Legal
Privacy Policy
Last updated: July 2026 (rev. July 3)
What we collect
When you sign in with Google, we receive your display name and email address from Google. We use these only to identify your account — we never read your Gmail, Google Drive, or any other Google service unless you explicitly connect YouTube playlists (which requires a separate permission).
What we store
The following data is stored in our database (Supabase / PostgreSQL):
- Your account profile (name, email, preferences)
- YouTube video URLs you add to your inbox
- AI-generated summaries, verdicts, and key points for those videos
- Collections and tags you create
- Your watch queue order
- Usage events — a rolling 24-hour ledger (
summary_usage_events) that records when you request a video or text summary, which mode was used, and whether the result came from cache or a fresh AI run. This is used solely for enforcing free-tier limits and Pro quota tracking. Events older than 24 hours are automatically discarded.
Browser storage. We also use your browser's localStorage to cache your video library, preferences, and collections for fast offline access. This data stays on your device and is never uploaded. When you sign in, we store a separate copy of your data in our cloud database (Supabase) so it syncs across devices — your localStorage copy remains local regardless. The analytics consent flag (yap-analytics-consent) is also stored in localStorage. If you enable analytics, PostHog may write additional cookies and localStorage keys for session tracking; these are scoped to PostHog and contain no video content.
How we use your data
Your data is used solely to provide the Too Much Yap service — showing you your video inbox, storing your triage decisions, and syncing across devices when you’re signed in. We do not sell your data. We do not use it for advertising.
AI processing
Video summaries are generated by Google Gemini (via Google AI Studio). When you request a summary, we send the YouTube video URL (and optionally a transcript) to Gemini for processing. This data is subject to Google’s Privacy Policy. We do not store the raw video data — only the AI-generated output.
Analytics
We use PostHog for product analytics (page views, feature usage). The PostHog SDK is not loaded at all on a first-time visit — no script is fetched, no network request is made to PostHog, and no event is captured until you click Acceptin the cookie banner. If you decline, the SDK is never loaded, no cookies are written, and event capture stays disabled. Returning visitors whose previous decision was “accepted” get the SDK loaded immediately so pageviews during the session are captured.
We never send your email address to PostHog — we identify your analytics session only by your Supabase user id. PostHog cannot reverse this identifier to your name or email because we do not share authentication state with them. The browser-side SDK also does not receive video URLs, transcripts, or AI-generated summaries — only event metadata (page path, button clicks, verdict selections) joined to that opaque identifier.
Server-side telemetry. These server-side events fire regardless of your cookie banner choice — the banner only gates the browser SDK, not the API requests. A smaller set of events fires from our API routes — when a video summary completes, when a Stripe subscription event arrives, or when a usage limit is hit. Events identify you only by your Supabase user id (no email, no name) and carry narrowly-scoped metadata: video duration, verdict classification, subscription lifecycle events Stripe sends back to us, the Stripe-assigned customer id on subscription events (only Stripe and this app can map it back to your account), cache hit/miss, rate-limit hits, your subscription tier (e.g. free, pro), and on rare Gemini failure paths the YouTube video id (which is publicly resolvable to a URL) alongside a small failure-category label such as both_modes_failed. They never include the video URL, video title, your notes, or AI-generated summary content. To stop server-side telemetry tied to your account, sign out (which clears the persisted identifier) or email us to delete the analytics identity.
PostHog processes data on servers in the United States. You can opt out at any time by clearing your browser's localStorage key yap-analytics-consent or by emailing us at hello@toomuchyap.com. PostHog's privacy policy: posthog.com/privacy.
Error monitoring
We use Sentry for error tracking on our API routes and server functions. When an error occurs, Sentry receives the error message, stack trace, and your Supabase user id (so we can correlate errors with affected accounts). Sentry does not receive your email address, video URLs, AI summaries, or any content data. Sentry processes data on servers in the United States. See Sentry's Privacy Policy.
Third-party services
- Supabase — database and authentication infrastructure
- Google — OAuth sign-in, Gemini AI analysis, and YouTube metadata
- Stripe — payment processing for Pro subscriptions (billing only — not analytics). We share with Stripe only what's needed to bill you: your email address, your subscription tier, and the subscription lifecycle events Stripe sends back to us (renewed, canceled, payment failed). We do not send Stripe any video URLs, summaries, triage decisions, watch-time data, or usage analytics, and we do not use any Stripe analytics or data-mining products. Stripe stores your card details and subscription state on their side. See Stripe's Privacy Policy.
- PostHog — analytics (see section above)
- Sentry — error monitoring (see section above)
- Vercel — hosting and serverless functions
Data retention
Your data remains in our database as long as your account is active. To delete everything immediately and self-serve, open Settings → Account → Delete account. That action permanently removes your profile, inbox, watch queue, collections, and AI-generated summaries, and cancels any active Pro subscription, in a single step with no waiting period. If you need help with the process, email hello@toomuchyap.com.
Your rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Right to access (GDPR Art. 15) — You can request a copy of all data we hold about you. Use the Export button in Settings for an immediate JSON download, or email us for a complete dump.
- Right to rectification (GDPR Art. 16) — Update your profile name or email at any time in Settings.
- Right to erasure / deletion (GDPR Art. 17) — Use the Delete account button in Settings for immediate self-serve deletion. No email required.
- Right to data portability (GDPR Art. 20) — Export your data anytime via the Export button in Settings.
- Right to object (GDPR Art. 21) — Decline analytics cookies in the cookie banner or in Settings → Privacy & Cookies. Server-side telemetry cannot be opted out per-request, but signing out clears the analytics identity, and account deletion removes all server-side event associations.
California residents have equivalent rights under the CCPA. Contact us at hello@toomuchyap.com to exercise any of these rights.
Security
Data is encrypted in transit (HTTPS/TLS) and at rest. Access to the database is controlled by Supabase Row Level Security — each user can only read and write their own data.
Contact
Questions about this policy? Email us at hello@toomuchyap.com.