Privacy Policy
Last updated: 4 July 2026
This Privacy Policy explains how bySurf Studios (“we”, “us”, “our”) processes personal data when you use bySurf TV (the “Service”), including our website, streaming platform, account area, and related features.
1. Controller
bySurf Studios
Jubaydur Rahman
Kolonnenstr. 8, 10827 Berlin, Germany
Email: contact@bysurf.studio
Details about our business are available in our Imprint.
2. Scope
This policy applies to personal data processed through bySurf TV and related account, billing, and community features operated by us. It does not apply to third-party websites or services we link to (for example YouTube, Discord, or social media platforms), which have their own privacy policies.
3. Who may use the Service
bySurf TV is intended only for persons who are at least 18 years old. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us with personal data, please contact us and we will delete it.
4. Personal data we process
Depending on how you use the Service, we may process the following categories of data:
- Account data: email address, display name, password (stored in hashed form by our authentication provider), profile avatar (if uploaded), account role and membership status, and whether optional two-factor authentication is enabled on your account.
- Two-factor authentication (2FA) data: if you enable 2FA, our authentication provider stores the enrollment data needed to verify your account (for example a TOTP secret linked to your account). One-time codes from your authenticator app are used only to verify a login or sensitive action and are not stored by us. We do not receive, store, or have access to the codes generated by your app after verification.
- Usage data: watch progress, playlists or history where enabled, likes/dislikes on videos, comments and replies, and moderation records relating to your account.
- Billing data: subscription status, Stripe customer and subscription identifiers, billing period dates, and cancellation status. Payment card details are processed directly by Stripe; we do not store full card numbers.
- Technical data: IP address, browser/device information, approximate country derived from IP or network headers (used for currency display estimates), session tokens, and server logs needed to operate and secure the Service.
- Communications: messages you send to us for support (for example by email or Discord), and account-related emails we send at your request or to help you recover access (for example password reset or signup confirmation messages).
5. Purposes and legal bases (GDPR)
We process personal data for the following purposes:
- Providing the Service (Art. 6(1)(b) GDPR): creating and managing your account, authenticating you (including optional two-factor authentication), delivering video content, saving watch progress, enabling comments, and operating membership features.
- Payments and subscriptions (Art. 6(1)(b) GDPR): processing Producer membership through Stripe, managing renewals, cancellations, and billing support.
- Security and abuse prevention (Art. 6(1)(f) GDPR): protecting accounts, detecting fraud or misuse, enforcing our Terms, maintaining platform integrity, and providing account recovery support where appropriate.
- Legal compliance (Art. 6(1)(c) GDPR): fulfilling tax, accounting, and other legal obligations where applicable.
- Improving the Service (Art. 6(1)(f) GDPR): troubleshooting, analytics in aggregated or pseudonymized form, and improving reliability and performance.
Where we rely on legitimate interests, we balance those interests against your rights. You may object to processing based on legitimate interests as described in Section 10.
6. Cookies and local storage
We use cookies, local storage, or similar technologies where necessary to:
- keep you signed in to your account;
- remember preferences and session state;
- protect the Service against unauthorized access.
Third-party providers embedded in the Service (for example Stripe Checkout or the video player) may set their own cookies. Please refer to their privacy policies for details.
7. Recipients and processors
We use trusted service providers to operate bySurf TV. They process data on our behalf only as needed to provide their services:
- Supabase — authentication, database, and backend infrastructure.
- Stripe — payment processing and subscription management.
- Mux — video hosting, encoding, and streaming delivery.
- Cloudflare R2 — storage and delivery of images and other media assets.
- IP geolocation and exchange-rate services — approximate country detection and localized price estimates (for example ipwho.is, ipapi.co, and open.er-api.com).
- Font and CDN providers — delivery of fonts and JavaScript libraries (for example Google Fonts and jsDelivr).
We may disclose data if required by law, court order, or to protect the rights, safety, and security of users, ourselves, or others.
8. International transfers
Some of our processors are located outside the European Economic Area (EEA), including in the United States. Where data is transferred outside the EEA, we rely on appropriate safeguards such as Standard Contractual Clauses or equivalent mechanisms offered by our providers, unless an adequacy decision applies.
9. Retention
We retain personal data only as long as necessary for the purposes described above:
- Account data is kept while your account exists and for a reasonable period afterward for legal, tax, or dispute-resolution purposes.
- Billing records may be retained as required by German commercial and tax law.
- Comments and community content may remain visible until deleted by you or us, or until your account is deleted, subject to moderation and backup retention limits.
- Server logs are retained for a limited period necessary for security and troubleshooting.
10. Your rights
If you are in the EEA or another jurisdiction with similar rights, you may have the right to:
- access your personal data;
- request correction of inaccurate data;
- request deletion (“right to be forgotten”) where applicable;
- request restriction of processing;
- object to processing based on legitimate interests;
- data portability, where applicable;
- withdraw consent at any time, where processing is based on consent (without affecting prior lawful processing);
- lodge a complaint with a supervisory authority. In Germany, you may contact the authority responsible for your place of residence or work.
To exercise your rights, email contact@bysurf.studio. We may need to verify your identity before responding.
11. Comments and public profile information
If you post comments, your display name and avatar (if set) may be visible to other users. Do not post personal information you do not want to be public. We may remove comments that violate our Terms or applicable law.
12. Security
We implement appropriate technical and organizational measures to protect personal data. No method of transmission or storage is completely secure; we cannot guarantee absolute security.
You may optionally enable two-factor authentication (2FA) in your account settings. 2FA uses a time-based one-time password (TOTP) compatible with authenticator apps such as Google Authenticator, Microsoft Authenticator, Authy, 1Password, or any other app that supports the same standard setup flow we provide. You choose and manage the app on your own device; we do not operate or control that third-party app, and its use is subject to that app’s own terms and privacy policy.
When 2FA is enabled, you will be asked for a code from your authenticator app when signing in and for certain sensitive account actions. Authorized administrators may see whether 2FA is enabled on your account (for example when handling a support request). They cannot view your one-time codes, your authenticator app, or the secret stored for your enrollment.
If you contact us because you cannot access your account, we may assist after verifying your identity. Authorized administrators can trigger a password reset email to your registered email address, resend a signup confirmation email where applicable, or disable 2FA on your account if you have lost access to your authenticator app. We do not know or store your password in plain text and cannot tell you what it is; password changes are completed by you through the secure reset flow we send to your email. We may refuse or limit account recovery if we cannot reasonably verify that you are the account holder.
13. Changes to this policy
We may update this Privacy Policy from time to time. The “Last updated” date at the top will reflect the latest version. Material changes may also be communicated through the Service where appropriate.
14. Contact
bySurf Studios
Email: contact@bysurf.studio
Imprint: imprint.html