Privacy Policy
Last updated: 2026-05-02
Gotcha is a Chrome extension that produces language-learning briefings for YouTube videos. This policy explains what we collect, why, and who we share it with.
What we collect
- Google account info (email, account ID) — collected when you sign in via Google OAuth. Used to identify your account and enforce per-user quotas.
- Subscription data (Stripe customer ID, subscription status, billing period) — collected when you subscribe. Stored to determine your tier.
- Settings and preferences (briefing mode, known words, known phrases) — stored locally in your browser via chrome.storage.sync. Synced across your signed-in Chrome instances by Chrome itself.
- Anonymous usage ID — a random UUID generated locally for users who haven't signed in, used to enforce anonymous-tier daily limits. Hashed with your IP to form a quota key.
- YouTube video metadata (video ID, title, language, duration) — sent to our backend each time you request a briefing.
- Video transcripts — fetched from YouTube via Apify (a third-party scraping service) and processed by Groq (an AI inference provider). Transcripts are not retained after briefing generation; the resulting briefing is cached on Cloudflare KV for ~30 days.
Who we share with
- Google — only when you sign in (we read your email + account ID from Google's tokeninfo endpoint).
- Stripe — when you subscribe (Stripe handles all payment data; we never see your card).
- Apify — receives the YouTube video ID to fetch its transcript. No personal data.
- Groq — receives the transcript text + your known-words list to generate a briefing. No personal data tied to your identity.
- Cloudflare — hosts our backend Worker, KV, D1 database, and Durable Objects. Sees all data above as part of normal request processing.
We do not sell your data. We do not use it for advertising. We do not share it with anyone other than the four providers above.
Data retention
- Account row (email, tier, Stripe link) — kept while your account is active. Deleted on request.
- Quota counters — reset daily at UTC midnight; concurrent counters auto-clear when streams end.
- Briefing cache — 30-day TTL on Cloudflare KV.
- Webhook idempotency keys — 1 hour TTL.
- Anonymous quota entries — 25 hours TTL.
Your rights
You can sign out at any time (clears the local JWT). To delete your account and associated data, email support@getgotcha.app from the email address on the account; we will delete your row from D1 and reset your Durable Object state within 7 days.
Cookies
Gotcha does not use cookies. Authentication is via a JWT stored in chrome.storage.sync, sent on each request to our backend. No tracking cookies, no analytics cookies.
Changes
If we update this policy, the "Last updated" date at the top changes. Material changes will be announced via the extension's settings page.
Contact
support@getgotcha.app