Security & Privacy
StreamSweeper takes security and privacy seriously. This guide explains how we protect your data, what information we collect, and best practices for keeping your account secure.
Credential Encryption
All IPTV connection credentials stored in StreamSweeper are encrypted using military-grade encryption standards.
AES-256 Encryption
StreamSweeper uses AES-256 encryption to protect your sensitive data:
- Industry Standard: AES-256 is the same encryption used by governments and financial institutions
- Encryption at Rest: All credentials are encrypted before being stored in the database
- Automatic Encryption: Credentials are encrypted the moment you save a connection
- Secure Decryption: Only decrypted when needed to generate your playlists
What Gets Encrypted
The following information is encrypted using AES-256:
- Xtream Codes Credentials: Portal URLs, usernames, and passwords
- M3U URLs: Direct playlist URLs (if they contain authentication tokens)
- API Keys: Any third-party integration credentials
Security Guarantee: Your IPTV provider credentials are never stored in plain text. Even StreamSweeper employees cannot see your passwords - they exist only in encrypted form in the database.
Encryption in Transit
In addition to encryption at rest, all data is protected during transmission:
- HTTPS/TLS: All communication with StreamSweeper uses encrypted HTTPS connections
- Secure API Calls: Connections to your IPTV provider are made over secure protocols when available
- Certificate Validation: SSL/TLS certificates are validated to prevent man-in-the-middle attacks
Data Storage & Protection
Understanding what data StreamSweeper stores and how it's protected:
What We Store
- Account Information: Email address and hashed password
- Connection Details: IPTV credentials (encrypted), connection names, and status
- Playlist Configurations: Filter settings, post-processing rules, playlist names
- EPG Cache: Program guide data (up to 7 days) from your IPTV provider
- Channel Lists: Cached channel information from your connections
- Usage Data: Access logs, feature usage, and performance metrics
- Payment Information: Subscription status (payment details are handled by PayPal or our Bitcoin payment processor, not stored by StreamSweeper)
What We DON'T Store
- Video Content: StreamSweeper never stores or caches any video streams
- Credit Card Numbers: Payment processing is handled entirely by PayPal and our Bitcoin payment processor
- Viewing History: We don't track what channels or programs you watch
- Unencrypted Passwords: All passwords are hashed or encrypted
Database Security
- Encrypted Backups: Database backups are encrypted and stored securely
- Access Controls: Limited access to production database on need-to-know basis
- Audit Logging: Database access is logged for security monitoring
- Regular Updates: Database software is kept up-to-date with security patches
Data Isolation: Each user's data is isolated in the database. You can only access your own connections, playlists, and settings. Cross-account access is prevented at the application and database level.
Password-Protected Playlists
For additional security, you can enable password protection on your M3U and EPG/XMLTV URLs.
How Password Protection Works
When enabled, password protection adds an extra layer of security to your playlist URLs:
- You set a custom password for each playlist
- The password is added as a parameter to your M3U and EPG URLs
- Anyone accessing the URLs must provide the correct password
- Without the password, the playlist cannot be downloaded
Enabling Password Protection
- Go to Live TV
- Click Edit on the playlist you want to protect
- Scroll to Security Settings
- Enable Password Protection
- Enter a strong password
- Click Save
Using Password-Protected URLs
After enabling password protection, your URLs will include the password parameter:
- M3U URL:
https://app.streamsweeper.com/playlist/abc123?password=yourpassword
- EPG URL:
https://app.streamsweeper.com/epg/abc123?password=yourpassword
Player Compatibility: Some IPTV players don't support password-protected URLs. If your player can't access password-protected playlists, you may need to disable this feature or use a different player.
When to Use Password Protection
- Shared Networks: If others have access to your network or devices
- Public Media Servers: When sharing playlists with limited users on Emby/Jellyfin/Plex
- Extra Security: As an additional security layer on top of URL obscurity
When Password Protection Isn't Necessary
- Personal use on private devices
- URLs are already kept private and secure
- Your IPTV player doesn't support authentication parameters
Account Security Best Practices
Follow these recommendations to keep your StreamSweeper account secure:
Strong Passwords
- Use a unique password: Don't reuse passwords from other services
- Make it complex: At least 12 characters with mix of letters, numbers, and symbols
- Use a password manager: Tools like 1Password or Bitwarden help generate and store strong passwords
- Update regularly: Change your password periodically, especially if you suspect compromise
Email Security
- Secure your email: Your StreamSweeper account is tied to your email - protect it with a strong password
- Enable 2FA on email: Two-factor authentication on your email account adds another layer of protection
- Verify emails: Be cautious of phishing emails claiming to be from StreamSweeper
Connection Management
- Remove unused connections: Delete old or inactive IPTV connections
- Update credentials: If you change your IPTV provider password, update it in StreamSweeper
- Test connections: Regularly verify connections are working and secure
Playlist URL Security
- Keep URLs private: Don't share your playlist URLs publicly
- Regenerate if exposed: If URLs are accidentally shared, delete and recreate the playlist to get new URLs
- Use password protection: Enable for sensitive or semi-public use cases
- Limit sharing: Only share playlist URLs with trusted devices and people
URL Regeneration: If you believe your playlist URLs have been compromised, simply delete the playlist and create a new one. This generates fresh URLs that replace the old ones.
Two-Factor Authentication
StreamSweeper currently does not offer built-in two-factor authentication (2FA), but we recommend protecting your account through other security measures:
Security Without Built-In 2FA
- Email 2FA: Enable 2FA on your email account to prevent account takeover
- Strong Passwords: Use a complex, unique password for StreamSweeper
- Password Manager: Use a password manager with 2FA enabled
- Monitor Account Activity: Review usage and watch for suspicious activity
Future Feature: Two-factor authentication is on our roadmap. We're evaluating options like TOTP (Google Authenticator), SMS, and email-based 2FA to provide additional account security in future updates.
Privacy Policy Summary
Key points from our privacy policy (full policy available at /privacy):
What We Collect
- Account Data: Email, password (hashed), subscription status
- IPTV Credentials: Connection details (encrypted with AES-256)
- Usage Data: Feature usage, access logs, performance metrics
- Device Information: Browser type, IP address, operating system
How We Use Your Data
- Service Provision: Generate playlists, process connections, cache EPG data
- Account Management: Authentication, subscription management, support
- Service Improvement: Performance optimization, bug fixes, feature development
- Security: Fraud detection, abuse prevention, system security
What We DON'T Do
- No Selling Data: We never sell your personal information to third parties
- No Content Tracking: We don't track what channels or programs you watch
- No Ad Targeting: We don't use your data for advertising
- No Sharing Credentials: IPTV credentials are never shared with anyone
What Data StreamSweeper Collects
Transparency about data collection:
Required for Service
- Account credentials: Email and password for login
- IPTV connections: To generate playlists
- Playlist settings: To apply your filters and rules
- Payment info: To process subscriptions (via PayPal or Bitcoin)
Automatic Collection
- Access logs: IP addresses, timestamps, accessed resources
- Usage patterns: Features used, frequency, performance data
- Error reports: Technical logs for debugging and support
Optional
- Support communications: Only when you contact support
- Feature feedback: If you choose to participate in surveys or feedback
Data Minimization: StreamSweeper follows the principle of data minimization - we only collect what's necessary to provide our service. We don't collect extraneous personal information.
GDPR Compliance
StreamSweeper complies with the General Data Protection Regulation (GDPR) for users in the European Economic Area (EEA) and United Kingdom.
Your GDPR Rights
- Right to Access: Request a copy of your personal data
- Right to Rectification: Correct inaccurate or incomplete data
- Right to Erasure: Request deletion of your account and data
- Right to Portability: Export your playlist configurations
- Right to Restrict Processing: Limit how we use your data
- Right to Object: Object to certain types of data processing
- Right to Complain: Lodge a complaint with a supervisory authority
Exercising Your Rights
To exercise any GDPR rights, contact us at:
- Email: [email protected]
- Subject Line: "GDPR Request"
- Response Time: We'll respond within 30 days
Legal Basis for Processing
- Contract: Processing necessary to provide the service you've subscribed to
- Consent: You've explicitly agreed to data processing
- Legitimate Interest: Fraud prevention, security, service improvement
- Legal Obligation: Compliance with tax and financial regulations
Account Deletion & Data Removal
You can delete your StreamSweeper account and data at any time.
How to Delete Your Account
- Log in to StreamSweeper
- Go to Account Settings
- Scroll to Delete Account section
- Click Delete My Account
- Confirm deletion
What Happens When You Delete
- Immediate: Account is deactivated and playlists stop working
- Within 24 Hours: IPTV credentials are permanently deleted from database
- Within 7 Days: All playlist configurations, EPG cache, and channel data are removed
- Within 30 Days: Account information and logs are purged (except as required for legal compliance)
Data Retained for Legal Reasons
Some data is retained for legal compliance:
- Transaction Records: Kept for 7 years for tax purposes
- Account Creation Metadata: Basic info for fraud prevention (IP, date, email hash)
- Legal Requests: Data preserved if subject to legal hold or investigation
Irreversible: Account deletion is permanent and cannot be undone. Make sure to export any playlist configurations you want to keep before deleting your account.
Reporting Security Issues
If you discover a security vulnerability or issue with StreamSweeper, please report it responsibly.
How to Report
- Email: [email protected]
- Subject: "Security Vulnerability Report"
- Include: Detailed description, steps to reproduce, potential impact
- Don't: Publicly disclose the vulnerability before we've had a chance to fix it
Our Commitment
- Acknowledgment: We'll acknowledge receipt within 48 hours
- Investigation: We'll investigate and validate the report
- Resolution: Critical vulnerabilities will be patched within 7 days
- Communication: We'll keep you informed of progress and resolution
- Recognition: With your permission, we'll credit you for responsible disclosure
What to Report
- Authentication bypasses or privilege escalation
- Data exposure or credential leaks
- SQL injection, XSS, or other code injection vulnerabilities
- Encryption or cryptographic weaknesses
- Server misconfigurations exposing data
Responsible Disclosure: We appreciate security researchers who report vulnerabilities responsibly. We're committed to working with you to understand and resolve issues quickly.
Security FAQ
Can StreamSweeper employees see my IPTV passwords?
No. All IPTV credentials are encrypted with AES-256 before storage. Passwords exist only in encrypted form in the database and cannot be viewed by anyone, including StreamSweeper staff.
What happens if StreamSweeper gets hacked?
In the unlikely event of a breach, encrypted credentials remain protected by AES-256 encryption. We have incident response procedures, would immediately notify affected users, and would work with security experts to remediate any issues.
Are my playlists publicly accessible?
No. Playlist URLs are long, random, and difficult to guess. They're only accessible to those who have the exact URL. You can add password protection for additional security.
Does StreamSweeper monitor what I watch?
No. StreamSweeper generates playlists but doesn't track what channels or programs you watch. We only see when playlists are accessed, not what streams are played.
Is my payment information safe?
Yes. Payment processing is handled entirely by PayPal (a PCI-compliant payment processor) and BTCPay for Bitcoin payments. StreamSweeper never stores credit card numbers or payment details.
Can I use StreamSweeper on public WiFi?
Yes. All communication with StreamSweeper uses HTTPS/TLS encryption, protecting your data even on public networks. However, we still recommend using a VPN on untrusted networks for maximum security.
Additional Resources
Contact Security Team
For security concerns, privacy questions, or data requests: