Privacy
Last updated: 2026-05-08.
Sipario is a browser-native media player. It does not have user accounts, does not log you in, and does not phone home by default. The defaults below are not negotiated — they are the product.
What stays on your device, always
Everything you configure or accumulate while using Sipario is stored in your browser’s local storage and origin private file system (OPFS) only. None of it is transmitted to a Sipario-operated server in the default configuration:
- Addon manifest URLs you add in Settings → Sources.
- Any credentials those URLs embed.
- Watch progress and the Continue Watching shelf.
- Reactions, theme, language and subtitle preferences.
- Your TMDB API key, if you provided one in Settings → TMDB.
- The local OPFS cluster cache — cluster bytes from streams you have watched, mirrored to your browser so backward seeks are instant.
- Live-channel sources (M3U playlists / Xtream Codes accounts) and any credentials they embed.
What never leaves your device
These are commitments, not implementation details:
- Stream URLs. The full URL of any stream you play is never logged, never sent to telemetry, and never shared with the federated CORS pool or any other backend service Sipario operates.
- Title metadata about what you watched. No endpoint Sipario operates ever receives titles, IMDb IDs, or episode numbers tied to your device.
- Debrid / addon credentials. Whatever you enter in Sources stays in localStorage. The Sipario byte-proxy forwards bytes only; it does not parse, log, or persist authentication headers.
- Audio fingerprints. Sipario does not fingerprint the audio of streams you play to identify them.
- Background recording. Sipario is not a DVR. The 30-minute OPFS ring buffer is ephemeral and only persisted when you explicitly save a clip.
What three opt-in pools see (hashed only)
Three pools exist to make playback faster and more reliable. All transmit only opaque hashes — never full URLs, never titles, never anything tied to your identity. All are toggleable in Settings.
- Federated CORS pool. When ON (default), the first time your browser encounters a host that other Sipario users have already probed, you skip the 200–500 ms local probe by reading the global verdict (~10 ms). Your own probe outcomes are contributed back. The pool sees sha256(hostname) and the verdict (works / does not work via direct fetch). It does not see paths, query strings, your IP-derived identity, or anything else.
- Channel quality pool. Off by default. When ON and a pool URL is configured, every successful WebCodecs probe of a live-channel stream contributes a hashed observation back. Same hashing rules: only sha256(channel-url) + the probe verdict.
- Subtitle alignment pool. Off by default. When ON, helps your subtitles snap to per-cue accuracy against the audio. The pool stores per-cue timing offsets keyed on a pair of opaque hashes: movieHash (the OpenSubtitles content hash of the video file — head + tail bytes, file size; not reversible to title or URL) and subHash (a SHA-256 of the parsed subtitle cue list). The pool sees those two 16-character hashes plus an array of {cueIdx, offsetSec} entries and the model identifier (e.g. whisper-tiny.en).
  - Fetch-only mode reads other users’ offsets to align your subtitles — never publishes. The pool sees only the hash pair you query.
  - Fetch-and-share mode reads AND writes: when your local on-device alignment produces offsets, they’re published to the pool keyed on the same hash pair. Other users with the byte-identical file + subtitle benefit on first watch.
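An added illustration, not Sipario's own code: a sketch of the publicly documented OpenSubtitles content hash that the movieHash entry above refers to, showing that its only inputs are the file size and the first and last 64 KiB of the file. The function names and the 64 KiB minimum size are assumptions of this sketch, and the sample buffer is constructed.

```javascript
// OpenSubtitles-style content hash (added example; names are hypothetical).
// hash = (file size + sum of 64-bit little-endian words in the first 64 KiB
//         + sum of 64-bit little-endian words in the last 64 KiB) mod 2^64
const CHUNK = 65536;            // 64 KiB read from each end of the file
const MASK = (1n << 64n) - 1n;  // keep arithmetic within 64 bits

// Sum CHUNK bytes starting at `start` as unsigned 64-bit little-endian words.
function sumWords(bytes, start) {
  const view = new DataView(bytes.buffer, bytes.byteOffset + start, CHUNK);
  let sum = 0n;
  for (let off = 0; off < CHUNK; off += 8) {
    sum = (sum + view.getBigUint64(off, true)) & MASK;
  }
  return sum;
}

// Returns the 16-character lowercase hex hash for a file held in a Uint8Array.
// Note what is NOT an argument: file name, title, URL, or any account data.
function movieHash(bytes) {
  if (bytes.length < CHUNK) {
    throw new RangeError("this sketch requires at least 64 KiB of data");
  }
  const head = sumWords(bytes, 0);
  const tail = sumWords(bytes, bytes.length - CHUNK);
  const h = (BigInt(bytes.length) + head + tail) & MASK;
  return h.toString(16).padStart(16, "0");
}

// Constructed sample: a 192 KiB buffer standing in for a video file.
function demo() {
  const file = new Uint8Array(3 * CHUNK);
  const empty = movieHash(file);
  file[0] = 1;                  // change inside the head window
  const headChanged = movieHash(file);
  file[100000] = 0xff;          // change between the head and tail windows
  const middleChanged = movieHash(file);
  file[file.length - 1] = 1;    // change inside the tail window
  const tailChanged = movieHash(file);
  return { empty, headChanged, middleChanged, tailChanged };
}
```

Because only the size and the two 64 KiB windows are read, bytes between them do not affect the value.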
On-device speech recognition (subtitle perfect-sync)
When you enable subtitle perfect-sync in Settings, Sipario runs a small speech-recognition model entirely in your browser. Audio bytes never leave your device.
- The model (Whisper-tiny.en by default; ~30 MB once unpacked) is fetched on first use from the Hugging Face content delivery network. That fetch transmits no information about what you’re watching; the request is for the model file itself. The model is cached in your browser thereafter.
- The audio stays on your device. The PCM tap reads samples from the same AudioContext that’s already decoding your stream for playback, buffers a sliding 60-second window in memory, and feeds it to the model running in a browser Web Worker. Nothing is recorded to disk; nothing is uploaded.
- The transcript the model produces stays on your device too. It’s used in-memory to match your subtitle’s words against the audio and compute per-cue offsets, then discarded. Only the offsets themselves can be published to the alignment pool, and only when you’ve enabled fetch-and-share mode above.
- WebGPU / WASM. Inference uses your device’s GPU when available, falling back to CPU (WebAssembly). The choice is made by the browser; no capability information about your device is reported anywhere.
Diagnostics opt-in (Settings → Diagnostics & privacy)
The Diagnostics toggle in Settings is the master gate for any future client-to-server diagnostics beacon. It is OFF by default, and today nothing is transmitted regardless of its state — the toggle ships ahead of the endpoint so the user-visible opt-in is in place before a single line of telemetry-emitting code lands in the player.
If and when a diagnostics endpoint is shipped, the toggle being ON would permit transmission of the following classes of data:
- Bucketed connection class (e.g. 4g-fast, wifi) with differential-privacy noise applied to bandwidth numbers before they leave the device.
- Codec selection counts (e.g. aac=4, eac3=1) and decode-failure counts, in K-anonymous histograms with k ≥ 10.
- UA-class buckets (browser family + OS family + device class), never the full UA string.
- The Sipario version that emitted the report.
What the diagnostics endpoint will never accept:
- Stream URLs (full or partial), titles, IMDb IDs, episode identifiers.
- Credentials, API keys, addon URLs.
- Watch progress, history, or per-title metadata.
- Anything that, alone or combined, could re-identify a single device or user.
Server-side metric you can’t opt out of
The /api/metrics endpoint on Sipario’s origin records aggregate counts of TMDB metadata calls and similar server-side operations — the kind of observability any web service has. These counts are aggregated (not per-user), do not contain your IP address (Cloudflare handles that layer), and are never tied to your device. They exist so the operator can see the service is alive and scale it. There is no client-side opt-out because there is no client-side participation.
Third-party services
Sipario uses TMDB (The Movie Database) for metadata under their API terms. Streams you play are fetched from upstream hosts named by the addons you have configured; those hosts have their own terms and privacy policies, and Sipario has no relationship with or control over them.
Deleting your data
Because nothing leaves your device by default, deleting your data means clearing your browser’s storage for sipario.tv:
- Settings. Settings → Reset → Restore defaults wipes prefs back to defaults.
- Watch history. Settings → Watch history → Clear wipes the Continue Watching shelf and per-title progress.
- Cluster cache. Settings → Local cluster cache → toggle off, or clear the site’s OPFS via your browser settings.
- Everything. Browser settings → Site data → clear data for sipario.tv.
Changes
This document describes Sipario’s privacy posture at the date above. Material changes — particularly the launch of any client-side diagnostics endpoint — will be reflected by an updated “Last updated” date and documented in this page before the corresponding code merges.
Contact
Privacy questions can be sent to the contact listed on the DMCA / takedown page.