Last updated: 2 July 2026
Privacy Policy
This policy explains how The operator of Tubask (“we”, “us”) processes personal data when you use Tubask (tubask.app) and our MCP service. We comply with the EU General Data Protection Regulation (GDPR) and applicable national law.
1. Data controller
The operator of Tubask
privacy@tubask.app · support@tubask.app
We do not publish personal contact details on this website. For privacy requests, legal notices, or official correspondence, use the email addresses above.
We have not appointed a Data Protection Officer. For privacy requests, contact privacy@tubask.app.
2. What we process
- Account data: email address, optional name, password (stored as an Argon2id hash — we never store plain-text passwords).
- YouTube API key: encrypted at rest (Fernet). Used only to fulfill your MCP requests via Google's YouTube Data API.
- Usage data: tool call metadata (tool name, timestamp, success, latency, approximate quota cost). Not the full text of your AI conversations.
- OAuth connections: identifiers and labels for MCP clients you authorize (e.g. Claude, Cursor).
- Billing data: if you subscribe, payment is processed by Stripe. We receive subscription status and customer reference — not full card numbers.
- Technical logs: IP address, user agent, and security events for fraud prevention and service reliability (short retention).
We do not store full YouTube video files, re-host media, train AI models on your queries, or sell personal data.
3. Purposes and legal bases
- Provide the service (account, MCP, dashboard) — Contract (Art. 6(1)(b) GDPR).
- Billing and subscription management — Contract and Legal obligation (tax/accounting where applicable).
- Security, abuse prevention, rate limiting — Legitimate interests (Art. 6(1)(f) GDPR): protecting our service and users.
- Essential cookies (session) — Legitimate interests / Contract. See our Cookie Policy.
- Support communications — Contract or Legitimate interests when you contact us.
4. Recipients and processors
We share data only when necessary to run the service:
- Google (YouTube Data API) — when your API key is used to fetch public YouTube metadata, captions, and search results. Governed by Google's Privacy Policy.
- Stripe — payment processing for paid plans. Stripe Privacy Policy.
- Infrastructure providers — hosting and database (EU or adequacy-covered regions where possible). Bound by data processing agreements.
We do not allow processors to use your data for their own marketing.
5. International transfers
Some subprocessors (e.g. Google, Stripe) may process data outside the European Economic Area. Where required, we rely on Standard Contractual Clauses, adequacy decisions, or equivalent safeguards under GDPR Chapter V.
6. Retention
- Account data: until you delete your account, then erased within 30 days except where law requires longer retention.
- Usage logs: typically 12 months, then aggregated or deleted.
- Security logs: up to 90 days unless needed for an incident.
- Billing records: as required by tax and commercial law (often 6–10 years in the EU).
7. Your rights (GDPR)
If you are in the EEA, UK, or Switzerland, you have the right to:
- Access your personal data
- Rectify inaccurate data
- Erase data (“right to be forgotten”) — also available via Settings → Delete account
- Restrict or object to certain processing
- Data portability (account and usage data in a structured format)
- Withdraw consent where processing is consent-based
- Lodge a complaint with your local data protection authority (e.g. CNIL in France)
To exercise your rights, email privacy@tubask.app. We respond within one month as required by GDPR.
8. Security
We use encryption for API keys, secure password hashing, HTTPS, signed session cookies, CSRF protection on mutating requests, and OAuth for MCP clients. Details in our Security documentation.
9. Children
Tubask is not directed at children under 16. We do not knowingly collect data from children. Contact us if you believe a child has provided personal data.
10. Automated decisions
We do not make decisions based solely on automated processing that produce legal or similarly significant effects.
11. Changes
We may update this policy. Material changes will be posted on this page with a new “Last updated” date. Continued use after changes constitutes acknowledgment where permitted by law.
12. Contact
Privacy: privacy@tubask.app
Support: support@tubask.app