Privacy

Privacy Policy

Oxygen Donuts Privacy Policy: what data we process, why we need it, cookies, on-chain data, and user rights.

Updated: June 17, 2026
Effective: June 17, 2026

This Policy explains what data Oxygen Donuts processes when you use the website, dashboard, donation pages, embedded wallet flows, OBS alerts, Telegram bot, and related features.

In short: we do not sell personal data and we do not ask for your seed phrase or private key. Wallet payments run through smart contracts; QR/exchange payments may temporarily use a technical per-intent address before settlement. We process account, technical, and payment metadata needed to operate the service safely.

1. Who is responsible for data

Service operator: Oxygen Donuts. For privacy questions and data requests, contact [email protected].

If a separate legal entity, address, DPO, or contact point is published later, this Policy will be updated.

2. Data we process

  • Account/session data: wallet address, account id, Google/Privy email, linked Twitch/YouTube/Telegram identities, language preference, session cookies.
  • Streamer profile: display name, slug, avatar, banner, bio, social links, settings, accepted networks/tokens, OBS and notification settings.
  • Donation/payment data: intent ids, tx hashes, chain id, token, amount, donor nickname, anonymous flag, donation message, TTS text/status, QR/payment metadata, referral attribution.
  • Technical/security data: IP address, user agent, headers, request logs, rate-limit events, abuse/security signals, error logs.
  • Communications: support requests, bot messages/preferences, email/notification preferences.
  • Public content: donation page, profile content, public links, and public donation entries where enabled by product settings.

3. Purposes and legal basis

  • Account/login: wallet address, email, OAuth ids, session cookies - contract / legitimate interest.
  • Donation processing: tx hash, chain id, token, amount, donor nickname, message, TTS/referral metadata - contract / legitimate interest.
  • Security, AML, and risk: IP, wallet, transaction metadata, logs, abuse signals, sanctions/fraud/suspicious activity screening - legitimate interest / legal obligation.
  • Notifications: Telegram id, bot preferences, delivery events, and connected-service settings - consent / contract.
  • Support: email, messages, diagnostics, and request history - contract / legitimate interest.
  • Marketing emails, if added later: email and preferences - consent.

4. Google and YouTube data

If you connect Google or YouTube, Oxygen may process your Google account identifier, email address, YouTube channel identifier, channel display name, avatar, and OAuth tokens where needed to provide connected features.

We use this data only to authenticate you, connect your creator profile, display linked account status, operate features you enable, maintain security, and provide support. We do not sell Google user data. Use and transfer of information received from Google APIs must comply with the Google API Services User Data Policy, including Limited Use requirements where applicable.

5. Cookies and local/session storage

Oxygen currently uses necessary and functional cookies/session tokens for login, locale, OAuth protection, and admin access. We do not use advertising cookies and do not set analytics cookies unless they are needed.

  • locale - stores selected language.
  • oxy_wallet and oxy_account - maintain user sessions.
  • oxy_admin - protects founder/admin session for /admin.
  • oxy_twitch_oauth_nonce and oxy_social_oauth_nonce - protect OAuth flow from CSRF/state attacks.
  • privy-token - used by Privy for embedded wallet/auth session.
  • If we add non-strictly necessary analytics, advertising, or marketing cookies, we will add a consent/preference flow before using them where required by law.

6. Public blockchain data

Blockchain data is public and usually immutable. Wallet addresses, tx hashes, token, amount, chain id, contract events, and related on-chain metadata may be visible in public explorers and cannot be deleted from blockchains by us.

Deleting an account or off-chain data does not delete data from public blockchain networks.

7. Who may receive data

We share data only where needed to run the service, maintain security, provide support, comply with law, or operate an integration you enable.

  • Privy: embedded wallet/auth - email, wallet/session data, and embedded wallet metadata.
  • Supabase: database, auth/backend, and operational storage - account, profile, settings, and payment metadata.
  • Vercel: hosting and delivery - request logs and technical logs.
  • Cloudflare/R2 or similar storage/security providers: asset storage, security, and delivery - IP, logs, and stored assets where used.
  • Telegram: notifications and bot features - Telegram id, messages, commands, and notification preferences.
  • Twitch, YouTube, and Google: OAuth/channel linking - account/channel identifiers, profile data, and OAuth tokens where needed.
  • Blockchain networks, RPC providers, explorers, and smart contracts: blockchain interaction - wallet, transaction, and network metadata.
  • Legal/security recipients: courts, regulators, law enforcement, advisers, auditors, or security responders where required or reasonably necessary.

8. Retention and deletion

We keep data for as long as needed for accounts, service operation, security, records, disputes, legal obligations, and abuse prevention. These are practical guideposts and may change if data is needed for abuse, fraud, legal compliance, dispute handling, or incident recovery.

If you delete your account or request deletion, we will delete or anonymize off-chain data where possible and lawful. We may retain minimal records needed for security, fraud prevention, legal compliance, dispute handling, or incident recovery.

  • Session cookies: until logout or expiration.
  • Security logs: typically 30-180 days, unless needed for abuse, fraud, or incident investigation.
  • Support messages: up to 24 months after last contact.
  • Account/profile data: while the account is active or while needed for service and lawful purposes.
  • Donation/payment metadata: retained as needed for accounting, security, disputes, fraud prevention, and legal compliance.
  • On-chain data: retained by public blockchains independently of Oxygen.

9. Your rights and choices

Depending on your jurisdiction, you may have rights to request access, copy, correction, deletion, restriction, portability, or objection. Send requests to [email protected].

We may ask you to verify identity or account/wallet ownership before completing a request. On-chain data and data held by third-party platforms may be outside our control.

10. International processing, security, and children

Oxygen and its providers may process data in different countries. We use technical and organizational security measures, but no internet or blockchain service can guarantee absolute security.

The service is not intended for users under 18, under the age of majority in their jurisdiction, or users who cannot legally use crypto assets or enter these Terms. Contact us if you believe a child provided data to us.

11. Policy updates

We may update this Policy when the product, providers, laws, or data practices change. The new version will be posted on this page with a new update date.

Privacy Policy - Oxygen Donuts