Privacy Policy

Last updated: March 30, 2026

NiPa Studio ("we", "our", or "us") operates the NiPa Player mobile application (the "App"). This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our App, in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Spanish Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights ("LOPDGDD"), and other applicable data protection legislation.

By using the App, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our data practices, please do not use the App.

⚠️ Important Notice:

NiPa Player is exclusively a media player application. We do not provide, sell, distribute, host, stream, or commercialize any IPTV playlists, channels, media content, or streaming services of any kind. All content accessed through the App comes from external sources provided solely by the user. NiPa Studio has no affiliation with any IPTV service provider and bears no responsibility for the content, legality, or availability of any third-party streams.

1. Data Controller

The data controller responsible for processing your personal data is:

You may contact us at any time regarding questions about data protection or to exercise your rights.

2. Information We Collect

We apply the principle of data minimization — we only collect data that is strictly necessary for the App to function. Below is a detailed breakdown:

a) Account Information (optional — only if you create an account):

  • Email address — used for authentication and account recovery
  • Hashed password — your password is never stored in plain text; Firebase Authentication handles credential security using industry-standard hashing algorithms

b) Subscription Data:

If you subscribe to NiPa Player Pro, all payment processing is handled entirely by Apple (App Store) or Google (Google Play). We never collect, access, or store your payment information (credit card numbers, billing addresses, bank details, etc.). We only receive a confirmation of your subscription status (active/inactive/expired) through RevenueCat, our subscription management service.

c) User-Provided Content:

The App allows you to add your own IPTV playlists (M3U URLs or Xtream Codes API credentials). This data is:

  • Stored locally on your device by default, encrypted at rest using AES-256. The encryption key is stored securely in the device's native keychain (Keychain on iOS, EncryptedSharedPreferences on Android)
  • If you voluntarily enable Cloud Sync, your playlist data is synced to your account on Cloud Firestore, protected by Firebase Security Rules and encrypted in transit (TLS) and at rest
  • We do not monitor, access, inspect, or control the content of your playlists or the streams you access

d) Crash Data:

We use Firebase Crashlytics (Google LLC) to collect anonymous crash reports. This data includes device model, OS version, and stack traces. It does not identify you personally and is used solely to fix bugs and improve app stability.

e) Technical and Diagnostic Data:

We may collect anonymous, aggregated diagnostic data solely to improve the App, including:

  • General device information (OS version, device model) for compatibility purposes

This data cannot be used to identify individual users and is not linked to any account or personal information.

f) Data We Do NOT Collect:

  • We do not collect your location data
  • We do not collect your contacts, photos, or files
  • We do not collect advertising identifiers (IDFA/AAID)
  • We do not track you across other apps or websites
  • We do not use cookies or web tracking technologies within the App

3. Legal Basis for Processing

Under the GDPR (Article 6), we process your personal data based on the following legal grounds:

  • Contractual necessity (Art. 6(1)(b)): Processing your account data is necessary to provide the App's services (authentication, cloud sync, subscription management)
  • Legitimate interests (Art. 6(1)(f)): Processing anonymous diagnostic data to improve App stability, fix bugs, and enhance performance. This processing does not override your fundamental rights as the data is non-identifiable
  • Consent (Art. 6(1)(a)): Where required, we obtain your explicit consent before processing (e.g., enabling push notifications, activating cloud sync). You may withdraw consent at any time

4. How We Use Your Information

We use the information we collect exclusively for the following purposes:

  • To provide, operate, and maintain the App
  • To authenticate your account and enable cloud sync functionality
  • To verify and manage your subscription status
  • To send local push notifications for program reminders you have set (these are processed entirely on your device; no notification data is sent to our servers)
  • To send essential service communications (e.g., password reset emails)
  • To improve the App through aggregated, anonymous diagnostic data
  • To respond to your support inquiries

We do not use your data for advertising, profiling, automated decision-making, or any purpose not listed above.

5. Data Storage, Security, and Retention

Storage:

  • Local data (playlists, favorites, settings, viewing history) is stored solely on your device and is not accessible to us
  • Account data (if you create an account) is stored securely using Google Firebase services (Firebase Authentication and Cloud Firestore), hosted in the European Union

Security measures:

  • All data transmitted between the App and our servers is encrypted using TLS (Transport Layer Security)
  • Playlist credentials stored locally on your device are encrypted at rest using AES-256, with the encryption key secured in the device's native keychain
  • Data at rest in Firebase is encrypted using AES-256
  • Access to user data is restricted by Firebase Security Rules to the authenticated user only
  • Passwords are hashed using industry-standard algorithms and are never stored in plain text

Data retention:

  • Account data is retained for as long as your account is active
  • When you delete your account (Settings → Account → Delete Account), all associated data is permanently and irrecoverably deleted from our servers within 30 days
  • Anonymous diagnostic data is retained for a maximum of 12 months, after which it is automatically purged
  • Local data on your device is retained until you uninstall the App or clear App data

6. Third-Party Services

We use the following third-party services to provide App functionality. Each service processes data in accordance with their own privacy policies:

  • Firebase Authentication (Google LLC) — user account management and authentication. Data processed: email address, hashed password. Privacy Policy
  • Cloud Firestore (Google LLC) — cloud storage for synced playlist data. Data processed: playlist URLs, favorites, settings (only if cloud sync is enabled). Privacy Policy
  • RevenueCat (RevenueCat, Inc.) — subscription status management. Data processed: anonymous user identifier, subscription status. RevenueCat does not receive your email or personal details. Privacy Policy
  • Firebase Crashlytics (Google LLC) — anonymous crash reporting. Data processed: device model, OS version, stack traces. No personally identifiable information is collected. Privacy Policy
  • Google Cast SDK (Google LLC) — Chromecast functionality. No personal data is transmitted; only media playback commands are sent to the Cast device on your local network.

We have ensured that all third-party processors offer adequate levels of data protection. Firebase and Google services operate under Google's Data Processing Terms, which include Standard Contractual Clauses for international transfers.

7. International Data Transfers

Your data may be transferred to and processed in countries outside the European Economic Area (EEA), specifically to servers operated by Google LLC in the United States. These transfers are protected by:

  • The EU-U.S. Data Privacy Framework (DPF), under which Google LLC is certified
  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Google's Data Processing Terms and security commitments

8. Data Sharing

We do not sell, trade, rent, or otherwise disclose your personal information to third parties for their own purposes. Data is only shared with the third-party service providers listed in Section 6, strictly as necessary to provide App functionality.

We may disclose personal data if required to do so by law or in response to valid requests by public authorities (e.g., a court order or government agency).

9. Your Rights Under GDPR

Under the GDPR and LOPDGDD, you have the following rights regarding your personal data:

  • Right of Access (Art. 15) — You can request a copy of all personal data we hold about you
  • Right to Rectification (Art. 16) — You can request correction of inaccurate or incomplete data
  • Right to Erasure (Art. 17) — You can request deletion of your personal data ("right to be forgotten"). You can do this directly in the App (Settings → Account → Delete Account) or by contacting us
  • Right to Restriction of Processing (Art. 18) — You can request that we limit how we process your data under certain circumstances
  • Right to Data Portability (Art. 20) — You can request your data in a structured, commonly used, machine-readable format
  • Right to Object (Art. 21) — You can object to the processing of your personal data where we rely on legitimate interests
  • Right to Withdraw Consent (Art. 7(3)) — Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing

To exercise any of these rights, please contact us at dev@nipaplayer.com. We will respond within 30 days as required by law.

You also have the right to lodge a complaint with a supervisory authority. In Spain, this is the Agencia Española de Protección de Datos (AEPD) — www.aepd.es.

10. Children's Privacy

NiPa Player is not directed to children under the age of 16 (or the applicable minimum age in your jurisdiction under GDPR). We do not knowingly collect personal information from children. If you are a parent or guardian and believe that your child has provided us with personal data, please contact us at dev@nipaplayer.com and we will promptly delete such information.

11. Content Disclaimer

NiPa Player is a media player application. We do not provide, host, stream, distribute, or have any control over any media content. The App plays content from sources (IPTV playlists) provided exclusively by the user. Users are solely responsible for the content they access and must ensure compliance with applicable copyright laws, intellectual property rights, and the terms of service of their content providers.

NiPa Studio bears no responsibility for the nature, legality, or availability of any content accessed through user-provided playlists.

12. Push Notifications

The App may send local push notifications for program reminders that you have explicitly set. These notifications are:

  • Processed entirely on your device (no data is sent to our servers)
  • Only triggered after you grant notification permission
  • Fully optional — you can disable them at any time in your device settings or within the App

13. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority (AEPD) within 72 hours of becoming aware of the breach, as required by GDPR Article 33
  • Notify affected users without undue delay if the breach is likely to result in a high risk to their rights and freedoms (GDPR Article 34)
  • Document the breach, its effects, and the remedial actions taken

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or App functionality. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page
  • Notify you through the App or via email for significant changes

Continued use of the App after any changes constitutes your acceptance of the revised Privacy Policy. We encourage you to review this page periodically.

15. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: dev@nipaplayer.com

Developer: NiPa Studio

We aim to respond to all inquiries within 30 days.