privacy

Privacy Policy

Effective date: February 1, 2026

1. Introduction

Polisht ("we", "us", "our") is a YouTube optimization tool operated from Canada. This Privacy Policy explains what data we collect when you use polisht.ca and our mobile apps (collectively, the "Service"), how we use it, and your rights regarding it.

Polisht uses YouTube API Services. By using Polisht, you also agree to be bound by the YouTube Terms of Service and Google's Privacy Policy. You can revoke Polisht's access to your Google data at any time via the Google security settings page.

2. Information we collect

We collect only the data necessary to operate Polisht. Specifically:

2.1 Account data (when you sign in)

  • Google profile basics: email, display name, profile photo URL, and Google account ID — pulled from Google's OAuth profile/userinfo endpoints during sign-in.
  • OAuth tokens: a refresh token and short-lived access token for your YouTube account. These are stored encrypted in our database and used only to read/write the channels you authorize.
  • Tier and usage counters: your subscription tier, monthly video quota, and the number of videos you've analyzed this period.

2.2 Content data (when you analyze a video)

  • YouTube video metadata: the title, description, tags, thumbnails, captions, recording date, category, language, and statistics of the video you submit. We fetch this from YouTube's API.
  • Audio + frame samples: when generating transcripts and visual analysis, we temporarily extract audio and sample frames from the video. These are deleted from our servers within 24 hours of analysis completion.
  • Transcript text: generated by OpenAI's Whisper model. Stored alongside your analysis so you can re-use it. You can delete any analysis at any time from the History tab.
  • AI-generated content: proposed titles, descriptions, tags, chapter timestamps, and thumbnails generated by Anthropic Claude, OpenAI, and Google Gemini models. Stored as part of your analysis.
  • Brand Kit settings: your channel's color scheme, branding text, default category, etc., if you've configured them.

2.3 Operational data

  • Logs: request timestamps, IP addresses, user agents, error stacks, and API response codes. Retained for 30 days for debugging and security; auto-deleted after.
  • Snapshots: before each "Apply to YouTube" action, we save a snapshot of the previous YouTube state so you can revert within 7 days. Snapshots are auto-deleted after 7 days.

3. How we use your information

We use the data described above solely to:

  • Authenticate you and maintain your session
  • Read and edit the YouTube videos you explicitly submit for analysis
  • Generate AI suggestions (titles, descriptions, tags, chapters, thumbnails, captions)
  • Push approved changes to YouTube on your behalf
  • Enable revert / history features
  • Diagnose errors and improve reliability
  • Send transactional emails (sign-in confirmations, quota notices) — never marketing without explicit opt-in

We do NOT use your content to train AI models. We do not sell, rent, or share your data with advertisers. We do not show advertisements inside Polisht.

4. YouTube API services compliance

Polisht's use of information received from YouTube API Services adheres to the YouTube API Services Terms of Service and the Google Privacy Policy.

Specifically, Polisht does NOT:

  • Use any YouTube API data to build user profiles, target ads, or train machine learning models
  • Share YouTube API data with third-party advertisers
  • Store YouTube API data longer than necessary for the user-requested operation
  • Aggregate YouTube API data with personally identifiable information from other sources

You can revoke Polisht's access to your YouTube data at any time via: https://security.google.com/settings/security/permissions

5. Third-party services

To deliver Polisht, we send your data to the following processors. Each operates under their own privacy policy:

  • Google (YouTube, OAuth, Gemini): reads and writes your YouTube data with your consent; provides AI image generation. Privacy policy.
  • OpenAI: provides Whisper transcription. OpenAI does not use API inputs to train models (per their API data usage policy).
  • Anthropic: provides Claude AI text generation. Anthropic does not use API inputs to train models (per their privacy policy).
  • MongoDB Atlas: stores our database. Hosted in North America.
  • Emergent.sh: our application hosting platform.
  • Resend: sends transactional emails (sign-in confirmations).

We do not use analytics trackers (no Google Analytics, no Mixpanel) in the core app. The marketing site at the root domain may use privacy-respecting analytics in the future; if so, this policy will be updated and you'll see a cookie consent banner.

6. Data retention

  • Account data: retained while your account is active. Delete your account anytime — all account data is removed within 30 days.
  • Analyses and AI-generated content: retained until you delete them. We never delete your work without your action.
  • Audio/frame extracts: deleted within 24 hours of analysis completion.
  • Snapshots (for revert): auto-deleted after 7 days.
  • Logs: auto-deleted after 30 days.
  • OAuth tokens: deleted immediately if you revoke access via Google or delete your Polisht account.

7. Your rights (GDPR / CCPA / PIPEDA)

Regardless of where you live, you have the following rights:

  • Access: request a copy of all data we hold about you. Email hello@polisht.ca; we respond within 30 days.
  • Correction: update incorrect data via your profile or by emailing us.
  • Deletion: delete your account or any specific analysis at any time. Account deletion is permanent and triggers removal of all associated data within 30 days.
  • Portability: request your data as a downloadable JSON archive.
  • Revoke consent: revoke Polisht's Google OAuth access via Google's permissions page (link above). This immediately stops Polisht from reading/writing your YouTube data.
  • Lodge a complaint: if you're in the EU, you may file a complaint with your local data protection authority.

8. Security

We take reasonable steps to protect your data:

  • OAuth tokens are encrypted at rest in our database
  • All connections use TLS 1.2+
  • Production databases are network-isolated
  • Access to production systems is restricted to authorized engineers with MFA
  • We follow industry-standard security practices and update our systems regularly

No system is 100% secure. If we discover a security incident affecting your data, we will notify you within 72 hours of discovery.

9. International transfers

Polisht is operated from Canada. Our data processors are located in the United States and Europe. By using Polisht, you consent to your data being processed in these jurisdictions. We rely on Standard Contractual Clauses (SCCs) for EU/UK data transfers where applicable.

10. Children's privacy

Polisht is not directed at children under 13 (or 16 in the EU/UK). We do not knowingly collect data from children. If you believe a child has provided us with personal information, contact hello@polisht.ca and we will delete it.

11. Cookies and local storage

We use only essential cookies and local-storage entries to operate Polisht:

  • JWT session token: stored in localStorage on web / SecureStore on mobile. Lasts 30 days unless you sign out.
  • Draft auto-save: in-progress reviews are saved locally so you don't lose work on a refresh.

We do not use any third-party tracking cookies in the app.

12. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be announced via email to active users at least 30 days before taking effect. The "Effective date" at the top of this page reflects the most recent update.

13. Contact

Questions, requests, or complaints? Email hello@polisht.ca. We respond within 5 business days.

For mailing-address requirements (GDPR/CCPA disclosure): contact us by email and we will provide the registered business address.


Last revision: February 1, 2026. Previous versions of this policy are available on request.