Privacy Policy

Deeporax, Inc. ("Deeporax", "we", "us") runs deeporax.com. a B2B SaaS product that ingests public YouTube channel data and uses AI to surface hooks, retention curves, tactics, and brief scripts for video creators tracking their competitors. This policy explains what data we handle when you use the website, sign in, and run analyses inside the app.

For data-protection purposes, Deeporax acts as the controller of the personal data you provide to us as a customer (your account, your billing, your settings). The processors listed below act on our instructions to help us deliver the service.

A few words appear throughout this policy. Here's what we mean by them:

Personal Data

Any information that identifies, or could reasonably be used to identify, a natural person. e.g. name, email, IP address, account ID.

Processing

Anything done with personal data. collecting, storing, analysing, displaying, sharing, deleting, and so on.

Controller

The party that decides why and how personal data is processed. For your Deeporax account data, that's us.

Processor

A third party that processes personal data on our behalf under a contract. for example our hosting or payments provider.

Service

The Deeporax website, dashboard, APIs, and any related apps or features we offer at deeporax.com.

We try to keep the dataset small. There are three buckets:

• Account data. your email, display name, profile image (if you sign in with an OAuth provider), hashed password or OAuth token, plan tier, and basic preferences.
• Billing data. handled by Stripe. We store a customer ID, plan, subscription status, invoices, and the last four digits / brand of the card. We never see or store full card numbers.
• Product usage data. the YouTube channels and videos you choose to track, the queries you run, the briefs and notes you save, app event logs (page views, button clicks), and basic device/browser metadata such as IP address and user agent for security and abuse prevention.

We also process public YouTube content. video metadata, captions, transcripts, thumbnails. that you ask us to analyse. This content is fetched from public sources and is not personal data of yours, but if it happens to include personal data of third parties (e.g. a creator's name in a video title), we handle it on the same terms as everything else here.

We use the data above to do exactly the things you'd expect from a product like ours:

• Run the service. authenticate you, render your dashboard, fetch the channels you're tracking, generate hooks and brief scripts, and keep your workspace in sync across devices.
• Bill you. create and charge subscriptions, send invoices and receipts, and handle refunds or plan changes.
• Improve the product. diagnose bugs, measure feature usage in aggregate, and prioritise what to build next. We use aggregated and de-identified data wherever possible for this.
• Communicate with you. send transactional emails (sign-in links, receipts, security alerts), respond to support requests, and occasionally send product updates you can unsubscribe from.
• Keep things safe. detect abuse, prevent fraud, enforce our Terms, and comply with legal obligations.

If you're in the UK, EEA, or Switzerland, we process your personal data under the following lawful bases:

• Contract (Art. 6(1)(b)). to create your account, run analyses you've requested, and bill you for your plan.
• Legitimate interests (Art. 6(1)(f)). to keep the service secure, prevent abuse, debug issues, and understand how Deeporax is used in aggregate so we can improve it. We balance these interests against your rights.
• Consent (Art. 6(1)(a)). for optional cookies and any marketing communications. You can withdraw consent at any time.
• Legal obligation (Art. 6(1)(c)). to keep tax records, respond to valid legal requests, and meet other regulatory requirements.

We use a small number of cookies and similar storage (localStorage, server-set session cookies) to keep you signed in, remember your preferences, and understand how the product is used.

• Strictly necessary. session and auth cookies that keep you logged in and the app functional. These can't be turned off without breaking the service.
• Preference. remembers things like your theme and last-viewed workspace.
• Analytics. first-party, privacy-respecting analytics so we can see which pages and features get used. You can opt out in the cookie banner.

We don't run third-party advertising trackers or cross-site retargeting pixels.

To run Deeporax we rely on a short list of vetted vendors. Each is bound by a Data Processing Agreement (or equivalent) and only handles the minimum data needed for their role:

• Vercel. hosts the website, runs our server-side code, and serves static assets. Processes request metadata such as IP address for performance and security.
• Supabase. provides authentication (email + OAuth providers) and our managed Postgres database, which stores your account metadata, workspace settings, and saved analyses.
• Stripe. processes payments, subscriptions, and invoices. Receives the billing details required to charge your card and issue receipts.
• LLM providers. we send transcript text and prompt context to large-language-model APIs to generate hooks, retention notes, and brief scripts. These providers process inference inputs on our behalf and, under our agreements, do not use that data to train their public models.
• An analytics provider. receives event data (page views, feature usage) tied to a pseudonymous ID to help us understand product usage in aggregate.
• Transactional email provider. sends sign-in links, receipts, and other account emails.

We keep personal data only as long as we need it for the purposes described above.

• Account data is kept while your account is active. If you delete your account, we remove it from our production systems within 30 days, except where we need to retain specific records for legal or tax reasons.
• Billing records are retained as long as required by applicable tax and accounting law (typically 7–10 years).
• Product usage logs are retained for up to 12 months, then deleted or anonymised.
• Cached YouTube content and generated analyses tied to your workspace are deleted alongside your account.
• Backups are rotated on a rolling schedule; deleted data persists in backups until those backups expire (typically within 30–90 days).

Depending on where you live, you have rights over your personal data. We honour these for every customer regardless of jurisdiction wherever we reasonably can.

If you're in the UK, EEA, or Switzerland (GDPR / UK GDPR), you have the right to:

• Access. get a copy of the personal data we hold about you.
• Correction. fix data that's wrong or out of date.
• Deletion. ask us to erase your data, subject to legal retention requirements.
• Portability. receive your data in a structured, machine-readable format.
• Restriction and objection. limit certain uses, or object to processing based on legitimate interests.
• Withdraw consent. for anything we process on a consent basis, at any time.
• Lodge a complaint. with your local data-protection authority. We'd love a chance to fix things first, but it's your right either way.

If you're a California resident (CCPA / CPRA), you have the right to know what personal information we collect, request deletion, request correction, and opt out of any sale or sharing of personal information. As noted above, we do not sell personal information, and we do not share it for cross-context behavioural advertising.

You can exercise most of these rights directly from your account settings. For anything you can't do in-app, email us at the address below and we'll handle it within the timeframe the law requires.

Deeporax is a global product. Our processors operate data centres in multiple regions, including the United States, which means your personal data may be transferred to and processed in countries other than the one you live in.

Where data leaves the UK, EEA, or Switzerland, we rely on appropriate safeguards. typically the European Commission's Standard Contractual Clauses and the UK International Data Transfer Addendum. to make sure your data keeps the same level of protection it would have at home.

We take security seriously, both because we have to and because we'd want to as users ourselves.

• Data in transit is encrypted with TLS.
• Data at rest is encrypted by our hosting and database providers.
• Passwords are hashed; we never store plaintext credentials.
• Access to production systems is limited to staff who need it, protected by SSO and MFA, and logged.
• We follow secure-development practices, run dependency scanning, and patch known vulnerabilities promptly.

No system is bulletproof. If we ever experience a security incident that affects your personal data, we'll notify you and the relevant authorities as required by law.

Deeporax is a B2B product for video creators and is not intended for anyone under 16 (or the equivalent minimum age in your country). We don't knowingly collect personal data from children. If you believe a child has signed up, please contact us and we'll delete the account.

We'll update this policy as the product evolves or the law changes. When we make a material change, we'll update the "last updated" date at the top and, where appropriate, notify you in-app or by email before the change takes effect. Older versions are available on request.

Questions, data-subject requests, or anything else about how we handle your data. reach out using the contact details below. We read every email.