Privacy Policy — YTube Transcript Pro
Your privacy matters. This Privacy Policy explains how YTube Transcript Pro (the “Service”) processes personal data when you use our website and/or our Chrome extension.
The Service is built following privacy-by-design, data minimization, and Bring Your Own Key (BYOK) principles.
1. Data Controller and contact details
Data Controller: Salvatore Natalello.
Contact: saxgroup@saxgroup.it.
The Service includes: (i) the YTube Transcript Pro website and (ii) the YTube Transcript Pro Chrome extension.
This policy covers processing performed by the Data Controller. Third-party providers (e.g., Google, PayPal, OpenAI, Anthropic, Notion) may act as independent controllers or processors depending on the specific service.
2. Privacy-First architecture (summary)
- Client-side AI: AI requests (prompts/transcripts/outputs) occur directly between the user’s browser and the selected AI provider.
- No server-side AI proxy: our servers do not forward AI requests and do not store prompts or outputs.
- BYOK: users provide their own AI API keys.
- Minimal backend: the backend handles authentication, licensing, quota, support and optional backup only.
3. Categories of personal data processed
We process only the data necessary to operate the Service and the features requested by the user.
3.1 Authentication data (Google Sign-In)
- Data: email address (and temporary technical session identifiers).
- Purpose: create and manage accounts, apply Free quota, verify PRO licenses, prevent abuse.
- Minimization: we do not store OAuth refresh tokens or permanent credentials to access Google accounts.
3.2 License and quota data
- Data: license_key, license status, plan type, expiration date, email (linked to the license), randomly generated device identifier (device_id), usage_count, last_reset_date, last_seen.
- Purpose: enable PRO features, manage Free quota, prevent unauthorized license use across devices, support resets when requested.
3.3 Support messages and assistance
- Data: message content, timestamps, license identifier, minimal technical metadata.
- Purpose: provide support, troubleshoot issues, maintain request history.
3.4 Optional Cloud Backup (Cloud Sync)
If you voluntarily enable Cloud Sync, the Service may store a configuration package to allow restoration on other devices.
- Possible included data: preferences, settings, custom prompts, AI API keys entered by the user, integration tokens (e.g., Notion).
- Purpose: sync and restore settings across devices.
- Control: you can choose not to use Cloud Sync; in that case, settings remain local only.
If you include API keys or third-party tokens in backup, such data is stored only to enable restore. Users are responsible for protecting their credentials and revoking them with the relevant providers if unauthorized access is suspected.
3.5 Payments and transactions (PayPal)
- Data: payer email, transaction id (txn_id), payment status, purchased plan, date.
- Purpose: license activation, transaction verification, administrative/accounting handling.
The Service does not store full payment card details. Payments are processed by PayPal under its own terms.
3.6 Website usage and Analytics data
The website uses technical cookies and Google Analytics for statistics and service improvement. Analytics cookies are enabled only after consent where required.
3.7 Technical and operational logs
- Data: technical logs (timestamp, operation type, log message) and admin operational logs (actions performed by admin via management tools).
- Purpose: security, fraud/abuse prevention, debugging, technical audit and service continuity.
4. Data not collected (or not stored)
- We do not systematically store YouTube transcripts, AI prompts sent to models, or AI outputs generated by models.
- We do not sell personal data.
- We do not track your global browsing history.
5. Purposes and legal bases (Art. 6 GDPR)
| Purpose | Examples | Legal basis |
|---|---|---|
| Service delivery | Account, Google sign-in, Free quota, PRO features | Contract performance / pre-contractual measures (Art. 6(1)(b)) |
| Payments & licensing | License activation, txn verification, purchase communications | Contract (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c)) |
| Optional Cloud Backup | Saving/restoring configurations | Consent (Art. 6(1)(a)) / Requested feature delivery |
| Support | In-app messages / support requests | Contract (Art. 6(1)(b)) and legitimate interest (Art. 6(1)(f)) |
| Security & abuse prevention | Logs, device_id controls, antifraud | Legitimate interest (Art. 6(1)(f)) |
| Website analytics | Usage statistics (analytics cookies) | Consent (Art. 6(1)(a)) where required |
6. Recipients, processors and third-party services
We rely on third-party providers to operate the Service. Depending on the context, they may act as processors or independent controllers.
- Google: technical infrastructure (e.g., Apps Script, Sheets, email) and authentication (Google Sign-In).
- PayPal: payment processing and IPN notifications.
- User-selected AI providers (e.g., OpenAI, Google Gemini, Anthropic): process data sent directly from the user’s browser under their own policies.
- Notion / Obsidian (if configured): data export to user services on explicit request.
7. Transfers outside the EU/EEA
Some providers (e.g., Google, PayPal, AI providers) may process data outside the EU/EEA. Where applicable, transfers rely on GDPR safeguards (e.g., adequacy decisions, Standard Contractual Clauses, supplementary measures).
8. Data retention (prudent approach)
We retain data only for as long as necessary for the stated purposes. The timelines below are conservative and may be reduced when possible.
| Category | Retention | Notes |
|---|---|---|
| License & quota data (license_key, device_id, usage_count, etc.) | While the account/license is active; then up to 24 months for disputes/abuse prevention | Deletion upon request when compatible with legal obligations |
| Transaction data (txn_id, payer email, plan) | Up to 10 years if needed for accounting/tax obligations (e.g., receipts) | Typical timeframe for administrative compliance |
| Support messages | Up to 24 months | Support continuity and request history |
| Cloud backup (config incl. API keys/tokens if user includes them) | While the user keeps backup enabled; deletion upon request | Optional feature |
| Technical/operational logs | Up to 90 days | Security, debugging, technical audit |
| Temporary session tokens (token-to-license exchange) | Minutes/hours (single-use) | Automatically removed after use |
10. Security measures
- HTTPS encrypted communications.
- Data minimization and single-use session tokens.
- Anti-abuse controls (e.g., device_id and operational logs).
- Restricted admin access for management/security purposes only.
We recommend protecting your Google account, not sharing licenses, and revoking API keys or third-party tokens immediately if unauthorized use is suspected.
11. Data subject rights (Art. 15–22 GDPR)
You may exercise GDPR rights (access, rectification, deletion, restriction, portability, objection) by contacting saxgroup@saxgroup.it.
You also have the right to lodge a complaint with your competent supervisory authority (Italy: Garante per la protezione dei dati personali) or the relevant authority in your EU/EEA country.
12. Policy updates
We may update this Policy to reflect service or legal changes. The “Last updated” date indicates the most recent revision.
13. Contact
For privacy questions or GDPR requests: saxgroup@saxgroup.it.
AI Transparency & Data Flow Statement
YTube Transcript Pro uses Client-Side AI Processing and a BYOK architecture. AI requests are sent directly from the user’s browser to the selected provider and do not pass through our servers.
User → Browser → AI Provider (OpenAI / Gemini / Anthropic)
✖
YTube Transcript Pro ServersThe Service backend handles authentication, licensing, quota, support, and optional backup, but it is not used as an AI proxy.
- ✔ No server-side AI processing
- ✔ No systematic storage of prompts/outputs
- ✔ Users provide their own API keys (BYOK)
PRO tip (optional but powerful)
You can place this quick trust block under the AI section:
- ✔ No server-side AI processing
- ✔ No content storage
- ✔ Your Keys, Your Control
LEGAL-GRADE Appendix (almost Google audit-ready)
This appendix summarizes key Art. 13 GDPR items in a structured, audit-friendly format.
| Item | Details |
|---|---|
| Data Controller | Salvatore Natalello — saxgroup@saxgroup.it |
| Purposes | Service delivery, licensing/quota, support, optional backup, security, website analytics |
| Legal bases | Contract (Art. 6(1)(b)), consent (Art. 6(1)(a)), legal obligation (Art. 6(1)(c)), legitimate interest (Art. 6(1)(f)) |
| Data categories | Email, license data, device_id, support messages, optional backup, logs, PayPal transaction data, website analytics |
| Recipients | Google (infrastructure), PayPal (payments), user-selected AI providers and integrations |
| Transfers | Possible EU/EEA-external processing with GDPR safeguards where applicable |
| Retention | Prudent: logs 90 days; support 24 months; licenses while active + 24 months; transactions up to 10 years if needed; backup while enabled |
| Rights | Access, rectification, deletion, restriction, portability, objection; complaint to supervisory authority |
The Service is not an AI proxy: it does not receive or store AI prompts/outputs. AI requests occur between the user’s browser and the selected provider.