
Privacy Policy

Last updated: 5 June 2026 · Effective immediately

Your privacy matters to us. This policy explains what personal data Vivimate collects, how we use it, and what rights you have, written in plain English, not legalese.

1. Who We Are and What This Policy Covers

Vivimate ("Vivimate", "we", "us", or "our") is operated by Vivimate OÜ, a company registered in Estonia under company number 16289437, with its registered office at Lõõtsa tn 8, 11415 Tallinn, Estonia.

We are the data controller responsible for the personal data we collect about you. This Privacy Policy explains what we collect, why we collect it, how long we keep it, who we share it with, and what rights you have over it.

This policy applies to personal data we collect through:

  • Our website at vivimate.io
  • Our customer dashboard at panel.vivimate.io
  • Email, phone, or chat correspondence with our support team
  • Any other channel through which we interact with you

If you have any questions, contact our data protection contact at [email protected] or by phone on +1 (939) 699-3536.

2. The Personal Data We Collect

We collect the minimum amount of data needed to operate the service. The categories are:

Account and identity data

Your full name, email address, country of residence, the username and password you set, and any optional information you add to your profile.

Subscription and payment data

The plan you bought, the dates the subscription starts and ends, the payment method used (card brand, last four digits, expiry month), invoice details, and any refund records. We never see or store your full card number. All card data is captured and tokenised by our PCI-DSS-compliant payment processors (Stripe and PayPal).

Service and usage data

The IP address you connect from, your device type and operating system, the IPTV player application you use, the channel and VOD activity needed to deliver streams to your device, EPG synchronisation events, and a record of which streams are active under your account at any given time.

Communication data

The content and timestamps of any support tickets, emails, WhatsApp messages, Telegram messages, or live-chat conversations you have with us, plus any phone-call notes our agents record.

Technical and security data

Server access logs, authentication events, error reports, and diagnostic traces we generate to keep the platform secure and healthy.

We do not collect special-category data (race, religion, health, political opinions, sexual orientation) and we ask that you do not send us any.

3. How We Use Your Data

We process your personal data only for clearly defined purposes:

  • To deliver the service: provisioning your subscription, sending your Xtream Codes credentials, authenticating you to our servers, and routing your stream requests to the right edge location
  • To manage your account: letting you log in, change your plan, view invoices, and update your details
  • To process payments: completing transactions, reconciling chargebacks, issuing refunds, and meeting our tax and accounting obligations
  • To provide support: answering your questions, fixing issues you report, and following up afterwards
  • To keep the platform safe: detecting and blocking fraud, abuse, account takeover, credential sharing, and brute-force attacks
  • To improve the service: identifying performance bottlenecks, prioritising bug fixes, and informing product decisions through anonymised, aggregated usage analysis
  • To comply with the law: responding to lawful requests from regulators, courts, and law enforcement
  • To send service notices: letting you know about renewals, security incidents, downtime, or important changes to these policies
  • To send marketing material: strictly when you have opted in for it explicitly, with an opt-out option always available

We never sell, rent, swap or trade your personal data, and we never share it onward with ad networks or data brokers.

4. Legal Bases for Processing (GDPR / UK GDPR)

If you are in the European Economic Area, United Kingdom, or Switzerland, we rely on the following Article 6 GDPR lawful bases:

  • Performance of a contract, where processing is necessary to deliver the subscription you bought
  • Legitimate interests, where processing is needed to protect the platform, prevent fraud, improve the product, and run our business, and where your fundamental rights do not override those interests
  • Legal obligation, where we are required by tax, accounting, anti-money-laundering, or other laws to keep certain records
  • Consent, where you have explicitly opted in, for example to marketing emails and non-essential cookies. You can withdraw that consent at any time, without affecting the lawful basis for any processing already completed

For special situations (responding to a regulatory request, defending a legal claim, protecting someone's vital interests), we may rely on the additional bases in GDPR Article 9.

5. Who We Share Your Data With

We share data only with carefully chosen processors who help us deliver the service. Every recipient is bound by a written data processing agreement that limits them to acting on our instructions.

Payment processors: Stripe Payments Europe Ltd and PayPal (Europe) S.à r.l. process card and PayPal payments under their own published privacy policies.

Email and messaging: transactional email providers send your welcome email, password resets, invoices, and support replies.

Hosting and CDN: cloud infrastructure providers operate our servers and edge network.

Customer support tools: live-chat, helpdesk, and ticketing platforms that store your support conversations.

Identity verification and fraud-prevention vendors: where required to confirm a refund request or investigate suspected fraud.

Professional advisors: our accountants, auditors, and lawyers, where they need limited access for a specific engagement.

Public authorities: courts, regulators, and law enforcement, but only where we are legally compelled, and we always evaluate whether the request is lawful and proportionate before responding.

Where any of those recipients is located outside the EEA, we put in place the European Commission-approved Standard Contractual Clauses, together with any supplementary safeguards the Schrems II decision calls for.

6. How Long We Keep Your Data

We keep your data only as long as we have a clear reason to. The schedule below is our default; we may keep data longer if we are required to by law or if we need to defend a legal claim.

  • Active account information: for the life of the subscription, plus 90 days after expiry so you can reactivate without re-entering details
  • Closed account information: anonymised or deleted within 90 days of account closure, except where retention is required for the items below
  • Invoices and payment records: 7 years from the date of the transaction, to satisfy Estonian and EU accounting law
  • Anti-money-laundering and fraud records: 5 years from the date of the event
  • Support tickets and email correspondence: 2 years from the date of the last message
  • Server access logs: 90 days
  • Marketing-consent records: until you withdraw consent, then 1 year more to evidence the prior consent
  • CCTV: not applicable, as we operate no physical premises open to the public

You can ask us to delete data earlier than the schedule above by emailing [email protected]. We will comply unless one of the legal retention rules above applies, in which case we will tell you which rule and how long the data is locked for.

7. Your Rights

Under the GDPR, UK GDPR, and most equivalent regimes, you have the following rights:

  • Access: ask for a copy of the personal data we hold about you
  • Rectification: ask us to correct inaccurate or incomplete data
  • Erasure: ask us to delete your data ("the right to be forgotten")
  • Restriction: ask us to pause processing while we investigate a complaint or correction
  • Portability: ask for your data in a structured, machine-readable format that you can give to another provider
  • Objection: object to processing based on legitimate interests, including direct marketing (we will stop direct marketing immediately on request)
  • Withdraw consent: at any time, for any processing based on consent
  • Lodge a complaint: with the data-protection authority in your country of residence, or with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon), which is our lead supervisory authority

To exercise any right, email [email protected] or call +1 (939) 699-3536. We respond within 30 calendar days, free of charge. If your request is manifestly unfounded or excessive we may charge a reasonable fee or refuse the request, and we will explain why.

If you are a resident of California, you have additional rights under the CCPA/CPRA including the right to know what we collect, the right to delete, the right to correct, and the right to opt out of "sharing" (we do not "sell" personal data as that term is defined in California law).

8. Cookies and Similar Technologies

We use cookies and similar technologies on vivimate.io and panel.vivimate.io. Full details, including the categories of cookies we set and how to control them, are in our Cookie Policy at vivimate.io/cookies.

In short: strictly necessary cookies are set without consent (without them the site cannot function), and analytics or marketing cookies are only set after you have given explicit, granular consent through the cookie banner.

9. International Data Transfers

Vivimate serves customers in over 150 countries. To deliver streams quickly, our infrastructure is distributed across multiple regions, including locations outside the EEA. Where we transfer your personal data outside the EEA or UK, we use one of the following safeguards:

  • An adequacy decision by the European Commission or the UK Information Commissioner
  • The latest version of the EU Standard Contractual Clauses, plus any supplementary measures (encryption in transit and at rest, access controls, transparency reports) required by the Schrems II ruling
  • Your explicit consent, in the rare cases where neither of the above applies

You can ask us for a copy of the safeguard relied on for any specific transfer by emailing [email protected].

10. How We Protect Your Data

We use a layered set of technical and organisational measures to keep your data secure:

  • TLS 1.3 protecting every byte travelling between your device and our origin infrastructure
  • AES-256 encryption at rest for sensitive fields in our databases (passwords are stored as bcrypt hashes, never in clear text)
  • Role-based access control with the principle of least privilege, plus mandatory multi-factor authentication for every staff account
  • A formal incident response plan that requires us to notify supervisory authorities within 72 hours of a confirmed personal data breach, and to notify affected customers without undue delay where the breach is likely to result in a high risk to their rights
  • Annual third-party penetration testing and continuous automated vulnerability scanning
  • Background checks and confidentiality agreements for all staff and contractors with data access

No transmission over the internet is ever 100% secure. We do everything reasonable to protect your data, but we cannot give an absolute guarantee.

11. Children's Privacy

Vivimate is not directed at children under the age of 16 and is not designed for them. We do not knowingly collect personal data from anyone under 16. If you are a parent or guardian and believe your child has given us data, contact [email protected] and we will delete it promptly.

For US users: we comply with the Children's Online Privacy Protection Act (COPPA). We do not knowingly collect personal data from children under 13 without verifiable parental consent.

12. Automated Decision-Making

We use automated systems to detect fraud, payment risk, and abuse (for example, the same credentials being used from many countries simultaneously within a short window). These systems may temporarily suspend a stream or flag an account for human review.

You always have the right to ask a human to review any automated decision that has a legal or similarly significant effect on you. Contact [email protected] to request a review.

13. Changes to This Policy

From time to time we revise this policy to track changes in how we operate, what we ship, the tools we run on, or the law that governs us. Whenever that happens we will:

  • Refresh the "Last updated" timestamp shown at the head of this page
  • For substantive changes, notify the email address tied to your account at least fourteen days ahead of the change taking effect
  • Hold every prior version of the policy on record, available on request

If a change does not sit right with you, you can close the account and ask for deletion under section 7 before the change becomes operative.

14. How to Contact Us

For any privacy-related question, complaint, or rights request:

Email: [email protected]
Phone: +1 (939) 699-3536
Postal address: Vivimate OÜ, Lõõtsa tn 8, 11415 Tallinn, Estonia

We aim to respond to every privacy enquiry within 30 calendar days. If you believe we have handled your data unlawfully you also have the right to complain directly to your local data protection authority, or to the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) which acts as our lead supervisory authority.

Vivimate Privacy Policy · GDPR, UK GDPR, CCPA