1. Introduction & scope
This Privacy Policy explains how [Legal entity name — e.g. Palm IPTV Ltd.] ("Palm IPTV", "we", "us" or "our") collects, uses, shares and protects personal information when you use the Palm IPTV applications and websites, including our marketing site at www.palmiptv.com, our web application at app.palmiptv.com, our backend API at back.palmiptv.com, and our apps for Android, iOS, Windows, macOS and Linux (together, the "Service").
Palm IPTV is a media player — not a content provider. We do not provide, host, resell or include any channels, streams or audiovisual media, and we are not affiliated with any IPTV provider. To watch anything, you connect your own, separately obtained third-party IPTV subscription. The audiovisual streams flow directly between your provider and your device and do not pass through our servers, so we do not receive or log what you watch.
This policy covers the personal information we process as a controller. It does not cover the data practices of your chosen IPTV provider, the app stores, or the payment processors, each of which operates under its own privacy policy (see Section 12).
2. Information we collect
We aim to collect as little personal information as possible and to keep data on your device wherever we can. Many features work entirely offline; an account and cloud sync are optional. The table below summarises what we may collect, why, and (for users in the EEA, UK or Switzerland) the legal basis under the GDPR / UK GDPR.
| Category | Examples | Purpose | Legal basis (GDPR) |
|---|---|---|---|
| Account data | Email address; securely hashed password; email-verification and password-reset tokens (hashed at rest, single-use, rate-limited). | Create and secure your account; verify your email; enable password recovery; authenticate you (via a JWT stored locally on your device). | Performance of a contract; legitimate interests (account security). |
| IPTV provider connection details (sensitive) | Xtream Codes server host, username and password; or an M3U/M3U8 playlist URL — for each provider you add. | Connect the app to your own IPTV provider so you can play your content. For paid-tier users, these are cloud-synced so your providers appear on your other devices. | Performance of a contract (providing the core player and sync feature). |
| In-app configuration synced to the cloud | Your registered IPTV servers and your Live TV favorites (favorited categories and channels). | Sync your setup across your signed-in devices (paid tier only). Free-tier data stays on your device. | Performance of a contract. |
| Billing & entitlement identifiers | A processor customer ID, current plan, trial end date and entitlement status. We do not see or store card numbers. | Manage your subscription, free trial and access to paid features. | Performance of a contract; legitimate interests (fraud prevention); legal obligation (tax/accounting records held by our processors). |
| Device, technical & platform data | The platform your client reports (web, android, ios, windows, macos or linux); information needed to deliver our emails and operate the API. | Point verification and magic-link emails to the right place; operate, secure and troubleshoot the Service. | Legitimate interests; performance of a contract. |
| Communications & support | Emails you send us and their contents (e.g. to privacy@palmiptv.com). | Respond to your requests and provide support. | Legitimate interests; performance of a contract; legal obligation (handling rights requests). |
| Cookies & local storage | Minimal necessary cookies/tokens (e.g. your authentication JWT) and a local theme preference. | Keep you signed in and remember basic preferences. See Section 11. | Legitimate interests (strictly necessary storage); consent where required. |
Your IPTV provider credentials. Because these are sensitive, we want to be explicit. When you add a provider, the app stores the host, username and password (or playlist URL) you enter. If you are on the paid tier and signed in, these details are transmitted over HTTPS to our backend and cloud-synced so they appear on your other devices. Within our organisation, access is limited to the systems and personnel that operate the sync and support services, and the data is held in our PostgreSQL database (see Section 8). Free-tier users' provider details remain on their device and are not sent to us. We strongly recommend you use credentials that are unique to your IPTV provider and not reused elsewhere. Note that many IPTV providers deliver their streams over plain (unencrypted) HTTP, which is outside our control.
We do not knowingly collect special categories of personal data, and we do not ask you to provide them.
3. How we use your information
We use the information described above to:
- Provide the core media player and let you connect and play content from your own IPTV provider;
- Create, secure and authenticate your optional account, and verify your email address;
- Enable password reset and recovery;
- For paid-tier users, sync your registered IPTV servers and Live TV favorites across your devices;
- Manage your subscription, your 7-day free Premium trial, and your access to paid features;
- Send transactional emails (such as verification codes, magic links and password-reset messages) — we use the platform your client reports so these point to the right app or website;
- Provide customer support and respond to your enquiries;
- Operate, maintain, secure and improve the Service, including preventing fraud and abuse (for example, rate-limiting token requests);
- Comply with our legal obligations and enforce our Terms & Conditions.
4. Legal bases for processing (GDPR / UK GDPR)
If you are in the European Economic Area, the United Kingdom or Switzerland, we rely on the following legal bases under the GDPR / UK GDPR:
- Performance of a contract — to provide the Service you have asked for, including the player, your account, cloud sync and subscription management.
- Legitimate interests — to secure and improve the Service, prevent fraud and abuse, and respond to your communications, where these interests are not overridden by your rights.
- Legal obligation — to comply with applicable law (for example, tax and accounting records kept by our payment processors, and handling of privacy-rights requests).
- Consent — where we ask for it (for example, any non-essential cookies or storage). You may withdraw consent at any time without affecting prior processing.
5. How information is shared
We do not sell your personal information, and we do not "share" it for cross-context behavioural advertising as those terms are defined under California law. We disclose personal information only to the service providers ("sub-processors") that help us run the Service, and only as needed for them to perform their function on our behalf. Our current sub-processors are:
| Provider | Purpose | Notes |
|---|---|---|
| Resend | Sending transactional email (verification codes, magic links, password-reset messages). | Receives your email address and message content needed to deliver the email. |
| RevenueCat | Orchestrating in-app subscription purchases on the app stores. | Manages entitlements for Apple App Store (iOS/macOS) and Google Play (Android) purchases. |
| Stripe and/or Paddle | Processing Web/Windows/Linux payments. | Paddle may act as merchant of record. They handle card data directly; we do not receive card numbers. |
| [Hosting / database provider — e.g. cloud host & managed PostgreSQL provider] | Hosting our backend API and PostgreSQL database. | [Confirm provider, region and DPA before publishing.] |
We may also disclose personal information where required to comply with applicable law, a lawful request from a public authority, or legal process; to enforce our agreements; to protect the rights, safety and property of Palm IPTV, our users or others; or in connection with a merger, acquisition or sale of assets, in which case we will require the recipient to honour this policy or notify you of any material change.
6. International data transfers
We and our sub-processors may process personal information in countries other than your own, including [list of processing locations — e.g. the United States and the EU]. Where we transfer personal information out of the EEA, UK or Switzerland to a country that does not provide an adequate level of protection, we rely on appropriate safeguards such as the European Commission's [Standard Contractual Clauses / UK International Data Transfer Agreement or Addendum, as applicable]. You may request a copy of the relevant safeguards by contacting us at privacy@palmiptv.com.
7. Data retention
We keep personal information only for as long as necessary for the purposes described in this policy, after which we delete or anonymise it. In practice:
- Account, synced servers and favorites — kept while your account is active. If you delete your account, we delete or anonymise this data within [retention period — e.g. 30 days], except where we must retain certain records to meet legal obligations.
- Verification and password-reset tokens — single-use and short-lived; they expire and become invalid after use or after their [token expiry window].
- Billing and entitlement records — retained by us and/or our payment processors for as long as required for accounting, tax and audit purposes ([statutory retention period]).
- Support communications — retained for [support retention period].
8. Security
We take reasonable technical and organisational measures to protect personal information, including:
- Hashing account passwords (we never store passwords in plain text);
- Hashing email-verification and password-reset tokens at rest, and making them single-use and rate-limited;
- Transmitting data between our apps and our backend (back.palmiptv.com) over HTTPS;
- Storing authenticated sessions as a JWT held locally on your device rather than a long-lived server-side credential.
No method of transmission or storage is completely secure, and we cannot guarantee absolute security. Two points specific to IPTV are worth highlighting: (1) the audiovisual streams you play flow directly between your provider and your device, not through us; and (2) many IPTV providers deliver those streams over plain HTTP, which is outside our control. We therefore recommend you use credentials unique to your IPTV provider and keep your devices secure.
9. Your privacy rights
EEA, UK & Switzerland (GDPR / UK GDPR)
Subject to applicable law, you have the right to: access your personal data; have it rectified if inaccurate; have it erased; restrict or object to its processing; receive it in a portable format; and withdraw consent where processing is based on consent. You also have the right to lodge a complaint with your local supervisory authority (in the UK, the Information Commissioner's Office; in the EEA, your national data protection authority).
California (CCPA / CPRA)
If you are a California resident, you have the right to know what personal information we collect and how we use and disclose it; to request deletion of your personal information; to request correction of inaccurate personal information; and to opt out of the "sale" or "sharing" of your personal information. We do not sell or share your personal information, so there is nothing to opt out of, but you may still exercise your other rights. We will not discriminate against you for exercising any of these rights.
How to exercise your rights
To make a request, email us at privacy@palmiptv.com. We will verify your request (for example, by confirming control of your account email) and respond within the timeframe required by applicable law. You may use an authorised agent where the law permits.
10. Children's privacy
The Service is intended for adults. You must be at least [18] years old, or the age of majority in your jurisdiction, to use the Service. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us at privacy@palmiptv.com and we will take steps to delete it.
11. Cookies & local storage
Our marketing site and web app use minimal, necessary local storage and cookies/tokens — for example, your authentication JWT to keep you signed in, and a local theme preference (light/dark). Palm IPTV [does not currently use third-party analytics or serve advertising — CONFIRM before publishing; if any analytics/crash-reporting SDK is added, list it here]. If we introduce non-essential cookies or analytics in the future, we will update this policy and, where required, ask for your consent first.
12. Third-party services & links
The Service connects to and links to services operated by others, each governed by its own privacy practices, not this policy:
- Your IPTV provider. The provider whose credentials you enter has its own privacy policy and terms; your relationship for the content itself is with them.
- App stores and payment processors. Apple App Store, Google Play, RevenueCat, Stripe and Paddle handle purchases under their own policies and receive the information needed to process your payment.
- Other links. Our sites may link to third-party websites we do not control.
We encourage you to review the privacy policies of any third party before providing them with your information.
13. Changes to this policy
We may update this policy from time to time to reflect changes in our practices, technology or legal requirements. When we make material changes, we will update the "Last updated" date above and, where appropriate, notify you through the Service or by email. Your continued use of the Service after an update takes effect means you accept the revised policy.
14. Contact us
If you have questions, concerns or requests about this policy or your personal information, contact us at:
- Email: privacy@palmiptv.com
- Legal entity: [Legal entity name]
- Postal address: [Registered postal address]
- Data Protection Officer (if appointed): [DPO name / contact, or "not appointed"]
- EU / UK representative (if applicable): [Art. 27 EU representative and/or UK representative, or "not applicable"]
The data controller for your personal information is [Legal entity name and registered address], and the governing law of this policy is [governing law / jurisdiction].
For the terms that govern your use of the Service, please also read our Terms & Conditions.