Legal

Privacy Policy

How we handle your data with transparency and respect for your privacy rights.

Last updated: March 2026

Introduction

This Privacy Policy describes how Nori Systems GmbH ("we", "us", "our") collects, uses, and protects your personal information when you use PanoraCast, our cloud-based IP camera streaming service available at https://panoracast.com and https://app.panoracast.com.

We are committed to protecting your privacy and complying with the EU General Data Protection Regulation (GDPR) and the Swiss Federal Act on Data Protection (nDSG).

Information We Collect

Account Information:

  • Email address
  • Display name
  • Password hash (if you register directly with us)
  • Google OAuth profile information (if you sign up using Google authentication)
  • Account creation date and last login timestamp

Payment Information:

  • Billing details processed securely through Stripe (we do not store credit card numbers or payment card details)
  • Subscription plan level (free or pro)
  • Stripe customer ID and subscription ID for billing management

Camera and Stream Data:

  • Camera names and identifiers
  • RTSP/RTMP connection URLs configured by you
  • Stream configuration settings (stored in JSONB format, including resolution preferences, privacy settings, embed options)
  • Embed tokens (UUID identifiers for public stream access)
  • Access control settings (PIN protection, allowed domains, time scheduling, timezone preferences)
  • Logo overlay files and positioning configurations

Usage Data:

  • Stream viewer counts (incremented/decremented in real-time via Redis)
  • Stream events (play, stop, publish, unpublish timestamps)
  • IP addresses of viewers accessing your public streams
  • Client identifiers and user agents
  • Viewer count snapshots for analytics (periodic timestamped records)
  • Camera connection status and error logs

Cookies and Session Data:

  • Session cookies for authentication and login state
  • JWT (JSON Web Tokens) for secure API access
  • Essential cookies only (we do not use tracking, advertising, or marketing cookies)

How We Use Your Information

We use your personal data for the following purposes:

  • Service Delivery: To provide streaming infrastructure, ingest camera feeds via RTSP/RTMP, transcode to HLS format, and deliver embedded players to your viewers.
  • Account Management: To create and maintain your account, authenticate your access, and manage your subscription.
  • Payment Processing: To handle billing through Stripe for pro subscriptions, invoices, and refunds.
  • Analytics: To generate viewer statistics, monitor stream health, detect connection issues, and provide you with insights about your camera feeds.
  • Customer Support: To respond to your inquiries, troubleshoot technical issues, and improve our service.
  • Security: To protect against unauthorized access, prevent fraud, detect abuse, and maintain the integrity of our platform.
  • Service Improvement: To analyze usage patterns and optimize streaming performance, reliability, and feature development.

Data Storage and Security

Your data is stored and processed with the following measures:

  • Database: Account, camera, and stream metadata are stored in a PostgreSQL 16 database with encrypted connections (TLS).
  • Cache: Real-time stream status and viewer counts are stored in Redis 7 with encrypted connections.
  • Server Location: Our production server is hosted in Helsinki, Finland (EU) via Hetzner Cloud.
  • Encryption: All data in transit is encrypted using TLS 1.3 via Caddy reverse proxy with automatic certificate management.
  • Access Control: Database and API access is restricted to authorized personnel and services only. JWT authentication protects all API endpoints.
  • Backups: Regular database backups are performed and stored securely.

Third-Party Services

We use the following third-party services that may process your data:

  • Stripe: Payment processing for subscriptions. Stripe is PCI DSS Level 1 certified. Read their privacy policy at stripe.com/privacy.
  • Google OAuth: Optional authentication method. If you choose to sign up with Google, we receive your email address and profile information from Google. Read Google's privacy policy at policies.google.com/privacy.
  • Hetzner Cloud: Infrastructure hosting provider based in Germany (EU). Read their privacy policy at hetzner.com/legal/privacy-policy.
  • Caddy: Open-source reverse proxy for TLS certificate management (no data sharing with third parties).

Data Retention

We retain your data as follows:

  • Account Data: Retained while your account is active and for a reasonable period after account closure to comply with legal obligations.
  • Stream Events: Viewer events and analytics data are retained for up to 90 days for reporting purposes.
  • Logs: System logs containing IP addresses and error traces are retained for up to 30 days for debugging and security monitoring.
  • Deletion: Upon account deletion request, we permanently delete your personal data within 30 days, except where we are legally required to retain certain information (e.g., for tax or anti-fraud purposes).

Your Rights (GDPR and Swiss DPA)

Under GDPR and Swiss data protection law, you have the following rights:

  • Right to Access: Request a copy of the personal data we hold about you.
  • Right to Rectification: Request correction of inaccurate or incomplete data.
  • Right to Erasure: Request deletion of your personal data ("right to be forgotten").
  • Right to Data Portability: Receive your data in a structured, machine-readable format and transfer it to another service provider.
  • Right to Restriction: Request that we limit the processing of your data in certain circumstances.
  • Right to Object: Object to processing of your data for specific purposes.
  • Right to Withdraw Consent: Withdraw your consent at any time (where processing is based on consent).

To exercise any of these rights, contact us at [email protected]. We will respond to your request within 30 days.

Cookies

PanoraCast uses essential cookies only:

  • Authentication Cookies: JWT tokens to keep you logged in and secure your session.
  • Session Cookies: Temporary cookies to maintain your login state across pages.

We do not use tracking cookies, advertising cookies, or marketing cookies. No third-party analytics scripts (e.g., Google Analytics) are present on our platform.

Children's Privacy

PanoraCast is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child under 16 has provided us with personal information, please contact us at [email protected] and we will promptly delete it.

International Data Transfers

Your data is processed and stored in the European Union (Helsinki, Finland). Switzerland has been recognized by the EU as providing an adequate level of data protection. If data is transferred outside the EU/EEA, we ensure appropriate safeguards are in place (e.g., Standard Contractual Clauses).

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service features. If we make material changes, we will notify you via email (to the address associated with your account) at least 30 days before the changes take effect. Continued use of PanoraCast after policy updates constitutes acceptance of the revised terms.

Contact Us

If you have questions about this Privacy Policy, need to exercise your data protection rights, or have concerns about how we handle your information, please contact us: