Privacy Policy

Last Updated: 5 May 2026

This Privacy Policy explains what the Twitch Mini Player — Multi-Stream, Clips, VODs, Emotes Chrome extension ("the extension") does with your information.

It is written in plain language. If something is unclear, please contact thomas.doganay@gmail.com.

Who We Are

The extension is built and operated by an independent developer. It is not affiliated with, endorsed by, or sponsored by Twitch Interactive, Inc. or Amazon. "Twitch" is a trademark of Twitch Interactive, Inc.

In this policy, "we" / "us" refers to the developer of the extension.

What This Extension Does

The extension is a viewer tool for Twitch. After you sign in with your Twitch account, it can:

Show your followed live channels.
Show channel pages with recent clips, VODs, an upcoming schedule, and channel emotes.
Open a draggable Twitch mini player on top of any web page you are visiting, so you can keep watching while you browse.
Open a multi-stream view that shows up to four channels at once.
Search for Twitch channels and browse popular categories.
Save streamers, clips, and VODs to a local "favorites" library.
Optionally show desktop notifications when one of your followed (or pinned) streamers goes live.

You stay in control: signing in, enabling notifications, pinning streamers, and saving items are all explicit actions you take.

Information We Access

When you use the extension, the following information is involved.

From your Twitch account (after you sign in)

When you complete the Twitch sign-in flow, our backend exchanges the Twitch authorization code for an access token, then asks Twitch for your basic identity. The extension then stores:

Your Twitch user ID, login name, and display name.
Your Twitch profile image URL.
Your email address, only if Twitch returns one with the requested scope. The extension does not request the user:read:email scope, so in current versions Twitch normally returns null here, but the field exists in the data shape returned by Twitch.
The access token Twitch issues for your session.
A refresh token if Twitch returns one.

While you are signed in, the extension uses your access token to ask Twitch (through our backend) for things like your followed live streams, a channel's clips and VODs, channel schedule, channel emotes, search results, and top games / streams. The extension does not request any other personal information from Twitch.

The only Twitch OAuth scope the extension requests is user:read:follows, which is the scope Twitch requires to list the channels you follow that are currently live.

From your browser

The extension reads only what it needs to work:

The hostname of the active tab when you choose to open the mini player there. This is required by Twitch's embedded player, which requires the parent page hostname (parent= query parameter) to allow embedding. The extension does not read page text, form fields, page DOM content, or your browsing history.
A handful of Chrome extension APIs (storage, identity, notifications, alarms, tabs) — see the "Browser Permissions" section below.

From you

Searches you type in the search box are sent to Twitch (through our backend) so Twitch can return matching channels.
Items you save or pin (streamers, clips, VODs) are stored locally on your device.

We do not ask for your name, address, phone number, payment details, location, or any other identifier beyond what Twitch returns about your own account.

How We Use Information

We use the information described above only to:

Sign you into Twitch and keep you signed in.
Show you Twitch data your account has access to (followed live streams, channel pages, clips, VODs, schedules, emotes, search results, top games).
Render the mini player and the multi-stream view.
Trigger optional go-live desktop notifications when you turn them on.
Keep your saved streamers, clips, VODs, recent searches, and mini-player preferences on your device so they are still there next time.

We do not sell your personal information. We do not use it for advertising, profiling, or tracking, and we do not run analytics, telemetry, or third-party tracking SDKs in the extension.

Twitch Login and OAuth

The extension uses Twitch's official Authorization Code OAuth flow:

The extension opens Twitch's authorize page through chrome.identity.launchWebAuthFlow. You sign in directly to Twitch — the extension never sees your Twitch password.
Twitch redirects back to a per-extension chromiumapp.org URL with a short-lived authorization code.
Our backend exchanges that code with Twitch for an access token (and a refresh token if Twitch returns one). The Twitch client secret lives only on the backend.
The backend calls Twitch's /helix/users endpoint once to identify you, then returns the access token, refresh token (if any), and your basic profile to the extension.
The extension saves the access token, refresh token, expiry, and your profile in your local browser storage so it can call Twitch on your behalf next time.

Scope requested: user:read:follows only.

If your access token expires, the extension uses the refresh token (if available) to ask the backend to get a new one, transparently. If that fails or returns 401, the extension clears your session locally and asks you to sign in again.

When you sign out, the extension calls Twitch's revoke endpoint (through our backend) on a best-effort basis, then deletes the saved token, refresh token, and profile from local storage.

Local Storage

All app data lives on your own device, in your browser. Specifically:

chrome.storage.local — used only to store your active session under the key session. This object contains accessToken, refreshToken (if Twitch returned one), expiresAt, and user (id, login, displayName, profileImageUrl, and email if Twitch returned it). This is not synced across devices.
IndexedDB database twitch-ext-db — used for everything else:
- cache — short-lived cached responses from Twitch (followed streams, channel info, clips, schedules, VODs, emotes, top games, search) so the UI loads fast. Each entry has a TTL.
- preferences — notification settings (enabled, pinnedOnly, includeTitle, includeCategory, baselineDone, lastLiveIds, lastSentAt, lastCheckAt, lastError, reconnectNotifiedAt).
- pinnedStreamers — the streamers you have pinned, plus a small bit of metadata about them (display name, profile image URL).
- miniPlayer — the mini player size/position preset you chose.
- multiStream — the channel list for the multi-stream view.
- recentSearches — your last few search queries, so the search box can suggest them again.
- savedClips — the clips you saved, stored as metadata only (id, URL, title, thumbnail URL, broadcaster name, view count, duration, created-at, saved-at). No video files are downloaded or stored by the extension.
- savedVods — the VODs you saved, stored as metadata only (similar fields). No video files are stored.

This data is not encrypted at rest beyond the standard protection your browser and operating system already apply to extension storage and IndexedDB. We do not add any extra encryption layer.

This data is not synced to your other devices. We do not use Chrome sync storage.

You can clear all of it at any time — see "Your Choices and Controls".

Backend Processing

The extension does not call Twitch directly. Instead, it calls our small backend (twitch-extinction-server), which:

Builds the Twitch authorize URL and signs a short-lived state token.
Exchanges your authorization code with Twitch for an access token, using the Twitch client secret (which only the backend has).
Forwards your authenticated requests to the Twitch Helix API (/helix/users, /helix/streams, /helix/streams/followed, /helix/clips, /helix/schedule, /helix/videos, /helix/chat/emotes, /helix/games/top, /helix/search/channels) and returns the response.
Can refresh, validate, or revoke your Twitch token on request.

The backend does not use a database. Based on the current code, it has no persistent server-side storage of user profiles, tokens, saved items, search history, or app activity. Each request is handled in memory and the response is returned to the extension. The Twitch access token is included in your request as a Bearer header and is only used to make the matching Twitch call; it is not written to disk.

The backend does emit operational JSON logs for each HTTP request, containing the request method, path, status code, and duration. The OAuth controller additionally logs whether a code and state were present and the Twitch login of the user who just signed in (so we can debug failed sign-ins). These logs do not contain access tokens, refresh tokens, email addresses, saved items, or your search queries.

Like most hosted web services, our hosting provider may also process standard technical request data (such as IP addresses, request times, and HTTP status codes) for security, abuse prevention, and reliability. We do not combine that data with anything else or use it to build a profile of you.

Notifications

Go-live notifications are off by default. If you turn them on:

The extension uses the chrome.alarms API to wake the background service worker about every 5 minutes.
On each tick, it asks the backend for your current followed live streams, compares them to the last list it saw, and shows a Chrome notification for any newly-live streamer (with a per-channel cooldown to avoid spam).
If you enable "pinned only", it filters that list to streamers you have pinned.
If your token has expired, it shows a one-off "Reconnect Twitch" notification and stops checking until you sign in again.
A "Test alert" button creates a single local Chrome notification.

All notification settings and bookkeeping (the last-seen live IDs, the last time we alerted for each channel, the last error, etc.) are stored only in local IndexedDB. Whether the OS / browser actually displays a notification is controlled by your Chrome and operating system notification settings. Closing the browser may stop notifications from appearing.

You can turn notifications off at any time from the extension's Settings.

Browser Permissions

The extension declares these permissions in its manifest. Each one is used only for the purpose listed.

storage: Read/write the locally-stored session in chrome.storage.local and watch for session changes after sign-in.
identity: Run the Twitch OAuth flow via chrome.identity.launchWebAuthFlow.
notifications: Show optional go-live alerts and test notifications.
alarms: Wake the background service worker on a schedule to check for newly-live followed streams (only when notifications are on).
tabs: Find the active tab so the mini player can be opened on its hostname; open a Twitch tab when you click a notification or use a "watch on Twitch" action.
host_permissions: <all_urls>: Inject the mini-player content script so the floating player can appear on any normal http(s) page you visit. The content script does not read your page content, form fields, or browsing history. It only injects a Twitch player iframe when you ask for it.

The extension does not declare the downloads permission. The "download emote" button creates an <a download> link in the popup, which uses Chrome's normal anchor-download behavior; any saved file is written by your browser to your usual download location. The extension never reads or indexes those files.

Third-Party Services

The extension does not embed analytics, error tracking, advertising, or third-party tracking SDKs. The only third parties involved are the ones needed to run the extension:

Twitch Interactive, Inc. — All Twitch data, the OAuth flow, and the embedded player are provided by Twitch. Your use of Twitch (through this extension or otherwise) is also governed by Twitch's own privacy policy and terms.
Google / Chrome — The extension runs inside Chrome and uses Chrome extension APIs (storage, identity, notifications, alarms, tabs).
Our backend hosting provider — Currently the backend is configured to deploy on Vercel. The hosting provider receives each HTTP request to the backend (including standard technical metadata such as IP address and request path) so it can serve the response.

We do not share data with any other third party.

Data Sharing

We do not sell your personal information. We do not share it with advertisers, data brokers, or any other party.

We share data only as needed to make the extension work:

Requests you make in the extension are sent to our backend, which forwards the relevant ones to Twitch as authenticated Twitch API calls.
The backend itself runs on a hosting provider, which sees the same requests as part of normal infrastructure operation.

If we are ever required to disclose information by law (for example, in response to a valid legal process), we may do so. Because the backend has no database, the only data we have is what is in transient request logs.

Data Retention

On your device: Your session, preferences, saved clips, saved VODs, pinned streamers, recent searches, and cached Twitch data stay until you remove them, sign out, uninstall the extension, or clear browser storage. Cached Twitch data also expires automatically based on a short TTL.
On the backend: Requests are processed in memory and not stored in a database. Operational logs may be retained by the hosting provider on the provider's standard schedule, then dropped.
At Twitch: Twitch keeps its own records under its own privacy policy.

Your Choices and Controls

You can:

Sign out from the extension. This clears your session, access token, refresh token, and profile from local storage, and asks Twitch to revoke the token (best effort).
Turn off notifications in Settings. This also clears the alarm.
Unpin streamers and remove saved clips, saved VODs, or recent searches from inside the UI.
Clear all extension data by removing the extension from chrome://extensions, or by clearing site data for IndexedDB (twitch-ext-db) and chrome.storage for this extension in your browser.
Revoke this app from your Twitch account at https://www.twitch.tv/settings/connections at any time. After that, the extension's tokens will stop working and you can sign out from the extension to remove the local copy.

Security

We take reasonable steps to handle your data carefully:

The Twitch client secret stays only on the backend and is never sent to the extension.
The OAuth state value is an HMAC-signed, short-lived token verified on every exchange.
All traffic between the extension, the backend, and Twitch goes over HTTPS.
The backend is stateless and does not store your token in a database.

No system can be guaranteed 100% secure. If you believe you have found a security issue, please email thomas.doganay@gmail.com.

Children's Privacy

The extension is intended for users who are old enough to use Twitch under Twitch's terms. It is not directed at children under 13 (or the equivalent minimum age in your jurisdiction), and we do not knowingly collect information from such users.

International Users

The extension may be used worldwide. If you are in the European Economic Area, the United Kingdom, or another region with similar data-protection laws, you may have rights to:

access the personal data we hold about you,
correct inaccurate data,
request deletion of your data,
object to or restrict certain processing.

Because the backend has no user database, the only personal data we "hold" is what is in transient request logs and what stays on your own device. To make a request or ask a question, email thomas.doganay@gmail.com.

Changes to This Policy

If the extension changes in a way that affects this policy, we will update this document and bump the "Last Updated" date at the top. Substantial changes (for example, new Twitch OAuth scopes, new third-party services, or a backend database) will be reflected here before the new version ships.

Your Consent

By using the extension, you consent to this Privacy Policy.

Contact Us

Questions, requests, or security reports: thomas.doganay@gmail.com.

Disclaimer

This extension is an independent project. It is not affiliated with, endorsed by, or sponsored by Twitch Interactive, Inc. or Amazon. "Twitch" and the Twitch logo are trademarks of Twitch Interactive, Inc.

This document is a plain-language description of how the extension handles data, written from the current code. It is not a legal opinion and is not a guarantee of compliance with any specific law. It should be reviewed by the developer (and, if needed, a qualified legal professional) before publication.