Privacy Policy
Last Updated: November 9, 2025
Privacy at a Glance
We know legal documents can be dense. Here are the most important things you need to know about how we handle your data:
- ✓ We Use Your Data to Provide the Service. We process your Twitch chat in real-time to find “gems.” We do not store the full content of your chat logs long-term.
- ✓ You Are in Control. You can request, update, or delete your personal data at any time from your dashboard or by contacting us.
- ✓ We Do Not Sell Your Data. We are not in the business of selling your personal information. We only share it with trusted partners like Stripe (for payments) and Supabase (our database) who are essential to run Needle Gem.
- ✓ We Use Twitch & AI Securely. We use Twitch’s official API to access your chat. Your chat messages are sent to our AI provider (OpenRouter) for curation and are not used to train their models.
Introduction
Needle Gem AI (“we”, “our”, or “us”) is committed to protecting your privacy and ensuring GDPR compliance. This Privacy Policy explains how we collect, use, process, and protect your personal data when you use our service.
This Privacy Policy is part of our Terms of Service and should be read in conjunction with our Cookie Policy and Refund Policy.
Data Controller
Needle Gem AI is the data controller for the personal data we process through our service.
Contact: For privacy inquiries, please contact us at needlegem@proton.me.
What Data We Collect
1. Account Information
- Email address (for authentication)
- User ID (generated automatically)
- Account creation and update timestamps
- Subscription status and billing information
2. Twitch Integration Data
- Twitch user ID, username, and display name
- Twitch profile image URL
- Connection timestamp and token expiration
- Authorized OAuth scopes
3. Service Usage Data
- Chat messages from your Twitch channel: These messages are processed in real-time by our AI system to identify high-value content. We do not store the raw history of your chat logs in our database.
- AI token usage and quota information
- Feature usage statistics and timestamps
- WebSocket connection status
4. Cookies and Tracking Technologies
We use cookies and similar tracking technologies to operate our Service. For detailed information, please see our dedicated Cookie Policy.
Summary:
- Essential Cookies: Required for authentication and core functionality (always active, no consent required)
- Vercel Analytics: Cookieless web analytics (always active, no consent required)
Vercel Analytics: We use Vercel Analytics to understand how visitors use our site. This helps us answer questions like:
- How many visitors come from our email campaigns?
- What is our conversion rate from landing page to completed applications?
- Which pages perform best?
Important: Vercel Analytics is completely cookieless: it does NOT use cookies or track personal identifying information. It collects only anonymous page views, referrer data, and basic device/browser information. Since it’s cookieless and privacy-focused, it does not require consent under the ePrivacy Directive.
Legal Basis for Processing
GDPR Article 6(1) - Lawfulness of Processing
Contract (Article 6(1)(b)): Processing necessary to provide our core services (account management, AI curation, overlay generation)
Consent (Article 6(1)(a)): Marketing communications (explicit opt-in required)
Legitimate Interest (Article 6(1)(f)): Service optimization, security monitoring, fraud prevention
Your GDPR Rights
Under the General Data Protection Regulation (GDPR), you have the following rights:
Right of Access
You have the right to request a copy of all personal data we hold about you. Export your data from your dashboard or contact us at needlegem@proton.me.
Right to Rectification
You can update your account information and settings at any time through your dashboard.
Right to Erasure (“Right to be Forgotten”)
You can request deletion of your account and all associated data by contacting us at needlegem@proton.me. Canceled accounts are automatically anonymized after 90 days.
Right to Restriction of Processing
You can limit how we process your data by:
- Rejecting optional cookies
- Disconnecting your Twitch account
- Pausing or canceling your subscription
Right to Data Portability
Export your data in machine-readable JSON format via the dashboard data export feature.
Right to Object
You have the right to object to certain types of data processing, particularly when based on legitimate interests. You can exercise this right by:
- Disconnecting your Twitch account to stop chat data collection
- Canceling your subscription to cease service usage data collection
- Using browser extensions to block analytics (uBlock Origin, Privacy Badger)
- Contacting us at needlegem@proton.me for other objections
Note: Objecting to processing necessary for contract performance (core service features) may prevent us from providing the service.
Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority, particularly in the EU member state where you reside, work, or where the alleged infringement occurred.
Data Retention
| Data Type | Retention Period | Notes |
|---|---|---|
| Raw Twitch Chat Messages | Not stored | Processed in real-time only |
| Account Information | Active + 90 days | Retained while account is active, then 90 days after cancellation |
| Token Usage Records | 365 days | Then anonymized for statistical analysis |
| Consent Records | 730 days | 2 years for legal compliance |
| OAuth Temporary Data | 24 hours | Automatic cleanup |
Important Notes:
- Token Usage Records: We retain token usage records linked to your account for 365 days for billing and support purposes. After this period, we may retain this data in a fully anonymized and aggregated form for long-term statistical and business analysis.
- Automated Cleanup: Data retention periods are enforced through automated cleanup processes that run daily at 2:00 AM UTC.
Third-Party Services
Services We Use
- Supabase: Database and authentication infrastructure (GDPR compliant)
- Stripe: Payment processing (PCI-DSS and GDPR compliant)
- OpenRouter: AI model API provider (data processing agreement in place)
- Twitch: OAuth authentication and chat access (per your authorization)
- Vercel Analytics: Privacy-focused, cookieless web analytics (GDPR compliant, no consent required)
All third-party services we use are GDPR-compliant and have appropriate data processing agreements (DPAs) in place.
International Data Transfers
Your personal data may be transferred to and processed in countries outside of the European Economic Area (EEA). We ensure all such transfers comply with GDPR requirements through appropriate safeguards.
Data Storage Locations
- Supabase (Database): Data stored in AWS data centers. Supabase offers EU region hosting options and complies with GDPR requirements. We use Standard Contractual Clauses (SCCs) approved by the European Commission for data transfers.
- Stripe (Payments): Payment data processed globally with EU-US Data Privacy Framework compliance and GDPR-certified data processing.
- OpenRouter (AI Processing): AI processing may occur in US data centers. Data is processed under appropriate data processing agreements and security measures.
- Twitch (OAuth & Chat): Twitch data is processed according to Twitch’s Privacy Policy and GDPR-compliant terms.
- Vercel Analytics (Analytics): Anonymous, cookieless analytics data processed by Vercel (US-based). Vercel is GDPR-compliant and participates in the EU-US Data Privacy Framework. It does not process personal data.
Legal Basis for Transfers
Standard Contractual Clauses (SCCs): We use Standard Contractual Clauses approved by the European Commission (Decision 2021/914) for transfers to third countries. These clauses ensure your data receives equivalent protection outside the EEA.
Adequacy Decisions: Where possible, we use service providers in countries recognized by the European Commission as providing adequate data protection (e.g., UK, Switzerland, and countries covered by adequacy decisions).
EU-US Data Privacy Framework: Some of our US-based processors participate in the EU-US Data Privacy Framework, providing additional safeguards for transatlantic data transfers.
You can request copies of the safeguards we have in place (e.g., Standard Contractual Clauses) by contacting us at needlegem@proton.me.
Security Measures
- All data is encrypted in transit (HTTPS/TLS) and at rest
- Twitch tokens are stored in Supabase Vault (encrypted key storage)
- Regular security audits and updates
- Role-based access control (RBAC) for internal systems
- Row-level security (RLS) policies on all database tables
- Input validation and SQL injection prevention
Children’s Privacy
Needle Gem AI is not intended for users under the age of 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately at needlegem@proton.me so we can delete it.
Changes to This Policy
We may update this Privacy Policy from time to time. When we make significant changes, we will notify you via email or through a prominent notice on our service. The “Last Updated” date at the top of this page indicates when the policy was last revised.
Contact Us
If you have any questions about this Privacy Policy or how we handle your data, please contact us:
Email: needlegem@proton.me
Dashboard: Manage your privacy settings