TubeSignalHQ

Legal

Privacy Policy

Effective date: 1 June 2025. Last updated: 9 June 2026.

1. Who we are

TubeSignalHQ ("we", "us", "our") is a software-as-a-service platform for YouTube creators. Our registered contact for privacy matters is support@tubesignalhq.com.

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we act as the **data controller** for your personal data under the General Data Protection Regulation (GDPR) and equivalent national laws. If you are located in California, USA, additional rights apply under the California Consumer Privacy Act (CCPA) — see Section 7.

2. What data we collect and why

**Account data** — your email address, display name, and optionally a profile picture from Google sign-in. Legal basis: contract performance.

**YouTube channel data (My Channel & Experience Risk)** — when you connect a YouTube channel via Google OAuth, we request read-only access using the following scopes: `youtube.readonly` (channel and video metadata), `yt-analytics.readonly` (performance analytics: views, watch time, CTR, impressions, traffic sources, audience retention), and `yt-analytics-monetary.readonly` (monetization data: estimated revenue, RPM, CPM). We do not request write access and cannot modify your channel, videos, or settings. Legal basis: contract performance.

**Video transcripts** — for Experience Risk analysis, we process and store video transcripts to detect topic repetition, authenticity signals, and audience fatigue patterns. Transcripts are sourced from publicly available YouTube caption data, stored in our database linked to your account, and deleted when you delete your account. Legal basis: contract performance.

**Audit inputs** — video titles, thumbnail images, opening hook text, and transcript excerpts you submit for packaging analysis. Thumbnails are stored in a private storage bucket accessible only to your account. Opening hook text and transcript excerpts are stored in our database linked to your account. All audit input data is deleted when you delete your account. Legal basis: contract performance.

**Production Calendar data** — content you create in the Production Calendar, including video titles, script outlines, thumbnail concepts, hook text, tags, scheduled publish dates, niche categories, notes, and workflow status (draft through published). This data is scoped to your account and not visible to other users. Legal basis: contract performance.

**Competitive intelligence data** — YouTube channel and video metadata for competitor channels you add to War Rooms. This data is sourced entirely from the public YouTube Data API and does not include any personal data of our users. Legal basis: contract performance.

**Automated analysis outputs** — scores, risk assessments, and diagnostic results produced by our analysis pipeline from the data you provide. Legal basis: contract performance.

**Billing data** — subscription plan, billing interval (monthly or annual), billing period dates, and subscription status. We store Stripe customer and subscription identifiers to manage your subscription. We never see, receive, or store your card number or bank details — payment processing is handled entirely by Stripe. Legal basis: contract performance and legal obligation.

**Registration and waitlist data** — if you join our waitlist or request early access, we collect your name, email address, YouTube channel name and URL, and content niche. This information is used solely to process your access request and notify you when access is available. Legal basis: consent. You may withdraw at any time by emailing support@tubesignalhq.com.

**Analytics and behaviour data** — page views, feature interactions, and in-product events (e.g. audit submitted, plan upgraded) collected via Google Analytics 4 and PostHog. Used to understand how the Service is used and to improve it. Legal basis: legitimate interests (see Section 7).

**Technical data** — standard server logs (IP address, browser type, referring URL) retained for security and debugging. Error reports are processed through Sentry (see Section 4). Legal basis: legitimate interests.

We do not sell, rent, or share your personal data with third parties for marketing purposes.

3. Third-party processors

We share data only with processors that support the operation of the Service:

| Processor | Purpose | Location | DPA | |---|---|---|---| | Supabase | Database and file storage | EU (Frankfurt) | Signed | | Stripe | Payment processing | United States | Signed | | Vercel | Hosting and CDN | United States | Signed | | Resend | Transactional email delivery | United States | Signed | | Sentry | Error monitoring | United States | Signed | | PostHog | Product analytics | United States / EU | Signed | | Google Analytics 4 | Usage analytics | United States | Google DPA | | Google (YouTube Data API) | Channel and video data | United States | Google standard terms |

Transfers to processors outside the EEA are governed by the EU Standard Contractual Clauses (SCCs) or an equivalent transfer mechanism.

4. Data retention

Your data is retained for as long as your account is active. When you delete your account:

  • All personal data, channel data, audits, war rooms, experience risk records, and calendar events are permanently and immediately deleted.
  • Stripe retains billing records as required by financial regulations (typically 7 years) — this is outside our control.
  • Analytics events in GA4 and PostHog are anonymised or deleted within 90 days.
  • Server logs are deleted within 90 days.
  • Error reports in Sentry are purged within 30 days of account deletion upon request.

5. Your rights — EEA, UK, and Switzerland (GDPR)

If you are located in the EEA, UK, or Switzerland, you have the following rights:

**Right of access (Art. 15)** — request a copy of all personal data we hold about you. Email support@tubesignalhq.com.

**Right to erasure (Art. 17)** — request deletion of your account and all associated data. Use the "Delete account" option in Settings, or email support@tubesignalhq.com. Deletion via Settings is immediate; requests by email are completed within 30 days.

**Right to data portability (Art. 20)** — receive your personal data in a machine-readable format. Email support@tubesignalhq.com.

**Right to rectification (Art. 16)** — correct inaccurate personal data. Update your profile in Settings or email support@tubesignalhq.com.

**Right to object (Art. 21)** — object to processing based on legitimate interests, including analytics tracking. Email support@tubesignalhq.com.

**Right to restrict processing (Art. 18)** — request that we suspend processing in certain circumstances. Email support@tubesignalhq.com.

**Right to withdraw consent** — where processing is based on consent (e.g. waitlist registration), you may withdraw at any time without affecting the lawfulness of prior processing.

**Right to lodge a complaint** — you have the right to complain to your local supervisory authority (e.g. the ICO in the UK, or your national DPA in the EU) if you believe we have mishandled your data.

We will respond to all rights requests within **30 days**.

6. Cookies and analytics

We use the following cookies and tracking technologies:

**Strictly necessary — no consent required**

A session authentication cookie set by Supabase Auth is required for you to stay logged in. This cookie is essential and cannot be disabled without breaking the Service.

**Analytics and performance — legitimate interests**

  • **Google Analytics 4** (cookies: `_ga`, `_gid`, `_ga_*`) — measures page views, feature usage, and conversion events. Data is sent to Google servers in the United States under Google's Data Processing Amendment.
  • **PostHog** (cookies: `ph_*`) — product analytics to understand feature usage patterns and user flows within the application. PostHog is not initialised when your browser has Do Not Track enabled.

**Opting out of analytics**

You can opt out at any time by: - Installing the [Google Analytics Opt-out Browser Add-on](https://tools.google.com/dlpage/gaoptout) for GA4. - Enabling "Do Not Track" in your browser settings (PostHog will not initialise when DNT is active). - Emailing support@tubesignalhq.com to request account-level analytics opt-out.

We do not use advertising cookies or cross-site behavioural tracking cookies.

7. California residents — CCPA / CPRA

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

**Right to know** — you may request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, the business purposes, and the third parties with whom we share it.

**Right to delete** — you may request deletion of personal information we have collected from you, subject to certain legal exceptions.

**Right to correct** — you may request correction of inaccurate personal information we hold about you.

**Right to opt out of sale or sharing** — we do not sell your personal information and do not share it for cross-context behavioural advertising.

**Right to limit use of sensitive personal information** — we do not use sensitive personal information beyond what is necessary to provide the Service.

**Right to non-discrimination** — we will not discriminate against you for exercising any of your CCPA rights.

To exercise your California rights, email support@tubesignalhq.com with "California Privacy Request" in the subject line. We will respond within 45 days, with a possible 45-day extension where permitted by law.

8. Children

The Service is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you become aware that a child has provided us with personal data, please contact support@tubesignalhq.com and we will delete it promptly.

9. Security

Data is stored in Supabase (PostgreSQL) with row-level security policies enforced at the database level. File storage uses private buckets inaccessible to other users. All data in transit is encrypted via TLS 1.2+. Access to production systems is restricted to authorised personnel under the principle of least privilege. We conduct regular security reviews and address critical vulnerabilities promptly.

10. Changes to this policy

We may update this policy from time to time. Material changes will be communicated via email or an in-app notice at least 14 days before they take effect. The effective date at the top of this page will always reflect the most recent version.

11. Contact

For all privacy questions, data requests, or complaints:

**Email:** support@tubesignalhq.com

We aim to respond within 5 business days and will always complete substantive requests within 30 days.