Last updated: May 2025
This Privacy Policy explains what data Velvo collects, why, how long it is kept, and what rights you have over it. Velvo is committed to collecting the minimum data necessary to operate the service.
Velvo ("we", "us") operates the Velvo Smart TV player application and the associated setup website at velvo.tv. For data-related enquiries, contact us at contact@velvo.tv.
| Data | Why we collect it | Where it's stored | Retention |
|---|---|---|---|
| Device identifier (MAC-format ID derived from TV hardware) | To identify your device and link it to your subscription or trial | Our server (database) | Until you request deletion |
| Device key (short alphanumeric code) | To authenticate API requests from your TV | Our server (database) | Until you request deletion |
| IPTV credentials (server URL, username, password or M3U URL) | To relay your credentials to your TV after setup | Our server (database, encrypted at rest with AES-256-GCM) | Until you update or request deletion |
| Subscription / trial status and PayPal transaction IDs | To verify access rights and process payments | Our server (database) | Until you request deletion |
| IP address | Rate-limiting API requests to prevent abuse | Server filesystem (temporary files, auto-expired) | 60 seconds per request window |
| Watch progress & bookmarks | To let you resume playback and save favourites | Your TV's local storage only — never sent to our servers | Until you clear app data or reset your TV |
| User preferences (language, theme, stream format) | To remember your settings | Your TV's local storage only — never sent to our servers | Until you clear app data or reset your TV |
| Device location, name, and network info (via Firebolt SDK on LG/Samsung) | Provided by the TV platform to the app — used only to display device info in Settings | Never stored on our servers — read-only at runtime | Not retained |
Your IPTV username, password, and server URL are stored on our server encrypted at rest using AES-256-GCM. They are decrypted only when your TV requests them over an authenticated HTTPS connection, and are never logged, shared, or used for any purpose other than relaying them to your TV.
We strongly recommend using credentials that are unique to Velvo's setup — i.e. do not reuse passwords from other services. You can update or delete your credentials at any time by contacting us.
We do not sell, rent, or share your personal data with any third party, except as required by law or to process payments via PayPal.
If you are located in the European Economic Area, you have the following rights:
To exercise any of these rights, email contact@velvo.tv with your device ID (visible in the app under Settings → About). We will respond within 30 days. Note that deleting your data will revoke access to the app on that device.
We retain server-side data (device ID, credentials, subscription status) until you request deletion. IP addresses used for rate limiting are stored in temporary files that expire automatically after 60 seconds. We do not retain logs of your viewing activity.
All communication between the app, the setup website, and our servers takes place over HTTPS. IPTV credentials are encrypted at rest. Access to credentials requires both a valid device ID and device key. We apply rate limiting to all API endpoints to prevent brute-force attacks.
Velvo is not directed at children under 18. We do not knowingly collect data from minors.
We may update this policy from time to time. The "last updated" date at the top of this page will reflect any changes. Continued use of the App after changes constitutes acceptance.
For any privacy-related questions or data requests: contact@velvo.tv