CurlCast
Login

Privacy Policy

Last Updated: October 29, 2025

1. Introduction

CurlCast Streaming Services ("CurlCast," "we," "our," or "us") provides software and hardware solutions that allow curling clubs to livestream games to YouTube and for fans to watch those streams. This Privacy Policy explains how we collect, use, share, and protect your information, including Google user data obtained through OAuth.

Contact: curlcast.net@gmail.com

Business Name: CurlCast Streaming Services

2. Scope of Policy

This Policy applies to all users of CurlCast, including:

  • Viewers – individuals who use our website or app to browse clubs and watch YouTube streams (no login or payment required).
  • Club Managers – authorized users who sign in via Google OAuth to manage club profiles, schedules, and broadcast metadata.

It covers all interactions with our website, apps, and streaming automation services.

3. Data Accessed (What We Collect)

A. Viewer Data

  • Technical data (IP address, device/OS/browser type, pages viewed, timestamps, referrer, performance metrics).
  • Cookies or local storage for essential functionality.
  • Embedded YouTube: YouTube may set its own cookies per Google’s policies.

CurlCast does not create viewer accounts or intentionally collect personally identifiable information (PII).

B. Club Manager Data

  • Identity: name, email address, Google user ID, and profile photo (via Google Sign-In).
  • OAuth tokens: access and refresh tokens (never your Google password).
  • YouTube metadata: channel ID, broadcast IDs, and related fields needed for broadcast management.
  • Manager inputs: club name, sheet labels, team names, event titles, and uploaded images.
  • Operational data: logs, timestamps, device info, and app version for reliability and security.

4. Data Usage (How We Use Your Data)

  • Authenticate and authorize club managers via Google OAuth.
  • Manage YouTube broadcasts (create, bind, list, or update streams) on behalf of clubs.
  • Operate, maintain, and secure CurlCast systems and services.
  • Send operational updates, incident alerts, or support messages.

We do not use Google user data for advertising, marketing, or profiling.

5. Data Sharing (Who We Share With)

CurlCast does not sell or rent personal data. We share information only when necessary:

  • Service providers: Google Cloud Platform (Firestore, Cloud Functions, Secret Manager, Logging) under confidentiality and security agreements.
  • YouTube: as required to operate broadcasts through the YouTube Data API.
  • Legal authorities: when required by law or to protect rights and safety.

We do not grant advertisers or analytics partners access to Google user data.

6. Google OAuth & YouTube API Disclosure

OAuth Flow: Managers connect their YouTube channel via Google OAuth 2.0.

Scopes Requested:

  • openid, email, profile (Google Sign-In)
  • https://www.googleapis.com/auth/youtube (YouTube Data API v3)

Endpoints Used: liveBroadcasts.list, liveBroadcasts.insert, liveBroadcasts.update, liveBroadcasts.bind, liveStreams.list

Limited Use Compliance: CurlCast’s use and transfer of Google user data complies with the Google API Services User Data Policy, including Limited Use requirements.

Server-Side Only: All API calls occur within secure Cloud Functions using the official googleapis library; no client/browser requests access Google data.

Revocation & Deletion: You may revoke CurlCast’s access at myaccount.google.com/permissions or disconnect YouTube within the CurlCast dashboard. When revoked, stored refresh tokens are deleted and all API activity ceases.

7. Data Storage & Protection (How We Protect It)

  • Encryption: All data encrypted in transit (TLS) and at rest through Google Cloud.
  • Access Control: Tokens and secrets stored in Secret Manager or Firestore; access is role-based, logged, and limited to production systems.
  • Audit Logs: Administrative actions and data access are recorded and monitored.
  • Cross-Border Transfers: Data may be processed in cloud regions outside your country under recognized privacy frameworks.

8. Data Retention & Deletion

  • OAuth tokens: retained only while your YouTube channel is connected; deleted immediately after revocation or disconnection.
  • Manager accounts and club data: retained while active and up to 12 months after closure for legal or operational reasons, then deleted or anonymized.
  • Operational logs: stored for 90 days for security and troubleshooting, then automatically deleted.
  • User requests: managers may email curlcast.net@gmail.com to request access, correction, or erasure of personal data.

9. Your Rights & Choices

  • Disconnect or revoke OAuth access any time.
  • Request access, correction, or deletion of data by emailing curlcast.net@gmail.com or by using our Account/Data Deletion Request Link.
  • Adjust browser or device settings to manage cookies or permissions.
  • Where required by law (e.g., EU / UK / EEA / certain U.S. states), you may exercise additional privacy rights via email request.

10. Children’s Privacy

CurlCast is intended for general audiences and club staff. We do not knowingly collect data from children under the age of digital consent (typically 13–16). If you believe a child has submitted information, contact us to delete it.

11. Third-Party Services

Our site and app embed YouTube content and may link to third-party services. Those services’ own privacy policies govern their data collection and use.

12. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be announced in-product or by email to managers. The “Last Updated” date reflects the current version.