Privacy Policy
Last updated: March 2026
YaaliStream ("we", "us", "our") is operated by YaaliStream Technologies. This Privacy Policy describes how we collect, use, store, share, and protect your personal information when you use the YaaliStream platform ("Service"), including our website at yaalimail.com, dashboard, APIs, and related services.
By creating an account or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please do not use the Service.
1. Information We Collect
1.1 Information You Provide Directly
- Account Registration: Full name, email address, password, organization name, and organization slug when you create an account.
- Billing Information: Payment method details (credit/debit card, UPI, net banking) processed through Razorpay. We do not store your full card numbers — Razorpay handles this as a PCI-DSS compliant payment processor.
- Support Communications: Any information you provide when contacting us via email, contact forms, or support channels.
- Viewer Accounts: When you create viewer accounts for your end-users, we store their name, email address, and hashed password.
- API Keys: When you create API keys, we store the key name, permissions, and a SHA-256 hash of the key value. We do not store plaintext API keys after initial generation.
1.2 Information Collected Automatically
- Usage Metrics: Storage usage (bytes), bandwidth consumption (bytes), video count, asset count, viewer count, API call counts, and public request counts. These are recorded per billing period (monthly) to enforce plan limits.
- Content Metadata: File names, file sizes, MIME types, upload timestamps, video duration, encoding status, and unique slugs assigned to your media. We do not access, view, analyze, or process the actual content of your files.
- Log Data: IP addresses, browser user-agent strings, request URLs, HTTP methods, response status codes, and timestamps. These are collected for security monitoring, abuse detection, and debugging.
- Session Data: Authentication tokens (JWT) stored as HTTP-only secure cookies to maintain your login session.
- Audit Logs: Actions performed on the platform (uploads, deletions, access grants, settings changes, API key creation) with timestamps, user identity, and IP address. These are stored for security and compliance purposes.
1.3 Information from Third Parties
- Razorpay: Subscription status, payment success/failure events, and subscription IDs via webhooks.
- Bunny.net: Video encoding status, video duration, and storage metrics via webhooks and API.
2. How We Use Your Information
- Service Delivery: To host, transcode, cache, and deliver your media content to authorized viewers through our CDN infrastructure.
- Account Management: To create and manage your account, organizations, team memberships, and viewer accounts.
- Billing & Payments: To process subscription payments, generate invoices, and manage plan upgrades/downgrades through Razorpay.
- Plan Enforcement: To monitor and enforce plan limits including storage quotas, bandwidth caps, viewer counts, asset limits, and API key limits.
- Security & Protection: To detect and prevent fraud, unauthorized access, abuse, content piracy, rate limit violations, and denial-of-service attacks.
- Dynamic Watermarking: To overlay viewer identification (email, IP, timestamp) on video playback as a piracy deterrence measure, when enabled by you.
- Transactional Emails: To send essential communications including account verification, password reset, billing confirmations, security alerts, and plan limit notifications via Resend.
- Platform Improvement: To analyze aggregate, anonymized usage patterns to improve performance, reliability, and feature development. We do not use your content for training AI models.
- Legal Compliance: To comply with applicable laws, regulations, legal processes, or enforceable governmental requests.
3. Data Storage & Infrastructure
3.1 Where Your Data Is Stored
- Account & Application Data: PostgreSQL database hosted on Supabase with PgBouncer connection pooling. Data is encrypted at rest and in transit.
- Video Content: Stored and delivered via Bunny.net Stream, a global video CDN with edge servers in 100+ locations. Videos are transcoded into adaptive bitrate formats (HLS) for optimal playback.
- Images & Files: Stored on Cloudflare R2 (S3-compatible object storage) with global edge caching via Cloudflare's CDN network (300+ data centers).
- Application Hosting: The platform is hosted on Vercel's edge network with automatic global distribution.
3.2 Security Measures
- Encryption in Transit: All connections use TLS 1.2+ encryption. HTTPS is enforced on all endpoints.
- Password Security: User and viewer passwords are hashed using bcrypt with salt rounds before storage. Plaintext passwords are never stored or logged.
- API Key Security: API keys are hashed using SHA-256 before storage. The plaintext key is shown only once at creation and cannot be retrieved later.
- Signed URLs: Video playback URLs are cryptographically signed with expiration timestamps (typically 1 hour) to prevent unauthorized access or URL sharing.
- Session Security: Authentication uses HTTP-only, Secure, SameSite cookies carrying JWTs. Tokens have configurable expiration.
- Access Controls: Role-based access control (Owner, Admin, Member) within organizations. Viewer access is granted per-media or per-group with optional expiration dates.
- Rate Limiting: API endpoints are rate-limited per key using sliding window algorithms to prevent abuse.
- Content Protection: Screen capture prevention, dynamic watermarking, and DRM-ready delivery to protect your intellectual property.
4. Data Sharing & Disclosure
We do not sell, rent, or trade your personal information to third parties for marketing purposes.
We share information only in the following circumstances:
4.1 Service Providers (Sub-processors)
We use the following third-party service providers to operate the platform. Each processes data only as necessary for their specific function:
- Razorpay — Payment processing, subscription management, and billing. Processes payment method details and transaction data. PCI-DSS Level 1 compliant.
- Resend — Transactional email delivery. Processes recipient email addresses and email content for verification, password reset, and notification emails.
- Bunny.net — Video storage, transcoding, and CDN delivery. Processes video files and delivery metadata. Servers distributed globally.
- Cloudflare — Object storage (R2) and CDN for images/files. Processes uploaded files and delivery metadata. Global network with 300+ data centers.
- Supabase — Database hosting (PostgreSQL). Processes all application data including accounts, organizations, media metadata, and usage records.
- Vercel — Application hosting and deployment. Processes HTTP requests, responses, and server-side rendering.
4.2 Legal Requirements
We may disclose your information if required to do so by law or in response to valid legal processes, including:
- Court orders or subpoenas
- Government or regulatory agency requests with proper legal authority
- To enforce our Terms of Service
- To protect the rights, property, or safety of YaaliStream, our users, or the public
4.3 Business Transfers
In the event of a merger, acquisition, bankruptcy, or sale of all or a portion of our assets, your personal information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our website of any change in ownership or uses of your personal information.
5. Your Rights & Choices
You have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you and your organization.
- Correction: Request correction of inaccurate or incomplete personal data through your dashboard settings or by contacting us.
- Deletion: Request deletion of your account and all associated data. This includes media files, viewer accounts, API keys, audit logs, and usage records. Deletion is processed within 30 days of the request.
- Objection: Object to certain processing activities where we rely on legitimate interests.
- Restrict Processing: Request that we limit how we process your data in certain circumstances.
- Withdraw Consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at privacy@yaalimail.com. We will respond within 30 days.
6. Cookies & Tracking
6.1 Cookies We Use
- Authentication Cookie: An HTTP-only, Secure, SameSite cookie containing an encrypted JWT. Essential for maintaining your login session. Expires based on session settings.
- Viewer Authentication Cookie: Similar to above, used for viewer access to protected content on the watch page.
6.2 What We Don't Use
- We do not use third-party tracking cookies
- We do not use advertising cookies or pixels
- We do not use analytics cookies (e.g., Google Analytics)
- We do not use social media tracking scripts
- We do not use fingerprinting technologies for tracking
7. Data Retention
- Active Accounts: Your data is retained for as long as your account is active and your subscription is current.
- Cancelled Subscriptions: If you cancel your paid subscription, your account reverts to limitations and your data remains accessible. Media files and data are not deleted upon subscription cancellation.
- Account Deletion: Upon account deletion request, all personal data, media files, viewer accounts, API keys, and usage records are permanently deleted within 30 days. Backups containing your data are purged within 90 days.
- Audit Logs: Retained for 12 months from creation for security and compliance purposes, then automatically purged.
- Server Logs: Retained for 30 days for security monitoring and debugging, then automatically purged.
- Billing Records: Retained for 7 years as required by Indian tax law (Income Tax Act, GST regulations).
8. Children's Privacy
YaaliStream is a business-to-business (B2B) service and is not directed at children under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us at privacy@yaalimail.com and we will promptly delete such information.
9. International Data Transfers
Your data may be processed and stored in locations outside India due to our use of globally distributed infrastructure providers (Cloudflare, Bunny.net, Vercel). By using the Service, you consent to the transfer of your data to these locations. We ensure that all service providers maintain appropriate security measures and data protection standards.
10. Data Breach Notification
In the event of a data breach that poses a risk to your rights and freedoms, we will:
- Notify affected users via email within 72 hours of becoming aware of the breach
- Provide details about the nature of the breach, the data affected, and steps we are taking to mitigate it
- Report the breach to relevant regulatory authorities as required by applicable law
- Provide guidance on steps you can take to protect yourself
11. Third-Party Links
Our Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to read the privacy policies of any third-party services you interact with.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes:
- We will notify you via email to the address associated with your account
- We will update the "Last updated" date at the top of this page
- For significant changes, we will provide a prominent notice on our dashboard
- Continued use of the Service after changes constitutes acceptance of the updated policy
13. Grievance Officer
In accordance with the Information Technology Act, 2000 and the rules made thereunder, the contact details of the Grievance Officer are provided below:
- Name: YaaliStream Grievance Officer
- Email: grievance@yaalimail.com
- Response Time: Within 30 days of receiving the complaint
14. Contact Us
For any questions, concerns, or requests related to this Privacy Policy or your personal data, contact us at:
- Email: privacy@yaalimail.com
- General Inquiries: contact@yaalimail.com