedded metadata such as EXIF, including any location data);
- the original filename and a sanitised copy used on disk,
- the detected MIME type, file size, and (for images and videos) dimensions,
- your account ID and the upload timestamp,
- a randomly generated, unguessable identifier (slug) used in the public URL,
- a short-term log of upload events (account ID and timestamp) used only to enforce rate limits.
Server access logs (IP address, timestamp, requested URL, etc.) are covered by the general hosting section above and apply equally to uploads and downloads.
10.2 Public access via link
Each file is reachable under a public URL of the form tawmae.xyz/files/... that includes the random slug. Anyone in possession of the URL can retrieve the file. The URL is not advertised in any public listing on tawmae.xyz.
10.3 Purpose and legal basis
The data is processed to provide the file hosting feature (Art. 6(1)(b) GDPR), to operate, secure, and protect the service against misuse such as malware uploads or quota abuse (Art. 6(1)(f) GDPR), and to comply with statutory obligations where applicable (Art. 6(1)(c) GDPR).
10.4 Storage period
Uploaded files and the associated metadata are stored until you delete the file from your account, until your account is deleted, or until I remove the file in line with the Terms of Service (for example because of a justified takedown notice). After deletion, files are removed from the live filesystem immediately; residual copies in operational backups are removed in the normal backup rotation.
The internal upload event log used for rate limiting is kept only for a short technical window (typically the rate-limit period of one hour) and is then deleted automatically.
10.5 Recipients
Files and metadata are not shared with third parties as part of the regular operation of this feature, beyond the hosting infrastructure described in this policy. Anyone who fetches the public URL receives the file via the same hosting infrastructure; the request itself appears in the standard server logs of the hosting provider.
10.6 Your responsibility for content
You decide what to upload and to whom you send the resulting URL. You are responsible for the personal data of third parties that may be contained in files you upload (for example faces in photographs or names in documents) and for having an appropriate legal basis to upload and share that data.
11. Recipients and processors
Personal data may be disclosed to service providers where this is necessary for hosting, authentication, email communication, payment processing, IT security, bookkeeping, or similar operational needs.
Where such providers act as processors, they are engaged under Art. 28 GDPR where required.
Data may also be disclosed where I am legally obliged to do so.
12. Third-country transfers
Some providers used for sign-in, payment, or infrastructure may be located outside the EU/EEA or may process data there.
If personal data is transferred to a third country, this is done only on the basis of an adequacy decision or other appropriate safeguards, such as Standard Contractual Clauses, where required.
13. Storage period
Personal data is stored only as long as necessary for the purposes described in this Privacy Policy or as long as statutory retention obligations require it.
Business and tax-related records may need to be stored for longer due to legal retention periods. After that, the data is deleted or anonymised, unless further storage is legally required.
14. Is providing data mandatory?
Some data is necessary if you want to create an account, place an order, receive digital content, or contact support about a purchase.
If you do not provide the required data, some services may not be available or the contract may not be performable.
15. Your rights
Under the GDPR, you have the following rights where the legal requirements are met:
- right of access (Art. 15 GDPR)
- right to rectification (Art. 16 GDPR)
- right to erasure (Art. 17 GDPR)
- right to restriction of processing (Art. 18 GDPR)
- right to data portability (Art. 20 GDPR)
- right to object (Art. 21 GDPR)
- right to withdraw consent at any time (Art. 7(3) GDPR)
You also have the right to lodge a complaint with a supervisory authority.
16. Changes to this Privacy Policy
I may update this Privacy Policy where necessary, for example if the website changes, new services are added, or legal requirements are updated.
The version published on this page is the current version.