Short version
You have landed on a page that typically gets skipped more than any other. So let us keep it short: at StreamFix you do not need an account, registration, or password. We do not sell your data, we do not run our own store, and we do not maintain any user database.
The only place where we actively collect your name and email address is the contact form. When you write to us, we store the message so we can reply. Normal browsing of the site is otherwise anonymous. We measure aggregated traffic, a country code (not your full IP address), and within a single session we remember a random ID that does not lead back to you.
Who the controller is
The data controller as defined in Article 4(7) of the General Data Protection Regulation (the „GDPR”) is LISTIFY s.r.o., a Czech trading company that operates the StreamFix website.
Given the scope and nature of our processing, we are not required under Article 37 GDPR to appoint a Data Protection Officer (DPO). Privacy questions are handled by company management directly, and emails sent to privacy [at] streamfix.io are answered personally.
What data we process
Depending on whether you are just browsing or actively using a feature, we process one or more of the following three categories. We keep them clearly separated so you can see exactly where the line runs between anonymity and identification.
A. Anonymous operational data (no identification)
These items are collected every time you open any page on StreamFix. They do not point to any specific person.
sf_geo cookie for 24 hours.B. Contact form data (identifying)
This is the only place on the entire site where we willingly collect data you can be identified by.
C. Security logs (only during specific events)
Short-term records that appear in well-defined situations and serve exclusively to defend against abuse.
On what legal basis
Every processing activity has a specific legal basis under Article 6 of the GDPR. Here is the exact mapping.
| What we process | Legal basis | Purpose |
|---|---|---|
| Contact form messages | Legal basisArticle 6(1)(b) GDPR (performance of a contract or pre-contractual steps) | PurposeReplying to the message you sent us. |
| Strictly necessary cookies and site operation | Legal basisArticle 6(1)(f) GDPR (operator’s legitimate interest) and technical necessity under Section 89(3) of Czech Act No. 127/2005 Coll. | PurposeMaking sure the site works technically and remembering your cookie banner choice. |
| IP at contact form submission and admin login | Legal basisArticle 6(1)(f) GDPR (legitimate interest in security) | PurposeDefending against spam and brute-force attacks. |
| Analytics (PostHog) in the EU and the UK | Legal basisArticle 6(1)(a) GDPR (consent) | PurposeUnderstanding which content areas work and which do not. |
| Analytics in opt-out jurisdictions (e.g., USA, Canada, Japan) | Legal basisArticle 6(1)(f) GDPR combined with the local framework (CCPA / CPRA, PIPEDA, APPI) | PurposeUnderstanding traffic, with an opt-out available at any time. |
| Marketing pixels (Facebook, Google, Microsoft) | Legal basisArticle 6(1)(a) GDPR (explicit consent) and Article 5(3) of the ePrivacy Directive 2002/58/EC | PurposeMeasuring the effectiveness of ads that brought you here and reaching similar audiences. |
| Affiliate click tracking (anonymous) | Legal basisArticle 6(1)(f) GDPR (legitimate interest) | PurposeVerifying commission payouts from partners. No personal identification. |
How long we keep data
Every data category has a clearly defined time after which it is automatically deleted or overwritten. No „keeping it just in case we might want it someday.”
| Data | Retention | Note |
|---|---|---|
| Contact form messages | RetentionUp to 12 months after resolution | NoteIf you would like us to delete it sooner, a short note to privacy [at] streamfix.io is enough. |
| IP and user-agent with form messages | RetentionUp to 12 months | NoteStored with the message. Used only as a possible defense in disputes or complaints. |
| IP on failed admin login | Retention15 minutes | NoteDeleted automatically after the block expires. Does not concern visitors. |
| Aggregated analytics (PostHog) | Retention365 days | NoteRecords do not lead to a specific person. Cleaned up by a scheduled job. |
| Application error logs | Retention30 days | NoteRotated automatically. Used exclusively for bug fixing. |
| Affiliate click records | RetentionNo time limit (anonymous) | NoteUsed for long-term partner statistics. Contain no personal data, so the GDPR does not apply. |
| Cookies and browser storage | RetentionVaries by type (24 hours to 12 months) | NoteFull table in the Cookie Policy. |
| Admin session (admin_session) | Retention24 hours | NoteConcerns only content administrators, not visitors. |
Recipients and processors
Data from the contact form is seen only by us, meaning the management of LISTIFY s.r.o. To run the website, we rely on several technical providers who, in relation to personal data processing, qualify as processors under Article 28 GDPR. We have a Data Processing Agreement (DPA) in place with each of them.
| Processor | Role | Location |
|---|---|---|
| Vercel Inc. | RoleWebsite hosting and CDN. Processes your IP address strictly to deliver content, not for marketing. | LocationEU edge network / USA |
| Neon Inc. | RoleWebsite database (PostgreSQL). Holds page content, translations, and contact form messages. | LocationEU (Frankfurt) |
| PostHog Inc. | RoleAnonymous analytics. Runs on the EU instance. | LocationEU |
| Resend Inc. | RoleEmail delivery (form submission confirmations, internal alerts). | LocationUSA |
| Sentry | RoleApplication error logging. Does not process visitor emails or IP addresses. | LocationEU / USA |
| Meta Platforms Ireland Ltd. | RoleFacebook Pixel (only with marketing consent). | LocationEU / USA |
| Google Ireland Ltd. | RoleGoogle Ads (only with marketing consent). | LocationEU / USA |
| Microsoft Ireland Operations Ltd. | RoleMicrosoft Advertising UET (only with marketing consent). | LocationEU / USA |
We do not sell personal data. We also do not pass it to data brokers. The only sharing with third parties happens with the marketing pixels above, and only based on your explicit consent.
International transfers
Whenever possible, data stays in the EU. PostHog runs on the European instance, the Neon database lives in a Frankfurt data center. For providers with servers in the USA as well (Vercel, Resend, Sentry, marketing pixels), data may be transferred outside the European Economic Area.
All of these transfers are covered by two independent safeguards:
For specific guarantees for a specific provider, email us at privacy [at] streamfix.io. We are happy to share a copy of the relevant clause.
Cookies and tracking technologies
Cookies, localStorage, and sessionStorage are technical storage in your browser. We dedicate a separate document to them because they deserve their own table and a full explanation of how the cookie banner behaves by region.
In short: we use four cookie categories.
Marketing pixels
StreamFix invests in advertising so we can show the right guides and reviews to the right people. When you click an ad, it makes sense that the ad network wants to know whether something came of your visit. That is what marketing pixels do.
If you are in the strict mode (EU, UK, EEA, Switzerland, Brazil) and do not accept cookies, the ad networks receive no data from StreamFix whatsoever. If you later withdraw consent (the 🍪 icon in the footer), the pixels stop loading on your next visit.
Your rights
As a data subject under the GDPR and Czech Act No. 110/2019 Coll., you have the rights listed below. You can exercise them by email at privacy [at] streamfix.io. We reply within 30 days at the latest, usually within 5 business days.
To verify your identity when you exercise a right, we may ask for an extra detail (such as the original email address the message came from). We do this only so we do not hand your data to a third party. Exercising a right is free, except for manifestly unfounded or disproportionate requests under Article 12(5) GDPR.
How we protect your data
We take technical and organizational safeguards seriously. These are not marketing clichés, they are concrete measures we stick to.
httpOnly, Secure, and SameSite=Lax flags. Valid for 24 hours.If we were to detect a security incident affecting personal data, we follow Articles 33 and 34 GDPR: we notify the supervisory authority within 72 hours and, if the risk is high, we notify you directly.
Children and minors
StreamFix is not directed at people under the age of 16. We do not target minors and do not knowingly collect data about them.
If someone under 16 sends us a message through the contact form, we delete it and any attachments without undue delay once we become aware. If you are a parent or guardian and believe your child has submitted data through our form, email us at privacy [at] streamfix.io. We will delete the data within 5 business days at the latest.
Automated decision-making
We do not use your data for automated decision-making or profiling within the meaning of Article 22 GDPR. No algorithm on our side decides what price you see, which product you are shown, or which ads you receive based on your identity.
The order of VPN recommendations and the displayed prices are driven only by country, platform, and the general visitor population for that region. They have nothing to do with who you specifically are.
Updates and contact
We update this policy regularly, whether because we ship a new feature, switch a processor, or the law changes. The last-updated date is always shown at the top of this page.
For general feedback on the site, the content, or suggestions for new platforms, use the form at streamfix.io/en/contact.