1. Introduction
GoopForge LLC (“GoopForge,” “we,” “us,” or “our”) provides an AI-assisted weekly streaming planner for Twitch creators. This Privacy Policy describes how we collect, use, store, and share information when you use our website and application (the “Service”).
By signing in or using the Service, you agree to this Privacy Policy. If you do not agree, do not use the Service.
2. Information we collect
We collect information in the following categories.
2.1 Account and identity (from Twitch sign-in)
When you sign in with Twitch, we receive and store:
| Data | Source | Purpose |
|---|---|---|
| Twitch user ID | Twitch OAuth | Account identification and API calls on your behalf |
| Twitch login (providerLogin) | Twitch OAuth | Account linking and display |
| Display name | Twitch OAuth | Display in the app |
| Email address | Twitch OAuth (when you grant user:read:email) | Account contact; may be shown in Settings |
| Broadcaster type (affiliate/partner status) | Twitch OAuth | Product context |
| Twitch account creation date | Twitch OAuth | Product context |
| Profile image URL | Twitch OAuth | Avatar in Settings and the app shell |
We do not store OAuth access or refresh tokens in your browser session cookie. Tokens are stored encrypted in our database (see Section 7).
Twitch OAuth scopes we request:
- At sign-in: user:read:email, moderator:read:followers
- When you use optional features (for example, Push to Twitch schedule sync): additional scopes such as channel:manage:schedule may be requested incrementally
You can review Twitch's own privacy practices at https://www.twitch.tv/p/legal/privacy-policy.
2.2 Optional Steam account link
If you choose to link Steam (Settings → Plan My Stream):
| Data | Source | Purpose |
|---|---|---|
| Steam ID | Steam OpenID 2.0 | Link your Steam account to GoopForge |
| Owned-games snapshot | Steam Web API (server-side) | Planner category filtering (app IDs, optional game names, optional playtime, optional Twitch category mapping) |
We do not store Steam access or refresh tokens. Steam linking uses OpenID verification only.
When you unlink Steam, we delete your Steam OAuth record and your personal games snapshot. A separate global catalog that maps Steam app IDs to Twitch category IDs (derived from public game metadata, not tied to your identity) may persist after unlink.
2.3 Preferences and profile survey
You may provide streaming preferences and profile survey answers, including:
- Preferred and disallowed game categories
- Timezone and weekly availability windows
- Availability notes
- Streamer profile rankings (goals, content style, category preference)
- Optional stream description (free text, up to 300 characters)
These fields are used to personalize your weekly plan. Your optional stream description is not sent to third-party AI models in the current product version.
2.4 Weekly plan and recommendation data
When you use the planner, we store:
- Weekly plan metadata (week start, status, sync timestamps)
- Plan slots (day, times, selected category, optional stream title)
- Generated recommendations (category options, rationale, confidence, hooks, title suggestions, and related display copy)
- Recommendation interaction events — for example when recommendations are shown, modified, locked, or synced to Twitch (recommendation.shown, recommendation.modified, recommendation.locked, recommendation.synced, and related types). These events help us improve recommendation quality over time.
Plan slot times and category names in plans are treated as non-sensitive plan content suitable for display in the app.
2.5 Twitch channel statistics
To personalize recommendations, we fetch and store aggregated channel metrics, including:
- Follower count (via Twitch Helix, using the moderator:read:followers scope)
- Recent average viewers from archived VODs
- Point-in-time snapshots captured when your plan is regenerated (for growth attribution)
Channel stats are refreshed periodically (typically at most once every 24 hours unless forced at sign-in).
2.6 Live concurrent viewer (CCV) self-capture
For registered users with an active Twitch connection, we measure your live stream concurrent viewers when you go live:
- How: Twitch EventSub notifications (stream online/offline) plus periodic polling of Twitch Helix while a session is live
- What we store: Stream session records (start/end times, peak and average concurrent viewers, optional category ID) and individual viewer-count samples during the live window
- Who: Registered GoopForge users only — not visitors who have not signed in
- Why: To inform planner ranking and growth attribution (for example, comparing performance before and after plan changes)
We do not publish your live viewer counts to other users.
2.7 In-app feedback
If you submit feedback through the in-app widget while signed in, we store:
- Your message (up to 400 characters)
- Optional page path where you submitted feedback
- Your internal user ID and timestamp
When email notification is configured, we send the feedback text and basic account metadata (user ID, display name, email if available) to our team via Resend. Feedback message bodies are not written to application logs.
2.8 Cookies and session data
We use one primary session cookie:
| Cookie | Purpose | Attributes |
|---|---|---|
| goopforge_session | Keeps you signed in; holds encrypted session payload | HttpOnly; SameSite=Lax; Secure in production |
The session payload includes your internal user ID, email, display name, and Twitch profile image URL. It does not include OAuth tokens.
During OAuth flows, the session may temporarily hold a CSRF state value and optional pending sync parameters. These are cleared after authorization completes.
We do not use third-party advertising or analytics cookies in the current MVP.
2.9 Information we do not collect
- We do not sell your personal information.
- We do not run third-party analytics trackers (for example, Google Analytics) in the current MVP.
- We do not log OAuth tokens, session secrets, or full feedback message bodies in server logs.
3. How we use information
We use the information above to:
- Authenticate you and maintain your session
- Generate, display, and sync weekly streaming plans
- Call Twitch (and optionally Steam) APIs on your behalf within granted scopes
- Measure live stream performance (CCV self-capture) for registered users
- Improve recommendations using interaction events and aggregated outcomes
- Respond to feedback you submit
- Operate, secure, and debug the Service (without logging secrets or sensitive message bodies)
- Comply with law and enforce our Terms of Service
4. How we share information
We do not sell your personal information. We share information only as described below.
4.1 Service providers and subprocessors
| Provider | Role | Data involved |
|---|---|---|
| Twitch (Twitch Interactive, Inc.) | OAuth, Helix API, EventSub | Account identifiers, tokens (encrypted at rest on our systems), channel and stream data per granted scopes |
| Steam (Valve Corporation) | Optional account link; owned-games API | Steam ID; game library metadata when you link and refresh |
| Third-party AI text generation | Optional AI generation of stream hooks and title suggestions | Category IDs and names, familiarity signals, and variation seeds — not your email, display name, OAuth tokens, channel stats, or stream description |
| Resend | Email delivery for feedback notifications | Feedback text, user ID, display name, email (if present), page path, timestamp |
| IGDB (via Twitch app credentials) | Global game genre/theme catalog | Twitch category IDs only — no user identifiers or preferences |
| Cloud hosting and database | Application hosting and PostgreSQL storage | Data described in this policy, protected by access controls |
We may add or change subprocessors as the Service evolves. Material changes will be reflected in an updated version of this policy.
4.2 Legal and safety
We may disclose information if required by law, court order, or governmental request, or when we believe disclosure is necessary to protect rights, safety, or the integrity of the Service.
4.3 Business transfers
If GoopForge is involved in a merger, acquisition, or asset sale, your information may transfer as part of that transaction, subject to this Privacy Policy or a successor policy with notice.
5. Data retention
| Data category | Retention |
|---|---|
| Active account data | Retained while your account is active and you use the Service |
| OAuth tokens | Retained while linked and needed for API access; updated on refresh |
| Steam library snapshot | Refreshed periodically (typically at most every 24 hours while linked); deleted on Steam unlink |
| Twitch channel stats | Refreshed periodically (typically at most every 24 hours); retained while account active |
| Live CCV sessions and samples | Retained while account active; used for planner context and growth attribution |
| Recommendation events | Retained while account active to improve recommendations; intended to be anonymized if your account undergoes full deletion/purge |
| Cached market-intelligence entries | Global caches with TTL-based purge; not user-specific |
| Feedback | Retained while account active; deleted when your user record is deleted from our database |
When an account is soft-deleted (see Section 6), we stop treating the account as active for sign-in and planning. A full purge and anonymization workflow for soft-deleted accounts is planned but not yet automated.
6. Account deletion
GoopForge uses a soft delete model. You can delete your account at any time from Settings → General → Delete account.
When you confirm account deletion:
- We mark your account with a deletion timestamp (deletedAt)
- We unsubscribe Twitch EventSub notifications for your account
- We sign you out and stop treating your account as active for sign-in and planning
Steps 1–3 are live today. A full purge and anonymization job for remaining personal data (step 4) is planned but not yet automated. Until that job runs, some data may remain in our database in a deactivated state.
Re-sign-in before purge: If you sign in again with the same Twitch account before the purge job has run, we restore your account, clear the deletion timestamp, refresh your OAuth tokens, and reactivate your prior data (plans, preferences, and linked services) as they existed at deletion.
Recommendation events and other learning data are intended to be anonymized, not attributed to you, after a completed deletion/purge process.
7. Security
We apply measures aligned with our security baseline, including:
- OAuth tokens encrypted at rest using AES-256-GCM (TOKEN_ENCRYPTION_KEY)
- Session cookies encrypted via iron-session; HttpOnly, SameSite=Lax, and Secure in production
- CSRF protection on OAuth callbacks (state validation)
- Access controls on authenticated API routes
- Logging practices that avoid OAuth tokens, session contents, and decrypted credentials
No method of transmission or storage is 100% secure. You are responsible for maintaining the security of your Twitch account credentials.
8. Your choices and rights
Depending on where you live, you may have rights to access, correct, delete, or export personal information, or to object to or restrict certain processing.
Current MVP capabilities:
| Right | Available today |
|---|---|
| Access / export | Not yet self-service |
| Correction | Update preferences and profile survey answers in Settings |
| Deletion | Settings → General → Delete account (soft delete; see Section 6) |
| Withdraw Twitch/Steam link | Disconnect Steam in Settings; Twitch is required for core sign-in — deleting your GoopForge account removes active Twitch linkage from our processing |
| Opt out of sale/sharing (US state laws) | We do not sell personal information |
We may retain certain information as required by law or for legitimate business purposes (for example, security logs).
California residents: You may have additional rights under the CCPA/CPRA, including the right to know, delete, and correct personal information, and the right to non-discrimination for exercising these rights. We do not sell or share personal information for cross-context behavioral advertising.
EEA/UK residents: If applicable law provides you rights under GDPR, our legal bases include contract performance (providing the Service), legitimate interests (improving recommendations and securing the Service), and consent where required (for example, optional Steam linking).
9. Children's privacy
The Service is not directed to children under 13 (or the minimum age required in your jurisdiction). We do not knowingly collect personal information from children.
10. International users
GoopForge is operated from the United States. If you access the Service from outside the U.S., your information may be processed in the U.S. and other countries where our service providers operate, which may have different data-protection laws than your country.
11. Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will revise the “Last updated” date and, for material changes, provide additional notice (for example, in the app). Continued use after changes take effect constitutes acceptance of the updated policy.