← Back to home
Security & Data Handling
A clear, technical explanation of how WatchTogether protects your privacy and secures your streams. No marketing fluff — just architecture.
Peer-to-Peer Streaming
Our core streaming technology relies on WebRTC, a secure peer-to-peer protocol. When you share your screen or camera, the video and audio data flows directly between you and the other participants in the room — no media server in the middle.
- End-to-end encryption: WebRTC mandates encryption by default. All media streams are encrypted using DTLS for handshake and SRTP for media — the same standards used by enterprise video-calling software.
- No middlemen: We do not route your video or audio through our servers. We only facilitate the initial connection (signalling).
- Direct peer connections: Once connected, your stream travels the shortest possible network path between participants.
What We Do (and Do Not) Store
✅ We store
Account email, display name, friend list, room metadata (created-at, mode, participant count), chat messages while a room is active.
❌ We never store
Your screen share content. Your camera or microphone audio. Recordings of any kind. The contents of streamed videos or movies.
🔁 Auto-deleted
Chat messages are removed within 24 hours of the room closing. Server logs are kept for 30 days for abuse investigations and then deleted.
🔐 Encrypted at rest
All stored data is encrypted at rest using AES-256 (Google Cloud / Firestore's default encryption).
Authentication & Account Security
- Hashed credentials: Passwords are never stored — authentication is delegated to Firebase Auth using industry-standard PBKDF2/SCRYPT hashing.
- Sign in with Google: Optional OAuth login means no password to leak.
- Two-factor authentication: Available for accounts that need extra protection.
- Session tokens: Short-lived JWTs with automatic refresh; revocable from your account settings.
Network & Transport Security
- All web traffic uses TLS 1.2+ with HSTS preloaded (max-age 2 years, includeSubDomains, preload).
- Strict Content Security Policy blocks injected scripts and untrusted frames.
- X-Frame-Options set to SAMEORIGIN to prevent clickjacking.
- Permissions-Policy locks camera/microphone to first-party only.
- Subresource integrity used for third-party scripts where supported.
Abuse Prevention
- Cloudflare Turnstile bot challenges on signup and high-risk actions.
- Server-side rate limits enforced via Cloud Functions triggers (cannot be bypassed by clients).
- In-app reporting tools and a dedicated moderation pipeline.
- Automated detection of common abuse patterns (mass-room creation, friend-spam).
Responsible Disclosure
If you discover a vulnerability, please email security@watchtogether.watch. We acknowledge reports within 48 hours, do not pursue legal action against good-faith researchers, and credit disclosers in our changelog with their permission.
Compliance
WatchTogether's data handling is aligned with the UK GDPR, EU GDPR, and the UK Data Protection Act 2018. See the Privacy Policy for full details on lawful bases, retention, and your rights.