Effective date: 21 May 2026 · Last updated: 21 May 2026 · Version 0.1
This Privacy Policy explains what personal data we process when you visit youasktube.com (the “Service”), why we process it, how long we keep it, who we share it with, and the rights you have under applicable data-protection law (including the EU General Data Protection Regulation 2016/679 (“GDPR”) and the UK GDPR). It is written for the current Phase 0 state of the Service (a pre-launch construction page with optional e-mail signup) and pre-emptively discloses the data we will process once Phase 1 (chat-with-video) is activated. We will update the “Last updated” field above and notify confirmed signups before any material change becomes effective.
The data controller for the Service is BitVibe Labs Ltd (in formation), a private company limited by shares with registration pending at Companies House (United Kingdom). Until that registration completes, the natural person operating BitVibe Labs — a Greek tax resident — acts as the data controller and is personally responsible for the processing described in this Policy (including, where applicable to any pre-incorporation contractual processing, under section 51 of the Companies Act 2006). All data-protection enquiries should be sent to john@bitvibelabs.com. This Policy and the controller details will be updated within 14 days of Companies House issuing the certificate of incorporation; dated revisions of this Policy are listed under section 18 below.
EU representative (Article 27 GDPR). We do not currently designate a representative in the European Union. We rely on the exemption in Article 27(2)(a) GDPR: our processing of EU data subjects’ personal data is occasional, is not on a large scale, does not include special-category or criminal-conviction data, and — given that Phase 0 collects only short-term Cloudflare edge logs and consented signup metadata — is unlikely to result in a risk to the rights and freedoms of natural persons within the meaning of Recital 75 GDPR. We will designate a representative within 30 days if (a) monthly unique EU-located visitors regularly exceed 25,000, or (b) the Phase 1 marketing list grows to a scale where the Art. 27(2)(a) carve-out no longer fits, whichever occurs first. EU data subjects may, in the meantime, lodge a complaint with the supervisory authority of their EU Member State of habitual residence (the EDPB member list at edpb.europa.eu/about-edpb/about-edpb/members_en indexes every national authority).
The Service is launched in stages. This Policy distinguishes between what we collect today and what we will collect once additional features are activated:
youasktube.com/watch?v=… — YouTube transcripts and a multi-turn AI chat over those transcripts. Magic-link e-mail accounts, daily message quotas, and chat history. All Phase 1 routes currently return HTTP 503 or redirect to the construction page. Phase 1 processing only begins after a Policy update announcing the launch.consent_timestamp at submit, confirmed_at at link-click). Subsequent launch-update e-mails are sent on the basis of that confirmed consent. Consent can be withdrawn at any time via the one-click unsubscribe link in every e-mail.ip_records, and signed session cookies are processed under our legitimate interest in operating the Service securely, preventing abuse, and enforcing daily message quotas. We have weighed these interests against your interests, rights, and freedoms and consider the processing proportionate.| Category | Specifics | Where stored |
|---|---|---|
| Launch-notify signup | Your e-mail address (lowercased), a server-generated double-opt-in token, a server-generated unsubscribe token, plus consent-demonstrability metadata captured at the moment of submission: consent_timestamp (ISO 8601), consent_ip (the raw CF-Connecting-IP header — we do not currently hash this), consent_user_agent (raw User-Agent string), consent_origin (the HTTP Origin header), and confirmed_at (set when you click the confirmation link). |
Cloudflare Workers KV. Pending records under notify:pending:<token> auto-expire after 48 hours. Confirmed records stored persistently under notify:<email> until you unsubscribe. |
| Network metadata | IP address, URL, referrer (if sent), User-Agent, timestamp — the standard request data Cloudflare records at its edge. We do not run any custom log pipeline (no Logpush, no analytics provider). | Cloudflare edge logs, retained per Cloudflare’s policy (typically ≤30 days for raw logs; aggregated metrics longer but unlinkable to identifiable visitors). |
| Outbound-mail counters | Per-day count of confirmation e-mails sent (no personal data, no recipient list). Used to stay below our Migadu daily outbound cap. | Cloudflare Workers KV under migadu:out:<YYYY-MM-DD>, 48-hour TTL. |
| E-mail correspondence | If you e-mail us, we receive your e-mail address and message contents. | Migadu (our mailbox provider, established in Switzerland). |
The Phase 0 construction page sets no cookies, runs no analytics, embeds no third-party tracking pixels, uses no fingerprinting, and does not write to localStorage or sessionStorage. The signup form is a single fetch() to our own /api/notify endpoint.
The list below describes what we will store once Phase 1 is activated. Until then, none of these tables receive data — the relevant routes return HTTP 503 or redirect to the construction page.
| Table | Fields | Purpose |
|---|---|---|
users |
email, created_at, created_ip (raw), verified_at, cooldown_until, consent_logged_at. |
Magic-link account. Consent to the Terms and this Privacy Policy is captured at signup and persisted on the first magic-link click. |
sessions |
id (random token, set as a signed cookie), user_id, created_at, expires_at. |
Authenticated session lookup. Cookies are strictly necessary for the service you requested (login) and are not subject to consent-banner opt-in under PECR Reg. 6(4) / ePrivacy Directive Art. 5(3). |
quota_daily |
user_id, day (UTC), count. |
Enforcing the 10-messages-per-day signed-in quota. |
ip_records |
ip (raw — not hashed), day, user_count, chat_count, cooldown_until. |
Enforcing the 2-messages-per-day anonymous quota and the per-IP signup-rate limit. IPs are stored in raw form, same as Phase 0. |
verify_tokens |
token, user_id, redirect_to, expires_at. |
Single-use magic-link verification. |
chats |
id, user_id or anon_session_id, video_id, video_title, domain, created_at, last_message_at, title. |
Chat history grouping (one row per chat conversation). |
messages |
chat_id, role (user / assistant / system), content (the full text of your prompts and the AI’s replies), model, created_at. |
The actual chat content. Retained for signed-in users until you revoke consent or delete your account; retained 30 days for anonymous-only sessions. |
transcripts |
video_id, language, source, transcript_json (the timestamped caption JSON), duration_seconds, title, channel, fetched_at, expires_at. |
Cache of YouTube’s public timedtext caption file for a given video. Shared across all chats over the same video. Re-fetched after 90 days. |
consent_log |
user_id, event (granted or revoked), at, ip, user_agent. |
Audit trail of consent grants and revocations, kept to discharge our Article 7(1) GDPR demonstrability obligation. |
messages and returned to your browser.ip_records to enforce daily message limits and to short-circuit obvious abuse (denial-of-service, automated scraping).Phase 0 (LIVE) sets no cookies. The construction page does not write to localStorage, sessionStorage, IndexedDB, or any client-side identifier.
Phase 1 (when activated) will set one strictly-necessary cookie:
| Name | Type | Purpose | Lifetime |
|---|---|---|---|
session_id (or equivalent) Phase 1 |
First-party, HttpOnly, Secure, SameSite=Lax, signed. | Authenticated session lookup after magic-link login. | Up to the expires_at value of the corresponding sessions row (typically days to weeks; configurable). |
Strictly-necessary cookies are exempt from the consent requirement under PECR Regulation 6(4) and Article 5(3) ePrivacy Directive: they are essential to deliver the authenticated session you explicitly requested by logging in. We do not use advertising, analytics, fingerprinting, or any other non-essential client-side identifier.
| Data | Retention |
|---|---|
Pending signup tokens (notify:pending:<token>) | 48 hours, then auto-expire from KV. |
Confirmed signup records (notify:<email>) | Until you unsubscribe via the one-click link or e-mail us to be removed. May be deleted earlier as part of periodic re-permission checks for long-inactive subscribers, per ICO direct-marketing guidance. |
| Migadu outbound counters | 48 hours. |
| Cloudflare edge logs | Per Cloudflare’s retention policy (typically ≤30 days for raw logs). |
| Migadu mailbox logs (transactional + inbox) | Per Migadu’s policy; transactional message envelopes are typically purged within 30 days. |
Phase 1 User account (users, sessions, verify_tokens) | Until you delete your account or after a long period of inactivity (24 months without login). |
Phase 1 Chat history for signed-in users (chats + messages) | Until you delete it via /me or revoke consent. Surviving messages may be retained in encrypted backups for up to 30 days after deletion. |
Phase 1 Anonymous chat history (no user_id) | 30 days, then auto-purged. |
| Phase 1 Transcripts cache | Up to 90 days per video, then re-fetched on next chat. |
Phase 1 ip_records daily counters | Rolling window; rows older than 30 days are purged. |
| Phase 1 Anthropic API call logs | Per Anthropic’s Commercial Terms: prompts and responses retained up to 30 days for abuse-monitoring purposes; not used for training. See anthropic.com/legal/commercial-terms. |
Phase 1 consent_log | For the lifetime of the related users row, plus 24 months for evidentiary purposes after account deletion. |
The Service relies on the following third parties. Each operates under its own privacy notice and (where applicable) a data-processing agreement with us:
timedtext endpoint on the user’s behalf, server-side. We do not share user-identifying information with YouTube. The request originates from our Cloudflare Worker; from YouTube’s perspective the requester is our infrastructure, not you. There is no controller-to-processor or controller-to-controller data flow between us and YouTube for personal data — we GET publicly-available caption files in the same way a browser would. If you follow an outbound link to youtube.com from our Service, your browser will contact YouTube directly under YouTube’s privacy policy.We do not currently use any analytics provider (no Google Analytics, no Plausible, no Cloudflare Web Analytics, no Mixpanel), no behavioural-advertising network, and no fingerprinting service. If we introduce any new subprocessor we will update this section and, for material additions, notify confirmed signups before the change takes effect.
Subject to certain exceptions, you have the following rights under the GDPR and the UK GDPR:
/me.To exercise any right, e-mail john@bitvibelabs.com. We aim to respond within the one-month period set by Article 12(3) GDPR. If you receive no acknowledgement within seven days, or if e-mail to that address is bouncing, you may write to us care of the BitVibe Labs Ltd registered office, which will be published on this page within 14 days of Companies House registration; in the meantime, the supervisory authority of your habitual residence will accept a complaint addressed to BitVibe Labs Ltd (in formation). Because Phase 0 collects very little — typically only your e-mail plus signup metadata if you submitted the form — identifying which records (if any) relate to you may require you to provide minimal identifying information.
Some processors are located outside the European Economic Area and the United Kingdom:
We take security seriously. Concretely:
min_tls_version=1.2 + always_use_https=on).secret_text values — encrypted at rest, never logged.X-Frame-Options: DENY, X-Content-Type-Options: nosniff, a tight Content-Security-Policy, and a hardened Permissions-Policy.No system can be guaranteed perfectly secure, and we make no warranty to that effect.
If we become aware of a personal-data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the competent supervisory authority within 72 hours of becoming aware of it (Article 33 GDPR). If the breach is likely to result in a high risk to your rights, we will also notify you directly without undue delay (Article 34 GDPR), using the e-mail address on file.
The Service is not directed at children under 16, and we do not knowingly collect personal data from anyone under that age. If you are a parent or guardian and believe a child has provided personal data to us, please contact john@bitvibelabs.com and we will erase it.
We do not use your personal data to make any legally-significant or similarly-significant automated decisions about you (Article 22 GDPR). The Phase 1 chat is an advisory AI feature: replies generated by the model are informational only, do not constitute legal, medical, financial, or professional advice, and are not used to grant or deny you any service, benefit, price, or treatment. We do not profile visitors, do not perform behavioural advertising, and do not score users for risk or eligibility.
Transcripts displayed in Phase 1 originate from YouTube and remain the copyright of the original video author. We act as a transient fetcher and cache of YouTube’s publicly-available timedtext caption files; we do not host the underlying video, and we do not publish, monetise, or rebroadcast the underlying creative work. Cached transcript rows are refreshed every 90 days against the public source.
The Service is independent and not affiliated with YouTube, LLC or Google LLC. “YouTube” is a trademark of Google LLC; we use the term solely to describe interoperability with publicly-available YouTube features. Rights-holders who believe transcript content surfaced through our Service infringes their rights may send a takedown request, including the elements required by 17 U.S.C. §512 (DMCA) and Article 17 of the EU Digital Single Market Directive (Directive (EU) 2019/790), to john@bitvibelabs.com. We will respond within a commercially reasonable time and, where the request is well-founded, will remove or restrict access to the offending content.
If you confirm your launch-notify subscription, we will e-mail you occasional launch updates from BitVibe Labs — a handful per year at most, exclusively about youasktube or directly-adjacent BitVibe Labs products. We do not sell, rent, share, or trade subscriber e-mail lists with any third party.
Unsubscribe. Every e-mail we send includes a one-click unsubscribe link (the URL pattern is https://youasktube.com/api/notify/unsubscribe/<token>). Clicking the link deletes both the notify:<email> record and its reverse-index notify:unsub:<token> from KV, removing you from the list immediately. You may also e-mail john@bitvibelabs.com with subject “unsubscribe” for the same effect.
We may update this Policy from time to time. The “Last updated” date at the top of the page reflects the most recent revision. For non-material changes (clarifications, typo fixes, formatting), we update the page silently. For material changes — new subprocessors, new data categories, new lawful bases, new retention periods that meaningfully expand processing — we will give at least 30 days’ notice by e-mailing confirmed signups before the change takes effect, and by displaying a banner on the home page during that window. Continued use of the Service after a revision becomes effective constitutes acknowledgement of the revised Policy.
We have not appointed a statutory Data Protection Officer because our processing does not meet the Article 37(1) GDPR thresholds (no core-activity large-scale monitoring, no core-activity special-category processing, no public-authority status). The natural-person operator named in section 1 above acts as the single point of contact for all privacy matters.
Questions, requests, or complaints about privacy may be sent to:
BitVibe Labs (in formation)
Attn: Privacy — john@bitvibelabs.com
E-mail: john@bitvibelabs.com
Postal address: to be published within 14 days of Companies House registration.
For complaints, you may contact the Hellenic Data Protection Authority (operator’s habitual residence) at dpa.gr/en, the UK Information Commissioner’s Office at ico.org.uk, or your own EU/EEA Member State’s supervisory authority.
← Back to You ASK Tube