No analytics. No cookies. No email required to sign up.
Privacy Policy
Last updated: 31 May 2026
Summary
Live streams are end-to-end encrypted. Our servers relay ciphertext, never plaintext.
We don't log your IP or activity. IPs stay in memory for rate limiting only.
Hetzner DE. Spanish operations. GDPR baseline for every user worldwide.
Who we are
Atalaia is operated from Spain. The service runs on infrastructure located in Germany (Hetzner Online GmbH), inside the European Union.
Privacy questions, deletion requests, GDPR requests:
atalaiaapp.6c1ta@anonaddy.me
What we collect
The minimum required to run the service:
- Account ID: a random identifier generated on your device. We never ask for your name, email, phone, or address.
- Password hash: your password is hashed with bcrypt before it reaches our servers.
- Refresh tokens: random strings that keep you signed in for up to 30 days. Rotated single-use.
- Premium status: whether your account has an active subscription and until when.
- Invoice records: invoice ID, amount, currency, and status (issued/paid/expired). No wallet addresses or transaction IDs linked to your account.
What we do NOT collect
- IP address & activity logs: our servers write no access logs. Your IP is used only transiently in memory for rate limiting, then discarded. Never stored.
- Your footage: live streams are end-to-end encrypted between your phone and your viewer. We never see, store, or process video.
- Your location: Atalaia does not request GPS or collect any location data.
- Contacts, photos, files, or device identifiers: none of it touches our servers.
- Analytics: no Google Analytics, no Meta Pixel, no third-party trackers.
- Email address: we never require an email to sign up. If you contact us by email, we use it only to reply to that thread.
- Tracking cookies: the web viewer uses
localStorageonly to keep you signed in.
Legal basis for processing
| Data | Purpose | Legal basis |
|---|---|---|
| Account ID + password hash | Authenticate you on each device | Contract |
| Refresh tokens | Keep you signed in without re-typing password | Contract |
| Premium status | Enforce paid features (HD, multi-viewer) | Contract |
| Invoice records | Accounting and dispute resolution | Legal obligation + legitimate interest |
Who has access
- Atalaia operators: only when investigating bugs or abuse reports.
- Hetzner: our infrastructure provider sees encrypted data at rest. Privacy policy.
- BTCPay Server: our self-hosted payment processor. It only receives invoice metadata: amount and payment status.
We do not transfer your data outside the EU/EEA.
How long we keep your data
| Data | Retention | Why |
|---|---|---|
| Free accounts (inactive) | 15 days | Auto-deleted, including all tokens and invoices |
| Premium accounts | While active | 15-day rule resumes after premium expires |
| Invoice records | 6 years | Spanish accounting law, even after account deletion. Contains only invoice ID, amount, currency, status, and the account ID at time of issue. |
| Server access logs | None | We don't write them |
Your rights
Under GDPR (extended to every Atalaia user globally), you have the right to:
- Access: get a copy of all data we hold about you.
- Delete: wipe your account and all associated data. Use "Delete account" in the app, or email us. Invoice records are kept for legal reasons but contain no personal data beyond your account ID.
- Rectify: correct any incorrect data.
- Restrict: pause processing of your data.
- Portability: receive your data in a machine-readable format.
- Object: to processing based on legitimate interest.
- Complain: to your national data protection authority. In Spain: aepd.es.
We respond to all requests within 30 days. No fees.
Email: atalaiaapp.6c1ta@anonaddy.me
Security
Passwords hashed with bcrypt, all traffic encrypted in transit with TLS 1.2+. Live video is end-to-end encrypted between devices over WebRTC (DTLS-SRTP). Recordings add a post-quantum hybrid KEM (X25519 + ML-KEM-768) wrapping a per-video AES-256-GCM key.
Changes to this policy
Material changes will be announced via the app and website at least 30 days before taking effect. Continued use after changes take effect constitutes acceptance.
Contact
Privacy questions, GDPR requests, security disclosures:
Spanish data protection authority: aepd.es