The legally binding version of this document is the French one. This English version is a courtesy translation.
Last updated: 2026-05-26
Privacy Policy -- TIVERA
Version: 2.0-beta -- DRAFT (rewrite post-cloud self-hosted) Effective date: 2026-06-01 Last updated: 2026-06-01 Reference language: French (controller jurisdiction: Morocco -- Law 09-08, supervisory authority CNDP; GDPR applies extraterritorially -- Art. 3.2 -- for users residing in the EU/EEA)
⚠️ DRAFT -- TO BE VALIDATED BY A LAWYER (CNDP / Law 09-08 + GDPR) before publication. This rewrite discloses the optional cloud account + the self-hosted telemetry now in production (version 1.5-beta did not cover them). Fields still to complete are marked
[A COMPLETER : ...](gated by the incorporation of the LLC / a Moroccan postal address).Editor: Mitchou, natural person under Moroccan law. The incorporation of TIVERA LLC (Wyoming) + the activation of payments (Stripe / PayPal / BTCPay) will be the subject of an update (data controller, transfers, EU representative).
TL;DR
TIVERA is an Android BYOC IPTV player application (Bring Your Own Content). You import your own streams (M3U / Xtream Codes / EPG XMLTV). We do not host, distribute, or suggest any content.
- The core of the app (BYOC playback) requires NO account: your streams, credentials, and history stay locally on your device, encrypted (SQLCipher AES-256 + Google Tink AEAD). Nothing is sent to our servers.
- An account is OPTIONAL: only if you activate Premium or multi-device synchronization. It then processes a minimal surface (your email, your subscription status, the list of your devices, your invoices) on our self-hosted backend.
- Anonymous telemetry: to improve stability and the app, we collect anonymous usage statistics and crash reports, keyed by a pseudonymous per-installation identifier (never your identity, never your streams/channels).
- Zero advertising, zero third-party tracker, zero data sale.
1. Data Controller (GDPR Art. 13.1.a)
| Field | Value |
|---|---|
| Editor | Mitchou (independent publisher, individual under Moroccan law) |
| Commercial name | TIVERA |
| Contact email | [email protected] |
| Privacy email | [email protected] |
| Postal address | [A COMPLETER : adresse postale Maroc valide pour notice legale] |
| Data Protection Officer (DPO) | Not required (GDPR Art. 37 -- independent publisher, < 250 employees, no large-scale processing of sensitive data) |
| EU Representative (GDPR Art. 27) | [A COMPLETER : a designer avant le lancement public -- requis car responsable hors UE ciblant des utilisateurs UE] |
| Applicable jurisdiction | Morocco -- Law 09-08 (authority: CNDP). GDPR extraterritorially (Art. 3.2) for EU/EEA users. |
Committed response time: 30 days (GDPR Art. 12.3).
2. Nature of the application (GDPR Art. 13.1.c)
TIVERA is a generic BYOC IPTV player distributed as a direct APK (and via the stores). The Android package is com.mitchou.iptvpro.
What TIVERA IS:
- A multimedia (video / audio) stream player for content you bring yourself.
- A local organizer of your sources (M3U URL, Xtream Codes API, EPG XMLTV).
- A local diagnostic tool + a local recorder (DVR) on your demand.
- Optionally: an account service (Premium + synchronization of subscription status across your devices), via a backend that we operate (see § 3.4).
What TIVERA IS NOT:
- Not a content distribution service (zero pre-loaded channels, zero catalog).
- Not an algorithmic recommendation service.
- Not an advertising service (zero advertising tracker, zero third-party ad network).
Important: using TIVERA to play your streams requires no account and no connection to our servers. The account (§ 3.4) and the telemetry (§ 3.5) are the only processing operations involving our servers; they are described in detail below.
You are solely responsible for the streams you import. See Terms of Service and DMCA Policy.
3. Data processed (GDPR Art. 13.1.c, 13.2.a)
3.1 Data entered by the user -- stored locally on your device only
| Data | Purpose | Legal basis (GDPR Art. 6) | Storage | Retention |
|---|---|---|---|---|
| M3U URL / playlist | Playback of your streams | Contract performance (6.1.b) | Local, SQLCipher AES-256 | Until manual deletion / uninstall |
| Xtream credentials (host, user, password) | Connection to your IPTV panel | Contract performance (6.1.b) | Local, Google Tink AEAD (Android Keystore key) above SQLCipher | Same |
| EPG XMLTV URL / mappings | Program guide | Contract performance (6.1.b) | Local, SQLCipher AES-256 | Same |
| Watch history + resume position | "Continue Watching" | Contract performance (6.1.b) | Local, SQLCipher AES-256 | Same |
| Favorites | UI personalization | Contract performance (6.1.b) | Local, SQLCipher AES-256 | Same |
Recordings (DVR .ts/.mp4) | Time-shifted viewing on your demand | Contract performance (6.1.b) | Local, unencrypted, scoped storage | Same |
| UI preferences | UX personalization | Legitimate interest (6.1.f) | Local, DataStore Proto | Same |
None of this data is transmitted to Mitchou or to any third party.
3.2 Data collected automatically by the application
| Data | Collected? |
|---|---|
| Advertising identifier (AAID/GAID) | No |
| Geolocation | No |
| Contacts / SMS / calls | No |
| Photos / files (excluding explicit DVR) | No |
| Biometrics | No |
| Hardware identifier (Android ID, IMEI, MAC) | No |
| Microphone / camera | No (permissions not declared) |
| IP address | Not for ordinary browsing. However, during sensitive account-related operations (device revocation, pairing, GDPR requests, rate limiting), our backend temporarily logs the client IP + the User-Agent in an audit log (audit_log) for security / anti-abuse purposes -- see § 3.4. Retention 90 days, anonymized upon account deletion. |
3.3 Technical data transmitted to the servers you configure
When you import an Xtream panel or an M3U/EPG URL, your requests leave your device toward the server you chose (neither Mitchou nor TIVERA). That server receives your IP, your Xtream credentials, and your User-Agent. We have no control over its privacy policy -- review it before entrusting it with your credentials.
3.4 TIVERA cloud account -- OPTIONAL (Premium / multi-device)
If -- and only if -- you create an account (to activate Premium or synchronize your status across devices), we process a minimal surface of data on our self-hosted backend (PocketBase software, on Mitchou's infrastructure in Morocco, exposed via Cloudflare Tunnel). None of your streams, Xtream credentials, channels, or history is ever sent to this backend -- they stay on your device (§ 3.1).
| Data | Purpose | Legal basis |
|---|---|---|
| Email (magic-link / OTP code sign-in, or optional "Continue with Google") | Identify your account, send you the sign-in code | Contract performance (6.1.b) |
Subscription status (entitlement: plan, provider, expiry date) | Grant access to Premium on your devices | Contract performance (6.1.b) |
| Devices (id, name given by you, platform, last activity -- max 5) | Manage your devices + security | Contract performance + legitimate interest (security) |
| Pairing (ephemeral hashed token, expires in 5 min, single use) | QR sign-in between devices | Contract performance (6.1.b) |
| Invoices (metadata: displayed amount, status, PDF link hosted by the payment provider) | Accounting obligation / disputes | Legal obligation (6.1.c) |
Audit log (audit_log: action, client IP, User-Agent, email reduced to domain) | Security / anti-abuse / GDPR proof | Legitimate interest (6.1.f) |
- The eventual password is stored hashed (never in clear text). The pairing tokens are stored hashed (SHA-256), never in clear text.
- Retention: until the deletion of your account (§ 5, right to erasure -- cascade purge), except invoices (accounting obligation, see § 10) and the audit log (90 d, PII anonymized upon deletion).
3.5 Telemetry (usage statistics + crash reports) -- anonymous / pseudonymous
To improve stability and the application, we collect telemetry keyed by a pseudonymous installId: a random UUID generated per-installation, without any hardware identifier, without email, without PII, and never linked to your account.
| Stream | Data | Purpose | Legal basis | Retention |
|---|---|---|---|---|
Usage statistics (app_events, our backend) | pseudonymous installId, usage event (e.g. screen opening), platform, app version | Product metrics (active users, retention) | Legitimate interest (6.1.f) -- [A COMPLETER : a confirmer avec l avocat : interet legitime vs consentement pour l analytics] | 90 days |
| Crash reports | pseudonymous installId, call stack, technical event thread (breadcrumbs redacted), device model, version | Diagnostics + stability | Legitimate interest (6.1.f) | 90 days |
Aggregates (daily_metrics, our backend) | pseudonymous installId, aggregated counters and percentiles (no channel name, no URL) | Version comparison, trends | Legitimate interest (6.1.f) | 180 days |
Crash tools: transition in progress from Google Firebase Crashlytics (legacy) to self-hosted GlitchTip (sentry.tivera.tv, Mitchou's infrastructure). During the transition, both may coexist; Crashlytics remains opt-in (disabled by default, Settings -> Privacy). The full diagnostic dump, for its part, goes to our backend (self-hosted).
What is NEVER in the telemetry: your M3U/EPG URLs, your Xtream credentials, your channel/movie/series names, your watch history, your email, no advertising identifier. A systematic redaction (SecretRedactor) removes URLs/credentials/tokens before any emission.
3.6 No other analytics / advertising tools
No Firebase Analytics, Google Analytics, Meta/Facebook SDK, AdMob or advertising network, Mixpanel/Amplitude/Segment, tracking pixels. (Any future addition will entail an update of this policy + in-app notification -- § 11.)
4. Recipients of the data (GDPR Art. 13.1.e)
| Recipient | Data | Purpose | Country |
|---|---|---|---|
| You (on your device) | 100% of the entered BYOC data | App use | Local |
| IPTV/EPG servers you configure | Xtream credentials + IP + User-Agent | Authentication + playback | Variable (your choice) |
| Our self-hosted backend (Mitchou, Morocco) | ONLY if account: email, entitlement, devices, pairing, invoices (metadata), audit; + pseudonymous telemetry (installId) | Account / Premium / security / product improvement | Morocco |
| Cloudflare | Network transit (CDN + Tunnel + WAF) -- sees IP/headers, stores no personal data | Routing + network security | Multinational (DPA) |
| GlitchTip (self-hosted) | Pseudonymous crash reports | Diagnostics | Morocco (Mitchou infra) |
| Payment providers (Stripe / PayPal / BTCPay) | Payment data entered on their pages (redirection) -- TIVERA never sees your card | Premium collection | USA / variable (their DPAs) |
| Transactional email (SMTP provider, e.g. Brevo) | Email + sign-in code (OTP) | Sending the link/code | EU / variable (DPA) |
| Google (optional) | OAuth "Continue with Google" (if chosen); Play Integrity (anti-fraud); Play Billing (if purchase via the Play Store) | Sign-in / anti-fraud / payment | USA (Google DPA) |
| Google Firebase Crashlytics (opt-in, in transition) | Stack trace + pseudonymous Installation ID | Crash diagnostics | USA/EU (SCC + DPF) |
No sale of data. No advertising sharing. No stream/channel data leaves your device.
5. Your rights (GDPR Art. 13.2.b, 15 to 22 + CCPA)
5.1 GDPR rights (EU / EEA / UK residents)
| Right | How to exercise it |
|---|---|
| Access (Art. 15) | Local data: Settings -> Privacy -> Export my data. Account data: machine export of your account (email, entitlement, devices, invoices, pairings [token redacted], logs concerning you) -- from /account or on request to [email protected]. |
| Rectification (Art. 16) | Local: in the app. Account: email modifiable, or request to [email protected]. |
| Erasure / right to be forgotten (Art. 17) | Local: Settings -> Privacy -> Erase all my data OR uninstall. Account: cascade deletion (from /account or via [email protected]) -- deletes entitlement, devices, invoices, pairings, and anonymizes your audit-log rows. |
| Restriction (Art. 18) | Disable Crashlytics opt-in; delete the local sources; request the restriction of the account at [email protected]. |
| Portability (Art. 20) | Same JSON exports (local + account), open formats. |
| Objection (Art. 21) | Telemetry (legitimate interest): [A COMPLETER : mecanisme d opt-out a confirmer avec l avocat]. Account: delete it. |
| Automated decision-making (Art. 22) | No profiling or automated decision-making. The recovery engine is purely heuristic -- no Machine Learning / AI within the meaning of the AI Act. |
5.2 CCPA / CPRA rights (California)
TIVERA neither sells nor shares data within the CCPA meaning. Rights to Know / Delete / Correct / Opt-Out (not applicable) / Limit (no sensitive data) / Non-Discrimination / Authorized Agent applicable -- exercise via [email protected] (45-day deadline).
5.3 Complaint
- CNDP (Morocco): https://www.cndp.ma
- EU/EEA residents: your national authority (e.g. CNIL: https://www.cnil.fr/fr/plaintes). List: https://edpb.europa.eu/about-edpb/about-edpb/members_en.
- California AG: https://oag.ca.gov/contact/consumer-complaint-against-business-or-company
6. Data security (GDPR Art. 32)
6.1 On the device
- SQLCipher (AES-256) on the local database; Google Tink AEAD (Android Keystore key TEE/StrongBox) as an overlay for the Xtream/EPG credentials (AAD bound to the row, anti cell-swap).
- Minimal Android permissions (no dangerous runtime permission); R8/ProGuard; restrictive backup rules;
SecretRedactoron every log.
6.2 Backend (account + telemetry)
- Self-hosted backend (PocketBase, Morocco); exposed via Cloudflare Tunnel (TLS terminated at the edge, WAF).
- Payment webhooks verified (HMAC + anti-replay + idempotence); signed subscription lease (Ed25519); hashed pairing tokens; hashed passwords.
- Encrypted backups (AES-256); audit log for sensitive operations.
6.3 Encryption in transit
- HTTPS to our backend (
api.tivera.tv) and our subdomains. - Cleartext HTTP tolerated only toward the IPTV/EPG servers you configure (many panels still serve over HTTP -- refusing it would break BYOC usage).
6.4 Breach notification (GDPR Art. 33-34)
In the event of a breach affecting your rights, Mitchou notifies the CNDP (and, for EU users, the competent authority) within 72 hours, and you directly if the risk is high. Procedure: docs/cloud/INCIDENT_RESPONSE.md.
7. Minors (COPPA + GDPR Art. 8)
TIVERA is intended for those 13 years or older. No intentional collection of data of minors under 13; declarative age gate at first launch. Parent/guardian: [email protected] for any deletion.
8. Cookies / third-party trackers
- Application: no proprietary HTTP cookie; eventual third-party server cookies (e.g.
__cf_bmfrom a panel) handled in RAM (InMemoryCookieJar), never persisted. No pixel/beacon. tivera.tvwebsite: no third-party cookie, no third-party analytics/advertising script, no external CDN at runtime (internal rule R-NA-1). Calls go only toward our backend (api.tivera.tv) on user action (sign-in, account).
9. International transfers (GDPR Art. 44 to 50)
| Transfer | Framework |
|---|---|
| Your device -> IPTV/EPG servers you configure | No transfer orchestrated by Mitchou (you choose the recipient). |
| Your device -> our backend (Morocco) (if account/telemetry) | Morocco is not on the EU adequacy list. For EU users: [A COMPLETER : base/garantie a confirmer avec l avocat -- necessite contractuelle (Art. 49) et/ou garanties appropriees + designation d un representant UE Art. 27]. |
| Cloudflare transit | Network routing (no storage of personal data); Cloudflare DPA. |
| Payment (Stripe/PayPal/BTCPay), SMTP, Google (optional) | Under their own respective DPAs / SCCs / DPFs. |
| Crashlytics opt-in -> Google LLC | EU SCCs + DPF; pseudonymization. |
10. Retention period (GDPR Art. 13.2.a)
| Category | Duration |
|---|---|
| Local data (M3U, Xtream, EPG, history, recordings) | As long as the app is installed; immediate erasure on uninstall / via Erase all my data. |
| Account (email, entitlement, devices, pairings) | Until account deletion (cascade purge). Entitlement: until expiry + 90 d (dispute/refund window). |
| Invoices | 3 years minimum (accounting obligation -- to be confirmed; also required by the payment providers for disputes). |
Audit log (audit_log, incl. IP) | 90 days; rows anonymized upon account deletion. |
Usage statistics (app_events) | 90 days. |
Crash reports (crash_reports / GlitchTip) | 90 days. |
Aggregates (daily_metrics) | 180 days (anonymous counters). |
| Crashlytics opt-in | 90 d on Google's side; deletion on request. |
PerfEvent logs (buffer.log device) | Local ring buffer, never transmitted as such; erased on uninstall. |
11. Updates to this policy
Any material modification entails: in-app notification at the next launch + update of the date + retention of the Git diff (publicly versioned) + re-acceptance if a new processing category is added. Minor modifications do not trigger re-acceptance.
12. Contact
- General email:
[email protected] - Privacy email (rights exercise):
[email protected] - DMCA email:
[email protected](cf. DMCA Policy) - Postal address:
[A COMPLETER : adresse postale Maroc valide]
Response time: 30 days (GDPR) / 45 days (CCPA).
13. Related documents
Status: DRAFT v2.0-beta of 2026-06-01 -- discloses the optional cloud account + the self-hosted telemetry now in production. To be validated by a lawyer (CNDP Law 09-08 + GDPR) before firm publication: legal basis of the telemetry (legitimate interest vs consent), Morocco->EU transfer safeguards, EU representative (Art. 27), telemetry opt-out mechanism. The French version prevails; the other languages are courtesy translations.