Privacy Policy
Last updated: 2026-04-23
Data controller: Zbelthas, sole proprietor, Italy
Contact: privacy@limpido.app
Partita IVA: (to be inserted at launch)
We designed Limpido around the idea that software should work for you, not on you.
1. The honest summary
- No telemetry by default. Limpido installs silently and does not send us anything unless you explicitly opt in.
- We never see your email. Your email stays at Stripe. We store only a hash.
- We never see your videos or what you watch. The content-script runs locally; it never calls home.
- We do see the minimum needed to deliver your license. One-way hashes of your device fingerprint so we can enforce the device limit.
- We follow GDPR. You have rights over your data, listed in §7.
2. What we collect
2.1 Purchase data (via Stripe)
Stripe collects your email, payment method, billing country, IP, and transaction history. We receive from Stripe: a customer ID, product/price ID, transaction amount, and a SHA3-256 hash of your email.
2.2 License activation data
A one-way hash of a stable device identifier (SHA3-256 of MAC, CPU vendor, disk serial). Your OS and CPU architecture. Timestamps and a random install ID.
2.3 Operational data (Cloudflare)
Request logs at Cloudflare retain IP addresses for up to 7 days for anti-abuse. Our API logs store request ID, route, status code, duration — never IP, email, or license key.
2.4 Optional telemetry (OFF by default)
If enabled: app version, OS version, aggregate feature counts, crash reports (stack trace only, no memory/disk/URLs).
2.5 IPTV module — credentials and watch state
When you import an Xtream Codes account, the password is AES-256-GCM-encrypted before it touches the disk; the key is wrapped in the OS keyring (macOS Keychain, Windows DPAPI, Linux Secret Service) and never leaves your machine. M3U URLs and Xtream hosts are stored verbatim. Stream URLs are routed through a loopback HTTP proxy bound to 127.0.0.1 so the WebView never receives cleartext credentials.
Per-channel state — favorites, watch progress, recently-watched, stream-health attempts, EPG cache
— lives entirely in the local sled databases (playlists_db and epg_db under the app data dir). Nothing is uploaded to our servers; we have no record
of which channels you watch, when, or for how long.
3. What we do not collect
Your email plaintext, IP (beyond Cloudflare), name, address, browsing history, video activity, or tracking cookies. Specifically on the IPTV side: we never see your IPTV provider's hostname, your Xtream username/password, the channels in your playlist, or what you watch. Every IPTV fetch goes from your machine directly to the provider you configured.
4. Legal basis (GDPR)
- Contract performance (Art. 6(1)(b)): processing necessary for license delivery.
- Legitimate interest (Art. 6(1)(f)): anti-fraud, audit logs, kill-switch.
- Consent (Art. 6(1)(a)): optional telemetry and crash reports.
5. Recipients and sub-processors
| Purpose | Provider | Location | Safeguards |
|---|---|---|---|
| Payment | Stripe Payments Europe, Ltd. | Ireland | SCCs + DPA |
| Hosting + CDN | Cloudflare, Inc. | Global (EU-preferred) | SCCs + DPA |
| Resend, Inc. | US | SCCs + DPA |
No data is sold. No data is shared with advertisers.
6. International transfers
All transfers rely on Standard Contractual Clauses (SCCs) and supplementary measures including TLS + hybrid post-quantum encryption.
7. Your rights (GDPR Chapter III)
- Access (Art. 15) — request a copy of your data.
- Rectification (Art. 16) — correct inaccurate data.
- Erasure (Art. 17) — delete your data (fiscal law exceptions).
- Restriction (Art. 18) — restrict processing during disputes.
- Portability (Art. 20) — receive data in machine-readable format.
- Object (Art. 21) — object to legitimate-interest processing.
- Withdraw consent at any time for optional telemetry.
- Complain to the Garante per la Protezione dei Dati Personali — garanteprivacy.it.
Self-service paths:
- Erasure (Art. 17) — visit Account → Settings → Danger zone (web) or the same page in the desktop app, and click Delete my account permanently. We immediately cancel any active Stripe subscription, wipe your account row (cascades to licenses, devices, sessions, TOTP secret, backup codes, passkeys, preferences), and revoke every trusted-device cookie. Past Stripe invoices are retained for 10 years under Italian fiscal law (Codice Civile art. 2220); audit-log events are retained for 7 years cold for security obligations under GDPR Art. 17 §3(b).
- Portability (Art. 20) — same page, Export my data. Downloads a JSON file containing your account row, licenses, devices, sessions metadata, TOTP enrolment status (without the secret), passkey metadata (without public keys), preferences, trusted-browser counts, and Stripe invoices. Credential material is intentionally excluded — it is one-way and useless to import elsewhere.
For every other right — and for the carve-outs we keep (e.g. fiscal-law invoice retention) — email privacy@limpido.app. We respond within 30 days.
8. Retention
| Data | Retention |
|---|---|
| Email hash, license, device hashes | Life of license + 6 months |
| Invoice records | 10 years (Italian fiscal law) |
| Support emails | 12 months |
| Edge access logs | 7 days |
| API logs | 30 days hot + 365 days cold |
| Audit events | 90 days hot, 7 years cold |
| Optional telemetry | 24 months; aggregated after 6 |
9. Security
Hybrid classical + post-quantum cryptography throughout: Ed25519 + ML-DSA-65 for signatures; X25519 + ML-KEM-768 for key exchange; AES-256-GCM at rest.
10. Contact
- Privacy: privacy@limpido.app
- Security: security@limpido.app (PGP encouraged)
- Billing: billing@limpido.app