Privacy policy

for the internal web application “YT Stream” (https://fast.imh-group.us) — As of: June 2025

1. Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) is:

IMH Group, Inc.
8 The Green, Ste B
Dover, DE 19901
United States

Authorized representative: Christian Aberle
General contact: info@imh-group.us, Phone: +1 (302) 212-0640

Privacy requests (access, erasure, rectification, objection): info@imh-group.us

Company details are also available in the Legal notice or Imprint – IMH Group Inc.

2. Purpose of the application

YT Stream is an internal administration tool of IMH Group, Inc. for managing YouTube live streams (channels, playlists, schedules, media). Access is restricted to authorized staff and administrators. No visitor tracking, marketing, or analytics cookies are used.

3. Data processed

  • User accounts: Username, password hash (bcrypt), role (administrator/staff), activation status, creation timestamp.
  • Session cookie: technically required for login and authorization (see section 4).
  • Channel and stream configuration: Channel names, slugs, schedules, playlist entries (file paths/titles), encoder settings.
  • Stream keys and OAuth tokens: stored encrypted in the database (Fernet, derived from the application secret).
  • Audit log: Timestamp, logged-in username, action (e.g. create, edit, start/stop), optional channel ID and short detail (e.g. channel name) — no passwords or stream keys in plain text.
  • Security / rate limiting: IP address on failed login attempts, temporarily in memory (max. 15 minutes, not stored permanently).
  • Operational and error logs: technical logs on the server (Plesk EU), content depends on server configuration.

Staff roles cannot view stream keys in plain text; administrators can manage keys. The UI deliberately avoids displaying unnecessary personal data in messages.

4. Cookies

Only a session cookie (typically named session) is set. This cookie is strictly required for login and does not require consent under Section 25 TTDSG in conjunction with GDPR Recital 28.

  • HttpOnly: yes — no access via JavaScript in the browser.
  • SameSite: Lax (Starlette SessionMiddleware).
  • Secure: set in production with HTTPS, or when PUBLIC_BASE_URL uses https:// or trusted proxy headers are enabled.

The login page states that signing in sets this cookie. There is no cookie banner for marketing or analytics cookies because none are used.

5. Legal bases (Art. 6 GDPR)

  • Art. 6(1)(b): Processing to perform the usage relationship or provide the internal service to authorized users.
  • Art. 6(1)(f): legitimate interest in IT security, traceability of changes (audit log), abuse prevention (login rate limit).

6. Retention

  • User accounts: until deactivated or deleted by an administrator or upon written request to info@imh-group.us.
  • Session: until logout or end of the browser session.
  • Audit log: until manual cleanup or database deletion; typically retained for a longer period for operational traceability. Entries relating to a user can be addressed on request.
  • Login rate limit (IP): maximum 15 minutes in memory, then automatic deletion.
  • Server logs: according to the hosting provider's retention policy (Plesk EU).

7. Recipients and third parties

Data is not shared with advertising or analytics services. YT Stream includes no built-in tracking (e.g. Google Analytics).

When optional features are used, data may be transmitted to:

  • YouTube / Google: when using OAuth or the API, subject to Google's privacy policies.
  • Jellyfin: only if configured (metadata queries).
  • Hosting (Plesk EU): server operation under a data processing agreement with the provider.

External CDN resources (Tailwind, htmx) are loaded for the UI; IP addresses may technically be processed by the CDN provider. Local static files can be used instead.

8. Technical and organizational measures

  • Passwords are hashed with bcrypt, not stored in plain text.
  • Stream keys and OAuth refresh tokens are stored with Fernet encryption in the database.
  • HTTPS is intended in production; session cookies receive the Secure flag when configured.
  • Application data (DATA_DIR: database, logs, cache) is outside the public web root or protected by server rules.
  • Access only after authentication; role-based restrictions for staff.
  • CSRF protection for form-based actions.

9. Your rights

You have the following rights vis-à-vis the controller, among others:

  • Access (Art. 15 GDPR)
  • Rectification (Art. 16 GDPR)
  • Erasure (Art. 17 GDPR)
  • Restriction of processing (Art. 18 GDPR)
  • Object to processing based on legitimate interests (Art. 21 GDPR)
  • Data portability, where applicable (Art. 20 GDPR)
  • Lodge a complaint with a supervisory authority (Art. 77 GDPR)

Deletion of staff accounts: Administrators can deactivate accounts in user management or fully delete staff accounts. For further requests, contact info@imh-group.us.

10. No obligation to provide data

Using YT Stream requires internal authorization. Without providing the data required for login, use is not possible.
