Privacy Policy

Last updated: July 12, 2026

1. What we collect

We collect the minimum data needed to run the Service:

  • Account data: email address, name (optional), password hash (bcrypt), or Google account ID if you sign in with Google.
  • Content data: YouTube URLs you submit, audio/video files you upload, the derivative transcripts and summaries we generate, the chunks and embeddings we use for search and chat.
  • Subscription data: Stripe customer ID, subscription tier, subscription status, period dates. Card numbers are stored only by Stripe — we never see them.
  • Usage data: anonymized event logs (page views, button clicks) via PostHog. IP addresses are stored only transiently for rate-limiting.
  • Integrations: Notion integration secret and database ID (if you connect Notion); Discord webhook URL (if you connect Discord); Google OAuth tokens and IDs of Google Docs created by VidBrief (if you connect Google Drive). These are stored encrypted at rest.

2. How we use it

  • Operate the Service: process videos, run AI summaries, build your personal knowledge base.
  • Provide account support and notifications (welcome email, payment-failed reminders, channel-subscription alerts).
  • Bill for paid subscriptions via Stripe.
  • Aggregate anonymized usage analytics to improve the product. We do not sell personal data.

3. Who we share data with

We use a small set of subprocessors, each with their own security commitments:

  • Vercel — hosting & serverless functions (US data center).
  • Neon — Postgres database (US-East).
  • Stripe — payment processing.
  • Resend — transactional email.
  • PostHog — product analytics (US-hosted; events are pseudonymized).
  • DashScope (Alibaba) — Paraformer audio transcription and embedding model. Audio is sent transiently and not retained by DashScope per their API terms.
  • DeepSeek — LLM for summary, outline, and chat. Transcripts are sent transiently.
  • Anthropic / OpenAI — optional LLM providers used in some code paths.
  • YouTube — public video metadata and captions are fetched via YouTube's public endpoints.
  • Google Drive and Google Docs — optional export destination. VidBrief requests the narrow drive.file permission and can access only files it creates or that you explicitly share with it.

We never sell your data. We disclose data only when legally required by valid court order.

4. Cookies

We use a session cookie for authentication (set by NextAuth) and a small set of first-party analytics cookies via PostHog to count visits and feature usage. We do not use third-party advertising cookies.

5. Chrome extension

The VidBrief Chrome extension runs only on YouTube watch pages. It reads the current YouTube video ID and title so it can request a summary, show an outline, and seek the player when you click a timestamp. It does not read unrelated browsing history, form entries, private messages, or pages outside its declared YouTube scope.

Connecting the extension opens a VidBrief authorization page. After you approve, the extension stores a revocable session token in Chrome extension storage; it never receives or stores your password. Requests, selected video URLs, chat questions, and generated answers are sent to VidBrief over HTTPS to provide the features you request. We do not use extension data for advertising or sell it to third parties.

6. Your rights

  • Access — see every video, transcript, and summary tied to your account from your dashboard.
  • Export — download any summary as Markdown / push to your own Notion / Obsidian.
  • Delete — permanently delete your account and account-linked content from the mobile app. You may also contact us for assistance; required accounting records are anonymized or retained only as required by law.
  • EU/UK residents (GDPR) — you also have rights to rectification, portability, and to lodge a complaint with a supervisory authority.

7. Data retention

Account-linked data is retained while your account is active. If you cancel and the account is unused for 6 months, we may delete inactive data after notice. Backup snapshots are rolled-over within 30 days.

8. Security

Data is encrypted in transit (TLS 1.2+) and at rest (Neon AES-256). Passwords are hashed with bcrypt. Third-party tokens (Notion, Discord) are encrypted in the database. We follow least-privilege access for production credentials.

9. Children

The Service is not directed at children under 13. We don't knowingly collect their data.

10. Changes

Material changes to this policy will be announced via email or an in-app notice at least 14 days before they take effect.

11. Contact

Questions or privacy requests: contact@zczy318.com.

See also: Terms of Service.