Privacy Policy
- 1. Information We Collect
- 2. How We Use Your Information
- 3. Data Storage & Security
- 4. Third-Party Services & Integrations
- 5. Cookies & Local Storage
- 6. Data Sharing & Disclosure
- 7. Your Rights & Choices
- 8. Data Retention
- 9. Children's Privacy
- 10. International Data Transfers
- 11. Changes to This Policy
- 12. Contact & Data Requests
We collect different categories of information depending on how you use Arthyion. We are committed to collecting only the minimum information necessary to provide and improve the Service.
A. Information You Provide Directly:
- Account Registration: When you create an account with email, we collect your display name, email address, and a hashed version of your password. We never store your password in plaintext — it is processed through SHA-256 with a unique salt before storage.
- OAuth Sign-In: If you sign in via Discord, we receive your Discord email address, username, and Discord user ID. We do not receive your Discord password or payment information.
- Profile Updates: Display name changes you make through the settings page.
- Communications: If you contact us via email for support, ban appeals, or other inquiries, we retain that correspondence to assist you and improve our service.
B. Information Collected Automatically:
- Session Data: A unique session token (stored in your browser as an HttpOnly cookie named "asess") that identifies your authenticated session. This expires after 30 days of inactivity.
- Watch Progress: Your viewing progress (last watched position, completion status) for content you have started watching, to enable the "Continue Watching" feature.
- Watchlist: Titles you have added to your personal watchlist.
- Preferences: Theme selection and display preferences stored via browser localStorage (never transmitted to our servers).
- Access Logs: For security and operational purposes, we maintain limited server-side access logs containing request paths and timestamps. These logs are automatically pruned so that no more than the most recent 500 entries are kept.
- Error Logs: Technical error logs to help identify and fix bugs. These are limited to the most recent 200 entries and contain no personal identifying information beyond session context.
- IP Addresses: Authentication events (login, signup, Discord OAuth) may log your IP address as provided by Cloudflare's infrastructure for security monitoring and abuse prevention.
C. Information We Do NOT Collect:
- We do not collect payment card information (Arthyion+ is managed externally)
- We do not collect biometric data of any kind
- We do not track your activity outside of arthyion.com
- We do not use advertising pixels, tracking beacons, or similar technologies
- We do not collect device identifiers, hardware fingerprints, or location data
We use the information we collect solely to provide, maintain, and improve the Arthyion service. Specifically:
- Account Operations: To create and manage your account, authenticate your identity, and maintain your session across visits
- Personalization: To power features like "Continue Watching," personalized watchlists, and AI-powered recommendations based on your viewing history
- Watch Parties: To enable synchronized viewing sessions and associated real-time chat functionality between party members
- Security & Abuse Prevention: To detect and prevent fraudulent account activity, spam, ban evasion, and other violations of our Terms of Service
- Service Improvement: Aggregate, anonymized usage patterns help us understand which features are most valuable and prioritize our development roadmap
- Legal Compliance: To comply with applicable laws, respond to valid legal process, and enforce our Terms of Service
- Communications: To respond to your support requests, bug reports, and other inquiries you send to us directly
We do not use your personal information for any purpose not listed above without first obtaining your consent. We do not perform automated decision-making that produces legal or similarly significant effects on you based solely on algorithmic processing.
Infrastructure: All user data is stored in Cloudflare Workers KV, a globally distributed key-value storage system operated by Cloudflare, Inc. Data is replicated across Cloudflare's network and is encrypted at rest using AES-256 encryption. Data centers are located primarily in the United States.
Password Security: Passwords are never stored in plaintext. We use SHA-256 cryptographic hashing with a server-side salt ("arthyion_2025_salt") before storing any password. This means even if our database were ever compromised, your actual password would not be exposed.
Session Security: Session tokens are 64-character cryptographically random hex strings generated using the Web Cryptography API's `crypto.getRandomValues()`. Sessions expire after 30 days and are invalidated upon logout.
Transport Security: All communications between your browser and Arthyion are encrypted via TLS (HTTPS). We enforce HTTPS-only access and use Cloudflare's security features including DDoS protection and Web Application Firewall.
Cookie Security: Our session cookie uses the `HttpOnly` flag (preventing JavaScript access), `SameSite=Lax` (preventing CSRF), and is scoped to the arthyion.com domain only.
Security Incident Response: In the event of a security incident that may affect your personal data, we will notify affected users as required by applicable law and provide information about the nature of the incident and steps you can take to protect yourself.
Arthyion integrates with several third-party services to provide functionality. We are transparent about these integrations:
- The Movie Database (TMDB): We use the TMDB API to display movie and TV show metadata including titles, posters, descriptions, cast, and ratings. When you search or browse content, queries are sent to TMDB's servers. TMDB's privacy policy applies to their processing of these requests.
- Streamed.pk: We fetch sports stream availability data from Streamed.pk's API. This is a server-side request and does not expose your personal information to Streamed.pk.
- Videasy & VidKing: Video playback is provided through embedded iframes from these providers. When you play content, your IP address and browser information may be transmitted to these services. We recommend reviewing their respective privacy policies.
- Cloudflare Stream: Live streams are hosted via Cloudflare's streaming infrastructure. Cloudflare may process technical data including IP addresses and viewing metadata. Cloudflare's privacy policy governs their data practices.
- Anthropic Claude API: AI features use Anthropic's API. Queries to our AI assistant are processed by Anthropic. We do not send personally identifying information to Anthropic beyond the content of your AI query.
- Cloudflare AI: Some AI features use Cloudflare's AI inference API, subject to Cloudflare's data processing terms.
- Discord OAuth: If you choose to sign in with Discord, Discord's OAuth2 system processes your authentication. Discord's privacy policy governs their handling of this process.
- Google Fonts: We load font files from Google Fonts CDN. This may allow Google to log the request. You can opt out by using a browser extension that blocks Google Fonts.
We do not share your personal account data with any of these third parties beyond what is necessary to provide the specific feature. We do not sell your data to any third party under any circumstances.
Cookies We Set: Arthyion sets exactly one first-party cookie:
- asess — An HttpOnly, SameSite=Lax session authentication cookie. It contains your encrypted session token and is essential for keeping you logged in. It expires after 30 days. This cookie cannot be used to track you across other websites.
What We Do NOT Use:
- No analytics cookies (no Google Analytics, no Mixpanel, etc.)
- No advertising or retargeting cookies
- No third-party tracking pixels or beacons
- No fingerprinting techniques
Browser Local Storage: We use your browser's localStorage (a client-side storage API that never sends data to our servers) to remember your theme preference (dark/light mode, color scheme) and certain UI preferences. You can clear this at any time through your browser settings without affecting your account.
Managing Cookies: You can configure your browser to refuse cookies or delete existing cookies at any time. Deleting the asess cookie will log you out of Arthyion. We do not use cookies for any purpose that requires your opt-in consent under GDPR or similar frameworks beyond the essential session cookie.
We do not sell, rent, or trade your personal information to any third party. We will only share your information in the following limited circumstances:
- With Your Consent: We may share information when you have given explicit consent for a specific purpose
- Service Providers: We share information with the third-party services described in Section 4 solely to the extent necessary to provide those specific features
- Legal Requirements: We may disclose your information if required to do so by law, court order, or valid legal process (such as a search warrant or subpoena). Where permitted by law, we will attempt to notify you before disclosing your information in response to legal process
- Safety & Security: We may share information where we believe in good faith that disclosure is necessary to protect the safety of any person, investigate fraud, or respond to a government request
- Business Transfers: In the event of a merger, acquisition, or sale of assets, user data may be transferred. We will provide notice via a prominent notice on our website before your data becomes subject to a different privacy policy
We respect your rights regarding your personal data. You have the following rights:
- Right of Access: You may request a copy of the personal data we hold about you at any time by contacting kyattou@arthyion.com
- Right to Rectification: You can update your display name at any time through the Settings page. For email or other account corrections, contact us directly
- Right to Erasure ("Right to be Forgotten"): You may request deletion of your account and all associated personal data. We will process deletion requests within 30 days. Note that some anonymized or aggregated data may be retained for analytical purposes
- Right to Restriction: You may request that we restrict processing of your data in certain circumstances
- Right to Data Portability: Upon request, we can provide your personal data in a machine-readable format (JSON)
- Right to Object: You may object to certain processing activities, including any profiling or automated decision-making
- Opt-Out of Watch History: You can clear your watch history and watchlist through the Settings page at any time
To exercise any of these rights, please contact us at kyattou@arthyion.com. We will respond to all requests within 30 days. We may need to verify your identity before processing your request.
We retain your personal data only for as long as necessary to provide the Service and fulfill the purposes described in this policy, subject to the following:
- Active Accounts: Account data is retained for as long as your account remains active
- Session Tokens: Sessions expire automatically after 30 days of inactivity or upon logout
- Access Logs: Automatically truncated to the most recent 500 entries on an ongoing basis
- Error Logs: Automatically truncated to the most recent 200 entries
- Authentication Logs: Automatically truncated to the most recent 500 entries
- Watch Party Data: Party sessions expire automatically after 6 hours
- QR Login Tokens: Expire after 2 minutes, then are deleted from storage
- Deleted Accounts: Upon account deletion request, we will remove your personal data within 30 days, subject to any legal obligations to retain certain records
Arthyion is not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13. If we become aware that we have inadvertently collected personal information from a child under 13 without verifiable parental consent, we will take immediate steps to delete that information.
If you are a parent or guardian and believe your child under the age of 13 has provided personal information to Arthyion, please contact us immediately at kyattou@arthyion.com so that we may take appropriate action.
Users between the ages of 13 and 17 may use Arthyion only with the involvement and consent of a parent or guardian. If you are a minor, please review these Terms and this Privacy Policy with a parent or guardian before using the Service.
Arthyion is operated and data is stored using Cloudflare's infrastructure, which maintains data centers in the United States and globally. By using the Service, you acknowledge that your information may be transferred to, stored, and processed in the United States or other countries where our infrastructure providers operate.
We rely on Cloudflare's data processing agreements and privacy commitments, which include Standard Contractual Clauses for international data transfers as required by applicable law.
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR) or equivalent legislation. Our legal bases for processing your personal data are: (1) Performance of our contract with you (account operations and core Service features), (2) Legitimate interests (security, fraud prevention, service improvement), and (3) Compliance with legal obligations.
We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. We will indicate the date of the most recent update at the top of this policy.
For material changes that significantly affect how we use your personal data, we will provide notice within the Service before the changes take effect. Your continued use of Arthyion after any changes to this Privacy Policy constitutes your acceptance of the updated policy.
We encourage you to periodically review this Privacy Policy to stay informed about our data practices and your rights.