Privacy Policy
Last updated: March 4, 2026
This policy describes what information SRS Viewer ("the Service") collects and how it is used. The Service is a live streaming platform — data collection varies depending on which features are enabled by the instance operator.
Information We Collect
Account Information
If authentication is enabled, we collect the following when you create an account:
- Username
- Password (hashed using bcrypt, never stored in plain text)
We also store your stream key (a generated UUID), stream title, streaming permissions, and admin status. A creation timestamp is recorded when your account is created.
Authentication Logs
When you log in, publish a stream, or connect as a viewer, we log:
- Your IP address
- Username
- Event type (login, stream publish, stream play, stream unpublish)
- Success or failure status
- Timestamp
These logs are automatically deleted after 30 days.
Viewer Analytics
When you watch a stream, we track:
- Your IP address (used to count unique viewers)
- Viewer counts per stream (recorded every 30 seconds)
- Stream session start and end times
- Peak and average viewer counts per session
Viewer snapshots are automatically deleted after 30 days. If you are connected through Discord, your viewer entry is anonymized as a Discord proxy identifier rather than your real IP.
Chat Messages
If chat is enabled, we store:
- Your username and user ID
- Message content (up to 500 characters)
- Channel (which stream you sent the message in)
- Timestamp
- Badges (admin, streamer indicators)
- Who deleted a message (if it was deleted by a moderator)
Chat messages are automatically deleted after 7 days.
Chat bans are stored with the banned user, banning moderator, reason, channel, and expiration time.
IP Addresses
Your IP address is collected from the direct connection. If the instance operator has enabled proxy trust, your IP may instead be read from headers such as X-Real-IP, CF-Connecting-IP, or X-Forwarded-For.
IP addresses are used for:
- Unique viewer identification
- Authentication logging
- Rate limiting
Cookies
The Service uses a single authentication cookie (srs_auth_token) containing a JWT token. This cookie is:
- HttpOnly (not accessible to JavaScript)
- Secure (HTTPS only in production)
- SameSite strict
- Expires after 24 hours (configurable by the operator)
No third-party tracking cookies are used.
Server Logs
HTTP requests are logged to the console with the request method, URL, response status, response time, and client IP. Requests to static assets (/public/*) are excluded. These logs are not persisted to a database.
What We Do Not Collect
- Stream recordings — The Service does not record your video or audio. Streams are processed in real time by the SRS media server and are not stored.
- Browser fingerprints — We do not fingerprint your browser.
- Third-party analytics — No external analytics services (Google Analytics, etc.) are used.
Discord Integration
If the Discord Activity feature is enabled, the Service exchanges a Discord OAuth2 authorization code for an access token to authenticate you within the Discord embedded app. The Service requests only the identify scope. The access token is returned to the client and is not stored server-side.
When viewing streams through Discord, your viewer entry uses an anonymized identifier instead of your real IP address.
Data Sharing
We do not sell or share your personal information with third parties. Information may only be disclosed:
- When required by law
- To protect the rights and safety of users or the public
Data Retention
| Data | Retention |
|---|---|
| Account information | While your account is active |
| Authentication logs | 30 days |
| Viewer analytics | 30 days |
| Chat messages | 7 days |
| Chat bans | Until expiration or removal |
| Server request logs | Not persisted (console only) |
Administration
Administrators can view chat messages, delete messages, ban users, and manage accounts. Moderation actions (such as who deleted a message) are tracked.
Your Rights
You may request deletion of your account and all associated data by contacting the instance operator.
Changes
We may update this policy at any time. Continued use of the Service after changes constitutes acceptance of the updated policy.
Contact
If you have questions about this policy, you can reach us through the project's source repository.