Privacy Policy
Last updated: June 05, 2026
This page explains what data we collect, why, where it lives, and what your rights are. If anything is unclear, reach us via our contact page.
1. What we collect
We collect only the minimum needed to provide the service:
- Account info — email address and a hashed password (see section 2). Required to save your processed videos and vocabulary.
- Content you process — the YouTube URLs you submit, the resulting study documents (PDF, Word, flashcards, Anki CSV), and the vocabulary added to your library.
- Usage info — basic logs of your activity (which routes you hit, processing job timestamps) to help us debug and prevent abuse.
- Cookies — a single session cookie used to keep you logged in. No third-party tracking, no analytics cookies.
- Feedback you submit — ratings, free-text messages, and the email you optionally provide so we can reply.
2. Passwords
We never store your password in readable form. We use industry-standard bcrypt hashing with a unique random salt per user. This means:
- Even our team cannot retrieve your password — only reset it.
- If our database were ever exposed, your password could not be recovered from the stored hash by any practical means.
- Forgot your password? Use the reset link on the sign-in page. We email you a one-time link valid for 1 hour. Once you set a new password, the old hash is overwritten.
Your password is never logged, never sent in email, and never shared with any third party.
3. Where data is processed
To deliver the service we send some of your content to third-party providers. Each has its own privacy policy and terms — we use them under their data-processing agreements.
- AI language-model provider (USA) — receives the YouTube transcript text to generate vocabulary, summaries, and definitions. Under our agreement, prompts and responses are not used to train their models.
- Transcript provider (UK/EU) — fetches the YouTube transcript on our behalf using your submitted URL.
- File-storage provider — stores the generated PDFs, Word docs, flashcards, and CSV files so you can re-download from anywhere.
- Email provider (USA/EU) — sends transactional emails (welcome, password reset, vocabulary-share notifications). Email content is not retained beyond delivery.
- Hosting provider — hosts the application servers and the PostgreSQL database holding your account.
We do not sell or share your data with anyone outside of the providers above. The specific providers we use may change as the service evolves; we will keep this list current. You may request the names of our current sub-processors at any time via our contact page.
4. How long we keep your data
- Account data — kept while your account is active.
- Processed videos and vocabulary — kept while your account is active. Deleted entries are removed immediately from the database; backup copies may persist for up to 30 days.
- Usage logs — automatically rotated and discarded within 30 days.
- If you delete your account, all personal data is removed within 30 days.
5. Your rights
If you live in the EU, EEA, UK, or Switzerland, GDPR (and equivalents) gives you the right to:
- Access a copy of your personal data.
- Correct inaccurate data.
- Delete your account and associated data.
- Export your vocabulary library and processed videos in a machine-readable format.
- Object to certain types of processing.
- Withdraw consent at any time (e.g., for marketing emails — though we currently send only transactional emails).
To exercise any of these rights, reach us via our contact page. We respond within 30 days.
6. Cookies
We use a single essential cookie called "session" to keep you logged in across page loads (90-day duration). This cookie is required for the service to work and is exempt from cookie-consent requirements under EU law. We do not use third-party analytics, advertising, or tracking cookies.
7. Children
Aftertape is not intended for users under 16 in the EU, or under 13 elsewhere. We do not knowingly collect data from children. If you believe a child has created an account, contact us and we will remove the account.
8. Security
We take reasonable steps to protect your data, including:
- HTTPS everywhere — all traffic between your browser and our servers is encrypted.
- Bcrypt-hashed passwords with per-user salts (see section 2).
- Rate limiting to prevent brute-force login attempts.
- Standard security headers (CSP, HSTS, X-Frame-Options) on every response.
- Database backups encrypted at rest by our hosting provider.
No system is 100% secure. If you suspect a breach affecting your account, change your password immediately and email us.
9. Changes to this policy
If we make material changes to how we handle your data, we'll update this page and notify registered users by email at least 14 days before the changes take effect. The "Last updated" date at the top of the page always reflects the most recent revision.
10. Contact
Questions, complaints, or data requests: reach us via our contact page.
See also our Terms of Service.