Privacy Policy
1. Introduction
At Riot+, we are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, and safeguard your data when you use our premium streaming platform services. We comply with applicable data‑protection laws including the General Data Protection Regulation (GDPR) for users in the European Union and similar privacy laws worldwide.
2. Data Controller
Riot+ acts as the Data Controller for the personal information we collect and process. This means we determine the purposes and means of processing your personal data.
3. Information We Collect
We collect information you provide directly to us during account registration and service usage:
- Email address – Required for account login and communications
- Device information – Device type, browser, operating system for service optimisation
- Usage data – Content accessed, viewing preferences, platform interaction data
- Support communications – Messages sent through our support channels
4. Data Processing by Third Parties
In accordance with GDPR Article 28, we have Data Processing Agreements (DPAs) in place with all third-party processors listed below. These agreements establish the rights and obligations of each party concerning the processing of personal data.
We utilise bunny.net as our data processor for content delivery and infrastructure services. Bunny.net processes certain data on our behalf, including:
- IP addresses – Anonymised (last octet removed) for load balancing and DDoS protection
- Network traffic data – For content delivery optimisation
- Geographic data – For EU‑only server routing (all traffic routed through EU data centres)
Bunny.net does not have access to your content, viewing history, or account details. For bunny.net’s privacy practices, see bunny.net Privacy Policy and bunny.net GDPR Compliance.
Stripe – Payment Processing
We use Stripe to handle all invoicing and subscription payments. When you submit a payment, the following information is **sent to Stripe**:
- Name – as entered on the payment form
- Email address – used for receipts and communication
- Billing address – if you provide one (street, city, country)
- Payment token – a secure, PCI‑DSS‑compliant token generated by Stripe that represents your card details
Stripe stores the actual card data (card number, expiration date, CVC, card‑holder name, etc.) and additional metadata such as a payment‑method ID, card fingerprint, and 3‑D Secure status. **We never store raw card numbers, CVC codes, or any other sensitive payment details on our servers.**
Stripe processes this information solely for the purpose of completing the transaction, fraud detection, and regulatory compliance. Stripe’s own privacy practices can be reviewed at https://stripe.com/privacy.
After a transaction is completed, the Stripe token we receive is **immediately deleted** from our logs and databases. We retain only the non‑financial data you voluntarily provide (name, email, optional address) for account and invoicing purposes.
Invoice Ninja (self‑hosted) – Invoicing Platform
We run a self‑hosted installation of Invoice Ninja to generate and deliver invoices. Because the software runs on our own servers, we have full control over the data it stores.
The only information that Invoice Ninja retains from each invoice is the data you voluntarily provide:
- Name
- Email address
- Billing address (if you enter one)
- Invoice details – description of goods/services, amount, invoice date, and payment status
We never store raw payment‑card information (card number, CVC, expiration date, card‑holder name, etc.) in our Invoice Ninja database. When you pay an invoice, the payment data is sent directly to our payment processor (e.g., Stripe) via a secure, PCI‑DSS‑compliant integration. Invoice Ninja receives only a confirmation that the invoice was paid; it does not see the card details.
Because the instance is self‑hosted, you can review the exact data model and source code yourself. The public repository and its documentation describe the tables that hold invoice data and confirm that no credit‑card fields exist in the default schema.
For further technical details, see the Invoice Ninja open‑source project: GitHub – Invoice Ninja README.
5. Legal Basis for Processing
We process your personal data based on the following legal grounds:
- Contract – Processing necessary to provide our streaming services to you
- Legitimate interest – Improving our services and ensuring platform security
- Consent – For optional communications and features
6. Special Categories of Data
We do not collect or process any special categories of personal data (health, racial/ethnic origin, political opinions, religious beliefs, etc.).
7. Cookies and Tracking Technologies
Our platform uses essential cookies provided by Jellyfin media server for:
- Session management and authentication
- Content delivery optimisation
- Platform functionality and user preferences
These cookies are necessary for the platform to function and cannot be disabled without affecting core functionality. We do not use analytics, marketing, or tracking cookies.
8. Information Sharing and Third Parties
We do not sell, trade, or share your personal information with third parties except:
- bunny.net – Data processor for content delivery infrastructure
- Stripe – Payment processor for invoicing and subscription billing; stores card details and related metadata on its own systems
- Invoice Ninja (self‑hosted) – Stores only invoice‑related contact data (name, email, optional address) and payment status. No credit‑card information is retained.
- Legal requirements – When required by law or to protect our legal rights
- Service providers – Only with your explicit consent
9. Data Security
We implement robust security measures including:
- Server disk encryption – All data stored on encrypted drives
- TLS encryption – All communications protected with HTTPS/TLS 1.3
- Access controls – Strict internal access policies
- Regular security audits – Ongoing monitoring and updates
10. Data Retention
We retain your personal data only as long as necessary:
- Account data – Retained while your account is active
- Usage data – Retained for service improvement (maximum 2 years)
- Support communications – Retained for 3 years for quality assurance
Data is manually deleted when you notify us that you’d like to close your account or after the retention period expires.
11. Your Rights (GDPR Compliance)
As a data subject, you have the following rights:
- Right of Access – Request information about data we hold about you
- Right to Rectification – Correct inaccurate personal data
- Right to Erasure – Request deletion of your personal data
- Right to Restriction – Limit how we process your data
- Right to Data Portability – Receive your data in a structured format
- Right to Object – Object to certain data‑processing activities
- Right to Lodge a Complaint – You have the right to lodge a complaint with your relevant data protection authority. In the UK, this is the Information Commissioner's Office (ICO) at ico.org.uk. EU users may contact their national Data Protection Authority.
12. Exercising Your Rights
To exercise any of your rights, please contact us via our Data Protection Officer email (see section 17 below). We will respond to your request within 30 days as required by GDPR.
13. Data Breach Response
In the event of a data breach affecting your personal information, we will:
- Notify you without undue delay and in any case within 72 hours of becoming aware of the breach
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach
- Take immediate steps to mitigate the breach and prevent recurrence
14. International Data Transfers
All user data is processed exclusively within the European Union. We do not transfer personal data outside the EU/EEA. Users from outside the EU are automatically routed through our EU infrastructure, ensuring all data remains within EU borders.
15. Children and Minors
Our services are intended for users aged 13 and above. We do not knowingly collect personal information from children under 13. If we become aware of such collection, we will delete the information immediately.
16. Changes to This Policy
We review and update this Privacy Policy monthly. Material changes will be communicated to users at least 30 days before taking effect. Users will be notified via email and platform announcements.
17. Contact Information
Data Protection Officer
Email: Loading email…
General Support: Loading email…
18. Compliance
Riot+ complies with:
- GDPR (General Data Protection Regulation) – EU Regulation 2016/679
- ePrivacy Directive – EU Directive 2002/58/EC
- UK GDPR – UK data‑protection law post‑Brexit
- CCPA – California Consumer Privacy Act (for California users)
Effective Date: 15 February 2026
This Privacy Policy is effective as of the date above and will remain in effect except with respect to any changes in its provisions.