Privacy

Last updated: 2026-06-09

What we store

  • Account: your email and authentication identifier via Clerk.
  • YouTube connection: an OAuth refresh token per channel, scoped to youtube.upload (so we can publish videos to your channel on your behalf) and youtube.readonly (so the SEO insights panel can fetch top videos in your niche from the public YouTube Data API). We never see your password.
  • AI provider credentials (Starter plan only): the Suno + Google AI keys you enter, used only to call those services on your behalf.
  • Generated content: the audio, image, and video files produced for your channel, plus the prompts used.
  • Public YouTube stats (views, likes, comments) for the videos we uploaded, so the analyst loop can improve future generations.

Google API Services User Data Policy

voilaai's use and transfer of information received from Google APIs to any other app will adhere to Google API Services User Data Policy, including the Limited Use requirements.

Concretely, the OAuth scopes we request (youtube.upload, youtube.readonly, plus the basic userinfo.email / userinfo.profile scopes used for sign-in) are used only to provide the user-facing features described above. We do not use Google user data for advertising, allow humans to read it (except with the user's explicit consent or as required for security / debugging / legal reasons), or use it for any purpose outside the in-app workflows the user invoked.

How we use Google user data

We use each type of Google user data only for the purpose shown:

  • Google account email & basic profile (userinfo.email / userinfo.profile) — to create and identify your voilaai account at sign-in and to contact you about your account.
  • YouTube OAuth refresh token (youtube.upload) — to obtain short-lived access tokens so we can upload the videos you generate to your own YouTube channel, on your behalf and at your request. We never use it to read, modify, or delete anything else on your channel.
  • Public YouTube data (youtube.readonly) — to power the in-app SEO insights panel (top videos in your niche) and to read the public view, like, and comment counts of the videos we uploaded, so the analyst loop can improve future generations for your channel.

We do not use Google user data for any automated decision-making about you, for advertising, or to train generalized AI/ML models.

How we share, transfer, and disclose Google user data

"Google user data" means the information voilaai obtains through Google APIs and OAuth: your Google account email and basic profile (used for sign-in), the per-channel YouTube OAuth refresh token, and the public YouTube statistics for videos we uploaded on your behalf.

We do not sell Google user data, and we do not transfer or disclose it to third parties for advertising, market research, data-brokering, credit-worthiness or lending decisions, or for training generalized AI/ML models. We share Google user data only with the limited set of infrastructure and service providers (sub-processors) listed below, and only to the extent needed to operate the features you ask for:

  • Google / YouTube — we send the rendered video and its metadata back to YouTube's Data API to publish it to your channel, and call YouTube's public endpoints for the SEO insights panel. This is the transfer of Google user data back to Google to deliver the upload you requested.
  • Clerk (authentication provider) — receives your Google account email and basic profile to create and manage your sign-in identity.
  • Cloudflare (DNS, edge network/CDN, and R2 object storage) — serves the site and stores generated cover-art files as our infrastructure provider. The OAuth refresh token itself is held in our application database (see "How we store and protect your data" below), not at Cloudflare.

We may also disclose Google user data if required by law, regulation, legal process, or enforceable governmental request, or where necessary to detect, prevent, or address fraud, security, or technical issues. Our service providers are bound by contract to handle this data only on our instructions and consistent with this policy and Google's Limited Use requirements. Suno (music generation), the Gemini / Imagen generative-AI APIs (concept + cover art), Lemon Squeezy (billing), and Resend (transactional email) do not receive your Google user data.

What we don't store

  • Your YouTube password or any other Google credential beyond the OAuth token.
  • Private YouTube data — we only call public-data endpoints (search + statistics).
  • Tracking pixels, third-party advertising cookies, or behaviour analytics.

All service providers (sub-processors)

For completeness, here is every provider we share any data with, and only the providers we call on your behalf: Suno (music generation), Google Generative AI (concept + cover art via the Gemini and Imagen APIs), YouTube (video upload + SEO insights via the Data API), Clerk (authentication), Lemon Squeezy (billing — our payments merchant of record), Resend (transactional email), and Cloudflare (DNS + edge + R2 storage for cover art archives). We do not sell or share your data with anyone else. See the section above for which of these specifically receive Google user data.

How we store and protect your data

We treat the YouTube OAuth token, and the AI-provider keys and notification credentials you enter, as sensitive data and protect them with the following safeguards:

  • Encryption at rest: the YouTube OAuth refresh token and every third-party credential you give us (Suno + Google AI keys and any notification tokens) are encrypted at rest using authenticated symmetric encryption (Fernet — AES-128 in CBC mode with an HMAC-SHA256 integrity check) before they are written to the database. The encryption keys are held only in our application's runtime environment, never stored in the database itself, so a copy of the database or a backup file does not expose any usable credential.
  • Encryption in transit: all traffic to and from the app, and all calls to Google APIs, are encrypted over HTTPS/TLS.
  • Where it lives: account data and the encrypted YouTube OAuth token are stored in a PostgreSQL database running on our own dedicated server infrastructure. Generated cover-art files are stored in Cloudflare R2. We do not copy this data to any other location.
  • Tenant isolation: the database enforces forced PostgreSQL Row-Level Security, so every query is scoped to the owning account and one customer's data can never be read by another.
  • Access control: access to the production database and the encryption keys is restricted to the operator and used only for operating, securing, debugging, or legally complying with the service; we do not allow humans to read Google user data except with your explicit consent or for those limited reasons.
  • Retention & deletion: we keep Google user data only as long as your account is active or as needed to provide the service. Disconnecting your YouTube channel deletes our copy of its OAuth token immediately, and closing your account purges your data as described below.

Deleting your data

Email [email protected] from your account address and we'll purge your tenant within 7 days. Disconnecting your YouTube channel from the voilaai dashboard revokes our copy of the OAuth token immediately; you can additionally revoke voilaai's access from your Google Account permissions page at any time.

Contact

Serkan Cura · [email protected]

← back home