The legally binding version of this document is the French one. This English version is a courtesy translation.
Last updated: 2026-07-07
Privacy Policy — Tivera
Version: 2.1 — DRAFT pre-Play Store v1.0 (Free + Premium model) Effective date: 2026-07-07 Reference language: French — controller's jurisdiction: Morocco (Law 09-08, CNDP authority; GDPR applies extraterritorially — Art. 3.2 — for users residing in the EU/EEA/UK) Publisher: Mitchou, an individual under Moroccan law (independent publisher). Address: Tralles, rue Essanaouabar, Casablanca, Morocco.
⚠️ Draft to be validated by a lawyer (data protection: Law 09-08 / CNDP + GDPR/ePrivacy) before firm publication. The French version is the binding reference; the other languages are courtesy translations.
TL;DR
Tivera is a BYOC (Bring Your Own Content) IPTV player for Android (mobile + TV). You import your own streams (M3U / Xtream Codes / EPG XMLTV); no content is hosted by us.
- Personal data collected for commercial purposes: none. No resale, no data brokering.
- Diagnostic telemetry (crash reports + anonymized usage statistics + performance log): sent only to our own self-hosted server (
api.tivera.tv), never to a third party. Firebase Crashlytics and Firebase Analytics have been removed — no more crashes or analytics sent to Google. Outside the EU/EEA/UK, this channel is on by default (legitimate interest) and can be turned off at any time (Settings → Privacy → Diagnostic data). In the EU/EEA/UK, it stays off until your explicit consent. - Sharing with third parties: only Google AdMob (Free mode: ads, AAID advertising identifier) and Google Play Billing (Premium mode: subscription payment). The Premium cloud sync (profiles/favorites/history) goes to our self-hosted server, not to a third party.
- Local encrypted storage: SQLCipher AES-256 + Google Tink AEAD (Xtream credentials).
- No account required to play your streams. An account is only needed for Premium / cloud sync / device management.
1. Data controller (GDPR Art. 13.1.a)
| Field | Value |
|---|---|
| Publisher | Mitchou (individual under Moroccan law, independent publisher) |
| App commercial name | Tivera |
| Android package | com.mitchou.tivera |
| General contact email | contact@tivera.tv |
| Privacy email | privacy@tivera.tv |
| DMCA email | dmca@tivera.tv (see DMCA Policy) |
| Postal address | Tralles, rue Essanaouabar, Casablanca, Morocco |
| Formal DPO | Not required (GDPR Art. 37: independent publisher, < 250 employees, no large-scale processing of sensitive data) |
| EU representative (GDPR Art. 27) | Being designated before the general public rollout in the EU. In the meantime, EU/EEA residents exercise all their rights directly with the Publisher at privacy@tivera.tv; the representative's details will be published here and in the app once designated. |
| Applicable jurisdiction | Morocco — Law 09-08 on the protection of individuals with regard to the processing of personal data, under the supervision of the CNDP. GDPR (EU 2016/679) applies extraterritorially (Art. 3.2) for EU/EEA/UK users. |
Committed response time for any GDPR / CCPA request: 30 days (GDPR Art. 12.3) / 45 days (CCPA).
2. Nature of the application (GDPR Art. 13.1.c)
Tivera is a generic BYOC IPTV player distributed via Google Play Store (and direct APK download).
2.1 What Tivera IS
- A multimedia stream player (video / audio) that you bring yourself.
- A local organizer for your sources (M3U URL, Xtream Codes API credentials, EPG XMLTV URL).
- A local diagnostic tool (Quality Scanner) + a local recorder (DVR) on your demand.
- Available in two tiers: Free (with ads) or Premium (subscription-based, no ads, additional features).
2.2 What Tivera IS NOT
- Not a content distribution service (zero pre-loaded channels, zero catalog).
- Not an algorithmic recommendation service.
- Not a content storage service. The Premium cloud sync (profiles, favorites, history, selected settings) uses our own self-hosted server
api.tivera.tvand synchronizes only lightweight metadata (profile label, avatar, kids flag, encrypted PIN, opaque content identifiers) — never your streams or your source credentials. - Not a technical intermediary: you communicate directly with the server you choose.
You are solely responsible for the streams you import and for their compliance with applicable copyright law (see Terms of Service + DMCA Policy).
2.3 Free vs Premium differences on the data side
| Aspect | Free | Premium |
|---|---|---|
| Data collected by default | None | None |
| AdMob ads (banner + native + rewarded) | Yes (revenue model) | No |
| AAID (Android advertising ID) read by AdMob/Google | Yes (handled by Google Play Services) | No |
| UMP SDK (EU/GDPR ad consent) | Yes (on 1st EU launch) | Not applicable |
Self-hosted diagnostic telemetry (api.tivera.tv) | Outside EU: on by default (opt-out) · EU/EEA/UK: opt-in | Same |
| Firebase Analytics / Crashlytics | Removed (no longer used) | Removed |
| Play Billing (purchase tokens) | Not applicable | Yes |
3. Data processed
3.1 User-entered data — stored locally only
All of this data stays on your device. None of it is transmitted to Mitchou or to any third party in normal use.
- M3U URL / playlist: SQLCipher AES-256. Playback of your streams. GDPR legal basis 6.1.b (contract performance). Duration: until manual deletion / uninstall.
- Xtream Codes credentials (host, user, password): Google Tink AEAD (master key Android Keystore TEE/StrongBox) on top of SQLCipher, AAD bound to the source (anti cell-swap). Connection to your panel. GDPR legal basis 6.1.b.
- EPG XMLTV URL + mappings to channels: SQLCipher AES-256 (Tink AEAD if Basic Auth is embedded in the URL). Program guide. GDPR legal basis 6.1.b.
- Watch history (resume position): SQLCipher AES-256. "Continue Watching". GDPR legal basis 6.1.b.
- Favorites: SQLCipher AES-256. UI customization. GDPR legal basis 6.1.b.
- DVR recordings (
.ts) + offline VOD downloads (Premium): scoped storage, unencrypted. Time-shifted/offline playback on your demand. GDPR legal basis 6.1.b. - Parental PIN (4 digits): Tink AEAD (AAD
parental-pin-v1). Locking of adult content. GDPR legal basis 6.1.b. - UI preferences (language, theme, quality): DataStore Proto, non-sensitive. GDPR legal basis 6.1.f (legitimate interest).
3.2 Data automatically collected by the application
- AAID (Android advertising ID): Free = yes, read by Google Play Services on an AdMob impression. Premium = no.
- IP address: the telemetry payload does not contain your IP address as a data field. It remains visible at the transport layer to any server receiving the request: (a) the Xtream/EPG server you configure, (b) Google when AdMob fires in Free, (c) our
api.tivera.tvserver (+ Cloudflare in transit) when telemetry is active or when you use your account. Any IP addresses logged server-side are kept only for as long as strictly necessary for security and diagnostics, then deleted. - Precise geolocation: no. Approximate (IP-derived): not by Tivera (AdMob may infer the country via IP in Free).
- Contacts / SMS / call logs: no (permissions not declared). Microphone / camera: no (the camera is used only to scan a pairing QR code, 100% on-device, no image transmitted). IMEI / serial number / MAC: no.
- Android ID (
Settings.Secure.ANDROID_ID): read only when diagnostic telemetry is active (see 3.4), never transmitted in clear. It is used to derive, via a one-way app-namespaced SHA-256 hash, a pseudonymous technical device identifier — stable per device: it survives app reinstallation and clearing the app's data (it is only reset on a factory reset), and it is not a hardware identifier (a software, app-scoped identifier).
3.3 Technical data necessarily transmitted to the servers you configure
When you import an Xtream panel or an M3U/EPG URL, your requests leave your device towards the server you chose (neither Mitchou nor Tivera). That server necessarily receives your IP, your Xtream credentials and your User-Agent. We have no control over its privacy policy — review it before trusting it with your credentials.
3.4 Self-hosted diagnostic telemetry (api.tivera.tv)
To fix bugs and improve stability, Tivera collects technical diagnostic telemetry sent only to our self-hosted server api.tivera.tv (PocketBase, Publisher's infrastructure, Morocco / CNDP) — never to a third party.
Three channels: (1) Crash reports (crash_reports): stacktrace + an excerpt of the technical log at crash time; (2) Anonymized usage statistics (app_events): screen open (route), session start, playback start — no URL, no channel name; (3) Daily performance log (≤ 125 KB / 24 h): internal metrics (e.g. cold-start time) + device class (Build.MANUFACTURER + MODEL, e.g. "Samsung SM-S911B" — a device class, not personal data) + app/Android version + platform.
Identifier: each upload is tied to the pseudonymous technical device identifier (see 3.2) — stable per device, it survives app reinstallation and data clearing. It is not your identity.
Consent model (geo-conditioned):
| Region | Default state | Legal basis | How to withdraw |
|---|---|---|---|
| Outside EU / EEA / UK | On by default (opt-out) | Legitimate interest (GDPR Art. 6(1)(f)): internal, minimized, self-hosted diagnostics | Right to object (Art. 21): Settings → Privacy → Diagnostic data: OFF (effective immediately) |
| EU / EEA / UK | Off by default | Consent (GDPR Art. 6(1)(a)) — required because reading ANDROID_ID falls under Art. 5(3) of the ePrivacy Directive 2002/58/EC (and its national transpositions) | Decline, or withdraw (Art. 7(3)) via the same toggle |
The channel is never active before the age gate (13+ confirmation, see § 7). Withdrawal (toggle OFF) immediately purges any pending, not-yet-uploaded payloads.
Minimization: all content passes through the SecretRedactor + UrlRedactor filters client-side, before any upload (URLs, credentials, Bearer tokens, IBANs, long hex strings ≥ 32 characters stripped), channel identifiers are hashed/truncated, and the payload is capped at 125 KB.
Never transmitted: no name / email / phone; none of your sources, channels or history; no AAID; no ads, no resale.
Processor: none — api.tivera.tv is the Publisher's self-hosted server, not a data third party. Cloudflare provides only network transit + TLS (no storage). Encrypted in transit (HTTPS). Retention: 90 days (automatic server-side purge). This server is located in Morocco (see § 9).
3.5 Firebase Crashlytics / Analytics + GlitchTip/Sentry — REMOVED
Firebase Crashlytics, Firebase Analytics and the GlitchTip/Sentry channel are no longer used by the app. They are forced off at startup on all builds (debug / release / beta). No crash report or usage statistic is transmitted to Google or to any third party for those purposes anymore. The diagnostic function is now entirely handled by the self-hosted channel described in 3.4.
Note: Google AdMob (Free — § 3.6) and Google Play Billing (Premium — § 3.7) are separate Google services and are not affected by this removal; they remain declared.
3.6 Google AdMob (Free mode only)
In the Free tier, the app displays ads via the Google Mobile Ads SDK (AdMob). Formats: adaptive banner 320×50 dp at the bottom of the screen, native in the Browse rail, rewarded (opt-in) for an additional Quality Scanner run. No ads on Android TV / Leanback.
Data transmitted to Google by the AdMob SDK — in personalized mode (EU consent given): AAID, IP, User-Agent, device model, package + version, ad unit ID, history of ads viewed (frequency), inferred interests, past interactions. In non-personalized mode (consent refused): anonymized AAID, IP (coarse country targeting), User-Agent, model, package + version, ad unit ID — no history, no cohorts, no past interactions.
UMP SDK: on the 1st launch detected in the EU, a Google UMP dialog collects your consent for personalized advertising (accept = personalized; refuse = non-personalized). To fully disable AdMob: upgrade to Premium. No granular AdMob toggle in Free (revenue model).
Processor: Google LLC. Retention: per Google policy (typically ~14 months for advertising cohorts).
3.7 Google Play Billing (Premium mode only)
When you subscribe to the Premium tier (monthly subscription 3.99 USD / yearly 24.99 USD with a 7-day free trial on the yearly plan). No one-time "lifetime" purchase is offered.
- Data handled by Google Play (never seen by Tivera): payment method (card, PayPal, Google Pay, carrier billing), billing address.
- Data received by Tivera: purchase token (opaque proof of purchase) + subscription status (active / cancelled / grace period) via BillingClient.
- Stored locally by Tivera: Premium status (boolean, DataStore) + purchase token (Tink AEAD, AAD
play-billing-v1) for periodic re-validation.
No payment data (card number, CVV, expiry) is ever processed, seen or stored by Tivera. Cancellation: Google Play Store → Subscriptions → Tivera → Cancel. Refunds: standard Google Play policy (48 h for subscriptions) — request via Google Play, not via Tivera.
3.8 User profiles + Premium cloud sync (profiles)
Tivera lets you create several profiles on a single account (per-profile favorites and history, optional restricted profile). Profiles are stored locally (Room SQLCipher AES-256) and, only if you are a Premium subscriber and enable cloud sync, synchronized to our self-hosted server via the profiles collection (api.tivera.tv).
Data synced per profile (Premium + sync enabled only): name (label — potentially personal if you put a real first name in it; recommendation: use a pseudonym, especially for a child profile), avatarId (neutral illustration index), isKids (filtering flag chosen by the account holder, NOT an age declaration), pinCiphertext (PIN encrypted with Google Tink AES-256-GCM, never decrypted server-side). No date of birth is collected. Favorites and history are now per-profile; no stream, no channel/movie/series name, no Xtream credential is transmitted to api.tivera.tv (content identity = opaque SHA-256). Processor: none; sync is opt-in (Premium, enable/disable in Settings).
3.9 Tivera account (email address + OTP code)
The account is optional. No account is required to use the app in Free (import your sources, play your streams, scan your channels). You only create an account to unlock Premium, enable cloud sync, manage your devices, or redeem a promo code.
- Email address: provided by you; sign-in via one-time passcode (OTP) (no password). Transmitted to our self-hosted server
api.tivera.tv(Morocco / CNDP) and stored there to identify your account (Premium entitlement, device list, promo codes). Legal basis: GDPR 6.1.b (contract performance). Processor: none; encrypted in transit. Retention: until you delete your account (see § 5 + § 10). Your email is never used for advertising, never resold, never shared with brokers.
4. Data recipients (GDPR Art. 13.1.e)
| Recipient | Data concerned | Purpose | Location |
|---|---|---|---|
| You (on your device) | 100% of entered data | App usage | Local |
| IPTV/EPG servers you configure | Xtream credentials + IP + User-Agent | Authentication + playback | Variable (your choice) |
Self-hosted server api.tivera.tv — Account (Publisher, not a third party) | Account email (OTP) — optional | Account management / entitlement / sync / devices / promo codes | Morocco / CNDP |
Self-hosted server api.tivera.tv — Telemetry (Publisher, not a third party) | Stacktraces + usage statistics (screen routes) + perf log + device class + pseudonymous identifier | Diagnostics / stability | Morocco / CNDP |
| REMOVED — no more transfer to Google for those purposes (see 3.5) | — | — | |
| Google AdMob (Free) | AAID + IP + device + ad unit ID + cohorts (in personalized) | Ad display | USA + EU (SCC + DPF) |
| Google Play Billing (Premium) | Purchase token (no payment data) | Subscription validation | Google (global) |
Self-hosted server api.tivera.tv — Cloud sync (Publisher, not a third party) | Profiles (label, avatar, kids flag, encrypted PIN) + per-profile favorites + history (opaque SHA-256 content identity) | Multi-device synchronization | Morocco / CNDP |
| Cloudflare | Network transit (CDN + Tunnel + WAF) — sees IP/headers, stores no personal data | Routing + network security | Multinational (DPA) |
No sale of data to brokers or aggregators. No sharing for advertising purposes other than Google AdMob (Free only).
5. Your rights (GDPR Art. 13.2.b + Art. 15 to 22 + CCPA/CPRA)
5.1 GDPR rights (EU / EEA / UK residents)
- Access (Art. 15): your local data is on your device (Settings → Sources / Appearance…). Account data: machine-readable export (email, entitlement, devices, invoices, profiles, per-profile favorites + history, logs concerning you) — on request to
privacy@tivera.tv. - Rectification (Art. 16): directly in the app (Settings → Sources → Edit); account email editable, or request to
privacy@tivera.tv. - Restriction (Art. 18): disable telemetry (the "Diagnostic data" toggle, Settings → Privacy).
- Portability (Art. 20): Settings → Help → Send a diagnostic report (readable ZIP); account export on request to
privacy@tivera.tv. - Objection (Art. 21): outside the EU/EEA/UK, telemetry relies on legitimate interest → you can object at any time via the "Diagnostic data" toggle, with no service degradation. In the EU/EEA/UK, this channel is off until your consent anyway.
- Automated decision (Art. 22): no profiling or automated decision-making. The recovery/scanner engines use technical heuristics — no Machine Learning / AI within the meaning of EU Regulation 2024/1689 (EU AI Act).
Account deletion and erasure of your data (Art. 17)
- Local data: Settings → Clear cache deletes channels/EPG/recordings/downloads (the Xtream credentials are preserved for reconnection); uninstalling the app deletes everything (
/data/data/com.mitchou.tivera/). - Diagnostic telemetry: turning off the "Diagnostic data" toggle immediately purges pending uploads; to erase data already transmitted to
api.tivera.tv, write toprivacy@tivera.tvproviding your technical device identifier (Settings → Help) — deletion within 30 days (and automatic purge at 90 days). - Synced profiles: deleting a profile in the app triggers a soft-delete (immediate hiding, server purge within 30 days).
- Account deletion (cascade): from the app or on request to
privacy@tivera.tv. Deleting the account cascade-purges, server-side onapi.tivera.tv, all your profiles (includingisKidschild profiles), your per-profile favorites and history, your synced settings and sources, your Premium entitlement, your registered devices and your pairing tokens, and anonymizes your audit log lines. Your invoices are also deleted. You can export them beforehand (see § 5.1), and the payment provider keeps its own copy (see § 10). - Premium: cancel the subscription via Google Play, then uninstall.
5.2 CCPA / CPRA rights (California residents)
Tivera does not sell data. Right to Know — categories collected (last 12 months): Identifiers (AAID in Free; pseudonymous technical device identifier for telemetry; email if account); Commercial information (subscription status); Internet/Network Activity (AdMob interactions; telemetry screen routes); Geolocation (approximate country derived from IP by AdMob in Free). Sources: you + your device. Business purposes: advertising (Free), service delivery, diagnostics. Shared/"sold": only AAID + network activity via Google AdMob (Free) — a CPRA "share", opt-out via UMP; telemetry goes to our self-hosted server (not a third party — outside the scope of a CCPA "share"/"sale"). Right to Delete / Correct: see § 5.1. Opt-Out of Sale/Sharing: AdMob sharing (in personalized mode) can be refused via UMP consent (and is automatically non-personalized for CCPA users detected by Google). Limit Use of Sensitive PI: no sensitive data collected. Non-Discrimination + Authorized Agent apply. 45-day delay — privacy@tivera.tv.
5.3 Complaint
- CNDP (Morocco): https://www.cndp.ma
- EU/EEA residents: the supervisory authority of your residence (e.g. CNIL in France: https://www.cnil.fr/fr/plaintes). List: https://edpb.europa.eu/about-edpb/about-edpb/members_en.
- California AG: https://oag.ca.gov
6. Data security (GDPR Art. 32)
6.1 Encryption at rest
- SQLCipher AES-256 on the local database (channels, EPG, sources, history, downloads).
- Google Tink AEAD (master key Android Keystore TEE/StrongBox) as an overlay for: Xtream credentials (AAD bound to the source, anti cell-swap), EPG credentials, parental PIN (AAD
parental-pin-v1), Play Billing purchase token (AADplay-billing-v1). - Recordings / VOD downloads: unencrypted
.tsfiles in scoped storage, deleted on uninstall.
6.2 Encryption in transit
- Strict HTTPS to first-party domains (Google Play Services / AdMob) + to our backend
api.tivera.tv. - Cleartext HTTP is tolerated only towards the IPTV/EPG servers you configure (most Xtream panels still serve over HTTP — refusing it would break BYOC usage).
6.3 Defensive architecture
- Minimal Android permissions; CAMERA only to scan a pairing QR code (100% local processing). Permissions added by the Google SDKs (published version):
com.android.vending.BILLING(Premium),AD_ID+ACCESS_ADSERVICES_*(AdMob, Free only),BIND_GET_INSTALL_REFERRER_SERVICE(install attribution),READ_EPG_DATA("Continue Watching" rail on the Android TV launcher). No dangerous runtime permission other than CAMERA. - R8/ProGuard in release; restrictive backup rules (exclude the encrypted Xtream credentials from the Google Drive backup);
SecretRedactor+UrlRedactoron every log AND every telemetry payload before sending.
6.4 Breach notification (GDPR Art. 33-34)
In the event of a breach affecting your rights, Mitchou notifies the competent supervisory authority (CNDP in Morocco; CNIL or the EU authority of the user concerned) within 72 hours, and you directly if the risk is high.
7. Minors (COPPA US + GDPR Art. 8)
Tivera is intended for people aged 13 or older. Declarative age gate on 1st launch ("I am 13" + acceptance of the Disclaimer). No intentional collection of data concerning children under 13. Diagnostic telemetry is gated behind the age gate: no persistent identifier is transmitted before the 13+ confirmation. 4-digit parental PIN + restricted profiles (isKids) = best-effort, optional parental control, no date of birth requested, no analytics or targeted ads scoped to a child profile. Parent/guardian: privacy@tivera.tv.
Advertising and minors (EU): in the EU/EEA, the age of digital consent (GDPR Art. 8) varies from 13 to 16 depending on the Member State. To protect users who may be minors, personalized advertising is never enabled without valid consent collected via the Google UMP SDK; failing that (or upon refusal), only non-personalized ads (NPA — with no profiling or behavioral targeting) are served. The Premium tier removes all advertising.
8. Cookies / third-party trackers
Tivera is a native mobile app (not a website). No HTTP cookies of its own; any third-party server cookies (e.g. __cf_bm from a panel) are managed in RAM (InMemoryCookieJar), never persisted. No proprietary pixel/beacon. The tivera.tv website: no third-party cookies, no third-party analytics/advertising script, no external CDN at runtime (internal rule R-NA-1) — calls go only towards our backend (api.tivera.tv) on a user action.
9. International transfers (GDPR Art. 44 to 50)
| Transfer | Legal framework |
|---|---|
| Your device → IPTV/EPG servers you configure | No transfer orchestrated by Mitchou (you choose the recipient). |
| Telemetry + Premium cloud sync → self-hosted server (Morocco) | Morocco does not benefit from an EU adequacy decision (Art. 45). Transfer bases relied upon for EU/EEA users: (a) diagnostic telemetry — explicit consent (Art. 49(1)(a) derogation), this channel being opt-in in the EU anyway; (b) account + Premium cloud sync — transfer necessary for the performance of the contract you request (Art. 49(1)(b)). Additional measures: pseudonymization + minimization (SecretRedactor/UrlRedactor) + encryption in transit; single controller (the Publisher self-hosts, no distinct third-party importer within the meaning of the EDPB 05/2021 guidelines); local legal framework Law 09-08 + CNDP authority. |
| AdMob (Free) / Play Billing (Premium) → Google LLC (USA) | SCC + DPF. |
| Cloudflare transit | Network routing (no storage of personal data); Cloudflare DPA. |
10. Data retention (GDPR Art. 13.2.a)
- Local data (Xtream, M3U, EPG, history, recordings, downloads): as long as the app is installed; immediate erasure on uninstall or via "Clear cache".
- Diagnostic telemetry (
crash_reports+app_events+ perf log): 90 days then automatic purge. Early withdrawal via the toggle. - Firebase Crashlytics / Analytics: n/a (removed, no more collection).
- Account (email, entitlement, devices, pairings, profiles, favorites, history): until the account is deleted (cascade purge). Entitlement: until expiry + dispute/refund window.
- Invoices (metadata): deleted when the account is closed (cascade purge). The payment provider keeps its own copy under its accounting obligation (also in case of a dispute).
- AdMob cohorts (Free): per Google policy (~14 months). Premium purchase token: as long as the subscription is active + grace period.
- Audit log (
audit_log, incl. client IP): 90 days; lines anonymized on account deletion.
11. Update of this policy
Any material modification triggers: in-app notification on the next launch (non-blocking banner + link to the diff) + update of the date + preservation of the publicly versioned Git diff + re-acceptance if a new category of processing is added (e.g. a new advertising network). Minor modifications do not trigger re-acceptance.
12. Contact
- General email:
contact@tivera.tv - Privacy email (exercise of rights):
privacy@tivera.tv - DMCA email:
dmca@tivera.tv(see DMCA Policy) - Postal address: Tralles, rue Essanaouabar, Casablanca, Morocco
Response time: 30 days (GDPR) / 45 days (CCPA).
13. Related documents
Status: DRAFT v2.1 — discloses the Free + Premium model (AdMob in Free, Play Billing in Premium), the self-hosted telemetry (Firebase removed) and the Premium cloud sync. To be validated by a lawyer (Law 09-08 / CNDP + GDPR/ePrivacy) before firm publication: the legal basis for telemetry, the Morocco → EU transfer safeguards, the opt-out mechanism. The French version is the binding reference; the other languages are courtesy translations.