EFFECTIVE 2026-05-08 · LAST UPDATED 2026-05-29
1. Who runs delayed
delayed is operated by Yusuf Dede as an individual, based in Turkey. For privacy questions, data-access requests, or anything in this policy, write to support@delayed.stream.
Under EU GDPR Article 4(7) and Turkish KVKK Article 3, this is the data controller for the personal data described below.
2. What "personal data" we actually have
Everything in this section is the complete list. If something isn't here, we don't have it.
From your purchase (via Polar.sh)
Polar.sh handles checkout as our Merchant of Record. They share with us:
- Email address (so we can email your license key and contact you about your subscription)
- First and last name (as you entered at checkout)
- Country (used for invoice generation and VAT, not stored beyond what Polar already retains)
- Subscription / lifetime status and renewal dates
Polar processes your full billing details (payment method, billing address) under their own privacy policy at polar.sh/legal/privacy. We never see your card or full billing address.
From the desktop app, while it's running
The app makes outbound network calls to three endpoints by default, plus optional calls when you use platform OAuth or TikTok via Streamlabs:
- Polar.sh license API: sends your license key plus a stable per-machine identifier (MachineGuid from Windows registry) so Polar can validate the activation. Runs on launch and once every 6 hours while the app is open.
- api.delayed.stream/trial/touch: establishes when your 30-day free trial started. Sends a one-way SHA-256 hash of your MachineGuid (not the raw value — the hash cannot be reversed to recover your GUID), a timestamp, and an HMAC signature. Our server stores the hash alongside a started_at timestamp. Called on first launch, then once every 7 days to re-confirm trial state.
- api.delayed.stream/dl: checks for app updates. Sends nothing about you; just a GET request for the latest manifest. Logged server-side with a generic web-server access log (IP + user-agent), retained 30 days, then rotated.
- api.delayed.stream/oauth (optional): used only if you click Connect Twitch, Connect YouTube, or Connect Kick. See below.
- streamlabs.com (TikTok only, optional): see below.
Outside those calls, the app makes no network requests we initiate. Your stream goes from the app directly to your destinations (Twitch, YouTube, Kick, TikTok, custom RTMP) over RTMP; that traffic does not pass through us.
When you connect Twitch, YouTube, or Kick via OAuth (optional)
If you click Connect Twitch, Connect YouTube, or Connect Kick in the Settings window, the app opens a browser to api.delayed.stream, which redirects you to the platform's own authorization page. When you authorize:
- The platform sends an authorization code to api.delayed.stream.
- Our server exchanges the code for an access token (with the platform) and immediately uses it to read your stream key and display name (your channel username). The access token is not stored.
- The stream key and display name are held in-memory on our server for up to 10 minutes, then permanently deleted — whether or not the app retrieved them.
- The app polls our server and retrieves the stream key and display name. The stream key is stored in Windows Credential Manager (DPAPI) on your device. The display name is written to settings.json on your device alongside the destination record.
- We do not retain OAuth access tokens, refresh tokens, or stream keys on our servers beyond that 10-minute in-memory window. The exchange is one-shot: code in, key out, everything discarded.
- If you click Disconnect, the stream key is deleted from Credential Manager on your device. The display name entry in settings.json is removed when you delete the destination.
When you connect Streamlabs (optional, TikTok integration)
TikTok does not provide an open API for individual developers to request live credentials. To support TikTok streaming, delayed uses an OAuth flow via Streamlabs: you log in to your own Streamlabs account in a browser window, authorize the connection, and Streamlabs returns a token that allows the app to start and end TikTok broadcast sessions on your behalf.
What this means for your data:
- The Streamlabs OAuth token is stored in Windows Credential Manager (DPAPI, same as stream keys). It is never written to a plain file, never sent to our servers, and never logged.
- When you start a TikTok-enabled stream, the app calls streamlabs.com/api with your token to request an RTMP URL and stream key for the session. That URL points directly to TikTok's ingest servers. Streamlabs is not in the stream path: your video goes from your PC to TikTok, not through Streamlabs.
- When the stream ends, the app calls streamlabs.com/api again to close the TikTok broadcast session.
- If you click Disconnect in the app, the token is deleted from Credential Manager.
- We do not see, log, or store your Streamlabs username, TikTok username, or any other Streamlabs account data. The token lives on your device only.
Streamlabs' own privacy policy governs how they handle your data when you log in: streamlabs.com/privacy.
What stays on your device
- Stream destinations and stream keys (encrypted by Windows Credential Manager / DPAPI, never written to a plain file, never sent anywhere by the app)
- Your platform display name (Twitch username, YouTube channel name, Kick username), stored in settings.json alongside the destination record if you connected via OAuth. This is your public username, not a secret.
- Your Streamlabs OAuth token, if you've connected Streamlabs (same Credential Manager store, deleted on disconnect)
- Your delay and protective-buffer settings
- Your license key (encrypted in the same Credential Manager store)
- Your trial start date (encrypted in Credential Manager; the server knows only your machine hash and start timestamp, not the key)
- Your video and audio stream content while delayed
3. What we explicitly do not collect
- No analytics, no telemetry, no event tracking
- No crash reporting
- No "anonymous usage statistics"
- No behavioural data (which buttons you click, how long you stream, etc.)
- No cookies on this website beyond what's strictly necessary (currently: none)
- None of your stream content; your video and audio never reach our servers
This is enforced by code, not policy: the app simply does not contain analytics, error reporting, or telemetry libraries. You can verify by capturing its outbound traffic.
4. Why we hold what we do
- Email + name: to deliver your license, send refund/billing emails, and respond if you contact support. Legal basis: contract (Art. 6(1)(b) GDPR / KVKK Art. 5(2)(c)).
- Country: to generate compliant invoices via Polar. Legal basis: legal obligation (Art. 6(1)(c) GDPR).
- License key + machine ID: to enforce one active install per license. Legal basis: contract.
- Trial machine hash + started_at: to enforce the 30-day trial period as disclosed at point of download. Legal basis: legitimate interest (Art. 6(1)(f) GDPR). Retained while the trial is active; we have no automated deletion after the trial ends, but this data has no value to us once the trial period has passed.
- OAuth stream key + display name (in-memory, transient): to deliver the platform stream key to your device as part of the one-click connect feature you initiated. Legal basis: contract. Held for a maximum of 10 minutes, then permanently deleted from our servers.
- Update-check IP/UA logs: to keep the update endpoint running and detect abuse. Legal basis: legitimate interest. Retained 30 days.
5. How long we keep it
- Active subscribers / lifetime customers: as long as your account is active.
- After cancellation or refund: we retain email + license-issue record for 2 years for tax / accounting purposes, then delete. Polar.sh has its own retention rules for the same data.
- Server-side update-check logs: rotated after 30 days.
6. Your rights
If you live in the EU/UK (GDPR) or Turkey (KVKK), you can ask us to:
- Tell you what we hold about you
- Correct anything that's wrong
- Delete your account and personal data
- Export your data in a machine-readable format
- Object to processing or restrict it
Email support@delayed.stream with the subject "Data Request" and we will respond within 30 days as required by GDPR Art. 12, or 30 days as required by KVKK Art. 13. Some data sits in Polar's systems too; we'll forward those requests to them where applicable.
If you believe we've mishandled your data, you have the right to complain to your local supervisory authority (in Turkey: KVKK; in the EU, your national DPA).
7. Data transfers
Polar.sh is incorporated in the United States. Their use of your billing data is governed by their own privacy policy and the relevant cross-border transfer mechanisms (typically Standard Contractual Clauses for EU customers).
Our update server (api.delayed.stream) is hosted in the EU. Your update-check logs do not leave the EU.
8. Children
delayed is intended for streaming professionals and is not directed at children under 16. We do not knowingly collect data from children. If you're a parent and believe we have, email us and we'll delete it.
9. Changes to this policy
If we change this policy, we'll update the "last updated" date at the top and, for material changes, email subscribers with the diff. Trivial wording fixes don't trigger a notification.
Plain summary: we have your email and name (because Polar gave them to us). The app talks to Polar to validate your license, to our server to confirm your trial start date (using a hash of your machine ID, not the ID itself), and to our update endpoint to check for new versions. If you click Connect Twitch/YouTube/Kick, your stream key passes through our server for up to 10 minutes while the OAuth exchange completes, then it's deleted server-side and stored only in Windows Credential Manager on your PC. If you use TikTok, the app also talks to Streamlabs to start and end TikTok broadcasts — your Streamlabs token lives on your PC only. No telemetry, no analytics, your stream never touches us.