Privacy Policy
Last updated: 2026-05-10
Chatocalypse ("we", "us", "the service") is a tool that lets your livestream viewers trigger in-game effects on your stream. To do that we have to know who you are on the platforms you stream from (Twitch, TikTok, and more we may add later) and host a relay that shuttles events from those platforms to your overlay and your game. This page explains exactly what we collect, why, where it lives, and how to get rid of it.
1. Who we are
Chatocalypse is operated by an independent developer. We do not sell ads, we do not sell user data, and we do not have an advertising network or analytics partner embedded in our site. The service runs on Cloudflare Workers and Cloudflare D1 (a SQLite-compatible database hosted at the network edge).
2. What we collect
We collect three categories of data:
- Account identity — the minimum needed to identify you on the platforms you connect (your Twitch user ID, your TikTok open_id, or your email if you signed up by email).
- Service configuration — your Chatocalypse slug, the secret stream key the desktop app uses to publish to our relay, and the overlay configuration JSON (theme, position, animations, etc.) you save from the dashboard.
- Live event traffic — chat messages, gifts, follows, subscriptions, channel-point redemptions, and similar viewer events that the desktop app or a connected provider streams to your relay so it can be delivered to your overlay and your game.
Live event traffic is not stored. It passes through a Durable Object in memory, fans out to subscribed overlay browsers and to your game, and is dropped. We do not log individual chat messages, gift contents, or viewer usernames to our database.
3. Why we collect it
- To create your account and let you sign in next time.
- To produce stable URLs (your slug) and authenticate your desktop app to our relay (your stream key).
- To remember your overlay preferences across browser sessions.
- To route real-time events from your viewer-facing platforms to the right overlay and game on your machine.
We do not use your data to build advertising profiles, train machine-learning models, or sell to third parties.
4. Twitch data
When you click "Sign in with Twitch", Twitch redirects you to their consent screen. We request the user:read:email scope. If you approve, we receive:
- your Twitch numeric user ID,
- your Twitch login (the @handle in your URL),
- your Twitch display name,
- your Twitch email address (only if you have one set on the Twitch account and only because Twitch returns it with the identity scope).
We use your Twitch user ID as a stable lookup key. The login and display name show on your dashboard so you can confirm you signed in to the right account. Your email is stored only so we can recognize you again if you later sign in by email; we don't send you marketing email.
All chat reading, EventSub subscriptions, and bot interactions happen locally on the desktop app you install on your stream PC, using a separate Twitch token that you authorize directly on that machine. The cloud service does not hold any Twitch token capable of reading chat, posting messages, or subscribing to EventSub on your behalf.
5. TikTok data
When you click "Sign in with TikTok", TikTok redirects you to their consent screen. We request the user.info.basic and user.info.profile scopes. If you approve, we receive and store:
- open_id — a stable per-app identifier for your TikTok account. This is our primary lookup key.
- union_id — a cross-app identifier (only populated if your TikTok account is part of a TikTok business account).
- display_name and avatar_url — to show "Connected as <name>" on the dashboard.
- username — your @handle, used so cloud-routed TikTok LIVE events can be matched to your account.
- The OAuth access_token, refresh_token, and their expiry. These let us fetch your basic profile once, and let us call TikTok's revoke endpoint when you click Disconnect so the consent grant is actually withdrawn (not just removed from our database).
The TikTok scopes we request are read-only and limited to public profile information. The token we store cannot post videos, cannot follow or message anyone, cannot read your inbox, and cannot take any action on your account other than reading the same fields above.
TikTok LIVE events
TikTok does not currently expose an official EventSub-style public webhook for LIVE chat, gifts, follows, or shares. So if you choose to use cloud-mode TikTok routing, those events come from one of three sources, depending on what mode the operator (us, or a self-hosted instance) has configured:
- Disabled (default in our public service): no cloud TikTok ingest. You can still receive TikTok events via the optional desktop app.
- Managed provider: a paid third-party TikTok LIVE event provider runs the integration and forwards normalized events to us. We do not relay your TikTok session cookies or login credentials.
- Official partner: reserved for explicit TikTok-approved partner access. We will only enable this with TikTok's written agreement.
- Experimental unofficial: development only; not used in our public service. Disabled by default.
TikTok webhooks
We subscribe to TikTok's authorization.removed webhook. If you revoke our app's access from TikTok's app management page, TikTok notifies us and we immediately delete your TikTok identifiers from our database — independent of whether you also use our in-app Disconnect button.
6. Other platforms (future)
We may add support for additional streaming and chat platforms (for example YouTube Live, Kick, Discord). Each new platform will follow the same rules:
- We request the minimum scopes needed for your stated use case.
- We store only the identifiers and tokens necessary to keep you signed in and to revoke access when you disconnect.
- This page will be updated to list each new platform's specific data with the same level of detail as the Twitch and TikTok sections above.
- We will not enable a new platform's ingest without disclosing it here first.
7. Email signup
If you sign up with an email address, we store the lowercased email and a magic-link token (a 64-character random string). The token is single-use and expires 30 minutes after issue. We send the link via Resend (https://resend.com), which acts as our email-delivery processor under their privacy terms. We do not send marketing email; the only message you'll receive is the sign-in link you requested.
8. Cookies and sessions
We set two cookies, both first-party, both HttpOnly + Secure + SameSite=Lax:
- cc_session — a signed reference to your session row, valid 30 days. Identifies you to the dashboard. Cleared when you sign out.
- cc_oauth_state — a short-lived (10 minute) cookie used to pin an OAuth redirect to the browser tab that initiated it (CSRF defense on the OAuth callback). Cleared as soon as you complete sign-in.
We do not use third-party cookies, tracking pixels, or analytics cookies. There is no Google Analytics, no Facebook Pixel, no Meta tracking, and no advertising SDK on this site.
9. Who we share data with
- Cloudflare — hosts the Worker, the Durable Object relay, the D1 database, and serves static assets. Cloudflare sees the requests it processes for us in the normal course of running our infrastructure.
- Twitch — only the OAuth handshake itself, during sign-in. We do not push data back to Twitch.
- TikTok — the OAuth handshake plus webhook receipts. When you click Disconnect we POST to TikTok's revoke endpoint with the access token so the grant is withdrawn on TikTok's side.
- Resend — only when you request an email magic link, and only the recipient address and the link itself.
- TikTok LIVE event provider — only when you (or the operator) have enabled cloud-mode TikTok ingest in managed_provider or official_partner mode, and only the @handle the provider needs to route events to your account.
We do not sell or rent your data. We do not share it with advertisers, data brokers, or model-training datasets.
10. How long we keep it
- Account identity (Twitch ID / TikTok open_id / email): until you delete the account.
- Stream key, slug, and overlay configuration: until you delete the account or change them.
- Sessions: 30 days from the last sign-in, or until you sign out.
- Magic-link tokens: 30 minutes, single-use.
- TikTok OAuth tokens: until you click Disconnect, until TikTok notifies us via webhook that you revoked, or until you delete the account — whichever happens first.
- Live event traffic: not stored. Held in memory only long enough to fan out to subscribers (typically milliseconds).
11. Deleting your account or disconnecting a platform
From the dashboard you can:
- Disconnect TikTok — calls TikTok's revoke endpoint to invalidate the OAuth grant on TikTok's side, then clears open_id, union_id, handle, display name, avatar, and stored tokens from our database.
- Sign out — drops the session cookie and deletes the session row.
To delete your full account (including your slug, stream key, saved overlay configuration, and any linked platform identities), email us at the address in §15 with the subject "Delete my account" from the email associated with the account, or from an account whose Twitch / TikTok identity you can prove. We confirm the deletion within 30 days.
12. Your rights
Depending on where you live, you may have the right to access, correct, or delete the personal data we hold about you, to object to or restrict certain processing, and to lodge a complaint with your data protection authority. You can exercise these rights by emailing us — see §15.
13. Children
Chatocalypse is not directed at children under 13. We do not knowingly collect personal data from children under 13. If you believe we have, contact us and we will delete it.
14. Changes to this policy
If we change this policy in a way that affects what we collect or who we share it with, we will update the date at the top and note the substantive change in our release notes. Continued use after a change means you accept the updated terms; if you don't, see §11 to delete your account.
15. Contact
Questions or requests: privacy@chatocalypse.com.