This Data Processing Agreement (“DPA”) forms part of and supplements the Streamneeds Terms and Conditions (the “Terms”) between HALFORD SUCKS LTD, company number 14173794 (“Company”, “Processor”, “we”, “us”, or “our”) and the user, creator, business client, white-label client or other entity using the Streamneeds Services (“Controller”, “User”, or “Client”). This DPA applies where Streamneeds processes Personal Data on behalf of the Controller in connection with the Services.
1. Definitions
- “Applicable Data Protection Laws” means all applicable data protection and privacy laws including the UK GDPR, EU GDPR and related legislation.
- “Controller” means the entity determining the purposes and means of processing Personal Data.
- “Processor” means the entity processing Personal Data on behalf of the Controller.
- “Personal Data” means any information relating to an identified or identifiable natural person.
- “Processing” means any operation performed on Personal Data including collection, storage, organisation, transmission, analysis or deletion.
- “Services” means the Streamneeds platform, software, integrations, moderation systems, overlays, automation tools and related services.
- “Subprocessor” means any third party engaged by the Processor to assist in providing the Services.
2. Role of the parties
The parties acknowledge and agree that:
- the Controller determines the purposes and manner of Personal Data processing relating to its viewers, audience, community members and users;
- HALFORD SUCKS LTD acts primarily as a Processor in providing the Services;
- certain processing activities may also be carried out by the Company as an independent Controller where necessary for platform security, billing, legal compliance and operational purposes (for example, managing Controller accounts, securing the platform and processing payments).
3. Subject matter of processing
The Processor may process Personal Data in connection with:
- livestream engagement systems;
- moderation systems;
- chatbot functionality;
- overlay systems;
- community engagement tools (points, raffles, giveaways, store);
- automation and trigger tools;
- viewer interaction systems; and
- related creator platform functionality.
4. Types of Personal Data
The types of Personal Data processed may include:
- usernames and display names;
- email addresses;
- channel / stream information;
- Discord and Kick account identifiers;
- Twitch and YouTube event data, where a Controller configures inbound stream alerts;
- IP addresses and user-agent / browser information;
- chat activity and message counts;
- moderation activity (bans, flags and related notes);
- participation and engagement statistics;
- voluntary data viewers submit through enabled features — casino account usernames, cryptocurrency wallet addresses, affiliate codes, and prize shipping details where applicable;
- uploaded files and content; and
- related platform activity data.
The Processor does not collect casino account passwords or balances, and does not store payment card details (see Section 9).
5. Categories of data subjects
Data subjects may include:
- creators;
- viewers;
- moderators;
- community members;
- subscribers;
- platform users; and
- connected third-party platform accounts.
6. Purpose of processing
Personal Data may be processed for the purposes of:
- providing the Services;
- platform functionality;
- moderation systems;
- livestream engagement systems;
- reporting and statistics;
- technical support;
- automation functionality;
- platform optimisation;
- account management;
- security and abuse prevention; and
- related operational purposes.
The Controller is solely responsible for ensuring that it has a lawful basis for processing Personal Data using the Services.
7. Processor obligations
The Processor shall:
- process Personal Data only as reasonably necessary to provide the Services;
- implement reasonable technical and organisational security measures;
- restrict internal access to Personal Data where reasonably appropriate;
- take reasonable steps to protect Personal Data against unauthorised access, loss or misuse; and
- comply with applicable obligations under Applicable Data Protection Laws where required.
The Processor does not guarantee uninterrupted or error-free security.
8. Controller obligations
The Controller shall:
- comply with Applicable Data Protection Laws;
- ensure lawful collection and use of Personal Data;
- provide all necessary notices to its users and viewers;
- obtain any necessary consents;
- ensure lawful use of viewer engagement and moderation systems; and
- remain solely responsible for determining the legality of its use of the Services.
The Controller acknowledges that Streamneeds is a software provider only.
9. Subprocessors
The Controller authorises the Processor to engage Subprocessors where reasonably necessary for operation of the Services. Subprocessors may include providers relating to cloud hosting, infrastructure, communications, payment processing and platform functionality. Current providers include:
- Vercel — application hosting and file/blob storage
- Neon — managed PostgreSQL database (EU, eu-west-2)
- Railway — bot hosting
- Stripe — payment processing (no card data stored by us)
- Pusher — real-time messaging
- Resend — transactional email
- Upstash — rate limiting
- Discord, Kick — platform integrations the Controller authorises
The Processor reserves the right to update or replace Subprocessors. Where we materially change our Subprocessors, we will update this DPA accordingly.
10. International data transfers
The Controller acknowledges that Personal Data may be transferred, processed or stored internationally in connection with the Services, including in the United Kingdom, the European Economic Area and the United States. Where reasonably required, the Processor relies on appropriate safeguards such as the UK International Data Transfer Agreement or the EU Standard Contractual Clauses.
11. Security measures
The Processor shall maintain commercially reasonable security measures appropriate to the nature of the Services. Such measures may include:
- access controls and role-based permissions;
- authentication systems;
- bcrypt hashing of passwords;
- encryption of sensitive integration tokens at rest;
- encrypted communications (TLS) in transit; and
- operational security and audit-logging procedures.
The Controller acknowledges that no system can be guaranteed fully secure.
12. Data retention and deletion
The Processor may retain Personal Data for as long as reasonably necessary for operation of the Services, security purposes, legal obligations, dispute resolution, fraud prevention and enforcement of agreements. Where deletion requests are approved, relevant account data may be deleted within twenty-eight (28) days. Certain information may be retained where reasonably necessary for compliance, legal or security purposes.
13. Data subject requests
Where reasonably applicable, the Processor may assist the Controller in responding to lawful requests relating to access, deletion, correction, restriction, portability or objection rights. The Controller remains primarily responsible for handling such requests in respect of its viewers and community members.
14. Data breaches
If the Processor becomes aware of a confirmed Personal Data breach affecting the Services, the Processor shall take commercially reasonable steps to investigate the incident, mitigate impacts where reasonably possible, and notify affected Controllers where reasonably required by law. The Processor does not accept liability for breaches arising from third-party services, User misuse, compromised accounts, insecure integrations, or circumstances outside the Processor’s reasonable control.
15. Liability limitations
To the maximum extent permitted by law:
- the Processor shall not be liable for indirect, consequential or incidental damages;
- the Controller remains solely responsible for lawful use of the Services; and
- the aggregate liability of HALFORD SUCKS LTD arising under this DPA shall not exceed the total amount paid by the Controller to Streamneeds during the six (6) months preceding the relevant claim.
16. Audits
The Processor is not obligated to permit intrusive security audits, penetration testing or infrastructure access by Controllers unless separately agreed in writing. Reasonable compliance information may be provided at the Processor’s discretion.
17. Termination
This DPA shall terminate automatically upon termination of the applicable Services or Terms unless otherwise required by law.
18. Governing law
This DPA shall be governed by and interpreted in accordance with the laws of England and Wales. Any disputes arising under or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.
19. Contact
For privacy or data processing enquiries, contact:
- streamneeds@sucksmedia.com
- HALFORD SUCKS LTD
- Company Number: 14173794
- United Kingdom