Privacy Policy

1. Information We Collect

When you sign in with Google, we receive your name, email address, and profile picture via Google OAuth. We do not store your Google password.

When you connect your YouTube account, we receive an OAuth access token scoped to read and update your YouTube video metadata (titles and descriptions). We do not store this token — it is held in memory for the duration of your session only.

We store your account information (name, email), credit balance, and translation history in our database to provide the service.

2. How We Use Your Information

• To authenticate you and identify your account.
• To fetch your YouTube channel and video metadata so you can select content for translation.
• To write translated titles and descriptions back to your YouTube videos when you request it.
• To manage your credit balance and process payments.
• To send transactional emails related to purchases (via Stripe).

3. Sharing and Disclosure of Google User Data

We do not sell, rent, or trade your Google user data. We disclose Google user data only to the following third parties, and only to the extent necessary to operate the service:

• Amazon Web Services (AWS) — Your account information (name and email address obtained from Google OAuth) and translation history are stored in AWS DynamoDB (us-east-1 region). AWS acts as our infrastructure provider and processes this data solely on our behalf.
• Power AI (translation engine) — When you request a translation, the YouTube video titles and descriptions you selected are transmitted to Power AI to generate translated text. We do not include your name, email, or any other Google account identifiers in these requests. Your YouTube OAuth token is never shared with Power AI.
• Stripe — To process credit purchases, Stripe receives your email address to issue payment receipts. No YouTube data or Google OAuth tokens are shared with Stripe. Stripe handles all payment card data under its own PCI DSS compliance program.
• Google / YouTube Data API — Translated metadata is written back to your YouTube videos through the YouTube Data API using the OAuth token you granted. This token is used exclusively for reading your channel/video data and writing translations you explicitly request.

We do not share Google user data with any advertising networks, analytics providers, or other third parties beyond those listed above.

4. Data Security and Protection

We apply the following technical and organisational measures to protect sensitive data:

• Encryption in transit — All communication between your browser, our API, and third-party services is encrypted using TLS (HTTPS). We do not support unencrypted HTTP connections.
• Encryption at rest — Account data stored in AWS DynamoDB is encrypted at rest using AWS-managed keys (AES-256).
• OAuth token handling — Your YouTube OAuth access token is never written to our database. It is held only in server-side memory for the lifetime of a single request, then discarded. Session tokens on the client side are stored in sessionStorage (cleared when the browser tab closes) rather than persistent storage.
• Least-privilege access — AWS Lambda functions and IAM roles are scoped to the minimum permissions required for each operation. No component has unrestricted access to the database or other services.
• No password storage — Authentication is handled entirely via Google OAuth and AWS Cognito. We never receive or store your Google password.
• Payment security — Credit card data is processed exclusively by Stripe and never passes through our servers. Stripe is PCI DSS Level 1 certified.

5. Data Retention

We retain your account and credit balance data for as long as your account is active. Translation history records expire automatically after 90 days. You may request deletion of your account and all associated data at any time by contacting us.

6. YouTube API Services

YubiLingo uses YouTube API Services. By using our service, you also agree to the YouTube Terms of Service. Google's Privacy Policy is available at https://www.google.com/policies/privacy.

You can revoke YubiLingo's access to your Google account at any time via Google Security Settings.

7. Cookies and Local Storage

We use browser localStorage and sessionStorage to store your authentication tokens and UI preferences (such as preferred translation languages). We do not use third-party tracking cookies.

8. Your Rights

You have the right to access, correct, or delete your personal data. To exercise these rights, contact us at [email protected].

9. Changes to This Policy

We may update this policy from time to time. We will notify you of significant changes by updating the date at the top of this page. Continued use of the service after changes constitutes acceptance.

10. Contact

For privacy-related questions, contact us at [email protected].