HypeVault
← Back to home

Privacy Policy

Last updated: June 6, 2026

Plain-English summary: We collect what we need to run the platform — your account info, OAuth tokens from streaming platforms you connect, payment details processed by Stripe, and stream-event data routed through our overlays. Streamer payments flow directly to the streamer's Stripe Connect account at the moment of purchase. We do not sell your data. You can export or delete your account anytime.

This Privacy Policy describes how HypeVault ("HypeVault," "we," "us," or "our") collects, uses, discloses, and protects information about you when you use our website, dashboard, OBS overlays, browser extensions, and any related services (collectively, the "Service").

By using the Service you agree to the practices described in this Policy. If you do not agree, please do not use the Service.

1. Who we are

HypeVault is an online platform that helps streamers monetize their channels with drag-and-drop overlays, card packs and a card shop, chat games, marathon timers, viewer-to-streamer subscriptions, a free loyalty-points system ("Loyalty Gems"), and social profiles. USD payments are processed by Stripe and routed to each streamer's connected Stripe Express account. For any privacy question, contact us at privacy@hypevault.io.

2. Information we collect

2.1 Account information

When you sign up we collect your email address, display name, password (hashed), and an optional profile photo. If you sign in through Twitch, YouTube, Kick, or Google, we receive your platform user ID, display name, avatar, email (if granted), and OAuth access / refresh tokens scoped to the permissions you approved.

2.2 Streaming-platform data

Once you connect a streaming account, we receive events you authorized us to receive, including chat messages, follows, subscriptions, cheers, tips, raids, super chats, memberships, redemptions, and live-status changes. We use this data to power overlays, alerts, marathon timers, games, and analytics.

2.3 Viewer interaction data

When viewers interact with a streamer's overlay or social profile — for example by tipping, subscribing, buying cards from the card shop, redeeming card packs, earning or spending Loyalty Gems, claiming gift drops, posting comments, or playing chat games — we process the resulting events so we can render overlays, update Gem balances, and route funds to the streamer via Stripe Connect.

2.4 Payment information

Tips, card-shop purchases, viewer-to-streamer subscriptions, and the HypeVault Paid-tier platform subscription are all processed by Stripe. For tips, card-shop sales, and viewer-to-streamer subscriptions, HypeVault uses Stripe Connect destination charges — the streamer's share of the transaction is transferred directly to the streamer's connected Stripe Express account at the moment the payment settles. HypeVault never holds streamer funds in an internal payout ledger and does not run a payout queue. We never store full card numbers or bank credentials. Stripe provides us with a token, the last four digits of the funding instrument, and transaction metadata so we can show your purchase history and reconcile balances. Stripe shares transaction data, payout status, and verification status back to HypeVault so we can display your earnings, process disputes, and reconcile balances.

2.5 Tax and identity information

If you onboard with Stripe Connect to receive payouts, Stripe may collect government-issued identification, tax forms (W-9, W-8BEN, etc.), and address verification to comply with KYC and tax regulations. This data is handled by Stripe under their own privacy practices; we receive only the status of the verification.

2.6 Content you upload

Images, video, audio, custom widget code, posts, comments, and other content you upload are stored on Cloudflare R2 (S3-compatible object storage) and referenced in our database.

2.7 Device and log data

We automatically collect IP address, user agent, device type, language, referring URL, and timestamps when you interact with the Service. We use this for security, abuse prevention, and aggregate analytics.

2.8 Cookies and similar technologies

We use first-party cookies to keep you signed in, to remember your preferences, and to prevent fraud. We use a minimal set of analytics cookies to understand aggregate usage. We do not use third-party advertising cookies.

3. Companion Application

If you choose to install the HypeVault Companion Application (the "Companion App"), the following applies in addition to the rest of this Policy.

3.1 Data stored locally

The Companion App stores the following data on your device under %AppData%\HypeVault\:

  • settings.json — your Gateway URL, Companion Token, and feature preferences (keyboard chaos enabled/disabled, jumpscares enabled/disabled, start-with-Windows preference).
  • cache\ — jumpscare images and sounds downloaded from HypeVault's servers, cached locally to reduce repeat load times.

No data in these files is transmitted to HypeVault or any third party, except your Companion Token, which is sent to the HypeVault WebSocket gateway solely to authenticate your connection.

3.2 Keyboard input

The Companion App intercepts keyboard input exclusively during active Keyboard Chaos events. No keystrokes are recorded, logged, stored, or transmitted at any time. The keyboard hook is a local, in-process remap that exists only in memory for the duration of the effect.

3.3 Network requests

While running, the Companion App makes the following outbound network requests:

  • WebSocket connection to ws.hypevault.io — persistent, for receiving real-time events.
  • HTTPS GET to hypevault.sfo3.cdn.digitaloceanspaces.com/Downloads/latest.json — periodic version check (every four hours).
  • HTTPS GET to DigitalOcean Spaces — only when downloading a jumpscare asset or an approved update.

No personally identifiable information beyond your Companion Token (a signed JWT identifying your streamer account) is transmitted in any of these requests.

3.4 Uninstalling

Uninstalling the Companion App via Add/Remove Programs removes all installed files. The %AppData%\HypeVault\ directory is not removed automatically; you may delete it manually to remove cached assets and settings.

4. How we use information

  • To operate, secure, and maintain the Service.
  • To process tips, card-shop purchases, subscriptions, and the platform Paid tier through Stripe, and to route streamer earnings via Stripe Connect.
  • To track Loyalty Gem earn and spend balances on each streamer's channel.
  • To deliver alerts and events to your overlays in real time.
  • To enforce our Terms of Service and prevent fraud, abuse, or harm.
  • To communicate with you about your account, security, billing, and product updates.
  • To improve features, fix bugs, and measure performance.
  • To comply with legal obligations and respond to lawful requests.

5. Legal bases (EEA / UK users)

If you are in the European Economic Area or the United Kingdom, we rely on the following legal bases: performance of a contract (delivering the Service you signed up for), legitimate interests (securing the Service, preventing fraud, improving features), consent (where required, such as optional analytics), and legal obligation (tax reporting, lawful requests).

6. How we share information

We share information only as described below. We do not sell your personal data.

  • Streaming platforms. Connected accounts (Twitch, YouTube, Kick, Google) exchange data with us per the scopes you approved.
  • Payment processor. Stripe handles tips, subscriptions, card-shop purchases, and the platform Paid tier. Streamer earnings are routed via Stripe Connect destination charges directly to each streamer's connected Stripe Express account. Stripe receives the information necessary to process the transactions and to satisfy its own KYC and tax obligations.
  • Infrastructure providers. Hosting (DigitalOcean), object storage (Cloudflare R2 / DigitalOcean Spaces), database (managed MySQL), email delivery (Resend).
  • Other users. Public profile content — display name, avatar, bio, posts, card collections, and aggregate stats — is visible to other users. Loyalty Gem balances, Stripe Connect balances, and account email are private.
  • Legal and safety. When required by law, valid legal process, or to protect the rights, property, or safety of HypeVault, our users, or the public.
  • Business transfers. If we are involved in a merger, acquisition, or asset sale, your information may be transferred as part of that transaction, subject to this Policy.

7. Data retention

We retain account information for as long as your account is active. When you delete your account, we delete or anonymize personal data within 30 days, except where we are required to retain it for legal, tax, accounting, fraud-prevention, or dispute-resolution purposes (typically up to 7 years for financial records). Stream-event data older than 24 months is aggregated or deleted.

8. Your rights

Depending on where you live, you may have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate information.
  • Delete your account and associated data.
  • Export a copy of your data in a portable format.
  • Object to or restrict certain processing.
  • Withdraw consent where processing is based on consent.
  • Lodge a complaint with your local data-protection authority.

Account-level actions (export, delete) are available in Dashboard → Settings → Privacy. For any other request email privacy@hypevault.io; we respond within 30 days.

8.1 California residents (CCPA / CPRA)

California residents have the right to know what personal information we collect, to request deletion, to correct inaccurate information, to opt out of any sale or sharing of personal information (we do not sell), and to be free from discrimination for exercising these rights.

9. Security

We protect data with TLS in transit, encryption at rest for sensitive fields, hashed passwords (argon2 / bcrypt), least-privilege access controls, audit logging, and regular dependency updates. No system is perfectly secure; we cannot guarantee absolute security.

10. Children

The Service is not directed to children under 13 (or 16 in the EEA / UK). We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us and we will delete it.

11. International transfers

HypeVault operates servers on DigitalOcean (United States) and uses globally distributed providers (Cloudflare, Stripe). If you access the Service from outside these regions, your information may be transferred internationally, subject to appropriate safeguards such as Standard Contractual Clauses.

12. Third-party links

Overlays, posts, and other user-published content may link to third-party sites. We are not responsible for the privacy practices of those sites.

13. Changes to this Policy

We may update this Policy. We will post the new version with a revised "Last updated" date and, for material changes, notify you in-app or by email at least 7 days before the change takes effect.

14. Contact

Questions or requests: privacy@hypevault.io.