Privacy Policy
Who we are
Data controller: Blazing Cacti LLC (Nevada, USA)
Address: 9750 W. Skye Canyon Park Dr., Ste. 160 – #161, Las Vegas, NV 89166, USA
Phone: +1 (702) 799‑9989
General inquiries: info@mixitupapp.com
Privacy contact: privacy@mixitupapp.com
Security contact: security@mixitupapp.com
Scope
This Policy applies to personal information processed by us in connection with the Services, including our websites under *.mixitupapp.com, Windows desktop applications (.NET WPF), mobile apps, browser extensions, public APIs/SDKs/CLIs, developer documentation, and support channels. It does not apply to third‑party services that have their own privacy practices.
Territorial scope
We are a U.S. company and the Services are operated from the United States. We do not specifically target or market the Services to individuals in the EEA or the UK. Creators may use the Services to monitor, track, dissect, and retain information about their audiences, which can include EU/UK users; we process such audience data as a service provider/processor at the creator’s direction.
Jurisdictional Scope
Mix It Up is developed and operated in the United States by Blazing Cacti LLC. Our compliance program is designed to U.S. law. We do not undertake to comply with non-U.S. legal regimes; any overlap with non-U.S. requirements is incidental to our U.S. program. We do not specifically target or market Mix It Up to residents of the EEA or the UK.
Products & Roles
Desktop (local). The application connects from the user’s device to platforms the user authorizes (e.g., Twitch/YouTube/Discord) and stores resulting data locally on the user’s device. Blazing Cacti does not host this content.
Online (hosted). When you use Mix It Up Online, audience and account data are processed and stored on U.S. infrastructure under your account.
Retention
Retention — Desktop. Application content (including audience/chat history, overlays, logs) is stored indefinitely on the user’s device and remains until the user deletes the files or uninstalls/cleans the application data. Blazing Cacti cannot access or delete local data.
Retention — Online. We retain account and audience data indefinitely for as long as the account is active, and delete data when the account is explicitly deleted by the account owner (subject to limited security logs and disaster-recovery backups retained on U.S. systems). Backups and security logs are not used for any other purpose.
Requests from Non-U.S. Authorities
We respond to valid U.S. legal process. We do not produce data directly to non-U.S. governmental authorities; such requests must proceed through applicable U.S. mechanisms.
Notice at collection (California)
This table serves as our Notice at Collection under the California Consumer Privacy Act as amended by the CPRA. It summarizes the categories of personal information (“PI”) we collect, typical sources, purposes, retention by category, who we disclose it to, and whether it is sold or shared (as defined by California law).
Retention periods reflect our current practices. Some records may be kept longer where required by law, to establish or defend legal claims, prevent fraud, or ensure security and service continuity.
| Category | Examples | Sources | Purposes | Retention | Disclosed to | Sold/Shared |
|---|---|---|---|---|---|---|
| Identifiers | name, email, account ID; IP addresses in logs; device IDs | you; automatically from your device | account creation; login; security; support; notifications | Until account deletion for account identifiers; indefinite for IPs in security logs | cloud hosting; auth and support providers | Sold: No; Shared: No |
| Customer records | billing name/address, transaction history | you; payment processors | billing; fraud detection; tax; receipts | 7 years | payment processors; accounting; billing tools | Sold: No; Shared: No |
| Internet activity | website/app page views, events, app logs, crash data | automatically from your device | security; analytics; product improvement | Indefinite | analytics; security; crash reporting | Sold: No; Shared: No |
| Geolocation (coarse) | city/region from IP | automatically | localization; compliance; abuse prevention | Indefinite (as part of analytics/security logs) | analytics; security | Sold: No; Shared: No |
| User content | overlays, commands, scripts, files, settings, feedback | you | provide and improve Services; troubleshooting | Online app: until account deletion; Desktop app: stored locally under your control | cloud hosting (online app); none (desktop, local) | Sold: No; Shared: No |
| Audience/visitor data | viewer usernames, chat messages, channel events | from connected platforms with your authorization | overlays, alerts, moderation, analytics for creators | Online app: until account deletion; Desktop app: stored locally under your control | hosting (online app); none (desktop, local) | Sold: No; Shared: No |
| Inferences | usage segments, feature cohorts | derived from usage | product improvement; personalization where permitted | Indefinite | analytics | Sold: No; Shared: No |
| Sensitive PI (if provided) | OAuth refresh tokens, payment tokens; precise location (opt‑in) | you; device | authentication; fraud prevention; legal compliance | Purged immediately on unlink or account deletion; otherwise retained as needed to provide the Service | security providers; payments | Sold: No; Shared: No |
We use Sensitive Personal Information only for permitted purposes such as authentication, security, fraud prevention, and legal compliance, and not for inferring characteristics about you.
Do Not Sell or Share. We do not sell personal information and we do not share personal information for cross‑context behavioral advertising.
GPC. We honor Global Privacy Control (GPC) signals as an opt‑out for sale/sharing (even though we do not sell/share) and treat them as a request to restrict such processing for that browser.
Information we collect and sources
We collect the information described in the table above from: you (including through forms, prompts, files, and support requests); automatically from your device (cookies, SDKs, logs); third‑party platforms you connect; and service providers acting on our behalf.
Information you provide directly
- Account and contact information. When you create an account or contact us, we collect identifiers such as display name, email address, and other details you choose to provide.
- Platform authentication tokens and permissions. To integrate with Twitch, YouTube, Discord, and Trovo, you provide OAuth tokens or API keys so we can read chat messages (including private messages and private channels if you explicitly grant that scope), send messages on your behalf, and configure alerts and automation. You can revoke these permissions at any time in the relevant platform and you can unlink within Mix It Up. Private messages accessed via granted scopes are used only to provide requested features (for example, moderation or automation) and are retained under the same rules as audience/visitor data. Creators can request export and bulk deletion of message logs for their account, and data is deleted when the account is deleted.
- Configuration and user‑generated content. You may upload or create scripts, commands, overlays, community guides, or other settings (“User Content”). Such content may include metadata or personal information depending on what you include.
Information collected automatically
- Usage data and analytics. Feature interactions, log files, timestamps, time on screens, error reports, IP addresses, device identifiers, browser type/version, operating system, and other diagnostic data.
- Cookies and similar technologies (website). We use Google Analytics on our website for analytics only.
- Telemetry (desktop app). OS version, hardware profile, app version, feature flags, crash traces, anonymized IDs, and linked‑account metadata (not credentials).
- Location data. Approximate location derived from IP; precise location only where you grant permission.
Information from third parties
- Connected platforms. If you link a platform account (e.g., Twitch or YouTube), we receive information like channel IDs, chat messages, and follower or channel events. We use this data solely to provide the Services and subject to the platform’s terms and your settings.
How we use personal information
We use personal information to:
- Provide and secure the Services; authenticate and manage accounts; deliver alerts and overlays; process commands and automation; personalize settings; provide support.
- Improve and develop the Services by analyzing usage patterns and feedback to fix bugs, add features, and enhance performance.
- Communicate about updates, security, and support; and, with your consent or where permitted, send marketing or promotional emails.
- Comply with law and enforce agreements; detect, investigate, and prevent fraud, abuse, or security incidents.
- Analytics only. We use analytics to understand usage; we do not use cookies for marketing or cross‑context behavioral advertising.
Legal bases (GDPR/UK GDPR)
We process personal data based on: contract performance; legitimate interests (for example, security and product improvement) balanced against your rights; consent (for marketing and certain cookies in regions that require it); and legal obligations (for tax, accounting, and compliance).
Sharing and disclosure
We share personal information only as described below:
- Service providers. Cloud hosting, analytics (Google Analytics; Azure Application Insights), crash/telemetry (Prometheus, Seq), and customer support platforms process data on our behalf under contracts that limit their use.
- Third‑party platform partners. When you integrate with a platform (for example, Twitch, YouTube, Discord, Trovo), we share data as necessary to deliver functionality, subject to each platform’s policies and your settings.
- Legal compliance and protection. To respond to lawful requests, enforce our rights, or protect users and the public.
- Business transfers. In connection with a merger, acquisition, reorganization, or sale of assets, we may transfer data. We will notify you of any material changes in ownership or use of personal information.
Law-enforcement requests. We may disclose information in response to lawful requests. Where permitted by law, we notify affected users before producing data so they can seek remedies, unless doing so would be futile or the request prohibits notice.
Service provider role. For creators’ audience data processed through integrations, we act as a service provider/processor to the creator to the extent permitted by law and our agreements. Creators are responsible for providing any required notices and obtaining any required consents from their audiences. A Data Processing Addendum (DPA) is available upon request.
Nevada disclosure. We do not sell “covered information” as defined by NRS 603A. If our practices change, we will update this Policy and add a sale opt‑out method in the website footer and in this section.
International transfers
We may transfer personal information to countries that may not provide the same level of protection as your home country. Where personal data is transferred internationally, we rely on the European Commission’s Standard Contractual Clauses (SCCs) (and the UK Addendum where applicable) with supplemental security measures such as encryption and access controls. We review subprocessors and data locations periodically and publish updates in our Data Processing Addendum (DPA). We may use regional data centers to minimize transfers.
EU/UK representatives. We have not appointed representatives under Article 27 GDPR/UK GDPR. If we later appoint representatives, we will update this Policy and our website with their contact details. Individuals in the EEA/UK may still contact us at privacy@mixitupapp.com with questions.
Data retention
Retention varies by category (see the Notice at Collection table). Additional practices:
- Accounts (profile & settings): retained until you delete your account; certain records may be kept up to 24 months in backups/audit logs.
- OAuth tokens: retained until you unlink or delete your account; purged immediately thereafter (subject to backup cycles).
- Billing and transaction records: retained 7 years to meet tax, accounting, and audit obligations.
- Analytics & usage events: retained indefinitely, with annual necessity reviews.
- Security logs/fraud data: retained indefinitely to investigate abuse and protect service integrity.
- Backups: retained indefinitely for disaster recovery; restoration requests trigger the same deletion routines described here.
Deletion requests and holds. Email privacy@mixitupapp.com to request deletion, correction, or export. We log each request, verify identity before acting, apply legal exceptions, and document any holds (for example, fraud, disputes, or statutory retention requirements). When a deletion is approved, production systems are updated promptly and backups age out per the cycles above.
Long-term retention rationale. We retain certain categories (for example, analytics, security logs, and backups) indefinitely to ensure service continuity, integrity, and abuse prevention. We restrict internal access and review whether continued retention remains necessary at least annually. Where U.S. law imposes specific minimum or maximum retention periods, we apply those requirements.
For the desktop app, most data is stored locally on your device and is under your control. We cannot access or delete local device data. Uninstalling or clearing the app data on your device removes that local data.
Your rights and choices
Depending on your location, you may have rights under applicable law, which can include the right to access, delete, correct, port, opt out of certain processing (including sale/sharing/targeted advertising), and limit use of sensitive personal information. We respond to requests as required by applicable law.
How to exercise your rights. Submit a request by emailing privacy@mixitupapp.com. Include (a) the account email or unique identifier we should look up, (b) the type of request you are submitting (for example, access, delete, correct, portability, restrict/object, limit sensitive personal information), and (c) your region or governing privacy law (for example, EU, UK, California, Virginia). If an authorized agent acts for you, attach evidence of their authority.
We verify identity to a reasonable degree before fulfilling requests, log each request in our compliance tracker, and respond within 30–45 days unless the law allows an extension (in which case we will notify you). We do not discriminate against you for exercising your rights.
Appeals. If we deny your request, you may appeal by replying to our decision email with “Appeal.” We will review and respond within 45 days as required by applicable law.
Cookies, DNT, and opt‑out preference signals
Our website uses analytics cookies only (Google Analytics). We do not use cookies for marketing or cross‑context behavioral advertising. We do not provide a separate in‑product cookie preferences page, and we do not block analytics prior to consent. You can control cookies via your browser settings and Google’s opt‑out tools.
Do Not Track (DNT). Some browsers send DNT signals; there is no industry consensus on how to respond, so we do not respond to DNT. Global Privacy Control (GPC). We honor recognized browser‑level opt‑out signals, including GPC, for sale/sharing where applicable.
Children’s privacy
The Services are not directed to children under 13. We do not knowingly collect personal information from children under 13. If we learn that a child under 13 has provided personal information, we will delete that information and disable the account. Parents or guardians may request deletion by emailing privacy@mixitupapp.com with “Children’s Data Request” in the subject line.
Data security and breach notification
We implement administrative, technical, and physical measures designed to protect personal information, including encryption in transit and at rest (for example, OAuth refresh tokens and secrets), role‑based access controls, logging, and vulnerability management. No method of transmission or storage is completely secure. In the event of a data breach, we will evaluate risk and, where required by law, notify affected individuals and regulators.
Marketing communications (CAN‑SPAM)
Marketing emails include an unsubscribe link. We honor opt‑outs within 10 business days and include our physical address in each commercial email. Transactional messages may still be sent.
California and Nevada privacy rights
California and Nevada residents may have additional rights under the CPRA and NRS 603A, including the right to know, delete, and opt out of sale. We do not sell personal information. To exercise rights contact us at privacy@mixitupapp.com.
Financial incentives. We do not offer programs that provide price or service differences in exchange for personal information. If we introduce paid add-ons in the future, we will collect only the personal information necessary to process the transaction and will update this Policy as required.
Changes to this Policy
We may update this Policy from time to time. For material changes, we will provide notice (for example, in‑product or by email) at least 15 days before the changes take effect, unless a shorter period is required by law or for security. The Effective date above reflects the latest version.
Contact us
Blazing Cacti LLC
9750 W. Skye Canyon Park Dr., Ste. 160 – #161
Las Vegas, NV 89166, USA
General: info@mixitupapp.com
Privacy: privacy@mixitupapp.com
Security: security@mixitupapp.com
Changelog
- v1.0.0 (2025-10-11): Initial published version of the statement under the consolidated Mix It Up suite.
- v0.1.0.0 (2024-04-01): Initial pre‑release draft (superseded).