Privacy Policy

1. Introduction

CleanQ ("we," "our," or "us") is an AI-powered YouTube playlist builder. This application uses YouTube API Services to provide its functionality. By using CleanQ, you agree to be bound by the YouTube Terms of Service and the Google Privacy Policy.

2. Data We Access, Collect, and Store

Through the YouTube API Services, CleanQ accesses and processes the following data:

• YouTube Subscriptions— We read your subscriptions to recommend relevant content and channels.
• Video Metadata— Titles, descriptions, thumbnails, durations, and other publicly available video information used to build and display playlists.
• Playlist Data— We access your existing playlists and create new playlists on your behalf when you choose to save them.
• Authentication Tokens— OAuth 2.0 tokens are stored securely to maintain your session and authorize API requests on your behalf.

3. How We Use, Process, and Share Your Data

Your data is used solely to provide CleanQ's core functionality. Below is the complete processing pipeline, in order, for every CleanQ session:

1. Authentication— When you sign in with Google, we receive an OAuth 2.0 access token, refresh token, your Google user ID, email, display name, and profile picture URL. The refresh token is encrypted at rest using AES-256 before being stored.
2. Topic input— When you type or click a topic, that text is sent to our backend, which submits it to Google's Gemini API to generate semantic search queries. Topic strings are not stored beyond the lifetime of the request.
3. YouTube API requests— Our backend uses our YouTube Data API v3 key (and, optionally, your OAuth token for subscription reads) to call search.list,videos.list,subscriptions.list, and (when you save a playlist)playlists.insert /playlistItems.insert.
4. AI ranking— Public video metadata (titles, descriptions, channel name, duration, view count) returned by YouTube is sent to Google's Gemini API for relevance ranking and curation. No personally identifiable information is sent to Gemini.Gemini is configured with zero-day data retention; per Google's API terms, your prompts are not used to train Gemini models.
5. Storage— Your account profile, saved playlist IDs, and YouTube playlist references are persisted in our database (Supabase). We do not store video content itself — only references and metadata snapshots used for display.
6. Billing— If you start a subscription, Stripe processes the payment. We never see or store your card number; we receive only a Stripe customer ID and subscription status via webhook.
7. Analytics— Anonymous interaction events (page views, button clicks, sign-in success, country derived from your IP) are sent to Google Analytics 4 and to our own analytics endpoint for product improvement. We do not send your YouTube content or watch history to analytics.

4. Data Sharing — Service Providers and Third Parties

CleanQ does not sell, rent, or disclose your data to advertisers, data brokers, or marketing partners, and CleanQ does not display advertisements of any kind. We do share specific data with the following service providers strictly to operate the service. Each provider is bound by its own privacy policy and acts as a data processor on our behalf.

• Google (YouTube Data API, Gemini API, Google OAuth)— receives OAuth requests, YouTube API calls on your behalf, and topic strings + public video metadata for ranking. Governed by the Google Privacy Policy.
• Supabase— hosts our PostgreSQL database containing your account profile, saved playlist references, and encrypted OAuth refresh tokens. Governed by the Supabase Privacy Policy.
• Vercel— hosts and serves the frontend and backend, and processes request logs (IP address, country, request path). Governed by the Vercel Privacy Policy.
• Stripe— processes payments and stores billing details if you subscribe. We never receive or store your full card number. Governed by the Stripe Privacy Policy.
• Google Analytics 4— receives anonymous product-usage events for measurement. No YouTube content or personal identifiers are sent. Governed by the Google Privacy Policy.
• Upstash (Redis)— temporary in-memory cache for YouTube API responses and Stripe webhook idempotency. Cached entries expire automatically. Governed by the Upstash Privacy Policy.

We may also disclose your data when required by law (subpoena, court order, or other valid legal process), to protect the safety or rights of CleanQ users, or to investigate fraud or abuse of the service.

Internally, CleanQ is operated by a single owner-operator (Jonathan Marino, Albuquerque Flibertygibbits LLC). No third parties inside the company access your data because there are no other personnel. Service-account credentials with database access are limited to production deployment systems.

5. Cookies, Local Storage, and Information We Access on Your Device

CleanQ stores, accesses, and recognizes information on your device using browser cookies,localStorage,sessionStorage, and IndexedDB. The complete list of what we set or read is below.

Cookies we set

• cleanq_guest— httpOnly, Secure, SameSite=Lax. A 1-year cookie identifying your anonymous 24-hour guest trial session. Used only to associate guest activity with the correct session row.

localStorage entries we set

• cleanq_session_token— your signed JWT session token, used to authenticate API calls. Cleared on sign-out.
• cleanq_google_token— your Google OAuth access token, used only for direct browser-to-YouTube IFrame requests. Cleared on sign-out.
• cleanq_session_expiry— JWT expiration timestamp, used to know when to refresh.
• cleanq_guest_id— mirror of the guest cookie, used as a fallback when cookies are blocked.
• cleanq_tutorial_complete,cleanq_has_seen_onboarding,cleanq_signin_tracked— one-time flags so we don't re-show tutorials or re-fire analytics events.
• Zustand persistence— your in-app preferences (font family, font size, color theme, autoplay, default duration) so they survive page reloads.

sessionStorage entries we set

• cq_sid— a random identifier used to group your interaction events into one analytics session. Cleared when you close the tab.
• upsell_banner_dismissed— remembers if you dismissed the upgrade banner this tab.

Third-party cookies and storage

The following third-party scripts and frames may set or read their own cookies and storage on your device, governed by their own privacy policies:

• Google Analytics 4— sets_ga and_ga_* cookies for anonymous traffic measurement.
• YouTube IFrame Player (youtube.com / youtube-nocookie.com)— embedded video frames may set YouTube cookies when you play a video. CleanQ uses the privacy-enhanced youtube-nocookie.comdomain where supported.
• Stripe— if you visit a checkout page, Stripe sets fraud-prevention cookies governed by their privacy policy.
• Vercel— may set short-lived cookies for deployment routing and analytics.

Your controls

You can block or delete cookies and local storage at any time using your browser settings. Blocking essential cookies (such as cleanq_session_token) will prevent you from staying signed in. Signing out (Settings → Account → Sign Out) or deleting your account (Settings → Account → Danger Zone) removes all CleanQ-set localStorage entries.

6. Data Retention

YouTube API metadata (such as video information, subscription data, and playlist details) is cached for a maximum of 30 days to improve performance and reduce redundant API calls. After 30 days, cached metadata is automatically purged and re-fetched from the YouTube API as needed.

Authentication tokens are retained only for the duration of your active session and are revoked when you sign out.

7. Data Security

We implement industry-standard security measures to protect your data, including AES-256 encryption of stored OAuth refresh tokens, HTTPS for all API communications, Row-Level Security on all user-scoped database tables, and httpOnly + Secure + SameSite cookies for session identifiers.

8. Revoking Access

You can revoke CleanQ's access to your Google account at any time by visiting the Google Security Settings page. Once access is revoked, CleanQ will no longer be able to access your YouTube data, and any cached data will be deleted within 30 days.

9. Data Deletion

You may request complete deletion of all your data stored by CleanQ at any time by contacting us at marinoonthelake@gmail.com. Upon receiving your request, we will:

• Delete all cached YouTube API metadata associated with your account
• Revoke and delete all stored authentication tokens
• Remove your account and any associated preferences
• Confirm deletion via email within 7 business days

10. GDPR Compliance

If you are located in the European Economic Area (EEA), you have the following rights under the General Data Protection Regulation (GDPR):

• Right of Access— You can request a copy of the personal data we hold about you.
• Right to Rectification— You can request correction of inaccurate data.
• Right to Erasure— You can request deletion of your data (see Section 8).
• Right to Restrict Processing— You can request that we limit how we use your data.
• Right to Data Portability— You can request your data in a machine-readable format.
• Right to Object— You can object to data processing based on legitimate interests.

To exercise any of these rights, contact us at marinoonthelake@gmail.com. We will respond to your request within 30 days.

11. Contact Us

If you have any questions, concerns, or data requests, please contact us:

• Email: marinoonthelake@gmail.com
• Business entity: Albuquerque Flibertygibbits LLC
• Mailing address: Albuquerque, NM, USA

We aim to respond to all enquiries within 7 business days, and to GDPR rights requests within 30 days.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Any changes will be posted on this page with an updated revision date. Your continued use of CleanQ after changes are posted constitutes your acceptance of the revised policy.