Privacy & legal

Privacy Policy

YouTube AI Summarizer — how we handle data. v2 offers optional managed AI (Google sign-in + our Supabase backend) alongside bring-your-own-key (BYOK). We do not run ads or analytics telemetry in the extension.

Last updated · April 17, 2026 · Extension v2.0.1

  • No ads, no telemetry: The extension ships without analytics SDKs, tracking pixels, or cross-site profiling.
  • Keys stay local (BYOK): Your API keys are obfuscated in chrome.storage. We never receive them.
  • Transparent by design: Network calls only fire when you click a feature — Summary, Chat, or Podcast.
  • Open-source client: Client code is MIT-licensed on GitHub — audit the exact bytes that ship.

0 Operating modes

You choose how AI requests are made. You can use BYOK without signing in, or use managed AI without BYOK keys, subject to credits and plan limits.

BYOK — Bring your own key (Local-first)
  • Transcripts and prompts are sent directly from your browser to AI hosts you enabled (Groq, Ollama Cloud, Google Gemini for TTS).
  • Your API keys live in chrome.storage.local (obfuscated) — the publisher never receives them.
  • No Google sign-in, no server-side account, no Stripe.
Managed AI — Optional (Account required)
  • Sign in with Google via Supabase Auth to get free credits.
  • Transcript excerpts are processed by Edge Functions that call server-side AI (DeepSeek / Gemini) with publisher-held keys.
  • Stripe handles optional paid plans only when you open a checkout link.

1 Data we access

  • YouTube transcripts — Captions for the video on the tab you are viewing are read only when you start a summary, chat, or podcast flow. We do not scrape unrelated pages.
  • BYOK: your API keys (Groq, Ollama Cloud, Google Gemini for TTS) — Stored locally in the extension (obfuscated). Used only to authenticate to those providers when you use BYOK.
  • Managed AI: Google account — If you sign in, Supabase receives standard OAuth tokens from Google. We use Google’s identifiers to create your app account. We do not receive your Google password.
  • Device identifier for abuse prevention — For managed sign-in, the extension derives a browser/device fingerprint (FingerprintJS-based) and a persistent local ID (chrome.storage.local). A fingerprint value is sent to our backend during auth registration so we can limit free-tier abuse (e.g. many accounts on one device). This is not used for advertising.
  • Extension preferences — Provider, model, language, cache toggles, theme, and similar settings. Stored locally; some flags also affect which network paths run (BYOK vs managed).

2 How data is used

BYOK path

  • Summaries — Transcript text is sent to your chosen AI provider (Groq or Ollama Cloud) to generate summary, key points, and detailed analysis. Responses return to your browser.
  • Chat — Your messages, transcript context, and recent conversation history go to that same provider. The extension publisher does not proxy those requests.
  • Podcast — A generated script may be sent to Google Gemini TTS (using your key when in BYOK mode) to produce audio, played in the browser and optionally cached locally.
  • API keys — Used only to authenticate to the vendors you configured. They are not sent to the extension author.

Managed AI path

  • Auth & credits — Your session JWT and fingerprint are sent to Supabase Edge Functions (e.g. auth-callback, check-credits) to create/update your account, enforce free-tier and Pro limits, and return checkout links when applicable.
  • Summaries & chat — When you run managed AI, transcript excerpts and prompts are sent to our Edge Function summarize, which calls server-side AI providers (DeepSeek and Google Gemini as configured) using keys held on the server, not your BYOK keys. Results return to your browser.
  • Billing — If you subscribe, Stripe processes payment; we store subscription status in our database as needed to unlock Pro features. Opening checkout uses Stripe-hosted pages (and may set Stripe cookies under their domain).

We do not use your data for advertising or sell personal information. We do not collect your full browsing history. For managed users, account email and usage metadata may exist on Supabase as described above; IP addresses may appear in standard service logs per Supabase/Stripe/provider policies.

3 Storage & retention

On your device — Settings, optional caches, BYOK keys (obfuscated), OAuth session tokens, persistent device id, and fingerprint cache use Chrome’s chrome.storage.local / session APIs as applicable. BYOK secrets are not uploaded to our servers.

  • Summaries: optional LRU cache (max 20 videos)
  • Transcripts: optional; off by default
  • BYOK keys: obfuscated locally
  • Chat (BYOK): in-memory for the current page session
  • Managed: Supabase session in local storage

On our backend (managed users only) — Supabase may store account row (e.g. credits, subscription flags), device fingerprint associations for abuse prevention, and usage records needed to enforce limits. Retention follows operational need and provider capabilities; contact us for deletion requests (see §7).

Clear local cache anytime via the panel trash control or Clear Cache in extension settings. Sign out clears the managed session from the extension. Uninstalling the extension removes extension storage on that browser profile.

4 Third-party services

Always declared in the extension (see §6) — network calls only happen when you use a feature that needs them.

BYOK AI vendors

Managed AI & billing

  • Supabase — Auth, PostgreSQL, and Edge Functions for our project (smvnsfznxctkegjbckmt.supabase.co, as declared in the manifest). Supabase privacy
  • Google — Google OAuth when you choose managed sign-in. Google privacy policy
  • Stripe — Payments and Customer Portal when you upgrade. Stripe privacy
  • DeepSeek — Server-side text generation for managed summaries/chat when our Edge Function calls their API. See DeepSeek’s current privacy terms on deepseek.com.
  • Google Gemini — Also used from our servers for parts of managed generation/TTS per deployment configuration.

We do not embed analytics SDKs, ads, or cross-site trackers in the extension.

5 Data sharing

We do not sell your personal information and do not share it for advertising or profiling.

Data leaves your device when you use a feature: (a) BYOK — direct calls to AI vendors you configured; (b) Managed AI — calls to our Supabase Edge Functions and, from there, to AI/billing providers as needed to perform the service.

6 Permissions

Chrome extension permissions

  • storage — settings, session, keys, caches locally
  • activeTab — access the current tab when you use the extension
  • identity — Google OAuth redirect for Supabase sign-in (managed AI)

Host access (declared in the manifest)

  • youtube.com / youtu.be
  • api.groq.com
  • ollama.com
  • generativelanguage.googleapis.com
  • *.supabase.co (project API + Auth)

Checkout and Customer Portal links open in the browser under Stripe’s domain (not listed as a static host permission because links are created at runtime from your account/checkout configuration).

7 Your rights

  • Delete cached content and reset options from the extension UI; use Sign out for managed AI.
  • BYOK: Revoke Groq keys at console.groq.com/keys; Ollama at ollama.com/settings/keys; Gemini at aistudio.google.com/apikey.
  • Google (managed): Remove the app’s access from your Google Account security settings if you wish to disconnect OAuth.
  • Stripe: Manage payment methods and invoices via the Customer Portal link shown in the extension when available, or Stripe’s account email flows.
  • Remove the extension to delete its local stored data from your browser profile.
  • For copies, correction, or deletion of server-side managed account data where applicable, contact us (§10) and we will assist within reasonable limits and provider tools.

8 Children’s privacy

The extension is not directed at children under 13. We do not knowingly collect personal information from children. If you believe a child has disclosed data in a way that concerns you, contact us (below).

9 Compliance & safety

Open-source extension codebase (MIT) — you can review client behavior on GitHub. Server-side Edge Function source lives in the same repository under backend/supabase/functions for transparency of managed-AI flows (deployment config and secrets are not in the repo).

The extension does not ship analytics or ads. Diagnostic messages may appear in the browser extension context (e.g. console) when something fails; they are not used for cross-site tracking.

When this policy changes, we update the Last updated date above. Continued use after an update means you accept the revised policy.

10 Contact

Questions about this policy or the extension: