Privacy

Privacy policy

Last updated: 2026-05-02 · v1.3.0

TL;DR

• Cureyt requires a free account (email + password). We store your email, a salted PBKDF2 hash of your password, and a count of your extractions.
• For each extraction, the transcript briefly passes through our Cloudflare Worker so the AI call uses our Moonshot key. The transcript is not stored beyond the request.
• Saved mentions and episode history live in your browser's local storage only — we don't sync them.
• We do not sell or share user data.

What we keep on the server

A few rows live on our Neon Postgres database:

• Your account — email, a normalized "canonical" form of it (Gmail dots/+aliases collapsed for abuse defense), PBKDF2 password hash (we never see the plaintext), email-verified flag, plan tier, created-at, last-seen-at, and the IP your account was created from.
• Your active sessions — JWT IDs so you can sign out from one device without rotating every device's token.
• OTP codes (signup verification + password reset) — SHA-256 hashed, expire in 10 minutes, attempt counter for brute-force defense.
• Your extraction audit log — per-call: video ID, model used, token counts, estimated spend, mention count, success/failure, and the IP the request came from. Used to enforce the weekly free-tier quota and throttle multiple accounts extracting from the same network. The transcript itself is not saved.

Abuse defense

To stop free-tier farming we layer a few light-touch checks at signup and at extraction time. We deliberately do not require phone verification or a credit-card hold. Instead:

• Canonical email — we collapse [email protected], [email protected], and [email protected] to one identity to detect when the same Gmail mailbox tries to create multiple accounts.
• Per-IP signup cap — we cap account creation to 3 per IP per 24 hours. Your signup IP is stored on your account row.
• Per-IP extraction throttle — when too many distinct accounts extract from one IP in 24 hours, we throttle. Your extraction IP is stored per request in the audit log.
• Velocity guard — a brand-new account that immediately burns through extractions is throttled. No additional data stored.
• Browser fingerprint (hash only) — at signup time only, the open-source @fingerprintjs/fingerprintjs library computes a stable browser-characteristic ID. We store the SHA-256 hash of that ID — never the underlying characteristics — and use it to detect 3+ accounts from the same device in 30 days. The hash cannot be reversed. Browsers that block fingerprinting (Brave shields, Firefox strict mode, etc.) still sign up successfully — the other layers above still apply. Not collected on subsequent visits or extractions.

Legal basis (GDPR Art. 6(1)(f) / India-DPDP "legitimate use"): abuse defense — without these signals, free-tier farming would degrade service quality and inflate costs for all users. You can request deletion of these records by deleting your account.

What flows through the Worker

For each extraction, the Worker receives the YouTube transcript text, calls Moonshot with our API key, returns the mentions, and writes the audit row above. The transcript is not persisted past the request. We don't keep audio, raw captions, video metadata, or any per-mention text on the server.

What never leaves your browser

• The full transcript caches (per-(model, video), 7-day TTL) — so re-opening a video within a week is free + instant.
• Saved mentions (the bookmark icon → Saved Mentions tab).
• Episode history (the Watch History tab).
• Your session JWT (in chrome.storage.local).

Full policy

This policy is current as of the date shown above. For prior versions or a full copy, contact [email protected].

Contact

Privacy questions: [email protected]