Privacy Policy
Whisgram is a Chrome extension and web app that turns videos (YouTube and 1,000+ other sites) into AI-generated study notes, Mermaid diagrams, and transcripts. Using Whisgram requires an account so your credits and history follow you across devices. This policy explains exactly what we collect, why, who we share it with, and how you can delete it. We collect the minimum needed to run a paid, account-based service — and we never sell your data.
1. What we collect
1.1 Account & authentication
- Your email address. You sign in with Google or an email "magic link." We receive and store your email address (and, from Google, your name and profile photo URL) as your account identity. Authentication is handled by Supabase; we never see or store your Google password.
- Authentication tokens. A session token is stored in your browser so you stay signed in. It is sent with requests to authenticate you.
1.2 Data you submit
- Video URLs you choose to transcribe (e.g. YouTube links). We use these to download the audio for transcription, and we save them with your transcript history (see 1.4) so you can revisit past results.
- Uploaded files (audio/video you choose to transcribe). These are written to a temporary directory on our server during transcription and deleted immediately after the job finishes — typically within minutes. The original media is never persisted to permanent storage.
1.3 Data the service generates
- Transcripts and AI-generated notes (the transcript text, key takeaways, Markdown summary, and Mermaid diagram). These are returned to your browser and saved to your account history so you can access them later and across devices (see 1.4).
- Credit balance. A number representing your remaining credits, stored against your account.
1.4 Transcript history (stored in your account)
- Your transcript history — the video title, source URL, transcript, summary, and diagram for your recent transcriptions (up to 50) — is stored in our database (Supabase Postgres), tied to your account. Database row-level security ensures only you can read your own history. It is also cached locally in your browser for instant access.
- You can delete any entry, or clear your entire history, from the History view at any time — which removes it from both your browser and our database.
- Theme preference (light / dark / system) is stored only in your browser and never sent to us.
1.5 Payment data
- When you buy credits, payment is processed by Stripe on Stripe-hosted checkout pages. We never see or store your card number. Stripe sends us only a confirmation that a payment succeeded, which we use to add credits to your account.
1.6 Data we observe in the request
- Your IP address, used transiently for rate-limiting and abuse prevention (e.g. blocking a single source from submitting hundreds of jobs per minute). Not sold or shared with third parties for marketing.
- Basic HTTP headers (User-Agent, Accept-Language) — logged transiently by our hosting provider and discarded on rotation.
1.7 Usage analytics
- We use privacy-respecting analytics to understand how Whisgram is used (which pages are visited, where visitors come from, broad device/country breakdowns) so we can improve it. Today this is Cloudflare Web Analytics, which is cookieless — it sets no cookies, does not fingerprint your device, and does not collect personally identifiable information. We may add or change analytics tools over time; if we adopt one that uses cookies or collects more, we will update this policy and, where the law requires it, ask for your consent first.
2. What we do NOT collect
- No access to your Google account beyond sign-in. We use Google only to verify your identity (email, name, photo). We do not request access to your YouTube account, Gmail, Drive, or any other Google service.
- No browsing history. The extension only acts on videos you explicitly submit; it does not track or collect the other pages you visit.
- No card numbers. Card data goes directly to Stripe; it never touches our servers.
- No advertising. No ad networks, no advertising pixels, no third-party advertising SDKs. We use only basic, privacy-respecting usage analytics (see §1.7) — never for advertising.
- No selling or sharing of personal data. Ever.
3. Third-party processors
To do its work, Whisgram relies on a small number of third parties. Each one only receives what it needs for its specific task.
| Service | What it receives | Why |
|---|---|---|
| Supabase | Your email/name (authentication), credit balance, and transcript history | Authentication and database. Subject to Supabase's privacy policy. |
| Stripe | Your payment details (entered directly on Stripe), and your email for the receipt | Processing credit purchases. Subject to Stripe's privacy policy. |
| Modal | The audio extracted from your video | GPU-accelerated transcription (Whisper). Modal does not retain audio after processing. |
| OpenRouter → Anthropic (Claude) | The text transcript only | Generating the summary, key takeaways, and Mermaid diagram. Subject to OpenRouter and Anthropic privacy policies. |
| Fly.io | Standard HTTP request metadata (IP, headers) | Hosting the application server. Subject to Fly's privacy policy. |
| Cloudflare | Aggregate, anonymous page-view data (no cookies, no personal data) | CDN, and privacy-first cookieless traffic analytics. Subject to Cloudflare's privacy policy. |
| Video platforms (e.g. YouTube) | The URL you submitted | Downloading the audio for transcription, via yt-dlp. We do not authenticate to these platforms. |
4. Cookies
Whisgram does not use cookies for advertising or cross-site tracking. Authentication uses browser storage (not third-party cookies) to keep you signed in. The extension uses only browser-extension storage APIs, which are sandboxed to the extension.
5. Children
Whisgram is intended for a general audience of learners and is not directed at children under 13. If you are under 13, please do not use it. If you believe we have unintentionally collected data from a child under 13, contact us at the email below and we will delete it.
6. Your rights (GDPR, CCPA, and similar)
You can access and delete your data directly: your transcript history is deletable from the History view, and you can request deletion of your account and all associated data (email, credit balance, history) by emailing us.
To exercise any right under GDPR, CCPA, or similar laws — access, portability, correction, or deletion — email us at the address below. We respond within 30 days. Deleting your account removes your email, credit balance, and stored transcripts from our database.
7. Security
- All traffic between your browser and Whisgram is encrypted with TLS (HTTPS).
- Your transcript history is protected by database row-level security, so only your authenticated account can read it.
- Card data is handled entirely by Stripe; we never receive or store it.
- API keys and database credentials are stored as encrypted server-side secrets and never exposed to clients.
- The application server runs with rate limiting to prevent abuse and runaway resource consumption.
8. Changes to this policy
We may update this policy as Whisgram evolves. The "Last updated" date at the top reflects the most recent revision. Material changes will be announced on the Whisgram website.
9. Contact
Questions, concerns, or data-rights requests: [email protected].