Privacy Policy

Last updated: 4 June 2026 · Effective: 4 June 2026

VSpark is a collab matchmaking platform for indie VTubers. This page covers what data we collect, why we collect it, how we store it, how to delete it, and the specific commitments we make about data received from Google APIs (including YouTube).

Contents

1. Who we are

VSpark is operated as an indie project by a small team. The service lives at https://vspark.gg. The data controller for the purposes of UK GDPR and EU GDPR is the team, contactable at hello@vspark.gg.

2. Data we collect

From your streaming platform (Twitch or YouTube)

When you sign in with Twitch OAuth, we receive and store:

When you sign in with Google OAuth (for YouTube), we receive and store:

We do not receive or store your email password, your Google account password, or any other Google account data beyond the YouTube channel fields listed above.

From you directly

During onboarding and ongoing use, you may provide:

Automatically

When you use VSpark we log:

3. YouTube API Services

Limited Use disclosure

VSpark's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

VSpark uses the YouTube Data API v3 for one purpose only: to verify, when you first sign in with Google, that your YouTube channel meets the 1,000-subscriber requirement for our closed beta, and to display your channel name, handle, and avatar on your VSpark profile so other VTubers can find you.

What we call

A single endpoint: GET /youtube/v3/channels?part=snippet,statistics&mine=true. We call it at your first sign-in to verify the 1,000-subscriber gate, and again on subsequent sign-ins when a fresh OAuth token is available, in order to refresh your channel name, handle, and avatar if you have updated them on YouTube. We do not poll, schedule, or call this endpoint between sign-ins. We read four fields from the response: id, snippet.title, snippet.customUrl, and snippet.thumbnails.default.url, plus statistics.subscriberCount. We do not call any other YouTube endpoint.

Scope we request

https://www.googleapis.com/auth/youtube.readonly. We request the readonly scope because it is the narrowest published scope that exposes channels.list?mine=true for the authenticated user. We do not write to your YouTube account. We do not read your videos, playlists, comments, subscriptions, watch history, or any other YouTube data beyond the channel fields listed above.

What we store

Only the four channel fields above plus the subscriber count snapshot. We do not store the OAuth refresh token. We do not store the access token after the request returns.

What we do not do with YouTube data

How to revoke access

You can revoke VSpark's access to your YouTube data at any time by visiting https://myaccount.google.com/permissions and removing VSpark from the list of connected apps. Revoking access removes our ability to refresh your channel data; your existing VSpark profile remains until you delete it (see section 8).

4. How we use your data

We use the data above to:

We do not use your data to train AI models. We do not profile you for advertising. We do not run ads on VSpark.

5. Sharing and disclosure

We share data with a small set of service providers, used strictly to run VSpark:

We do not sell your data. We do not share your data with advertisers, data brokers, or analytics vendors. We will disclose data to law enforcement only when legally compelled and only after assessing the request for validity.

Profile data you choose to publish (display name, handle, pronouns, bio, genres, vibe tags, hero image, achievements, endorsements) is visible to other approved VSpark users only. Your profile page is gated behind sign-in and is not indexed by search engines.

6. Storage and retention

Your profile, swipes, matches, chat messages, endorsements, and achievement data are kept for as long as your account is active. If you delete your account (section 8), we erase your profile, swipes, matches, chat messages, endorsements, hero image, and YouTube channel snapshot within 30 days.

Server logs are retained for 30 days and then deleted. Email send logs at Resend follow Resend's own retention policy (typically 30 days).

Data is stored on Supabase infrastructure in their EU region. Cloudflare edge caches operate globally; only public profile shell HTML (no private data) is edge-cached.

7. Security

VSpark is built on HTTPS-only with HSTS preload. Database access is gated by Postgres Row Level Security policies and a service-role key held only on our Cloudflare Pages Functions. All cross-user reads go through a server endpoint that strips private columns before responding. OAuth tokens are never persisted to disk past the first-sign-in verification call.

No system is bulletproof. If we become aware of a breach affecting your data, we will notify you by email within 72 hours of discovery, alongside any regulatory notification we are required to make.

8. Your rights and deletion

Depending on where you live, you may have the right to access, correct, port, restrict, or delete your personal data, and to object to processing or withdraw consent. We honour these rights for every user regardless of jurisdiction.

To exercise any of these rights:

If you believe we have mishandled your data, you can lodge a complaint with your local data protection authority. UK residents: the ICO at ico.org.uk.

9. Cookies and local storage

The full inventory, including third-party storage and per-browser clearing instructions, lives on our Cookie Policy. That page is the canonical source.

In short: VSpark uses a small set of strictly-necessary first-party browser storage entries, including a Supabase authentication session, your motion preference, transient UX flags (e.g. dismissed install prompts and seen-achievement IDs), a trusted-host whitelist for chat link warnings, a push-notification preference, and a 24-hour referral capture window.

We do not use third-party tracking cookies. We use Cloudflare Web Analytics for aggregate pageview counts; it sets no cookies, runs no cross-site tracking, and collects no personal data. We do not use Google Analytics.

10. Children and minors

VSpark is not directed at children or minors. You must be at least 18 years old to use the service, as set out in our Terms of Service §2. We do not knowingly collect data from anyone under 18. If you believe a person under 18 has signed up, email hello@vspark.gg and we will remove the account.

11. Changes to this policy

If we make material changes to this policy, we will update the date at the top and post a notice on the landing page or send affected users an email. Continued use of VSpark after the effective date constitutes acceptance of the updated policy.

12. Contact

Questions, requests, or complaints: hello@vspark.gg. We aim to reply within 5 business days.