Privacy Policy
Last updated: 27 February 2026
1. Who We Are
TubeNotes is operated by Wandering Bots Ltd, a company registered in England and Wales. We provide an AI-powered YouTube video summarization service. For any privacy-related questions, you can reach us at privacy@tubenotes.io.
2. What Data We Collect
We collect the following categories of personal data:
- Account data: email address, display name, and avatar (provided via OAuth when you sign in).
- Content data: YouTube URLs you submit, AI summaries generated from those videos, and any custom prompts you provide.
- Payment data: Stripe customer ID and subscription ID. We do not store your credit card number, expiry date, or CVC — Stripe holds that information directly.
- Technical data: IP address, device type, browser type, screen resolution, and operating system.
- Usage data: page views, session events, and feature usage collected via our custom analytics tracker and PostHog.
3. How We Use Your Data
We use your data for the following purposes, each mapped to a legal basis:
- Provide the service — processing your YouTube URLs and generating summaries (legal basis: contract).
- Process payments — managing subscriptions and credit purchases via Stripe (legal basis: contract).
- Prevent abuse and fraud — rate limiting, IP reputation checks, and bot detection (legal basis: legitimate interest).
- Improve the product — analytics on feature usage, performance monitoring, and error tracking (legal basis: legitimate interest).
- Send service notifications — emails about your account, subscription changes, or service disruptions (legal basis: contract).
4. Legal Basis for Processing (GDPR Article 6)
We process your personal data under the following legal bases as defined by the UK GDPR and EU GDPR:
- Contract: processing necessary to provide the service you signed up for, including account management, summary generation, and payment processing.
- Legitimate interest: processing necessary for fraud prevention, product improvement, and security — where our interests do not override your rights.
- Consent: where we use non-essential analytics cookies or tracking. You can withdraw consent at any time.
5. Cookies and Tracking
We use the following cookies and local storage:
- Essential (session): Supabase authentication cookies required to keep you signed in. These are strictly necessary and cannot be disabled.
- Analytics: PostHog cookies (prefixed
phc_) and custom tracker localStorage keys (tn_anon,tn_session,tn_session_idx) used to understand how the service is used and to improve it.
We do not use any advertising or third-party tracking cookies.
6. Third-Party Services (Sub-Processors)
We share data with the following third-party services to operate TubeNotes:
| Service | Purpose | Location |
|---|---|---|
| Stripe | Payment processing | United States |
| OpenAI | AI summarization | United States |
| Supabase | Database and authentication | United States |
| Vercel | Frontend hosting | United States |
| Railway | Backend hosting | United States |
| PostHog | Product analytics | United States |
| ipapi.is | IP reputation lookup | — |
| Cloudflare | CDN and security | Global |
7. International Data Transfers
Your data is processed in the United States by the sub-processors listed above. These transfers are covered by Standard Contractual Clauses (SCCs) and/or adequacy decisions as required by UK GDPR and EU GDPR. By using TubeNotes, you acknowledge that your data will be transferred to and processed in the United States.
8. Data Retention
We retain your data for the following periods:
- Account data: retained until you request deletion of your account.
- Summaries: retained until you delete them or your account is deleted (summaries are deleted automatically when your account is removed).
- IP cache: automatically expires after 24 hours.
- Analytics data: retained for product improvement purposes and reviewed annually.
- Stripe event records: retained indefinitely for payment integrity and dispute resolution.
9. Your Rights Under GDPR
If you are located in the UK or European Economic Area, you have the following rights under the UK GDPR and EU GDPR:
- Right of access: request a copy of the personal data we hold about you.
- Right to rectification: request correction of inaccurate or incomplete data.
- Right to erasure: request deletion of your personal data.
- Right to restrict processing: request that we limit how we use your data.
- Right to data portability: request your data in a structured, machine-readable format.
- Right to object: object to processing based on legitimate interest.
- Right to withdraw consent: withdraw consent at any time where processing is based on consent.
- Right to complain: lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or with your local data protection authority.
To exercise any of these rights, contact us at privacy@tubenotes.io. We will respond within 30 days.
10. Your Rights Under CCPA
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):
- Right to know: request disclosure of the categories and specific pieces of personal information we have collected about you.
- Right to delete: request deletion of your personal information.
- Right to opt-out of sale: direct us not to sell your personal information (see Section 11).
- Right to non-discrimination: we will not discriminate against you for exercising your CCPA rights.
To exercise any of these rights, contact us at privacy@tubenotes.io.
11. Do Not Sell My Personal Information
We do not sell your personal information to third parties. We do not share your data with third parties for their own marketing purposes.
12. Children's Privacy
TubeNotes is not intended for children under the age of 16 (as required by UK GDPR) or under the age of 13 (as required by COPPA in the United States). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at privacy@tubenotes.io and we will delete it promptly.
13. Data Security
We take appropriate technical and organisational measures to protect your personal data. These include TLS encryption for all data in transit, row-level security on our database to ensure users can only access their own data, and no storage of plaintext credentials. While no system is 100% secure, we are committed to protecting your information to the best of our ability.
14. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email at least 30 days before the changes take effect. The “Last updated” date at the top of this page will be revised accordingly. Continued use of TubeNotes after the notice period constitutes acceptance of the updated policy.
15. Contact Us
If you have any questions about this Privacy Policy or how we handle your data, please contact us:
- Email: privacy@tubenotes.io
- Wandering Bots Ltd, England and Wales