channelid.app ("we", "us", "our") is committed to protecting your privacy. This policy explains what data we collect, how we use it, and your rights.

1. Data We Collect

Account data: When you sign in via OAuth (Google, Microsoft, GitHub, or Apple), we receive your email address and a unique provider identifier (sub). Your email is stored in encrypted form (AES-GCM) and is never stored in plaintext. We also store a one-way hash of your email for account lookup purposes only.

Usage data: We log each lookup attempt as a hashed URL (SHA-256), a success/fail flag, and a timestamp. We do not store the raw URLs you resolve.

Payment data: Payments are handled entirely by Paddle. We receive a webhook notification containing a transaction ID and your account tier. We do not store your card number, bank details, or billing address.

Log data: Our hosting infrastructure (Google Cloud Run) collects standard HTTP access logs (IP address, browser user agent, request path, timestamp). These are retained for up to 30 days.

2. How We Use Your Data

• Authenticate your account and maintain your session
• Enforce the free-tier lookup quota (2 lookups)
• Upgrade your account after a confirmed payment
• Respond to support requests
• Monitor service health and prevent abuse

We do not sell your data. We do not use your data for advertising. We do not share your data with third parties except as described below.

3. Third-Party Services

• OAuth providers (Google, Microsoft, GitHub, Apple) — used for authentication only. Governed by their respective privacy policies.
• Paddle — processes payments as our merchant of record. See paddle.com/legal/privacy.
• Google Cloud — hosts the application and database in the us-central1 region. See cloud.google.com/privacy.
• Sentry (optional) — used for error monitoring. No personal data is intentionally sent to Sentry; PII scrubbing is enabled.
• YouTube Data API v3 — we send the URL/handle you provide to YouTube's API to resolve the channel ID. Subject to Google's Privacy Policy.

4. Cookies and Sessions

We use a single session cookie to maintain your login state. This cookie is HttpOnly, Secure, and SameSite=Lax. We do not use tracking cookies, analytics cookies, or advertising cookies.

5. Data Retention

Your account data is retained as long as your account exists. Lookup logs are retained indefinitely for quota enforcement purposes but contain no raw URLs. You may request deletion of your account and all associated data at any time.

6. Your Rights

Depending on your jurisdiction, you may have rights to: access your personal data, correct inaccuracies, request deletion, object to processing, or request data portability. To exercise any of these rights, contact us at support@channelid.app.

If you are in the European Economic Area, you have rights under GDPR. If you are in California, you have rights under CCPA. We will respond to verifiable requests within 30 days.

7. Data Security

Email addresses are encrypted at rest using AES-GCM. Database traffic is encrypted in transit (TLS). Application traffic is HTTPS-only with HSTS enforced. Secrets are stored in Google Cloud Secret Manager, not in environment variables or code.

8. Children's Privacy

The Service is not directed at children under 13. We do not knowingly collect personal data from children. If you believe a child has provided us data, contact us for immediate deletion.

9. Changes to This Policy

We may update this policy. Significant changes will be communicated via the Service or email where possible. Continued use after changes constitutes acceptance.

10. Contact

Privacy questions: support@channelid.app

---