Privacy
policy.

Data we collect

• Account info: email, full name, password (bcrypt hash — we never see the plaintext)
• Usage data: keywords you've searched, video IDs you've analyzed, A/B test results
• YouTube OAuth data: info about your connected channel and an encrypted refresh token (AES-256-GCM)
• Payment data: order amount, plan, transaction ID. We never see or store card numbers — payment processors handle that
• AI inputs: the title/description/script text you submit to AI tools (sent to OpenAI or Anthropic for processing — see Section 3)
• IP address: kept for brute-force protection and session management (auto-deleted after 90 days)
• Browser fingerprint: User-Agent string only — for session validation
• Extension passive discovery data (anonymous): When you browse YouTube with the Vidlens extension installed, we capture publicly visible metadata from video cards that already appear on your screen (video ID, title, channel name, view count, age, duration). This data is stored without any link to your account or identity — it is aggregated to build a community-powered viral video and keyword ranking database. We do not record your browsing history, watch time, or any private YouTube activity. You can disable this in the extension's options page at any time.
• Search result ranking (anonymous): On YouTube search result pages, we capture which video IDs appear at which positions for a given query. Again, no user link — only the public ranking snapshot. This powers our keyword rank tracking and SEO tools.

How we use your data

• To provide the service (video analysis, keyword search, competitor tracking)
• To secure your account (login attempts, suspicious activity detection)
• To send transactional emails (password reset, payment confirmation, plan expiry)
• To generate anonymous, aggregate statistics for product improvement
• To comply with legal obligations (tax records, law enforcement requests)

We do not use your data for advertising, profiling, or sale to third parties.

Third-party services

We never sell your data. It is shared only with essential service providers, each operating under their own privacy policy:

• YouTube API Services (Google LLC) — Vidlens uses YouTube API Services to fetch public video data and, with your explicit OAuth consent, your own connected channel's data. By using Vidlens you agree to the YouTube Terms of Service. Data obtained via the YouTube API is handled in accordance with the Google Privacy Policy. We never combine YouTube API data with data from other sources in a displayed metric without clearly labeling the difference. Vidlens does not store YouTube API Data for more than 30 days unless you have explicitly authorized us to retain it (e.g., your saved keyword tracking lists). You can revoke our access at any time via your Google Account permissions page (myaccount.google.com/permissions); we delete the corresponding stored data within 7 calendar days of revocation. Any non-API derived metric (Vidlens SEO score, CTR prediction, AI suggestions, outlier flags) is clearly labeled "Vidlens estimate" in the UI to distinguish it from official YouTube data.
• OpenAI — processes text and images for AI features (title generator, AI thumbnails). Subject to OpenAI Privacy Policy. We do not opt into their training data.
• Anthropic — processes text for AI features (script generator, comment classifier). Subject to Anthropic Privacy Policy.
• NOWPayments — processes our USDT (TRC20) payments. The only payment processor currently in use. Subject to NOWPayments Privacy Policy.
• EU-based hosting infrastructure — our servers are located within the European Union. The hosting provider operates under its own privacy policy and applicable EU data protection law (GDPR).
• SMTP email provider — delivers transactional emails (password reset, etc.). Email content sent only to the registered recipient.

Data retention

• Active account: data is kept for as long as your account is active
• Account deletion: all personal data is wiped within 30 days (see Section 6)
• Search events & analytics: kept for 90 days, then aggregated and anonymized
• Login & IP logs: kept 90 days for security, then auto-deleted
• Payment records: kept 5 years (legal obligation — tax law)

Cookies

We use only strictly necessary cookies — no advertising, analytics, or tracking cookies:

• vidlens_web_session — session management (HttpOnly, Secure, SameSite=Strict). Required to stay logged in.
• vidlens_flash — temporary success/error messages (lifetime: 60 seconds)

No third-party cookies. No advertising cookies. No analytics cookies (no Google Analytics, no Facebook Pixel).

Your rights (GDPR)

If you reside in the European Union, UK, Switzerland, or any country with similar privacy laws, you have these rights regarding your personal data:

• Right to access — request a copy of all data we hold about you
• Right to rectification — correct inaccurate data
• Right to erasure — delete your account at any time from the profile page
• Right to data portability — receive your data in a machine-readable format (JSON)
• Right to object — opt out of any non-essential data processing
• Right to withdraw consent — for any processing based on your consent
• Right to revoke YouTube access — if you connected a YouTube channel, then in addition to deleting your data from within Vidlens (profile page), you can revoke Vidlens' access to your YouTube account at any time via the Google security settings page. When you disconnect a channel, all YouTube-derived data for that channel is deleted and the OAuth token is revoked on Google's side.

To exercise any of these rights, email info.spam-block@vidlens.app or use the contact page. We respond within 30 days.

Children's privacy

Vidlens is not intended for users under 18. We do not knowingly collect data from children. If you believe a child has registered, please contact us immediately and we will delete the account.

Security

Passwords are hashed with bcrypt (cost factor 12). Sessions use cryptographically secure tokens stored as SHA-256 hashes. OAuth refresh tokens are encrypted with AES-256-GCM. All connections use HTTPS (TLS 1.2+). Sessions enforce SameSite=Strict cookie policy and validate Origin headers on every state-changing request.

Despite our efforts, no system is 100% secure. If you discover a vulnerability, please report it to info.spam-block@vidlens.app (see /.well-known/security.txt).

International transfers

Our infrastructure is hosted in Germany (EU). However, when you use AI features, your text data may be transferred to OpenAI or Anthropic servers in the United States. These transfers are protected by Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework where applicable.

Changes to this policy

We may update this policy from time to time. For significant changes, we'll notify registered users by email. The "Last updated" date at the top of this page reflects the most recent revision.

Contact & Data Controller

The data controller responsible for the processing of your personal data is:

For privacy-related questions or requests:

• Email: info.spam-block@vidlens.app
• Contact form: vidlens.app/contact
• Security issues: info.spam-block@vidlens.app