Privacy Policy
Last updated: March 2026
The key thing to know: TubeCommand is self-hosted software. Your YouTube data, OAuth tokens, and analytics live on YOUR server. We never have access to your credentials or channel data.
1. Overview
TubeCommand ("we", "us") respects your privacy. This policy explains what data we collect, why, and how we protect it. Because TubeCommand is self-hosted, most of your data never touches our servers.
2. What We Collect
On our servers (if you purchase a plan):
- Email address (for account management and communication)
- Name (for personalisation)
- Payment information (processed securely through Stripe — we never see your full card number)
- Plan and subscription status
On YOUR server (self-hosted data we never access):
- YouTube OAuth2 tokens (encrypted with AES-256)
- YouTube channel data (names, statistics, video metadata)
- YouTube Analytics data (views, revenue, watch time)
- Video files, thumbnails, and subtitles you upload
- Comments, playlists, and automation logs
3. How We Use Your Data
We use account data only to:
- Provide and maintain your TubeCommand account
- Process payments and manage your subscription
- Send important service-related emails (billing, security, updates)
- Respond to support requests
We do NOT use your data for advertising, profiling, or sharing with third parties.
4. YouTube API Data
TubeCommand uses the YouTube Data API v3 and YouTube Analytics API. When you connect a channel:
- OAuth tokens are stored encrypted on YOUR server only
- We access your YouTube data only through the scopes you explicitly grant
- You can revoke access at any time through Google Account → Security → Third-party access
- We comply with the Google API Services User Data Policy
5. Data Security
We take security seriously:
- OAuth tokens are encrypted using AES-256-CBC with a unique encryption key
- Passwords are hashed with bcrypt (cost factor 12)
- Sessions expire after 30 days of inactivity
- All API communication uses HTTPS
- Database credentials are stored in server configuration, not in code
6. Cookies
We use a single session cookie (tc_session) for authentication. It is:
- HttpOnly (not accessible to JavaScript)
- Secure (HTTPS only in production)
- SameSite=Lax (prevents cross-site request forgery)
- Expires after 30 days
We do not use tracking cookies, analytics pixels, or third-party cookies.
7. Data Retention
Account data is retained while your account is active. Self-hosted data on your server is entirely under your control. If you delete your account, we remove your account data from our systems within 30 days. Backups are purged within 90 days.
8. Your Rights
Under GDPR and UK data protection law, you have the right to:
- Access your personal data
- Correct inaccurate data
- Delete your account and data
- Export your data
- Withdraw consent for data processing
- Lodge a complaint with the ICO (UK) or your local data protection authority
9. Third-Party Services
The only third-party services involved in TubeCommand are:
- Google/YouTube APIs — for channel management (governed by Google's privacy policy)
- Stripe — for payment processing (governed by Stripe's privacy policy)
10. Children's Privacy
TubeCommand is not intended for children under 16. We do not knowingly collect data from children.
11. Changes to This Policy
We may update this policy from time to time. We will notify users of material changes via email at least 14 days before they take effect.
12. Contact Us
For privacy-related questions or to exercise your data rights, contact us at privacy@yourdomain.com.