What we store, and what we never touch.
We store your email, hashed password, device list, server invites, and login timestamps. We never see what you watch or your media. No data sales, no ad tracking. You can access, export, or delete everything any time.
What we collect
The complete list of data tied to your Finderwave account:
- Your email address.
- A hashed password (Argon2id) — we cannot recover or read it.
- Your registered devices: name, type, last-seen time, approximate country.
- Which Jellyfin servers you've been invited to or own.
- Login timestamps and approximate IP country, used for security alerts.
- Your MFA secret, encrypted at rest.
That's the whole list. We say the same thing on the How it works page, because it's the part that should make a privacy-conscious user comfortable.
What we never collect
- What you watch. No access to your library or playback history.
- Your media files. They never leave your server on direct tiers.
- Your Jellyfin password. The plugin holds a scoped token, not your credentials.
- Behavioural tracking. No ad networks, no third-party analytics profiles, no data sales.
How we use what we collect
Only to run the service you signed up for:
- Authenticate your logins and link your devices.
- Show you the servers you're invited to.
- Send security alerts (new device, new login location).
- Send essential account email (receipts, important service notices).
We do not sell your data, and we do not use it to build an advertising profile. Ever.
Relay data handling
On paid relay tiers, your media bytes pass through our edge servers so remote access works without port forwarding. We do not inspect, log, or store those bytes beyond what's needed to route the connection, and the stream is encrypted in transit end-to-end. On direct tiers, no media reaches us at all.
Data retention
We keep account data while your account is active. Login and security logs are retained for up to 12 months, then deleted. If you delete your account, we erase your personal data within 30 days, except where law requires us to keep billing records longer.
Your rights (GDPR)
Finderwave is operated from the EU, and we apply GDPR rights to everyone. You can:
- Access a copy of your data.
- Correct anything inaccurate.
- Delete your account and data.
- Export your data in a portable format.
- Object to processing or withdraw consent.
Email [email protected] and we'll action it. You also have the right to complain to your local data-protection authority.
Subprocessors
We use a small set of vetted providers strictly to operate the service — payment processing, transactional email, and cloud hosting for the relay edge. They process data only on our instructions, and we keep the current list available on request. We don't share your data with anyone for their own purposes.
Security
Passwords are hashed with Argon2id. MFA secrets are encrypted at rest. Relay traffic is encrypted end-to-end in transit. The plugin guarding your server is open source, so you can verify our claims rather than take them on trust.
Contact & changes
Questions about privacy go to [email protected]. If we make a material change to this policy, we'll notify account holders by email before it takes effect. The data controller is AXL Online Solutions SRL, Romania.