Privacy Policy
Last updated: April 1, 2026
Joyp builds the player. You bring the content. This policy explains what data we collect, how we protect it, and what happens if something goes wrong.
Joyp is a media player.
We don't provide playlists, channels, or streams. We don't host video. We have zero affiliation with any content distributor or streaming service. You are responsible for the content you access.
Questions? privacy@joyp.tv
1. What We Collect
Account basics
Email, display name (optional), your password (hashed with a modern memory-hard algorithm, never stored in plaintext), subscription tier, age confirmation.
Your streaming credentials (the important one)
When you add a playlist source, your credentials (server URL, username, password) get encrypted on your device before they ever leave it. The encryption is keyed off a passphrase only you know. That passphrase never touches our servers.
We cannot read your credentials. Period. This is zero-knowledge encryption. If our entire database gets dumped tomorrow, an attacker gets ciphertext they can't decrypt. Neither can we. That's the whole point.
The free player at free.joyp.tv works differently. It has no account and no vault. Credentials are passed through our proxy during API calls and are never logged or stored. They exist in server memory only during the request.
Device info
A SHA-256 hash of your browser characteristics (not a hardware serial number), device name from User-Agent, last login IP and timestamp.
Usage data
Favorites, watch history, custom groups, profile settings, EPG preferences, player settings like volume and captions. This syncs across your devices.
We don't monitor or log what you watch. Channel selection happens on your device. We see metadata (channel IDs in your favorites), not content.
Payments
Payments run through our self-hosted Bitcoin payment system (Lightning and on-chain). We see the invoice and the on-chain or Lightning transaction reference. We do not store the wallet you send from. Card payments via CCBill or Segpay may be available in some regions; the payment method offered at checkout reflects current availability and the processor's privacy policy applies to those flows.
Analytics
GA4 loads only if you opt in. Collects anonymized page views. You can disable it anytime. We don't use it to track what you watch.
Onboarding events (beta)
While Joyp is in beta we record seven onboarding milestones to see where new users get stuck: signed up, email verified, vault created, provider attached, first live watch, first VOD watch, trial converted. We store the IP from your invite-code redemption to detect abuse. We do not record what you watched, when you watched it, or for how long — only that you crossed the milestone. The full list of fields is visible in our open-source repo.
2. What We Do With It
Auth, sync, email (verification, password reset, payment receipts, security alerts), aggregated analytics, rate limiting and abuse prevention. That's it.
We don't sell your data. We don't share it with advertisers. We don't do profiling or automated decision-making. There's no ad network anywhere in the stack.
3. Legal Basis (GDPR)
- Contract: Running your account, syncing your data, managing your subscription
- Legitimate interest: Security, fraud prevention, keeping the service running
- Consent: Analytics and marketing emails (opt-in only, revoke anytime)
- Legal obligation: Tax records, regulatory compliance
4. Who Else Touches Your Data
| Service | What they do | What they see |
|---|---|---|
| Self-hosted Bitcoin payment system | Bitcoin payments | Invoice ID, transaction reference, tier |
| Resend | Transactional email | Email address, message content |
| AWS | Hosting, database, vault storage | All account data (encrypted at rest) |
| Google Analytics | Usage metrics | Anonymized page views (consent only) |
| Sentry | Error monitoring | Error traces, device info (no PII) |
Each one has a signed Data Processing Agreement. They encrypt data in transit and at rest and are required to notify us promptly if something goes wrong on their end.
5. How Long We Keep It
Most user-controlled data stays until you decide to remove it. Operational data (logs, caches, ephemeral records) follows the schedule below.
| What | How long |
|---|---|
| Account data | Until you delete your account |
| Encrypted vault blobs | Until you delete or reset it; 30-day grace after account deletion |
| Watch history and favorites | Until you clear them or delete your account |
| Device records | Until you unlink the device or delete your account |
| Refresh tokens (joyp-rt cookie) | 2–14 days (rolling) depending on session type — standard, remember-me, or recovery |
| Payment records | 7 years (tax law requires this) |
| Nginx / API access logs | 30 days, then purged |
| Audit logs (account delete / export events) | 1 year |
| S3 EPG and playlist cache | 7-day hard cap, sooner when invalidated |
| Background-job logs (BullMQ) | 72 hours for completed, 7 days for failed |
| Inactive accounts | 24 months without sign-in, after one warning email |
The inactive-account cleanup is currently a manual sweep; we're building automated tooling so the timeline above runs without human intervention. If your account is approaching the 24-month threshold, we'll email you before any action is taken.
6. How We Protect It
All primary services (joyp.tv, getjoyp.com, our API) use TLS 1.2 or higher with HSTS enforced at a 2-year max-age. Database encrypted at rest via AWS. Vault blobs are stored encrypted at rest on S3 on top of the client-side encryption.
One narrow exception: the stream-trampoline popup at play.joyp.tv is served over HTTP by design. Many IPTV providers serve their streams over unencrypted HTTP, and browser mixed-content rules require a same-protocol bridge to forward those streams to the player. No authentication credentials, account tokens, or personal data pass through this popup — only the stream URL you have already provided to your IPTV provider, which the popup forwards back to your local player.
Passwords are hashed with a modern, GPU-resistant memory-hard algorithm. Access tokens expire in 15 minutes with automatic refresh rotation. Admin panel is IP-restricted at the infrastructure level. Every API endpoint is rate-limited.
The vault encryption is the centerpiece: your provider credentials are encrypted on your device, transmitted as ciphertext, stored as ciphertext. The key lives in your head. If you lose your passphrase, we can't recover it for you. That's the trade-off for real privacy.
7. If Something Goes Wrong
If we discover a data breach:
- We assess the scope and risk immediately
- We notify the relevant supervisory authority within 72 hours if there's a real risk to you (GDPR Article 33)
- We notify you directly if the risk is high (Article 34)
- California residents: without unreasonable delay per Cal. Civ. Code § 1798.82
Here's what zero-knowledge means in practice: If our database gets breached, your streaming credentials stay encrypted. An attacker gets ciphertext they can't use without your passphrase, which we never had. You would not need to change your credentials. We would still notify you about any plaintext data that was exposed (email, tier, device info) and require a password reset.
This is the core advantage of our architecture. Most media players store credentials in plaintext. We store ciphertext. A breach of our systems is not a breach of your streaming access.
8. Your Rights
If you're in the EU/EEA/UK (GDPR)
You can: access your data, correct it, delete it, restrict how we process it, export it in JSON, object to processing, or withdraw consent for analytics/marketing. All of these are available in your account settings or by emailing privacy@joyp.tv.
If you're in California (CCPA)
You can: know what we collect, delete your data, opt out of data sales (we don't sell data, so there's nothing to opt out of). We won't treat you differently for exercising these rights.
How to do it
- Export: Settings → Data Management → Export JSON.
- Delete account: Email privacy@joyp.tv from the address on the account. We process verified deletion requests within 30 days, including BTCPay invoice history and S3 vault blobs. (A self-service Settings UI for account deletion is on the roadmap.)
- Everything else: privacy@joyp.tv. 30-day response (45 for complex requests).
9. International Transfers
We're US-based. Data lives in AWS us-east-1. If you're in the EU/UK, your data crosses the Atlantic under contractual and technical safeguards including Standard Contractual Clauses where executed with the relevant processor. Everything is encrypted in transit and at rest. We are not currently certified under the EU–US Data Privacy Framework.
10. Kids
You need to be at least 13 (US) or 16 (EU/UK) to use Joyp. We don't knowingly collect data from anyone under those ages. If we find out a minor signed up, we delete their data. If you think a child created an account, let us know at privacy@joyp.tv.
11. Changes
If we change this policy in a meaningful way, we'll email you and show an in-app notice at least 30 days before it takes effect.
12. Contact
privacy@joyp.tv for data requests and privacy questions. support@joyp.tv for general help. EU residents can also file a complaint with their local data protection authority.