Privacy Policy

Last updated: March 27, 2026

1. Data Controller

StreamReader is operated by Hovestadt Marketing, based in the Netherlands.

Contact for privacy inquiries: data@hovestadtmarketing.com

2. What Data We Collect

Account Data

When you create an account via email or Google OAuth, we collect:

Email address
Name (if provided via Google OAuth)
Authentication tokens (managed by Supabase)

Payment Data

Payments are processed by Stripe. We do not store credit card numbers. We receive from Stripe: your Stripe customer ID, subscription status, and billing email. See Stripe's Privacy Policy.

Content Data

Documents you upload are processed locally in your browser. Extracted text may be stored on our servers (Supabase, hosted in Ireland, EU) to enable cloud sync features. We store:

Extracted text content from your documents
Reading positions and progress
Highlights and annotations you create

We do not store original PDF or EPUB files on our servers. Original files are processed client-side only.

Usage Data

With your consent, we collect analytics data via Google Analytics (GA4):

Pages visited and features used
Reading speed preferences
Device type and browser
Approximate location (country/region level)

This data is anonymized and used to improve the Service. Analytics cookies are only set after you provide consent.

Technical Data

IP address (for security and abuse prevention)
Browser type and version
Operating system

3. Legal Basis for Processing

Data	Legal basis	GDPR Article
Account data	Performance of contract	Art. 6(1)(b)
Payment data	Performance of contract	Art. 6(1)(b)
Content data	Performance of contract	Art. 6(1)(b)
Analytics data	Consent	Art. 6(1)(a)
Technical/security data	Legitimate interest	Art. 6(1)(f)

4. How We Use Your Data

To provide and maintain the Service (reading, highlights, library)
To process payments and manage subscriptions
To sync your reading progress across devices
To improve the Service based on usage patterns (with consent)
To communicate about your account or service changes
To prevent abuse and ensure security

5. Third-Party Processors

Service	Purpose	Location	Transfer mechanism
Supabase	Authentication, database	Ireland (EU)	N/A (EU)
Stripe	Payment processing	US	EU-US Data Privacy Framework
Google (GA4/GTM)	Analytics	US	EU-US Data Privacy Framework
Google (OAuth)	Authentication	US	EU-US Data Privacy Framework
Vercel	Hosting, CDN	Global (US-based)	EU-US Data Privacy Framework

6. Data Retention

Account data: Retained while your account is active. Deleted within 30 days of account deletion.
Content data: Retained while your account is active. Deleted within 30 days of account deletion.
Payment data: Retained by Stripe per their policies. We retain subscription status for the duration of your account.
Analytics data: Retained by Google per GA4 default settings (14 months).
Technical logs: Retained for up to 90 days for security purposes.

7. Your Rights (GDPR)

Under the GDPR, you have the following rights:

Access: Request a copy of your personal data
Rectification: Correct inaccurate data
Erasure: Request deletion of your data ("right to be forgotten")
Restriction: Request limited processing of your data
Portability: Receive your data in a structured, machine-readable format (use the "Export my data" feature in Settings)
Objection: Object to processing based on legitimate interest
Withdraw consent: Withdraw analytics consent at any time via cookie settings

To exercise any of these rights, contact us at: data@hovestadtmarketing.com

We will respond within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with the Dutch Data Protection Authority:

Autoriteit Persoonsgegevens
Website: autoriteitpersoonsgegevens.nl

8. Cookies

We use the following cookies:

Cookie	Purpose	Duration	Type
sr-auth	Authentication session	Session	Necessary
sr_theme	Theme preference	Persistent	Necessary
sr_tos_accepted	TOS acceptance	Persistent	Necessary
_ga, _ga_*	Google Analytics	2 years	Analytics (consent required)
_gid	Google Analytics	24 hours	Analytics (consent required)

Analytics cookies are only set after you provide explicit consent via our cookie banner. You can withdraw consent at any time.

9. Security

We implement appropriate technical and organizational measures to protect your data, including:

HTTPS encryption for all data in transit
Row-level security on database tables
Supabase authentication with JWT tokens
Stripe PCI-DSS compliance for payment data
Access controls limiting data access to authorized personnel

No system is 100% secure. If we become aware of a data breach affecting your personal data, we will notify you and the relevant authorities as required by law.

10. Children

StreamReader is not intended for children under 16 years of age. We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact us at data@hovestadtmarketing.com.

11. Automated Decision-Making

We do not use automated decision-making or profiling that produces legal effects or similarly significant effects on you.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or in-app notification at least 30 days before they take effect.

13. Contact

Hovestadt Marketing
Privacy inquiries: data@hovestadtmarketing.com
Copyright notices: data@hovestadtmarketing.com
Website: streamreader.io

See also: Terms of Service · Back to StreamReader