Back to Home

Privacy Policy

1. Data Controller

Charles Imilkowski
Stubbenweg 29
DE-27753 Delmenhorst, Germany
Email: support@peppertools.de
VAT ID: DE316844774

No data protection officer has been appointed, as this is not required by law.

2. Overview of Data Processing

We operate the "PlaylistEditor" service (Website: playlisteditor.com, App: playlisteditor.com, API: api.playlisteditor.com), a web-based M3U playlist editor as a Software-as-a-Service (SaaS). In the course of providing this service, we process personal data of our users.

3. Legal Bases

The processing of personal data is based on the following legal bases of the GDPR:

  • Art. 6(1)(a) — Consent (e.g., email confirmation)
  • Art. 6(1)(b) — Performance of a contract (e.g., providing the service, payment processing, hosting playlists)
  • Art. 6(1)(c) — Legal obligation (e.g., retention of payment data)
  • Art. 6(1)(f) — Legitimate interest (e.g., IT security, abuse detection, server logging)

4. Data Collection When Visiting the Website (Landing Page)

When you visit our website, the web server automatically collects the following data:

  • IP address of the requesting device
  • Date and time of access
  • Requested page / URL
  • Browser and operating system used (User-Agent)
  • Referrer URL

This data is stored in server log files and automatically deleted after 30 days. Processing is based on Art. 6(1)(f) GDPR (legitimate interest in the security and stability of the website).

Additionally, we use Google Analytics (see Section 4a).

4a. Google Analytics

We use Google Analytics 4 (GA4) on the landing page and in the app, a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google").

4a.1 Scope of Processing

Google Analytics uses cookies and similar technologies to analyze your usage behavior in pseudonymized form. The following data is collected:

  • Pages visited and time spent
  • Device type, operating system, screen resolution
  • Browser type and version
  • Approximate location (city level, based on anonymized IP)
  • Referrer (how you reached our site)
  • Interactions (clicks, scroll depth, events)

4a.2 IP Anonymization

We use Google Analytics with IP anonymization. Your IP address is truncated by Google within the EU/EEA before being transmitted to Google servers in the USA. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and truncated there.

4a.3 Purpose of Processing

The analysis of usage data serves the needs-based design and continuous optimization of our website and app. The collected data is not used to personally identify you.

4a.4 Legal Basis

Processing is based on your consent pursuant to Art. 6(1)(a) GDPR. You can withdraw your consent at any time with effect for the future by adjusting the cookie settings on our website.

4a.5 Recipients and Third-Country Transfer

Google may transfer the collected data to the USA. Google is certified under the EU-U.S. Data Privacy Framework, ensuring an adequate level of data protection.

More information:

4a.6 Storage Duration

Cookies set by Google Analytics have a duration of up to 14 months. Report-level data is automatically deleted after 26 months.

4a.7 Objection / Opt-Out

You can prevent data collection by Google Analytics by:

  1. Refusing or withdrawing consent in the cookie consent banner
  2. Installing the browser add-on to disable Google Analytics: https://tools.google.com/dlpage/gaoptout
  3. Disabling cookies in your browser

5. Registration and User Account

5.1 Required Information for Registration

  • Email address
  • Password (stored exclusively as a BCrypt hash; the plain-text password is never stored)

5.2 Optional Profile Information

The following information can be voluntarily provided in the user profile:

  • Display name
  • First name, last name
  • Company
  • Street, postal code, city, country
  • Phone number
  • Preferred language

5.3 Email Confirmation

After registration, a confirmation email is sent to the provided address. The confirmation token is valid for 48 hours.

5.4 Legal Basis and Storage Duration

Processing is based on Art. 6(1)(b) GDPR (performance of a contract). Data is stored until the user account is deleted.

6. Authentication and Security

6.1 Token-Based Authentication

For secure authentication, we use a token-based system:

  • Access Token (JWT): Valid for 15 minutes, stored only in browser memory
  • Refresh Token: Valid for 30 days, stored in the browser's localStorage and as an HttpOnly cookie

6.2 Collection of IP Address and Device Information

With each login and token renewal, we store:

  • IP address of the user
  • User-Agent (browser/device identifier)

This data is stored together with the refresh token in our database. Purpose: Detection of misuse and unauthorized access. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in account security). Storage duration: Refresh tokens and associated data are deleted after expiration (30 days) or upon revocation.

6.3 Device Registration (App Logins)

When using our Android/TV app, the following device data is collected and stored in our database with each login:

  • Device ID (Android ID): Unique device-bound identifier for device recognition
  • Device name (manufacturer and model, e.g., "Samsung Galaxy S24")
  • MAC address of the active network interface (if available)
  • IP address at the time of login
  • User-Agent (operating system and app identifier)

Exactly one entry per device is stored (identified by user ID + device ID). When the same device logs in again, the existing entry is updated (timestamp, IP address, etc.), not duplicated.

Purpose: Overview of devices used for the user and technical support, detection of unauthorized access.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in account security).
Storage duration: Until the user account is deleted (CASCADE deletion).

7. Two-Factor Authentication (2FA)

Users can optionally enable two-factor authentication via TOTP (Time-based One-Time Password). The following data is processed:

  • TOTP Secret (for generating one-time codes)
  • Recovery Codes (10 single-use recovery codes)
  • Device Token (HttpOnly cookie, 90-day validity) — allows skipping 2FA on trusted devices

Processing is based on Art. 6(1)(f) GDPR (legitimate interest in account security).

8. Cookies and localStorage

We use technically necessary cookies and localStorage entries, as well as — with your consent — analytics cookies (Google Analytics). A cookie consent banner is displayed on your first visit.

8.1 Technically Necessary Cookies

CookiePurposeDurationType
refreshTokenAuthentication30 daysHttpOnly, Secure, SameSite=Strict
deviceToken2FA device recognition90 daysHttpOnly, Secure, SameSite=Strict
cookie_consentStores your cookie preferences12 monthsTechnically necessary

8.2 Analytics Cookies (with consent only)

CookiePurposeDurationProvider
_gaUser distinction14 monthsGoogle
_ga_<ID>Session status14 monthsGoogle

8.3 localStorage

KeyPurposeContent
m3u_refresh_tokenAuthenticationRefresh token
m3u_user_cacheOffline availabilityUser ID, email, display name, role, language

This data is deleted upon logout.

9. Payment Processing via PayPal

For processing premium subscriptions, we use the payment service PayPal.

Provider: PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg

9.1 Payment Flow

For payments, you are redirected to PayPal. Payment processing takes place directly at PayPal. After the payment is completed, we receive the following data from PayPal:

  • PayPal Order ID
  • Email address of the PayPal account
  • First and last name
  • Country
  • Shipping address (if stored with PayPal)
  • Payment amount and currency

9.2 Storage

This data is stored in our database and linked to the user account. If no address data has been stored in the user profile yet, the address data transmitted by PayPal is automatically added to the profile.

9.3 Legal Basis and Storage Duration

  • Legal basis: Art. 6(1)(b) GDPR (performance of a contract)
  • Storage duration: Payment data is retained for 10 years in accordance with statutory retention periods (§ 147 AO, § 257 HGB, German tax and commercial law)

PayPal Privacy Policy: https://www.paypal.com/de/webapps/mpp/ua/privacy-full

10. Playlist Management and Hosting

10.1 Storage of Playlists

Playlists created or imported by the user are stored as files on our server. These contain:

  • Playlist metadata (name, description, groups)
  • Channel entries (name, URL, logo URL, group name)

10.2 Public Hosting (Premium Feature)

Premium users can host playlists publicly. Static files are generated that are accessible via public URLs without authentication. We record a download counter for each retrieval (without personal data of the requesters).

10.3 Legal Basis and Storage Duration

  • Legal basis: Art. 6(1)(b) GDPR (performance of a contract)
  • Storage duration: Until the playlist or user account is deleted

11. Stream Check and Auto-Sync

11.1 Stream Check

Users can check the availability of their streams. Our server sends HTTP requests to the stream URLs configured by the user. Only the HTTP headers are read; no content is downloaded.

11.2 Auto-Sync

Users can configure external M3U sources to be automatically synchronized (daily at 03:00 UTC). Our server retrieves the URLs provided by the user.

11.3 Xtream API

For playlists with Xtream API support, account information (expiration date, status, maximum connections) is automatically retrieved from the Xtream server.

Note: For Stream Check, Auto-Sync, and Xtream API, the URLs configured by the user are contacted. We have no influence over data processing by these third-party servers.

12. EPG Data (Electronic Program Guide)

Our service automatically retrieves EPG data from the following public sources:

  • iptv-org (via GitHub)
  • epg.pw

These retrievals occur twice daily (06:00 and 18:00 UTC) and contain no personal data of our users. EPG data is used exclusively to display TV program information.

13. Email Sending

We send emails exclusively for the following purposes:

  • Email address confirmation upon registration
  • Confirmation when changing the email address
  • Password reset
  • Premium access confirmation (contract confirmation)
  • Cancellation confirmation
  • Decision on extraordinary termination

Emails are sent via our own SMTP server (s14.peppertools.de). No email marketing services or newsletter providers are used.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract)

14. Server Logging

Our API server logs technical events using Serilog in log files. The following are logged, among other things:

  • Registrations and login attempts (email address, no password)
  • Token renewals
  • Email dispatch (recipient, subject)
  • Payment transactions (user ID, plan type, order ID)
  • Stream check and sync operations
  • Error messages and exceptions

Storage duration: Log files are automatically deleted after 30 days (rolling file).
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in troubleshooting and security)

15. Admin Access (Impersonation)

For technical support purposes, the administrator can log into a user account (impersonation). This access is logged in the system:

  • The JWT token includes the claim impersonated_by
  • The User-Agent is marked as admin-impersonate:{adminId}

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in effective technical support)

16. Recipients and Third-Country Transfer

16.1 Hosting Provider (Data Processor)

Our server is hosted by:

WIIT AG
Joachim-Erwin-Platz 3
40212 Düsseldorf, Germany

A data processing agreement pursuant to Art. 28 GDPR is in place with WIIT AG. The server is located in Germany.

16.2 PayPal

Data is transmitted to PayPal for payment processing (see Section 9). PayPal may also process data in the USA. The transfer is based on Standard Contractual Clauses (Art. 46(2)(c) GDPR).

16.3 No Further Recipients

Beyond this, personal data is not shared with third parties unless we are legally obligated to do so (e.g., upon request from law enforcement authorities).

17. Storage Duration Overview

Data CategoryStorage Duration
User account and profile dataUntil account deletion
Password hashUntil account deletion
Refresh tokens (incl. IP, User-Agent)30 days or upon revocation
Device data (app logins)Until account deletion
Device tokens (2FA)90 days
TOTP secret and recovery codesUntil 2FA deactivation or account deletion
Payment data / subscription history10 years (statutory retention requirement)
Playlists and filesUntil deletion by user or account deletion
Server log files30 days (rolling)
Cookies (refreshToken)30 days
Cookies (deviceToken)90 days
localStorageUntil logout or manual deletion

18. Your Rights as a Data Subject

Under the GDPR, you have the following rights:

18.1 Right of Access (Art. 15 GDPR)

You have the right to request information about your personal data stored by us.

18.2 Right to Rectification (Art. 16 GDPR)

You have the right to have inaccurate personal data corrected.

18.3 Right to Erasure (Art. 17 GDPR)

You have the right to request the deletion of your personal data, provided no statutory retention obligations apply.

Account Deletion

You can delete your user account at any time through the account settings in the app. The deletion process includes the following steps:

  1. Identity verification: Enter your password and, if applicable, your 2FA code
  2. Confirmation email: After successful verification, you will receive an email with a confirmation link (valid for 24 hours)
  3. Final deletion: By clicking the link, your account is irrevocably deleted

The following data is removed upon deletion:

  • User profile (email, name, address, phone, password hash)
  • All playlists and associated files on the server
  • Authentication tokens (refresh tokens, device tokens)
  • Registered devices (device ID, device name, MAC address, IP address)
  • 2FA data (TOTP secret, recovery codes)
  • Synchronization sources and logs
  • EPG favorites and custom channel lists
  • Hosted playlists and EPG files

Not deleted (statutory retention requirement):

  • Payment data and subscription history (10 years pursuant to § 147 AO / § 257 HGB, German tax and commercial law). This data is anonymized and can no longer be linked to your deleted account.

Note regarding premium subscriptions: When deleting an account with an active premium subscription, the remaining term expires without replacement. Refunds or transfers to another account are not possible.

18.4 Right to Restriction of Processing (Art. 18 GDPR)

You have the right to request the restriction of processing of your data.

18.5 Right to Data Portability (Art. 20 GDPR)

You have the right to receive your data in a structured, commonly used, and machine-readable format.

18.6 Right to Object (Art. 21 GDPR)

You have the right to object to the processing of your personal data insofar as the processing is based on Art. 6(1)(f) GDPR (legitimate interest).

18.7 Right to Withdraw Consent (Art. 7(3) GDPR)

Where processing is based on consent, you can withdraw it at any time with effect for the future.

18.8 Right to Lodge a Complaint with a Supervisory Authority (Art. 77 GDPR)

You have the right to lodge a complaint with a data protection supervisory authority. The supervisory authority responsible for us is:

The State Commissioner for Data Protection of Lower Saxony
Prinzenstraße 5
30159 Hannover, Germany
Phone: +49 511 120-4500
Email: poststelle@lfd.niedersachsen.de
Website: https://www.lfd.niedersachsen.de

19. Obligation to Provide Data

Providing an email address and password is required for registration and use of the service. Without this data, no user account can be created.

All other profile information (name, address, phone, etc.) is voluntary and not strictly required for using the service.

For payments via PayPal, providing payment data is required for contract performance (premium subscription).

20. No Automated Decision-Making

No automated decision-making or profiling within the meaning of Art. 22 GDPR takes place.

21. Currency and Changes to This Privacy Policy

This privacy policy is currently valid as of March 2026.

We reserve the right to amend this privacy policy to adapt it to changed legal requirements or changes to the service or data processing. The current version is always available at the privacy policy URL on our website.

If you have questions about the processing of your personal data, please contact: support@peppertools.de