HippieTV
Créer un compte

Legal · Last updated 14 maggio 2026

Privacy policy

This policy describes how JOLABS40we ») collects, uses and protects personal data of users of the HippieTV service (« you »), in compliance with Regulation (EU) 2016/679 (« GDPR ») and the French Data Protection Act.

1. Data controller

Controller
JOLABS40, represented by its President
Contact
[email protected]
Postal address
61 rue de Lyon, 75012 Paris, France

2. Data collected and purposes

2.1 Strictly necessary account data

  • Email — for authentication, service notifications and support.
  • Password (optional) — stored hashed with Argon2id, never in plaintext.
  • Locale (preferred language) — to serve the UI in the right language.
  • Device identifiers (non-reversible hardware fingerprint) — for account security (multiple session management).

2.2 Payment data

Payment data (card numbers, IBAN, etc.) is never processed by us. It is collected and stored exclusively by our provider Lemon Squeezy LLC (Merchant of Record). We only receive transaction status (success, failure, refund) needed for subscription management.

2.3 Technical data

  • Hashed IP address (SHA-256 with secret salt) — for security (rate-limiting, abuse detection). Plaintext IP is never stored.
  • Approximate country (derived from IP via Cloudflare) — for geographical display of active sessions in the « My devices » screen.
  • User-Agent (OS and browser version only, no detailed fingerprint) — for technical support.
  • Audit logs (logins, logouts, account changes) — for security.

2.4 Data NOT collected

  • Your Xtream Codes credentials or IPTV playlist: they remain encrypted on your device only (OS keyring) and never reach us.
  • The content of your viewing (channels watched, duration, etc.) on the Free plan.
  • No biometric, health or sensitive data.

3. Legal bases

  • Performance of contract (art. 6.1.b GDPR) — for account, subscription and authentication management.
  • Legal obligations (art. 6.1.c GDPR) — for invoicing and accounting retention (10 years).
  • Legitimate interest (art. 6.1.f GDPR) — for service security (audit logs, rate-limiting, fraud detection).
  • Consent (art. 6.1.a GDPR) — only for non-essential communications (newsletter, explicit opt-in).

4. Retention period

  • Active account data: for the entire account lifetime.
  • After account deletion: 30 days of technical archival, then permanent deletion.
  • Invoices and accounting data: 10 years (French Commercial Code requirement).
  • Audit logs: kept for the lifetime of the account + 30 days after deletion, for security and technical diagnostic.
  • Cloudflare server logs: 24 hours (Cloudflare default policy).

5. Subprocessors

We use the following subprocessors, all under data processing agreements (DPA):

Cloudflare, Inc. (USA)
Hosting, CDN, application security. Transfer outside EU framed by European Commission's Standard Contractual Clauses.
Lemon Squeezy LLC (United States)
Payment processing, invoicing, VAT collection. Merchant of Record. Transfer outside EU framed by European Commission's Standard Contractual Clauses.
Resend (USA)
Transactional email delivery (magic link, password reset, notifications). No content storage beyond what's necessary for delivery.

6. Your rights

Pursuant to GDPR, you have the following rights:

  • Right of access to your data (art. 15);
  • Right to rectification (art. 16);
  • Right to erasure (art. 17);
  • Right to restriction of processing (art. 18);
  • Right to portability (art. 20) — JSON export of your data available in My Account;
  • Right to object (art. 21);
  • Right to withdraw consent at any time, without retroactive effect.

To exercise these rights: [email protected]. Response within 30 days (1 month) maximum.

In case of disagreement, you may also lodge a complaint with the CNIL (www.cnil.fr) or with the supervisory authority of your country of residence.

7. Security

Technical and organisational measures implemented:

  • Mandatory TLS 1.3 encryption for all communications (HTTPS).
  • Passwords hashed with Argon2id, unique salts, never in plaintext.
  • One-shot rotation auth tokens, replay detection.
  • httpOnly + Secure + SameSite=Lax session cookies.
  • Audit logs for any sensitive change (login, logout, password change, device revocation).
  • SHA-256 hashing of emails and IPs with secret salts at storage; no plaintext storage.

8. Cookies

See our cookie policy for details on cookies used and how to manage them.

9. Minors

The HippieTV service is not intended for people under 16. If you discover that a minor has created an account, write to us at [email protected] for immediate deletion.

10. Changes

This policy may be modified. Any substantial modification is notified by email at least 30 days before its entry into force.

11. Contact

For any question about your data: [email protected].