Privacy Policy

Controller, scope, and applicability

This privacy policy applies to the public website, the authenticated dashboard, the support area, and the paid digital services offered under the GoOverlay brand. The controller details that legally identify the operating entity are published in the Legal Notice (Impressum).

This policy applies whenever GoOverlay determines the purposes and means of processing personal data relating to visitors, registered users, collaborators, customers, and support contacts.

Purposes and legal bases

GoOverlay processes account, authentication, session, workspace membership, widget, scene, support, and security-log data to provide the service, secure accounts, prevent abuse, and fulfill contractual and legal obligations.

If a visitor gives consent on the public website, GoOverlay may also process pseudonymous public-site visit telemetry through Google Analytics for traffic measurement and public-page improvement. That analytics path is not activated by default and does not apply to the authenticated app area or viewer routes.

Depending on the processing purpose, GoOverlay relies on contract performance, legal obligations, legitimate interests in secure and reliable operation, or consent where consent is legally required.

Categories of personal data

Processed data may include account identifiers, login credentials, encrypted or hashed contact data, plan and billing state, workspace ownership and collaborator assignments, widget and scene configuration data, support messages, and technical usage or security metadata.

Where payment flows are used, GoOverlay does not store full card details itself. Payment card handling remains with the payment provider and the data returned to GoOverlay is limited to the identifiers and billing events required to reconcile subscription state.

Payments, processors, and recipients

Hosting, infrastructure, email, support, and payment processors receive only the data required for their role under the applicable contractual and data-protection terms. The current payment processor for paid plans is Stripe.

For billing reconciliation, GoOverlay stores the customer, checkout, subscription, invoice, and price identifiers returned by the payment processor together with the internal account reference needed to assign billing events correctly.

International transfers

If processors or subprocessors process personal data outside the European Economic Area, GoOverlay uses only transfer mechanisms permitted under the GDPR, such as an adequacy decision or appropriate safeguards including the European Commission standard contractual clauses where required.

Transfer details depend on the final infrastructure and processor setup in productive operation and are documented in the processing records and processor agreements kept by the controller.

Retention, newsletter, and rights

Personal data is stored only for as long as required for contract performance, account security, abuse prevention, support handling, billing reconciliation, or statutory retention duties. When those purposes end, data is deleted or anonymized unless continued storage is legally required.

Where consent-based public-site analytics is used, consent can be withdrawn for future browser-side analytics collection at any time through the consent controls or by deleting the related browser storage.

Optional newsletter and product-update emails are sent only on an opt-in basis. An objection or unsubscribe stops future marketing messages without affecting essential account, security, billing, or service emails.

Data subjects can request access, rectification, erasure, restriction, portability, or objection through the contact details in the legal notice or the in-app support channel. A complaint may also be lodged with the competent data protection supervisory authority in line with the GDPR.

Security and account protection

GoOverlay uses technical and organizational measures intended to protect confidentiality, integrity, availability, and resilience of the service, including access control, credential protection, signed output URLs, and role-based workspace separation.

No internet service can guarantee absolute security. Users remain responsible for protecting their own credentials, local devices, streaming endpoints, and collaborator access decisions.