Privacy Policy

    Last updated: May 11, 2026

    1. Information We Collect

    When you create an account, upload content, or contact support we collect:

    • Name, email, and (if you sign in via OAuth) avatar URL;
    • Payment-method metadata (processed by Stripe; we do not store card numbers);
    • Audio files you upload for processing;
    • The transcripts, show notes, and other assets generated from your audio;
    • Usage data: pages viewed, features used, error reports;
    • If you connect Twitter, LinkedIn, WordPress, or other integrations: OAuth tokens for those services (encrypted at rest in Supabase Vault).

    2. How We Use Your Information

    • To provide and improve the Service;
    • To transcribe and generate derivative content from your audio;
    • To send transactional emails (account, billing, processing status);
    • To send marketing emails only with your consent (you can opt out anytime);
    • To detect and prevent fraud, abuse, and security incidents;
    • To meet our legal obligations.

    3. Sub-Processors

    We use the following third-party processors to deliver the Service. Each processes only the data needed for its function and is bound by a data-processing agreement:

    VendorPurposeData sharedRegion
    StripePayments, billing, customer portalEmail, billing address, payment metadataUS
    SupabaseDatabase, auth, storage, edge functionsAccount, audio files, generated assetsUS
    VercelWeb hosting + CDNIP address, request metadataUS
    DeepgramAudio transcription (Nova-2)Audio file URL, transcript outputUS
    OpenAIGenerative AI for show notes, social posts, etc.Episode transcript + show metadataUS
    ResendTransactional emailEmail address, message bodyUS
    PostHogProduct analyticsUser ID, page views, feature eventsUS
    SentryError monitoring + session replay (5% sample, errors only)Error stack traces, session replays of errorsUS
    ModalServerless workers for clip rendering and YouTube audio extractionAudio file URLs, transcript word timings, video URLs you submitUS
    DecodoResidential proxy network used only for YouTube ingestion requestsOutbound IP routing only — no user data is shared with this vendorGlobal
    CloudflareBot defense (Turnstile) on landing-page paste box and embed widgetIP address, browser fingerprint for challenge solvingGlobal

    We will update this list when we add or change processors. Material changes are announced by email at least 14 days in advance for paying customers.

    4. AI Vendor Training and Your Content

    We do not use your audio, transcripts, or generated assets to train AI models.Our AI sub-processors (Deepgram, OpenAI) operate under their respective data-processing agreements which prohibit training on customer API data by default. See OpenAI's policy (DPA) and Deepgram's terms.

    5. Data Retention

    • Raw audio files (file upload) — retained for 30 days after successful processing, then automatically deleted. Re-uploadable from the original source if you ever need them again.
    • YouTube-ingested audio — cached for 14 days after last use to allow re-processing without re-downloading. Cached audio is shared across users who submit the same YouTube URL.
    • Generated assets (transcripts, show notes, clips, etc.) — retained for the lifetime of your account.
    • Embed widget queries — anonymous visitor queries to the embeddable AI chat widget are retained 90 days with a hashed IP address (not the raw IP) for abuse detection and per-episode usage caps. Question text is retained 30 days.
    • Account + billing records — retained while your account is active and for 1 year after closure to satisfy tax + auto-renewal recordkeeping requirements.
    • Logs + analytics — retained 90 days then aggregated.

    5a. YouTube Ingestion + DMCA

    When you submit a YouTube URL to be processed, you attest at submission time that you own the content or have a license to process it (we record this attestation with your account email, timestamp, and IP address). We download audio via yt-dlp routed through a residential proxy and process it identically to a file upload.

    DMCA notice and counter-notice: if you believe content processed through the Service infringes your rights, email dmca@episodeops.com with the required information under 17 U.S.C. § 512(c)(3). We respond to verified notices within 24 business hours, remove the affected content, and terminate accounts of repeat infringers in line with our published policy.

    6. Your Rights

    If you are in the EU/UK (GDPR Art. 13/14): you have rights to access, rectify, erase, and port your data; to restrict or object to processing; and to lodge a complaint with your supervisory authority. Our legal basis for processing is contract performance and our legitimate interest in operating the Service. Email privacy@episodeops.com to exercise any right.

    If you are a California resident (CCPA / CPRA): you have rights to know what we collect, to delete it, to correct it, to opt out of sale (we do not sell your data), and to non-discrimination for exercising these rights. We have not sold or shared personal information for cross-context behavioral advertising in the past 12 months.

    To delete your account and all associated data, sign in and visit Settings → Profile → "Delete account," or email privacy@episodeops.com. We honor verified requests within 30 days.

    7. Cookies and Tracking

    We use first-party cookies for authentication and load balancing. We use PostHog for product analytics (first-party, no cross-site tracking) and Sentry for error monitoring (5% session-replay sampling, errors only — no replay outside of error windows). We do not use third-party advertising trackers.

    8. Security and Breach Notification

    Audio files are stored in private buckets accessible only via short-lived signed URLs issued to authorized users. OAuth tokens for connected integrations are encrypted at rest in Supabase Vault. In the event of a confirmed personal-data breach, we will notify affected users by email within 72 hours and follow notification requirements of the applicable jurisdictions.

    9. International Transfers and Children

    Our infrastructure is hosted in the United States. If you access the Service from outside the US your data will be transferred to and processed in the US. We rely on EU Standard Contractual Clauses for transfers from the EU/UK.

    The Service is not intended for users under 16. We do not knowingly collect information from minors. If you believe a minor has created an account, email privacy@episodeops.com and we will remove the account.

    10. Contact

    For privacy questions or to exercise your rights, contact privacy@episodeops.com.