← Back

Privacy Policy

Last updated: 2026-05-25

CRWDS is a campaign-management and delivery platform for brand advertising inside livestreams, operated by Hyped, Lda. This Privacy Policy explains what personal data we collect, why, how long we keep it, and the rights you have under the General Data Protection Regulation (GDPR).

Who we are

The data controller responsible for the personal data described in this policy is:

• Hyped, Lda
• NIPC 514727926
• Rua António Correia Calhatro, nº 11, 4700-126 Braga, Portugal
• Email: crwds@goinghyped.com

Data Protection Officer

Hyped, Lda has assessed Article 37(1) GDPR and concluded that appointment of a Data Protection Officer is not mandatory at current scale and processing model. Our core activities involve aggregation of publicly available streaming platform data (viewer counts, follower counts, stream metadata via Twitch/YouTube/TikTok public APIs) combined with minimal private data (operator emails, encrypted payout IBAN). We do not engage in large-scale systematic monitoring of data subjects or processing of special categories of personal data under Article 9. We will reassess this position annually or when material scale or processing-model changes occur.

Privacy enquiries: crwds@goinghyped.com.

What we collect

• Streamer identity — the OAuth-verified platform handle and immutable platform user id (Twitch, X, Instagram, TikTok, YouTube) you authorise CRWDS to link to your CRWDS account.
• Follower / subscriber counts — fetched from each linked platform's public API at link time and refreshed on a daily schedule.
• OAuth access and refresh tokens — encrypted at rest with platform-isolated symmetric keys. The plaintext exists only in CRWDS's process memory at request time and is never logged.
• Profile fields you provide voluntarily — legal name, phone number, tax identification number (NIF), residential address, postal code, and country of residence. The identity-document fields are encrypted at rest.
• Payout information — IBAN (encrypted at rest), account holder name and tax country.
• Campaign delivery data — overlay impressions, viewer-hour aggregates, and per-campaign statistics generated while a campaign is active on your stream.
• Operational metadata — login timestamps, session activity, and audit-trail rows for sensitive actions (e.g. IBAN changes).

Why we collect it

• Campaign delivery — rendering brand overlays on your stream and tracking the resulting impressions.
• Analytics — surfacing per-campaign performance to both the streamer and the brand customer.
• Payouts — manual SEPA payouts to the IBAN you provide on a monthly reconciliation cycle.
• Identity verification — confirming that the streamer linking each platform account owns the underlying handle.
• Tax and accounting compliance — under Portuguese commercial law (see retention below).

Third-party services

CRWDS uses the following platform APIs and complies with each platform's developer terms:

• YouTube — CRWDS's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. The youtube.readonly scope is used solely to verify the streamer's channel identity and to read public subscriber counts.
• Instagram — CRWDS adheres to the Meta Platform Terms and the Instagram Platform Policy. The instagram_business_basic scope is used solely for identity verification and reading the public follower count.
• TikTok — CRWDS adheres to the TikTok Developer Terms of Service. The user.info.basic, user.info.profile and user.info.stats scopes are used for identity verification and reading public follower counts. We store only the streamer's handle, opaque platform user id, and follower count. The API request queries additional public fields (following count, likes count, video count) which are not retained — only the follower count is stored as the REACH metric.
• X (Twitter) — the streamer manually enters their @handle and follower count via the streamer portal. CRWDS does not access the X API, does not request OAuth, and does not store any tokens. Only the manually-entered handle and self-reported follower count are stored.
• Twitch — CRWDS adheres to the Twitch Developer Services Agreement. The user:read:email scope is used for streamer-portal login and identity verification; the moderator:read:followers scope is used solely to read the total follower count for the REACH metric. No individual follower data is fetched or stored — only the aggregate count.

CRWDS does not post, message, follow, or take any action on the streamer's behalf on any of these platforms. The OAuth scopes above are read-only.

Your GDPR rights

You can exercise the following rights at any time by emailing crwds@goinghyped.com:

• Access — receive a copy of the personal data CRWDS holds about you.
• Rectification — correct any inaccurate or outdated personal data.
• Deletion — request deletion of your account and personal data. See the Data Deletion page for the process and timelines.
• Portability — receive your personal data in a structured, machine-readable format.
• Restriction and objection — restrict or object to specific processing activities.
• Withdrawal of consent — disconnect any linked OAuth account at any time from the streamer portal; doing so revokes the stored tokens.
• Complaint — lodge a complaint with the Portuguese data-protection authority (CNPD) or the supervisory authority in your country of residence.

Retention

Personal data is retained for as long as your CRWDS account is active. After account deletion or termination:

• Account-linked PII (profile fields, OAuth tokens, social-link records) is deleted within 30 days.
• Campaign performance data and payout records (including IBAN) are retained for 10 years from the end of the relevant fiscal year, in alignment with Portuguese commercial law (Código Comercial Art.40 + RGCT) and tax record-keeping obligations.
• Internal audit-trail entries (e.g. IBAN changes, OAuth-token rotation) are retained for 5 years in non-identifying form.
• Error-tracking provider and log-aggregation provider records are retained for 90 days by default.
• Anonymised aggregate statistics (no PII) may be retained indefinitely for operational reporting.

Security

Sensitive fields (IBAN, OAuth access and refresh tokens, tax identification number, residential address lines) are encrypted at rest by our database provider with symmetric keys. Plaintext values exist only in CRWDS's process memory at request time and are never written to records hosted at our error-tracking provider or log-aggregation provider. Access to production data is restricted to the operator and audited.

Children

The CRWDS service is not directed to children under 16 years of age (GDPR Article 8 default). We do not knowingly collect personal data from children under this age. If we become aware that we have collected personal data from a child under 16 without verifiable parental or guardian consent, we will terminate the account and delete the data.

Changes to this Policy

We may update this Privacy Policy from time to time. Legally significant changes are communicated by email to affected data subjects. The effective date at the top of this page reflects the current revision.

Annex A — Sub-processors

The following sub-processors process personal data on behalf of Hyped, Lda under written contracts complying with GDPR Article 28. Cross-border transfers are governed by Standard Contractual Clauses (SCCs, EU 2021/914) where applicable.

• Neon — database (EU where available; SCCs apply where applicable).
• Vercel — hosting for admin and brand portals (EU where available; SCCs apply where applicable).
• Cloudflare R2 — object storage (EU where available; SCCs apply where applicable).
• Better Stack — log aggregation (EU, eu-fsn-3).
• Google — OAuth identity provider (global; SCCs apply).
• Microsoft Entra ID — OAuth identity provider (global; SCCs apply).
• Twitch — public-API metadata source and streamer-portal sign-in (global; public-API consumer).
• YouTube — public-API metadata source (global; public-API consumer).
• TikTok — public-API metadata source (global; public-API consumer).
• X (Twitter) — public-API metadata source (global; public-API consumer).
• Instagram (Meta) — public-API metadata source (global; public-API consumer).

Contact

Questions about this policy or about how CRWDS handles your data: crwds@goinghyped.com.