Privacy Policy

1. Data Controller

The data controller within the meaning of the GDPR is:

A data protection officer is not required.

2. What this website does NOT do

Our website and Chrome extension are explicitly designed with data minimization in mind:

• No advertising tracking: We do not use Google Analytics, Facebook Pixel, or advertising cookies.
• No own backend: We do not operate a server that stores your transcripts or usage data. Processing of your YouTube transcript is carried out by the AI provider you choose (e.g. OpenAI) — more in section 4.
• No profiling: We do not create user profiles.
• No sharing with advertising networks: We do not sell or share data with advertising or data brokers.

3. What the Chrome extension stores locally

The extension stores the following items in your browser via the Chrome Storage API (chrome.storage.local):

• Your selected prompt preset (e.g. "Executive Summary")
• A usage counter for the Free Tier limit (3 videos per 7 days)
• Your Pro status after purchase via Lemon Squeezy — including the license key, which is stored in plain text. This is the Chrome-extension standard: chrome.storage.local is sandboxed per extension and not accessible to web pages or other extensions.
• A random install ID (UUID) generated on first run. It never leaves your device in its raw form — only a SHA-256-truncated 8-byte hash of it is attached to anonymous Plausible analytics events (see section 7).
• A device-name string in the format "Chrome on Windows · <8-hex>", built from the browser name, the OS family and a random 8-hex suffix. It is sent once to Lemon Squeezy via our Supabase backend on license activation to occupy a single "device slot" so the per-license device limit works (see section 8a). It contains no account name, no MAC address and no hardware identifier.
• Optional custom prompts that you set yourself
• Optional usage history of recently processed videos (title + URL, no content) — can be disabled at any time
• A small error bucket holding the most recent anonymized error fingerprints, batched into error telemetry events (only if telemetry is enabled)

Apart from the items explicitly described above (license key, install-ID hash, device-name), none of this data leaves your browser. Upon uninstalling the extension, the local storage is automatically deleted.

4. Processing by your selected AI provider (third-country transfer)

Important to know: The core function of the extension is to pass the YouTube-provided transcript of a video to the AI you have selected (ChatGPT by default — see section 5 for the full list). Once you trigger the action button, the transcript is transmitted directly from your browser to that provider and processed there.

Most of these providers are based outside the EU (USA in particular). This typically constitutes a third-country transfer within the meaning of Art. 44 et seq. GDPR. The U.S.-based providers we currently support (OpenAI, Anthropic, Google, xAI, Perplexity, DeepSeek) operate under either the EU-U.S. Data Privacy Framework (adequacy decision of the EU Commission of July 10, 2023, Art. 45 GDPR) and/or Standard Contractual Clauses (Art. 46 GDPR). Section 5 lists the controllers and their privacy policies in detail.

Legal basis for the transfer is Art. 6(1)(b) GDPR (contract performance — you installed the extension for exactly this purpose) as well as your specific trigger action per video (clicking the button).

We technically have no knowledge of which video you process or what content is transmitted. The transfer occurs directly from your browser to the AI provider — without intermediate storage on our systems.

You can avoid processing at any time by simply not clicking the button. Each provider's privacy policy is linked in section 5.

5. Optional additional AI providers

Besides ChatGPT (default), the extension allows you to select another AI as the delivery target. When you choose one, your prompt + cleaned transcript is delivered to a tab on that provider's website on the same principles as described in section 4 (in-browser, under your account, no relay through our servers). Supported targets are:

• Anthropic, PBC — claude.ai (USA; EU-U.S. Data Privacy Framework / SCCs apply)
• Google LLC — gemini.google.com (USA; EU-U.S. Data Privacy Framework)
• xAI Corp. — grok.com (USA)
• DeepSeek — chat.deepseek.com (operated from outside the EU/USA — please review their policy carefully before using)
• Perplexity AI, Inc. — www.perplexity.ai (USA)

Each provider is an independent data controller once the prompt enters their tab. Their privacy policies apply. You can switch the target — or set a custom URL — at any time in the extension's settings.

6. Hosting by Vercel (third-country transfer to USA)

This website is hosted by:

When the page is accessed, Vercel automatically processes server log data:

• Truncated IP address
• Date and time of access
• URL accessed
• Browser and operating system used (User-Agent)
• Referrer URL

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the secure and stable provision of the website).

Storage duration: maximum 14 days in server logs.

Third-country transfer: Vercel processes data in the USA. Vercel is certified under the EU-U.S. Data Privacy Framework; this ensures an adequate level of data protection within the meaning of Art. 45 GDPR. Additionally, a data processing agreement (standard contractual clauses pursuant to Art. 46 GDPR) has been concluded.

Vercel's privacy policy: vercel.com/legal/privacy-policy

7. Plausible Analytics (cookie-free product telemetry)

The Chrome extension sends anonymous product-usage events to Plausible Insights OÜ (Västriku tn 2, 50403 Tartu, Estonia) via the endpoint https://plausible.io/api/event. Plausible

• sets no cookies and no local storage entries
• creates no user profiles and does no cross-site tracking
• stores no IP addresses — they are only used in transit for a daily rotating hash
• is hosted in the European Union (no third-country transfer)

Data sent per event (all small, all non-PII):

• the event name
• the extension version
• a hashed install ID (the install_id UUID from section 3, SHA-256-truncated to 8 bytes — not reversible to the original UUID)
• the AI target you selected (e.g. chatgpt, claude)
• the prompt preset key (e.g. executive_summary)
• the UI language code
• for error events: a short anonymized error fingerprint

Significant events tracked: install, update, license_activated, payment_completed, payment_refunded, payment_checkout_opened, panel_trigger, quota_blocked, inject_success, inject_failed, error.

Opt-out: open the extension's settings and toggle "Disable anonymous usage analytics". The flag is honored immediately and persists across updates. No events are sent while the flag is on.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in measuring product usage at an aggregate level). Given the absence of cookies, IP retention and profiling, this interest is not outweighed by your rights and freedoms.

Plausible's privacy policy: plausible.io/privacy

Note on the website itself: this website does not currently use any analytics — only the Vercel server logs described in section 6.

7a. Supabase (license backend, third-country transfer)

To keep the Lemon Squeezy API key out of the public extension bundle, license activation and validation go through Edge Functions we operate on Supabase. The Chrome extension calls these endpoints:

• https://gnpjuxclcdrldnwoyulc.supabase.co/functions/v1/activate-license — first-time activation when you paste your license key
• https://gnpjuxclcdrldnwoyulc.supabase.co/functions/v1/validate-license — periodic status checks (refund / disable detection)
• https://gnpjuxclcdrldnwoyulc.supabase.co/functions/v1/get-checkout-url — fetches the current Lemon Squeezy checkout URL

Data sent to Supabase: your license key, the LemonSqueezy instance_id returned on first activation, and the device-name string described in section 3. No IP-level data is retained on our side; Supabase Edge Functions may log request metadata briefly for abuse / error monitoring.

Processor:

The Supabase project for this extension is hosted in the European Union. A data processing agreement (standard contractual clauses pursuant to Art. 46 GDPR) is in place. Supabase's privacy policy: supabase.com/privacy.

Legal basis: Art. 6(1)(b) GDPR (license enforcement is part of the paid contract).

8. Payment processing via Lemon Squeezy (Merchant of Record)

When you purchase the Yearly subscription, payment processing is handled by

Lemon Squeezy acts as the "Merchant of Record" and is itself the data controller within the meaning of Art. 4 No. 7 GDPR, processing the payment transaction on its own responsibility. Data collected includes:

• Name and email address
• Payment data (credit card/PayPal data — these are passed to the respective payment service providers, not stored by Lemon Squeezy)
• Billing and tax address for calculation of applicable taxes
• IP address and browser data for fraud prevention

Legal basis: Art. 6(1)(b) GDPR (contract performance).

Third-country transfer: Lemon Squeezy processes data in the USA. Standard contractual clauses pursuant to Art. 46 GDPR and DPF certification of subsidiary structures apply, where applicable.

Lemon Squeezy transmits to the Provider (Luis Ens) only name, email address, purchase date and license key ID for provision of the software license. Payment details (credit card etc.) are never received by the Provider.

Lemon Squeezy's privacy policy: lemonsqueezy.com/legal/privacy

9. Newsletter via Buttondown (optional, third-country transfer to USA)

If you sign up for our newsletter, we store your email address to send product updates and occasional tips.

Sending and address management is handled by

Legal basis: Art. 6(1)(a) GDPR (your explicit consent by signing up).

Third-country transfer: Data processing takes place in the USA. A data processing agreement with standard contractual clauses pursuant to Art. 46 GDPR has been concluded with Buttondown.

Storage duration: Until revocation of your consent. You can unsubscribe at any time via the unsubscribe link at the bottom of any newsletter email — the address will then be promptly deleted.

Buttondown's privacy policy: buttondown.com/privacy

10. Email contact

If you contact us by email at support@ai-transcriptor.com, your details will be stored for processing the inquiry and any follow-up questions. Legal basis: Art. 6(1)(b) or (f) GDPR. We do not pass this data on without your consent. Storage duration: as long as the matter requires clarification, maximum 3 years.

11. Your rights as a data subject

Under GDPR you have the following rights:

• Access (Art. 15 GDPR) — which data about you is being processed
• Rectification (Art. 16 GDPR) — in case of inaccurate data
• Erasure (Art. 17 GDPR) — "right to be forgotten"
• Restriction of processing (Art. 18 GDPR)
• Data portability (Art. 20 GDPR)
• Objection (Art. 21 GDPR) — against processing based on Art. 6(1)(f)
• Withdrawal of consent (Art. 7(3) GDPR) — e.g. newsletter unsubscribe

To exercise your rights simply write to us at support@ai-transcriptor.com.

12. Right to lodge a complaint with a supervisory authority

You have the right under Art. 77 GDPR to lodge a complaint with a data protection supervisory authority. The authority responsible for us is:

13. Changes to this Privacy Policy

We reserve the right to adapt this policy when features or legal requirements change. The current version is always available at this URL. Significant changes affecting your rights will be actively communicated (e.g. by email to existing customers).