Data Privacy
Streamdiver is GDPR-compliant by design – not as a retrofit. This page explains how the platform protects personal data, avoids unnecessary data collection, and keeps your content under your control.
GDPR Compliance
The General Data Protection Regulation (GDPR / DSGVO) is the foundation of our data handling practices. Key aspects:
- Data minimization – We process only the data required to deliver the service. No tracking, no profiling, no ad-tech.
- Purpose limitation – Uploaded content is processed for the features you use (transcription, search, etc.) and nothing else.
- Storage limitation – You control the lifecycle of your content. Deleted assets are purged from all systems, including backups, within the retention period specified in your DPA.
- Data Processing Agreements – We provide a DPA (Auftragsverarbeitungsvertrag / AVV) to every customer, defining processing purposes, security measures, sub-processor lists, and data subject rights.
Streamdiver does not use US-based cloud providers (AWS, Azure, Google Cloud) for data processing or storage. This means your data is not subject to the US CLOUD Act, which can compel US-headquartered providers to hand over data regardless of where it is physically stored.
Cookie-Free Publishing-Suite
The Streamdiver Publishing-Suite – Player, Channel Slider, and Media Library – operates without cookies. This is a fundamental architectural decision, not a configuration toggle.
What this means for your website
| Aspect | Streamdiver | Typical video platforms |
|---|---|---|
| Cookies set on embed | None | Third-party tracking cookies |
| Cookie consent banner required | No | Yes (ePrivacy Directive) |
| Data sent to third parties | None | Analytics, ad networks |
| GDPR-relevant data processing | Only on your terms | Often unclear or extensive |
When you embed a Streamdiver widget, your visitors' browsers communicate directly with European infrastructure. No identifiers are stored on the client, and no data flows to advertising or analytics networks.
Technical details
- Widgets are delivered as Web Components with no local storage, session storage, or cookie usage
- Video streaming uses HLS over HTTPS – the only network requests are for video segments and metadata
- No fingerprinting, no tracking pixels, no third-party scripts
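One way to check these properties on your own embed, as an added example that is not Streamdiver's code: the function below audits a HAR capture exported from the browser's developer tools for cookie headers, non-HTTPS requests, and hosts outside an allowlist. The host names and the sample capture are constructed placeholders, not real Streamdiver endpoints.

```javascript
// Added example: audit a HAR capture of a page that embeds a video widget.
// Host names and the sample capture below are constructed placeholders.
const hasHeader = (headers, name) =>
  (headers || []).some((h) => h.name.toLowerCase() === name);

function auditHar(har, allowedHosts) {
  const findings = [];
  for (const { request, response } of har.log.entries) {
    const url = new URL(request.url);
    const where = `${url.host}${url.pathname}`;
    if (url.protocol !== "https:") {
      findings.push({ rule: "non-https", where });
    }
    if (!allowedHosts.includes(url.hostname)) {
      findings.push({ rule: "unexpected-host", where });
    }
    if (hasHeader(request.headers, "cookie")) {
      findings.push({ rule: "cookie-sent", where });
    }
    if (hasHeader(response.headers, "set-cookie")) {
      findings.push({ rule: "cookie-set", where });
    }
  }
  return findings;
}

// Constructed sample: two clean requests and one that violates every rule.
const entry = (url, reqHeaders = [], resHeaders = []) => ({
  request: { url, headers: reqHeaders },
  response: { headers: resHeaders },
});
const sampleHar = {
  log: {
    entries: [
      entry("https://media.example.eu/v/123/master.m3u8"),
      entry("https://media.example.eu/v/123/seg-0001.ts"),
      entry("http://tracker.example.com/pixel.gif",
        [{ name: "Cookie", value: "uid=abc" }],
        [{ name: "Set-Cookie", value: "uid=abc; Max-Age=31536000" }]),
    ],
  },
};

const findings = auditHar(sampleHar, ["media.example.eu"]);
console.log(findings.map((f) => `${f.rule}: ${f.where}`).join("\n"));
```

Some browsers strip cookie headers from HAR exports by default, so confirm the capture includes them before trusting a clean result. A HAR file does not record local storage or session storage, which have to be inspected separately in the developer tools.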
Data Residency
All data is processed and stored exclusively in ISO 27001 certified data centers in Austria, Germany, and Finland.
- No data ever leaves the EU
- No replication to non-EU regions
- Sub-processors are contractually bound to the same geographic restrictions
This applies to all data types: uploaded media, AI-generated metadata (transcripts, entities, summaries), user-provided metadata, and system logs.
Self-Hosted AI Models
Streamdiver's AI pipeline – transcription, speaker recognition, entity extraction, summarization, semantic search, and RAG – runs entirely on self-hosted models within our European infrastructure.
- No data is sent to OpenAI, Anthropic, Google, or any other external AI provider
- Models are deployed and updated by the Streamdiver engineering team
- Inference happens within our European infrastructure, with no data leaving the EU
- AI results (transcripts, entities, embeddings, etc.) are available exclusively through your tenant's API
This ensures that your content never becomes training data for third-party models and never traverses networks outside your data residency boundary.
Data Processing Overview
| Data category | Processing location | Retention | Access |
|---|---|---|---|
| Uploaded media (video, audio, documents) | AT / DE | Customer-controlled | Tenant-isolated |
| AI-generated metadata (transcripts, entities, summaries) | AT / DE / FI | Tied to source asset | Tenant-isolated |
| API credentials (OAuth 2.0) | AT / DE | Until revoked | Tenant admin |
| System and access logs | AT / DE | Per DPA terms | Streamdiver operations |
Sub-Processors
A current list of sub-processors is included in every DPA. We notify customers of sub-processor changes in advance, as required by GDPR Article 28.
Your Rights and Controls
As a data controller, you retain full control:
- Export – All content and metadata are accessible via the REST API
- Deletion – Assets and associated AI data can be deleted via the API at any time
- Portability – Transcripts are available in JSON, SRT, DOCX, and TXT; media in original and transcoded formats
- Audit – Access logs and processing records available on request
For questions about data privacy or to request a DPA, contact us.