Privacy Policy

deutschmark toolset privacy

Last Updated: May 4, 2026

Toolset is a creator utility for Twitch streamers: hosted OBS sources, music widgets, chat tools, clip and video helpers, a local ForgetMeNot runtime, and setup pages for related downloads. This policy explains what data is collected, why it is used, where it is stored, how long it is kept, and which outside services are involved.

Toolset is operated globally for Twitch creators wherever Twitch is available. Toolset infrastructure is hosted on Cloudflare in the United States, with edge caching at points of presence worldwide. By using Toolset you acknowledge that your data may be transferred to, stored in, and processed in the United States and at Cloudflare's global edge network.

Companion document: Terms of Service — rules for using Toolset, copyright handling, and the legal relationship.

1. Overview

Toolset collects only what is needed to run the service, authenticate your account, save your tool configuration, and make the connected streaming features work. The app is not an advertising product. It does not run Google Analytics, Mixpanel, PostHog, or similar third-party tracking SDKs.

Operational logs (who hit which endpoint, what response code, when) are reviewed when investigating bugs, abuse, or security incidents. They are not used for behavioral profiling or marketing.

2. Information Collected

2.1 Twitch account data and OAuth scopes

Toolset uses Twitch OAuth for sign-in. The auth worker stores your Twitch user ID, login, display name, profile image URL, chat color, profile color when available, and encrypted Twitch access and refresh tokens.

The OAuth tokens carry the following scopes — these define what Toolset can do on your behalf, and you grant them at the Twitch consent screen during sign-in:

  • user:read:email - Confirm your Twitch identity at sign-in (email is requested by the OAuth flow but not stored by Toolset)
  • chat:read - Read messages from your channel chat for ForgetMeNot and command tools
  • chat:edit - Send messages from your bot account or your own account when you trigger a command
  • channel:read:redemptions - Detect channel point redemptions for tools that respond to them
  • clips:edit - Create and read clips when you trigger a clip command or use Clip Play
  • channel:manage:videos - Read VOD metadata for tools like Clipline that operate on past broadcasts
  • user:read:chat_color - Read your saved Twitch chat color so the toolset can match it

Toolset only requests scopes for tools you actually use. If you don't connect a tool that needs a scope, that scope isn't on your token.

2.2 Spotify connection data

If you connect Spotify, Toolset uses an unusual model: you create your own Spotify Developer App and provide its client ID and client secret to Toolset. This means your Spotify usage is not pooled with other Toolset users under a shared registered app — Spotify sees the calls as coming from your own developer project. The privacy implication is that your Spotify activity is not visible to Toolset in aggregate.

Toolset stores the client ID and client secret you provide (encrypted at rest with AES-GCM in Cloudflare KV; never displayed back to you in plaintext after entry), encrypted Spotify OAuth tokens, and your Spotify profile display name, ID, and image URL when available. The music tools call Spotify now-playing, playback, queue, library, and playlist APIs according to the permissions you authorize.

2.3 Tool configuration and hosted sources

Toolset stores settings for widgets and stream tools, including theme and player options, hosted source labels and opaque wid tokens, OBS browser-source configuration, video shout-out filters, Clip Play settings, BRB Player sources, Stream Start/End settings, Emote Rain settings, command profiles, editor feed items, and editor summaries.

wid tokens are opaque random identifiers — they do not encode your Twitch user ID or any personal data, and they grant only read access to the specific widget configuration they were issued for.

2.4 ForgetMeNot chat bot — local runtime, viewer chat

ForgetMeNot runs on your computer, not on Toolset infrastructure. The Chat Bot page in Toolset stores bot settings, policy settings, install records, bot-account connection details, and short-lived pairing codes. Installation secrets are stored as SHA-256 hashes after setup.

The Gemini API key field in the onboarding flow is sent to your local ForgetMeNot runtime at localhost. It is never transmitted to or stored on Toolset infrastructure. AI prompts and responses flow directly between your local machine and Google Gemini under your own account.

Viewer chat data flow. When ForgetMeNot is running, it reads Twitch chat messages from your channel via the bot account's Twitch IRC connection in order to perform commanded functions (for example, responding when someone uses a command, or generating context-aware replies). Chat messages are processed locally on your machine. Long-term retention of chat content for ForgetMeNot's memory features is governed by your local ForgetMeNot configuration, not by Toolset.

Viewers in your chat are not Toolset account holders, but their messages may be processed by ForgetMeNot under your direction. As the streamer, you are the controller for that processing — see the viewer/third-party section below and the "Chat Bot Use" section of the Terms of Service.

2.5 Viewer and third-party data

Several Toolset features process data about Twitch users other than the streamer account holder — for example, chat participants whose messages are read by ForgetMeNot, clip creators whose clips you push to stream via Clip Play, and raid sources displayed by Video Shout Out.

This data is processed on your behalf as the streamer-account holder. The underlying personal data (chat handle, clip metadata, profile image) is governed by Twitch's own data practices and is fetched from Twitch using your authorized OAuth tokens. Toolset does not retain searchable archives of viewer chat messages on its own infrastructure.

2.6 Support and recurring donations

The /support page accepts one-time donations and a $5 / month recurring supporter tier through Stripe Checkout. Toolset stores your Stripe customer ID, the Stripe subscription ID and status when applicable, lifetime contribution total in cents, the public name shown on the monthly funder list (or the literal string anonymous if you tick the anonymous box at checkout), and timestamps for perk window calculations.

Card details are handled entirely by Stripe and are never seen by Toolset. Stripe processes payment data under Stripe's privacy policy. You can change card, plan amount, or cancel from the Stripe Customer Portal linked under Settings → Billing.

2.7 Technical data

Cloudflare and the Toolset workers process the following operational data needed to serve the app, prevent abuse, and keep sessions safe:

  • Your IP address (used for rate limiting and abuse detection, not stored long-term beyond Cloudflare's edge log retention)
  • User agent string
  • Request path, query parameters, response status code, and timestamp
  • Worker invocation logs (kept by Cloudflare typically for ~24-48 hours at the standard tier)
  • Rate-limit signals (request counts per IP per endpoint, kept for short rolling windows)
  • Cookies described in section 5

3. How Your Information Is Used

  • Authenticate you with Twitch and keep your Toolset session active.
  • Save and load your widget, source, bot, stream, and command settings.
  • Issue, rotate, validate, and delete hosted OBS / browser-source tokens.
  • Connect Spotify features such as now-playing, song requests, queue controls, and playlist updates.
  • Fetch Twitch clips, videos, stream markers, chat color, profile color, and bot-account details for tools that need them.
  • Pair local ForgetMeNot runtimes and deliver bot settings and policy to those runtimes.
  • Process supporter donations through Stripe and grant the matching cosmetic and active-supporter perks.
  • Protect the service with CSRF checks, CORS allowlists, rate limits, encrypted records, and security headers.
  • Review operational logs when investigating bugs, abuse, or reliability issues.
  • Respond to support, privacy, and security requests.

4. Data Processors and Third-Party Services

The services below process or receive data on behalf of Toolset. Twitch, Spotify, Discord, Stripe, and Google Gemini act as independent data controllers for data flowing to their platforms — their use of that data is governed by their own privacy policies, not by this one.

Service | Purpose | Data involved | Location
Cloudflare | Hosting, Workers, CDN, KV storage, abuse protection, edge logs | IP address, request path, response code, timestamp, user agent, encrypted KV records | United States (with CDN edge cache globally)
Twitch (Amazon) | Sign-in, account identity, chat/bot tooling, clips, markers, profile color | Twitch user ID, login, display name, profile image, chat color, OAuth tokens, clips/VOD metadata that you request | United States — Twitch acts as an independent data controller for your Twitch account
Spotify | Music widgets, !sr chat song requests, playback controls, playlist features | Per-user Spotify Developer client ID/secret you provide, OAuth tokens, profile name/ID/image, now-playing/playback/queue/library/playlist data | Sweden / United States — Spotify acts as an independent data controller for your Spotify account
Stripe | Supporter donations and recurring monthly support tier; Stripe Customer Portal for self-service | Card details (handled by Stripe, never seen by Toolset), email, payment status, amount, Stripe customer/session IDs | United States — Stripe acts as an independent data controller for payment data
Google Gemini / Google AI Studio | Optional ForgetMeNot AI replies — only if you provide a key and only on your local machine | Your Gemini API key is sent to your local ForgetMeNot runtime at localhost; chat prompts and responses stay between your machine and Google | United States — Google acts as an independent data controller; Toolset infrastructure never receives the key or the prompts
Discord | Optional community support — invite link only | Whatever you choose to share if you join the Discord server | United States — Discord acts as an independent data controller

5. Cookies and Local Storage

Toolset uses a minimal cookie model. The auth worker sets a secure, HTTP-only dm_session cookie for the signed-in session and a JavaScript-readable dm_csrf cookie used to protect mutation requests against cross-site forgery. Cloudflare may also set security cookies for bot management, load balancing, and abuse prevention.

The browser may store local Toolset preferences such as the selected accent color and a "last-seen" timestamp for the What's-new feed in the topbar. Blocking strictly necessary cookies may prevent sign-in or dashboard requests from working.

6. Data Retention

  • Toolset session cookies expire 24 hours after issue (refreshable by activity).
  • OAuth state and pairing codes are short-lived (typically under 10 minutes) and deleted or allowed to expire after use.
  • Twitch profile data, encrypted OAuth tokens, tool configuration, source tokens, and ForgetMeNot bot settings are retained for the life of your Toolset account.
  • Deleting a hosted source from a tool page removes its record immediately. Disconnecting Spotify removes stored Spotify credentials, tokens, and profile data immediately.
  • Donor records (Stripe customer ID, lifetime total, sub state, perk window) are retained for the life of your Toolset account so cosmetic tiers and supporter perks remain accurate. Stripe retains payment records under Stripe's own retention policy and applicable financial regulations.
  • Monthly funder pool records (total raised, supporter count, donor handles for the month) are retained indefinitely as part of the public funding history; opting out of the public list at checkout means your handle never lands there in the first place.
  • Cloudflare retains security and operational edge logs at the standard tier for approximately 24-48 hours; longer-retained security telemetry is governed by Cloudflare's own policies.
  • Account deletion: email the contact address below with the Twitch login associated with the account. Account-level deletion removes all per-user records (tokens, settings, source records, donor record); aggregate financial records held by Stripe and totals already credited to public monthly funder pools are not deleted.

7. Data Security

Toolset uses HTTPS everywhere, secure session cookies, CSRF checks on mutation routes, CORS allowlists that distinguish private dashboard endpoints from public widget-read endpoints, rate limits per endpoint and per token, no-referrer and standard security headers on worker responses, and ownership checks on opaque source tokens. Twitch, Spotify, and bot-account OAuth tokens, plus Spotify client credentials, are encrypted at rest with AES-GCM envelopes in Cloudflare KV using a versioned encryption key. Installation secrets are stored as SHA-256 hashes after the initial pairing exchange.

No electronic transmission or storage system is perfect. If you believe there is a security issue, contact the address below — security reports are reviewed as a priority.

Breach notification. If a security incident affecting your personal data occurs, affected users will be notified without undue delay and in accordance with applicable law.

8. Your Rights and Choices

You have the following rights with respect to data Toolset holds about your account:

  • Request a copy of the personal data Toolset stores about your account.
  • Ask for correction of inaccurate account or configuration data.
  • Ask for deletion of Toolset data associated with your Twitch account, subject to operational and security limits described below.
  • Disconnect Spotify from the Connections page — this removes stored Spotify credentials, tokens, and profile data.
  • Delete hosted source tokens from the relevant tool pages.
  • Cancel or change recurring support from the Stripe Customer Portal linked under Settings → Billing.
  • Use browser settings to clear local Toolset preferences, theme accent, and cookies.

Depending on your location, you may have additional rights under laws such as the EU GDPR, the UK GDPR, the California Consumer Privacy Act (CCPA / CPRA), or similar state privacy laws.

Making a privacy request

Email [email protected] and include the Twitch login associated with the account. Privacy requests are acknowledged within 7 days and fulfilled within 30 days; if more time is needed, you'll be notified with a reason and a revised timeline.

Identity verification. You may be asked to confirm control of the Twitch login you reference (for example, by signing in to Toolset and emailing from the address your sign-in messages are sent from, or by posting a unique string to your Twitch chat). Verification protects your account from someone else using your name to delete your data.

EU / UK GDPR. You may lodge a complaint with your local supervisory authority if you believe your privacy rights have not been respected.

California (CCPA / CPRA). You have the right to know what personal information is collected and how it is used, the right to delete personal information, the right to correct inaccurate personal information, and the right to opt out of "sale" or "sharing" of personal information. Toolset does not sell or share personal information for cross-context behavioral advertising — see the data sale section below — but the right is acknowledged regardless. Authorized agents may submit requests on your behalf with verifiable written authorization. Toolset honors Global Privacy Control signals where they apply.

9. Children's Privacy

Toolset is made for Twitch creators and stream operators. It is not directed at children under 13, and personal information from children under 13 is not knowingly collected. The minimum age aligns with Twitch's own age policy, which Toolset users inherit through Twitch sign-in. If you believe a child has provided personal information through Toolset, contact the address below so it can be reviewed and deleted where appropriate.

10. Data Sale Policy

Toolset user data is not sold. Toolset is not funded by advertisers or data brokers. Your Twitch, Spotify, bot, widget, hosted source, and donor data is not sold to third parties and is not shared with third parties for their own marketing.

For California residents: Toolset does not "sell" or "share" personal information as those terms are defined under the CCPA / CPRA, including for cross-context behavioral advertising.

11. International Data Transfers

Toolset infrastructure (Cloudflare Workers, KV, Pages) is hosted in the United States, with Cloudflare's CDN providing edge caching at points of presence worldwide. If you use Toolset from outside the United States — including from the European Economic Area, the United Kingdom, or other jurisdictions with data-transfer requirements — your personal data will be transferred to and processed on US infrastructure.

Where required, transfers rely on the recipient's own legal mechanisms (for example, Cloudflare publishes Standard Contractual Clauses and a Data Processing Addendum available on its trust site). Twitch, Spotify, Stripe, Discord, and Google each maintain their own legal mechanisms for their independent processing.

12. Changes to This Policy

This Privacy Policy may change as Toolset evolves. The "Last Updated" date at the top of this page reflects the most recent revision. Material changes will be highlighted on the Toolset What's-new feed. Continued use of Toolset after a policy update means the updated policy applies to your use of the service.

13. Contact

For privacy questions, data requests, or security concerns, email [email protected] or check the docs for setup help.

For copyright, DMCA notices, and rules of use, see the Terms of Service.