PRIVACY POLICY

// effective: 2026-03-20 | last_updated: 2026-03-20

1. WHAT WE COLLECT

  • AUTH: Email, name, avatar (from Google OAuth)
  • YOUTUBE: Channel ID, Shorts metadata, Analytics API data (read-only)
  • BILLING: Stripe customer ID, subscription status (Stripe handles payment details)
  • GENERATED: Diagnostic results, hook scores, AI-generated suggestions
  • TECHNICAL: IP address (rate limiting only, not stored), browser type

2. WHAT WE DO NOT COLLECT

  • Video content (we never download, store, or process actual video files)
  • Revenue or AdSense data
  • Private or unlisted video data
  • Viewer personal information
  • Payment card numbers (handled entirely by Stripe)

3. HOW WE USE YOUR DATA

  • Generate diagnostic reports (hook scores, verdicts, title rewrites, tag suggestions)
  • Compute advanced metrics (replay ratio, share rate, suppression risk, viral coefficient)
  • Track diagnostic history for performance comparison over time
  • Process billing and manage subscriptions via Stripe

We do not sell, rent, or share your data with third parties for marketing purposes.

4. THIRD-PARTY SERVICES

  • SUPABASE: Database and authentication (EU-Central-1, Frankfurt)
  • STRIPE: Payment processing (PCI DSS compliant)
  • OPENAI: AI analysis (data sent per-request, not used for training)
  • GOOGLE: YouTube API access (Google Privacy Policy)
  • VERCEL: Hosting and deployment (Vercel Privacy Policy)

5. DATA STORAGE & SECURITY

Data is stored in Supabase (PostgreSQL) with row-level security policies. Each user can only access their own data. All connections use TLS encryption. The database is hosted in EU-Central-1 (Frankfurt).

YouTube OAuth tokens are managed by Supabase Auth and stored encrypted. We use read-only OAuth scopes — the Service cannot modify your YouTube channel.

6. DATA RETENTION

  • Active accounts: data retained while subscription is active
  • Cancelled accounts: diagnostic data retained for 90 days, then permanently deleted
  • Deleted accounts: all data purged within 30 days of deletion request

7. YOUR RIGHTS

You have the right to:

  • Access all data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data
  • Export your diagnostic data in machine-readable format
  • Revoke YouTube API access at any time via Google Security Settings
  • Withdraw consent and close your account

For EU/EEA users: these rights are provided under GDPR. Legal basis for processing is consent (OAuth authorization) and contract performance (providing the diagnostic service).

8. COOKIES

Essential cookies only — authentication session cookies managed by Supabase. No tracking cookies, no advertising cookies, no third-party analytics cookies.

9. CHILDREN

The Service is not directed at children under 13. We do not knowingly collect data from children under 13. If you believe a child has provided us data, contact us for immediate deletion.

10. GOOGLE API DISCLOSURE

Vitals' use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

11. CHANGES

We may update this policy. Material changes will be communicated via email. Continued use after changes constitutes acceptance.

12. CONTACT

Privacy and data deletion requests: privacy@shortvitals.com