This document is the v1.5-beta privacy policy applicable to the TIVERA private beta (~10-20 friend testers). The Editor is Mitchou, a natural person residing in Morocco. An expanded v2.0 will be published post-TIVERA LLC (Wyoming) incorporation. Provisional contact listed in section 12 (Contact) below.
Last updated: 2026-05-26
Privacy Policy -- TIVERA
Version: 1.5-beta -- DRAFT, private beta, pre-LLC US Wyoming incorporation
Effective date: 2026-05-26
Last updated: 2026-05-26
Reference language: French (controller jurisdiction: Morocco -- Law 09-08, supervisory authority CNDP; GDPR applies extraterritorially -- Art. 3.2 -- for users residing in the EU/EEA). This English version is a faithful translation; in case of conflict, the French version prevails.
DRAFT -- to be reviewed by Mitchou before public v1.0 release. Fields to complete are marked [TO COMPLETE: ...].
Difference vs upcoming v2.0 (post-incorporation): this version 1.5 reflects the state of the private beta (~10-20 friend testers). The Editor remains Mitchou as a natural person under Moroccan law. The incorporation of TIVERA LLC (Wyoming) plus the activation of monetization channels (Stripe / PayPal / Play Billing / AdMob) will lead to a v2.0 published before the public v1.0 launch.
TL;DR for those in a hurry
TIVERA is an Android BYOC IPTV player application (Bring Your Own Content). You import your own streams (M3U / Xtream Codes / EPG XMLTV). We do not host, distribute, or suggest any content.
Data collected by default: zero. Data shared with third parties: zero. Advertising tracking: zero.
All your data (M3U URLs, Xtream credentials, EPG mappings, watch history) stays locally on your device, encrypted at rest (SQLCipher AES-256 + Google Tink AEAD).
The only optional processing involving a third party is Firebase Crashlytics (crash reports) -- disabled by default, explicit opt-in required.
Provisional contact (private beta):
android.mitchou@gmail.com -- for any question, rights exercise, or report, pending the setup of dedicated emails (privacy@tivera.tv, contact@tivera.tv) post-LLC incorporation.
1. Data Controller (GDPR Art. 13.1.a)
| Field | Value |
|---|---|
| Editor | Mitchou (independent publisher, natural person under Moroccan law) |
| Commercial name | TIVERA |
| Contact email | [TO COMPLETE: contact@tivera.tv -- pending DNS post-incorporation] -- during beta: android.mitchou@gmail.com |
| Postal address | [TO COMPLETE: valid Morocco postal address for legal notice -- provided upon request during private beta] |
| Data Protection Officer (DPO) | Not required (GDPR Art. 37 -- independent publisher, < 250 employees, no large-scale processing of sensitive data) |
| Applicable jurisdiction | Morocco -- Law 09-08 on the protection of individuals with regard to the processing of personal data (supervisory authority: CNDP). GDPR applies extraterritorially (Art. 3.2) for users residing in the EU/EEA. |
Contact for exercising GDPR / CCPA rights / privacy inquiries:
[TO COMPLETE: privacy@tivera.tv] -- during beta: android.mitchou@gmail.com.
Committed response time: 30 days (GDPR Art. 12.3).
2. Nature of the application (GDPR Art. 13.1.c)
TIVERA is a generic BYOC IPTV player distributed (during the private beta phase) as a direct APK. The Android package is com.mitchou.iptvpro (stable pre-pivot applicationId, preserved for Play Store continuity post-incorporation).
What TIVERA IS:
- A multimedia (video / audio) stream player for content you bring yourself.
- A local organizer of your sources (M3U URL, Xtream Codes API credentials, EPG XMLTV).
- A local diagnostic tool (DiagOverlay) displaying the technical health of your stream.
- A local recorder (DVR) saving streams to your device storage on your demand.
What TIVERA IS NOT:
- Not a content distribution service (zero pre-loaded channels, zero proprietary catalog).
- Not an algorithmic recommendation service (zero "for you" suggestions, zero "trending").
- Not an advertising service (zero ad tracker, zero third-party ad network in private beta).
- Not a cloud service (zero cloud sync, zero online user account in private beta).
You are solely responsible for the streams you import and their compliance with copyright law applicable in your jurisdiction. See Terms of Service and DMCA Policy.
3. Data processed (GDPR Art. 13.1.c, 13.2.a)
3.1 Data entered by the user -- stored locally on your device only
| Data | Purpose | Legal basis (GDPR Art. 6) | Storage | Retention |
|---|---|---|---|---|
| M3U URL / playlist URL | Playback of your streams | Contract performance (6.1.b) -- service rendered upon your request | Local device, SQLCipher AES-256 | Until manual deletion or uninstall |
| Xtream Codes credentials (host, username, password) | Connection to your IPTV panel | Contract performance (6.1.b) | Local device, Google Tink AEAD encryption (Android Keystore master key) above SQLCipher | Same |
| EPG XMLTV URL | Program guide retrieval | Contract performance (6.1.b) | Local device, SQLCipher AES-256 | Same |
| EPG-to-channel mappings | Guide personalization | Contract performance (6.1.b) | Local device, SQLCipher AES-256 | Same |
| Watch history (channel / movie / episode + resume position) | "Continue Watching" feature | Contract performance (6.1.b) | Local device, SQLCipher AES-256 | Same |
| Favorites | UI personalization | Contract performance (6.1.b) | Local device, SQLCipher AES-256 | Same |
| Video recordings (DVR) | Time-shifted viewing on your demand | Contract performance (6.1.b) | Local device, unencrypted storage (.ts / .mp4 files) under Android/data/com.mitchou.iptvpro/files/recordings/ | Until manual deletion or uninstall |
| UI preferences (language, theme, quality) | UX personalization | Legitimate interest (6.1.f) | Local device, DataStore Proto | Same |
None of this data is transmitted to Mitchou or any third party.
3.2 Data collected automatically by the application
| Data | Collected? | Transmitted to a third party? |
|---|---|---|
| Android Advertising Identifier (AAID/GAID) | No | No |
| IP address | Not collected by TIVERA (requests to your Xtream panels go from your IP, seen only by the servers you configured) | No |
| Geolocation | No | No |
| Contacts / SMS / call logs | No | No |
| Photos / files (excluding explicit DVR recordings) | No | No |
| Biometric data | No | No |
| Device unique identifier (Android ID, IMEI, MAC) | No | No |
| Web browsing history | No | No (the app is not a browser) |
| Microphone / camera | No | No (permissions not declared in the manifest) |
3.3 Technical data transmitted to servers you configure
When you import an Xtream Codes panel or an M3U / EPG URL:
- Your HTTP/HTTPS requests leave your device toward the server you chose.
- That server (which is neither Mitchou nor a service controlled by TIVERA) necessarily receives:
  - Your IP address (visible to any server on the Internet).
  - Your Xtream Codes credentials (sent to the server for authentication).
  - The User-Agent (okhttp/X.Y.Z or similar).
- TIVERA has no control over the privacy policy of these third-party servers. Consult their policy directly before entrusting them with your credentials.
3.4 Crashlytics (Firebase) -- opt-in only
If -- and only if -- you explicitly enable "Send crash reports" in Settings -> Privacy (disabled by default), the application transmits to Google Firebase Crashlytics on a crash:
| Data | Description |
|---|---|
| Crash stack trace | Kotlin / JVM call stack at the moment of crash |
| App version | E.g. 1.0.0 (build 1) |
| Android version | E.g. Android 14, API 34 |
| Device model | E.g. Samsung SM-S911B |
| System locale | E.g. fr_FR |
| Crashlytics Installation ID | Pseudonymous random identifier generated by Firebase at first launch (GDPR Art. 4.5: pseudonymized), allowing several crashes from the same device to be grouped without identifying the person |
| Custom keys (debug) | A few technical keys/values (e.g. current_screen=PlayerScreen, last_action=tap_record) -- never URLs, never credentials, never channel names (cf. internal rules SecretRedactor + no_channel_names_in_git) |
What is NEVER transmitted to Crashlytics, even with opt-in:
- Your M3U / EPG URLs (redacted by SecretRedactor before any log).
- Your Xtream Codes credentials (same).
- Your channel / movie / series names (internal filtering).
- Your watch history.
- Your resume positions.
- Your advertising AAID (TIVERA does not use play-services-ads-identifier in private beta).
Sub-processor: Google Firebase (Firebase Privacy Policy).
Crashlytics server location: Google multi-region (USA + EU), covered by EU-USA Standard Contractual Clauses (SCC) and the Data Privacy Framework (DPF) certified by Google LLC.
Firebase retention: 90 days by default on the Crashlytics side, configurable on admin side.
Disablement: Settings -> Privacy -> Send crash reports: OFF. Immediate effect.
3.5 No other analytics / advertising tools
As of release 1.5-beta:
- No Firebase Analytics (dependency not included).
- No Google Analytics for Firebase.
- No Facebook SDK / Meta Audience.
- No AdMob / third-party ad network.
- No Mixpanel / Amplitude / Segment.
- No tracking pixels.
(If any such dependency is added in a future version -- typically AdMob on the Free tier post-LLC incorporation -- this policy will be updated and you will be notified in-app -- see section 11.)
4. Recipients of the data (GDPR Art. 13.1.e)
| Recipient | Data involved | Purpose | Country |
|---|---|---|---|
| You (on your device) | 100% of entered data | App use | Local |
| IPTV / EPG servers you configure | Xtream credentials + EPG URL + IP + User-Agent (necessarily transmitted over HTTP/HTTPS during your requests) | Authentication + stream playback | Variable (depends on the panel you choose) |
| Google Firebase (Crashlytics) | ONLY if opt-in: stack trace + device metadata + pseudonymous Installation ID | Crash diagnostics | USA / EU (under SCC + DPF) |
| Mitchou (editor) | NO data directly transmitted | -- | -- |
No sale of data to data brokers or aggregators. No sharing for advertising purposes. No international transfer outside Crashlytics opt-in (under SCC + DPF).
5. Your rights (GDPR Art. 13.2.b, 15 to 22 + CCPA)
5.1 GDPR rights (EU / EEA / UK residents)
| Right | How to exercise it |
|---|---|
| Right of access (Art. 15) | All your data is locally on your device, accessible via Settings -> Sources / Settings -> Privacy -> Export my data (local JSON export). Mitchou stores nothing -- no request needed. |
| Right to rectification (Art. 16) | Edit directly in the app (Settings -> Sources -> Edit). |
| Right to erasure / right to be forgotten (Art. 17) | Settings -> Privacy -> Erase all my data OR uninstall the app. Uninstalling fully deletes the /data/data/com.mitchou.iptvpro/ directory. If Crashlytics opt-in is active -> additional request to android.mitchou@gmail.com to trigger deletion on the Firebase side (Mitchou submits a Google Firebase Customer Data Access Request -- 30 days). |
| Right to restriction of processing (Art. 18) | Disable Crashlytics opt-in (Settings -> Privacy). For local data, simply delete the relevant sources. |
| Right to data portability (Art. 20) | Settings -> Privacy -> Export my data generates a JSON file containing: sources, EPG mappings, favorites, watch history. Open, readable, re-importable format. |
| Right to object (Art. 21) | Uninstall the app. No processing based on legitimate interest at scale. |
| Right not to be subject to automated decision-making (Art. 22) | TIVERA performs no profiling or automated decision-making. The recovery engine uses technical heuristics (escalation ladder, progressive backoff) -- no Machine Learning, no AI within the meaning of the EU AI Act. |
5.2 CCPA / CPRA rights (California residents)
CCPA rights apply even though TIVERA does not "sell" data within the CCPA meaning (zero sharing with third parties for commercial purposes by default).
| CCPA right | TIVERA response |
|---|---|
| Right to Know (categories collected) | See section 3 above. CCPA categories processed: none in the strict sense (zero centralized collection). With Crashlytics opt-in: Identifiers (pseudonymous Crashlytics Installation ID) + Internet/Network Activity (stack trace, Android version). |
| Right to Delete | Settings -> Privacy -> Erase all my data + uninstall. Crashlytics request if applicable: android.mitchou@gmail.com. 45-day deadline (CCPA). |
| Right to Correct (CPRA) | Same as GDPR section 5.1. |
| Right to Opt-Out of Sale / Sharing | No CCPA sale or sharing by default. No mechanism to activate. TIVERA publishes the Global Privacy Control (GPC) signal on the Privacy Policy web page (to be activated post-hosting). |
| Right to Limit Use of Sensitive Personal Information | No sensitive data collected. |
| Right to Non-Discrimination | No discrimination tied to exercising CCPA rights. |
| Authorized Agent | You can designate an authorized agent to exercise your rights; we will require written proof of authorization. |
5.3 Complaints
If you believe your rights are not respected, you may file a complaint with:
- CNDP (Morocco -- the controller's primary supervisory authority): https://www.cndp.ma
- EU / EEA residents: the data protection authority of your country of residence (e.g. CNIL in France: https://www.cnil.fr/fr/plaintes). Full list of authorities: https://edpb.europa.eu/about-edpb/about-edpb/members_en.
- California Attorney General: https://oag.ca.gov/contact/consumer-complaint-against-business-or-company
6. Data security (GDPR Art. 32)
TIVERA applies appropriate technical and organizational measures:
6.1 Encryption at rest
- SQLCipher (AES-256) on the local Room database (channels, EPG, sources, recordings metadata, watch history).
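- Google Tink AEAD (authenticated encryption; master key held in the Android Keystore, TEE / StrongBox-backed when available) as an additional layer for Xtream Codes credentials and EPG credentials, with the AAD bound to the row identifier so that a ciphertext copied into another row fails authentication (protection against cell-swap attacks).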
- DataStore Proto for preferences (not encrypted -- no sensitive data, UI settings only).
- Recordings (.ts / .mp4): not encrypted (standard viewing requires no on-the-fly encryption), stored under Android/data/com.mitchou.iptvpro/files/recordings/ (scoped storage, deleted on uninstall).
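The row-bound AAD described above, as an added example that is not TIVERA's code: plain JCA AES-256-GCM stands in for Tink so the block runs on any JVM, and the function names, the `table:column:rowId` AAD layout and the sample values are assumptions.

```kotlin
import java.security.SecureRandom
import javax.crypto.AEADBadTagException
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

// Added illustration: JCA AES-256-GCM stands in for Tink; every name here is hypothetical.
private const val NONCE_LEN = 12   // bytes
private const val TAG_BITS = 128

// The AAD names the exact cell, so a ciphertext only authenticates where it was written.
fun cellAad(table: String, column: String, rowId: Long): ByteArray =
    "$table:$column:$rowId".toByteArray(Charsets.UTF_8)

fun encryptCell(key: SecretKey, plaintext: String, aad: ByteArray): ByteArray {
    val nonce = ByteArray(NONCE_LEN).also { SecureRandom().nextBytes(it) }
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    cipher.init(Cipher.ENCRYPT_MODE, key, GCMParameterSpec(TAG_BITS, nonce))
    cipher.updateAAD(aad)
    return nonce + cipher.doFinal(plaintext.toByteArray(Charsets.UTF_8))
}

// Returns null when the tag does not verify: wrong row, wrong key, or modified bytes.
fun decryptCell(key: SecretKey, blob: ByteArray, aad: ByteArray): String? {
    if (blob.size < NONCE_LEN + TAG_BITS / 8) return null
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    cipher.init(Cipher.DECRYPT_MODE, key, GCMParameterSpec(TAG_BITS, blob, 0, NONCE_LEN))
    cipher.updateAAD(aad)
    return try {
        String(cipher.doFinal(blob, NONCE_LEN, blob.size - NONCE_LEN), Charsets.UTF_8)
    } catch (e: AEADBadTagException) {
        null
    }
}

fun main() {
    val key = KeyGenerator.getInstance("AES").apply { init(256) }.generateKey()
    // Constructed sample: two source rows, each password sealed to its own row id.
    val row1 = encryptCell(key, "constructed-pass-1", cellAad("sources", "password", 1))
    val row2 = encryptCell(key, "constructed-pass-2", cellAad("sources", "password", 2))

    check(decryptCell(key, row1, cellAad("sources", "password", 1)) == "constructed-pass-1")
    // Cell swap: row 2's ciphertext placed in row 1 is rejected instead of decrypted.
    check(decryptCell(key, row2, cellAad("sources", "password", 1)) == null)
    println("row-bound AAD: swapped ciphertext rejected")
}
```

Without the AAD, both ciphertexts would decrypt under the same key in either row, so anyone able to write to the database could point one source at another source's credentials.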
6.2 Encryption in transit
- Strict HTTPS to first-party domains (googleapis.com, firebaseio.com, firebase.com, crashlytics.com, app-measurement.com, gstatic.com, google-analytics.com, firebaseapp.com).
- Cleartext HTTP tolerated only toward IPTV/EPG servers you configure (most historical Xtream panels still serve in HTTP -- denying cleartext would break BYOC usage). You may choose an HTTPS panel if you want in-transit encryption to your server.
- SHA-256 cert pinning on Google/Firebase domains, infrastructure ready (FirstPartyCertPinner), to be activated post-launch v1.0 (pin capture pending).
6.3 Defensive architecture
- Minimal Android permissions: INTERNET, ACCESS_NETWORK_STATE, WAKE_LOCK, FOREGROUND_SERVICE, FOREGROUND_SERVICE_DATA_SYNC, FOREGROUND_SERVICE_MEDIA_PLAYBACK, POST_NOTIFICATIONS, WRITE_EPG_DATA. No runtime dangerous permission (no location, no contacts, no microphone, no arbitrary external storage).
- R8 / ProGuard minification enabled in release builds (reduces attack surface).
- Restrictive backup rules: encrypted Xtream sources excluded from automatic Google Drive backup (@xml/backup_rules + @xml/data_extraction_rules).
- SecretRedactor: every Timber / Crashlytics log passes through a redactor that strips URLs, credentials, IBANs, Bearer tokens, hex runs >= 32 chars before emission.
- Systematic code review: cross-agent audits security-auditor + mobile-pentest-auditor on every PR touching credentials / encryption / network.
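A log redactor covering the five categories listed above, as an added example that is not TIVERA's SecretRedactor: the object name, the regular expressions and the sample log lines are assumptions, and the patterns err on the side of over-redaction.

```kotlin
// Added illustration, not TIVERA's SecretRedactor: names and patterns are assumptions.
object LogRedactor {
    // Order matters: whole URLs go first because they can embed credentials in the query.
    private val rules: List<Pair<Regex, String>> = listOf(
        Regex("""\b[a-z][a-z0-9+.-]*://\S+""", RegexOption.IGNORE_CASE) to "[URL]",
        Regex("""\bBearer\s+[A-Za-z0-9._~+/-]+=*""", RegexOption.IGNORE_CASE) to "Bearer [TOKEN]",
        Regex("""\b(username|user|password|pass|pwd)\s*[=:]\s*[^\s&,;]+""", RegexOption.IGNORE_CASE)
            to "\$1=[REDACTED]",
        // IBAN shape: country code, two check digits, then groups of four (spaces optional).
        Regex("""\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,3})?\b""") to "[IBAN]",
        // Long hex runs (hashes, key material, session ids): 32 characters or more.
        Regex("""\b[0-9a-fA-F]{32,}\b""") to "[HEX]",
    )

    // Applies every rule in sequence; call this before a message reaches any log sink.
    fun redact(message: String): String =
        rules.fold(message) { acc, (pattern, replacement) -> pattern.replace(acc, replacement) }
}

fun main() {
    // Constructed log lines; none comes from a real device or panel.
    val samples = listOf(
        "GET http://panel.example:8080/get.php?username=alice&password=s3cret failed",
        "retry with header Authorization: Bearer abc.def-123_xyz",
        "login rejected user=alice password=s3cret",
        "refund to MA64 0115 1900 0001 2050 0053 4921 pending",
        "keyset id 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
    )
    // Fragments that must not survive redaction.
    val secrets = listOf("alice", "s3cret", "abc.def", "0115", "9f86d081")
    for (line in samples) {
        val safe = LogRedactor.redact(line)
        check(secrets.none { it in safe }) { "leak in: $safe" }
        println(safe)
    }
}
```

A redactor of this kind only protects logs if it sits in the single path every log call goes through; a direct call to the platform logger bypasses it.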
6.4 Breach notification (GDPR Art. 33)
In case of a personal data breach affecting your rights, Mitchou will notify the CNDP (and, for affected EU users, the competent EU supervisory authority) within 72 hours, and will notify you directly via the in-app policy update mechanism (section 11) if the breach presents a high risk (GDPR Art. 34). Given the absence of centralized storage on Mitchou's side, practical risk is limited to Crashlytics opt-in flows.
7. Minors (COPPA + GDPR Art. 8)
TIVERA is intended for an audience aged 13 years or older (COPPA US-compliant and GDPR Art. 8-compliant).
- No intentional collection of data concerning children under 13.
- Declarative age gate at first launch (without collecting date of birth -- a simple declarative confirmation >= 13 years).
- IARC Play Store classification likely post-pivot: Mature 17+ or PEGI 12 / Teen, since BYOC content is entirely user-controlled and may include adult content (user responsibility, see Terms of Service).
- If you are a parent / guardian and notice that a minor under 13 uses the app without your consent: contact android.mitchou@gmail.com to delete any data possibly associated (in practice: uninstalling is enough).
8. Cookies / third-party trackers
TIVERA is a native Android mobile application, not a website.
- No HTTP cookie stored by TIVERA for its own purposes.
- Third-party server cookies: if your Xtream panel sends cookies (rare, some Cloudflare-protected setups set a __cf_bm cookie), TIVERA handles them via an InMemoryCookieJar purely in RAM, never persisted to disk, cleared on app close. No inter-session tracking.
- No tracking pixel, no beacon, no third-party script.
The tivera.tv website (which hosts this policy) likewise sets no cookie, embeds no third-party analytics or advertising script, and makes no external CDN call at runtime (internal rule R-NA-1: zero outbound external API).
9. International transfers (GDPR Art. 44 to 50)
| Transfer | Legal framework |
|---|---|
| Your device -> IPTV/EPG servers you configure | No transfer orchestrated by Mitchou -- you choose the destination server. Mitchou is neither operator nor joint controller. |
| Crashlytics opt-in -> Google LLC (USA) | Standard Contractual Clauses (SCC) adopted by Google + Google LLC certification under the EU-USA Data Privacy Framework (DPF). Additional safeguards: pseudonymization (Installation ID), no sensitive data, systematic client-side redaction. |
10. Retention period (GDPR Art. 13.2.a)
| Category | Duration |
|---|---|
| Local data (M3U, Xtream, EPG, watch history, recordings) | Indefinite as long as the app is installed. Immediate erasure on uninstall OR via Settings -> Privacy -> Erase all my data. |
| Crashlytics opt-in | 90 days on Google Firebase side (default retention, not modifiable on Mitchou's side). Deletion on request to android.mitchou@gmail.com (30 days). |
| PerfEvent logs (buffer.log internal device) | Sliding ring buffer of 10,000 events, never transmitted off-device. Erased on uninstall. |
11. Updates to this policy
Any material modification to this policy will trigger:
- In-app notification at the next launch following the version change (non-blocking banner + direct link to the diff).
- Update of the "Last updated" date at the top of this document.
- Git diff retention (this policy is publicly versioned in the tivera-website repository).
- Re-acceptance required if the modification involves a new processing category (e.g. AdMob, user accounts, payments).
Minor modifications (typos, clarifications without substantial impact) do not trigger re-acceptance.
Expected change v1.5-beta -> v2.0: upon incorporation of TIVERA LLC (Wyoming, US) + opening of monetization channels (Stripe, PayPal, Play Billing, AdMob), a v2.0 will be published covering: Data Controller = TIVERA LLC, secondary Data Processor = Mitchou natural person (Morocco), Magic Link Firebase user accounts, payments, cross-border transfers, EU 14-day cooling-off period.
12. Contact
For any question regarding this privacy policy or to exercise your rights:
- During private beta: android.mitchou@gmail.com (single contact channel)
- Post-LLC incorporation (v2.0):
  - General email: [TO COMPLETE: contact@tivera.tv]
  - Dedicated privacy email: [TO COMPLETE: privacy@tivera.tv]
  - DMCA email: [TO COMPLETE: dmca@tivera.tv] (cf. DMCA Policy)
  - Postal address: [TO COMPLETE: valid Morocco postal address -- provided on request during beta]
Committed response time: 30 days (GDPR) / 45 days (CCPA).
13. Related documents
- Terms of Service -- service rules and responsibilities
- DMCA Policy -- content takedown procedure
Status: DRAFT v1.5-beta of 2026-05-26, valid for the private beta only (~10-20 friend testers). To be reviewed by Mitchou + (recommended) GDPR-specialized lawyer before publishing v2.0 at a fixed URL post-LLC incorporation. Hosting: https://tivera.tv/en/legal/privacy/ (Cloudflare Pages post-deploy, static, internal rule R-NA-1).