Privacy Policy

Effective Date: March 2026

This Privacy Policy explains how YouTubeCommentDownloader (“we,” “us,” or “our”) collects, uses, stores, and protects information about you when you use our website and Service. By using the Service you agree to the practices described in this policy.

1. Information We Collect

We collect the following categories of information:

  • Account information: your name and email address when you register or sign in with Google OAuth.
  • Authentication tokens: Google OAuth tokens used to authenticate your session. These are stored securely and used only to maintain your logged-in state.
  • Usage and export history: records of URLs you have submitted, export options selected, and the number of comments retrieved. This data is used to enforce plan limits and display your export history.
  • Payment information: billing details (card type, last four digits, billing address) collected and stored by our payment processor, Stripe. We do not store full card numbers on our servers.
  • Technical data: IP address, browser type, device type, and pages visited, collected automatically via server logs and analytics. This is used for security monitoring and service improvement.

2. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and improve the Service.
  • Authenticate your identity and maintain your session.
  • Process subscription payments and manage your billing account.
  • Enforce plan limits and prevent abuse of the YouTube Data API quota.
  • Send transactional emails such as receipts, password resets, and service notifications.
  • Investigate and respond to security incidents or violations of our Terms of Service.

3. Data Retention

We retain your account information and export history for as long as your account is active. If you delete your account, we will delete your personal data within 30 days, except where we are required to retain it for legal, tax, or accounting purposes (typically up to 7 years for billing records).

Server logs containing IP addresses and technical data are retained for up to 90 days and then deleted.

4. Third-Party Services

We rely on the following trusted third-party services to operate:

  • Supabase — authentication and database hosting. Your account data and export history are stored in Supabase-managed infrastructure. Supabase is SOC 2 Type II certified.
  • Stripe — payment processing. Stripe stores your payment method details in compliance with PCI DSS. We receive only tokenised references to your payment method.
  • Vercel — website hosting and serverless functions. Your requests are processed on Vercel's infrastructure. Vercel is SOC 2 Type II certified.
  • YouTube Data API v3 — comment retrieval. When you submit a YouTube URL, we make requests to the YouTube Data API on your behalf. This is subject to Google's Privacy Policy.

We do not sell your personal data to any third party. We share data with third-party services only to the extent necessary to operate the Service.

5. Cookies

We use session cookies to maintain your authenticated state. These cookies are essential to the operation of the Service and are set only after you log in. They expire when your session ends or after 7 days of inactivity.

We do not use tracking cookies, advertising cookies, or any third-party analytics cookies that monitor your behaviour across other websites. We do not serve or participate in behavioural advertising.

6. Your Rights

Depending on your jurisdiction, you may have the following rights with respect to your personal data:

  • Access: request a copy of the personal data we hold about you.
  • Correction: request that we correct inaccurate or incomplete data.
  • Deletion: request deletion of your personal data (subject to retention obligations).
  • Portability: request an export of your data in a machine-readable format.
  • Objection or restriction: object to certain processing or ask us to restrict it.

To exercise any of these rights, contact us. We will respond within 30 days.

7. Security

We implement industry-standard security measures including HTTPS encryption for all data in transit, secure storage of credentials via Supabase (bcrypt hashing for passwords), and access controls limiting who within our team can access production data. No method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.

8. GDPR and CCPA

GDPR (EU/EEA users): Our lawful bases for processing are performance of a contract (to provide the Service you signed up for), compliance with legal obligations, and our legitimate interests (security monitoring and abuse prevention). You have the right to lodge a complaint with your local data protection authority.

CCPA (California residents): We do not sell your personal information. California residents have the right to know what personal information is collected, the right to delete personal information, and the right not to be discriminated against for exercising these rights. To submit a request, contact us.

9. Children's Privacy

The Service is not directed to children under 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, please contact us and we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the effective date at the top of this page and, where required by law, notify you by email. Your continued use of the Service after any update constitutes acceptance of the revised policy.

11. Contact

For privacy-related questions or requests, contact us.