Privacy Policy and Data Protection

1. DATA CONTROLLER

In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR) and Organic Law 3/2018 of 5 December on Personal Data Protection and guarantee of digital rights (LOPDGDD), the controller is:

• Controller: Francesc Murcia Mila • Tax ID (NIF): 77835505D • Address: Carrer Àngel Guimerà 22, 43480 Vila-seca (Tarragona), Spain • Email: info@stream-pro.app

2. PERSONAL DATA WE PROCESS

The Owner processes only the minimum data necessary to provide the contracted service:

• Identification data: email address, used as account identifier and for service communications. • Technical data: IP address (used solely for fraud prevention, security, and compliance with legal obligations) and device type and operating system. • User configuration data (Cloud Sync): M3U/M3U8/Xtream playlist URLs provided by the User and application configuration preferences. This data is stored encrypted and has the sole technical purpose of enabling synchronisation between the User's own devices. • Payment data: managed entirely by Stripe, Inc. The Owner does not access or store credit or debit card data on its own systems.

3. PURPOSE AND LAWFUL BASIS OF PROCESSING

Personal data are processed for the following purposes:

• Registration and account access management: lawful basis, performance of the service contract (Art. 6(1)(b) GDPR). • Provision of cloud sync (Cloud Sync): lawful basis, performance of the contract (Art. 6(1)(b) GDPR). • Payment processing and subscription management: lawful basis, performance of the contract (Art. 6(1)(b) GDPR). • Fraud prevention and platform security: lawful basis, legitimate interest of the Owner (Art. 6(1)(f) GDPR). • Compliance with legal obligations (tax, accounting, etc.): lawful basis, legal obligation (Art. 6(1)(c) GDPR). • Service communications (changes, updates, incidents): lawful basis, legitimate interest (Art. 6(1)(f) GDPR). The User may object at any time.

4. SPECIAL PROCESSING: PLAYLIST URLs (CLOUD SYNC)

Playlist URLs added by the User are stored with the following technical and organisational safeguards:

• Encryption at rest: URLs are stored encrypted in the Supabase database (playlists.url_encrypted). • Access restricted by design: the system implements Row Level Security (RLS) policies ensuring each User can only access their own data. Administrative technical access, when strictly necessary for maintenance, requires higher-level credentials and is logged in system logs. • No content analysis: the Owner does not access, view, analyse, index, or commercialise URLs or list content from any User. • Temporary access via signed URLs: configuration JSON stored in the private Supabase Storage bucket is accessible only via signed URLs with a maximum expiry of 1 hour, after which the link expires automatically. • Direct data flow: audio and video streams are transmitted directly from the origin server to the User's device, without intermediation by the Owner's servers.

This architecture is equivalent to an encrypted personal configuration storage service, similar to settings sync in iCloud Drive or Google Drive. The Owner acts as technical custodian of the User's configuration, not as a content intermediary.

5. DATA RETENTION

Personal data will be retained while the User's account remains active. Once the User requests account closure and deletion, all associated data — including synchronised URLs and configuration preferences — will be permanently and irreversibly deleted from the Owner's systems and technology providers within a maximum of 72 hours of receiving the request.

Tax and accounting data linked to transactions may be retained for the legally required period (currently 5 years under Spanish tax law), even after account deletion.

6. DISCLOSURE OF DATA TO THIRD PARTIES

The Owner does not sell, rent, or transfer personal data to third parties for commercial purposes. Data are only shared with the following technology providers, who act as processors and offer sufficient guarantees of GDPR compliance:

• Supabase, Inc.: database and cloud storage infrastructure. Data processed: account configuration, encrypted URLs, preferences. Compliance: GDPR, standard contractual clauses. • Stripe, Inc.: secure payment processing. Data processed: billing and payment data. Compliance: GDPR, PCI DSS, standard contractual clauses.

The Owner may disclose personal data when required by law or by a competent authority, in which case it will limit disclosure to strictly necessary information and, where legally possible, will notify the User of such circumstances.

7. INTERNATIONAL DATA TRANSFERS

Supabase and Stripe are companies based in the United States. Transfers of data to these providers are made on the basis of standard contractual clauses approved by the European Commission, which provide adequate safeguards under Article 46 GDPR.

8. USER RIGHTS (ARCO+)

In accordance with the GDPR and LOPDGDD, the User may exercise the following rights regarding their personal data at any time:

• Right of access: obtain confirmation as to whether data concerning them are processed and access such data. • Right to rectification: request correction of inaccurate or incomplete data. • Right to erasure ("right to be forgotten"): request deletion of data when no longer necessary for the purposes for which they were collected. • Right to restriction of processing: request suspension of processing in certain cases provided for in the GDPR. • Right to data portability: receive data in a structured, commonly used, machine-readable format and transmit them to another controller. • Right to object: object to processing on grounds relating to their particular situation, or unconditionally where processing is for direct marketing purposes. • Rights related to automated decisions: not to be subject to decisions based solely on automated processing that produce significant legal effects.

To exercise any of these rights, the User must send a written request to info@stream-pro.app, accompanied by a copy of their identity document or passport. The Owner will respond within one month of receipt, extendable by two further months in cases of particular complexity.

If the User considers that processing does not comply with applicable law, they have the right to lodge a complaint with the Spanish Data Protection Agency (www.aepd.es).

9. SECURITY MEASURES

The Owner has adopted appropriate technical and organisational measures to ensure the security and integrity of personal data, including: encryption at rest and in transit (TLS/HTTPS), row-level access control policies (RLS), administrative access audit logs, and periodic review of implemented security measures.

10. COOKIES

The website may use technical cookies strictly necessary for the operation of the service (session management, authentication). Tracking or third-party analytics cookies are not used without the User's prior consent.

The User may configure their browser to reject or delete cookies, although this may affect correct operation of the platform.

11. UPDATES TO THIS POLICY

The Owner reserves the right to update this Privacy Policy to reflect legislative, case-law, or product changes. Material changes will be communicated to the User by email or via notice on the platform with sufficient advance notice.