Privacy Policy
Last Updated: June 29, 2026 | Effective Date: May 1, 2026
1. Introduction
This Privacy Policy ("Policy") describes how Vid Receipts, Inc., a Delaware corporation ("Vid Receipts," "we," "us," or "our"), collects, uses, shares, and protects information in connection with your use of the Vid Receipts web application and all related services, features, content, APIs, and functionality (collectively, the "Service"). Our registered agent address is 131 Continental Dr, Suite 305, Newark, DE 19713, New Castle County, Delaware, United States.
By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Policy. If you do not agree, please do not use the Service. This Policy applies to all users of the Service, including visitors, registered users, subscribers, and contributors.
The Service uses YouTube API Services. By using our Service, you are also bound by the Google Privacy Policy.
2. Information We Collect
We collect information in multiple ways depending on how you interact with the Service. The categories below describe the types of information we may collect.
2.1 Account and Registration Information
When you create an account, we collect information provided through our authentication providers, which include Google Sign-In and email/password registration. This may include:
- Full name and display name
- Email address
- Profile photograph or avatar
- Unique Google account identifier (when using Google Sign-In)
- Authentication credentials (passwords are hashed and never stored in plaintext)
We use Firebase Authentication (provided by Google) to manage all account creation, authentication, and session management.
2.2 User-Generated Content
When you use the Service, you may create and contribute various types of content, including:
- Receipts: Timestamped, rich-text posts pinned to YouTube videos, including text, images, and timestamps
- Comments: Text responses to other users' Receipts
- Votes: Validation or invalidation votes on Receipts and Comments
- Feeds: Curated collections of videos and Receipts, including Public Feeds, Custom Feeds, Private Feeds, and Draft Feeds
- Personas: Alternate identities users may create for authoring Receipts
- Uploaded Media: Images, screenshots, and avatar photographs uploaded through the Service
All User-Generated Content is stored using Google Firebase services (Firestore for structured data and Firebase Storage for media files). The public profile attributes of a Persona, its display name, unique handle, and avatar, are visible to other users wherever that Persona has posted, and are additionally served from low-latency public read replicas (Firebase Realtime Database mirrors) within our infrastructure to render content attribution efficiently.
2.3 Payment and Subscription Information
If you subscribe to a paid plan (Individual Pro, Creator Pro, Creator Elite, Business Starter, or White Label Business), we collect:
- Subscription tier and billing period
- Stripe customer identifier and subscription identifier
- Billing period start and end dates
- Plan selection history
Important:We do not directly collect, process, or store your credit card numbers, bank account details, or other payment instrument information. All payment processing is handled exclusively by our third-party payment processor, Stripe, Inc. ("Stripe"). Please review Stripe's Privacy Policy for information on how Stripe handles your payment data.
2.4 YouTube and Third-Party Platform Data
If you connect your YouTube account to the Service via OAuth, we may access:
- YouTube channel information and subscriptions
- Your liked videos
- The topics and categories associated with your subscriptions and liked videos
- Video metadata (titles, descriptions, thumbnails, durations, publish dates)
- Playlist information
- OAuth access and refresh tokens (stored securely and encrypted)
From your subscriptions and liked videos we build a private interest profile, computed on your device, that chooses what appears in your Discover feed, including recent uploads from the channels you already follow and videos in the topics your subscriptions and likes cover. If you verify a YouTube channel you own for gold creator receipts, we reuse the same read-only access to confirm the channel is yours, without a second sign-in. These signals stay private to you: we never sell or share them, and we never show you (or anyone else) a derived score or ranking number built from them. We cache only the raw data needed for this and refresh it on a rolling basis; if you revoke access, or your authorization lapses, we delete this YouTube-derived data within thirty (30) days.
This data is accessed via the YouTube Data API v3 in accordance with YouTube's API Services Terms of Service. You may revoke our access to your YouTube data at any time through your Google Security Settings.
Vid Receipts' use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. For a focused summary of how we access, use, store, and share YouTube data, see our YouTube API Services & Limited Use disclosure.
Browser extension.The Vid Receipts browser extension does not perform its own YouTube sign-in or OAuth. Instead, the video titles, thumbnails, channel names, and durations it displays are YouTube Data API results served to it by our first-party backend, the same backend the web app uses. This use is limited to displaying that information alongside the matching video's receipts and is subject to the same Google API Services User Data Policy, including the Limited Use requirements, referenced above. We do not sell this data, transfer it to third parties, or use it for advertising. The extension reads the current video ID and playback time from the YouTube watch page locally, to identify which video's feed to show, and sends only that video ID to our backend; it does not collect your YouTube watch history, subscriptions, or any other YouTube account data, and it carries no analytics or crash reporting of any kind. This statement is specific to the extension; YouTube API Services & Limited Use describes the separate, OAuth-based creator connection available in the web app.
2.5 Usage and Analytics Data
We collect usage data through Firebase Analytics (Google Analytics 4) to understand how the Service is used and to improve it. This may include:
- Device type, operating system, and browser information
- IP address (used for approximate geolocation, then discarded)
- Pages visited, features used, and navigation patterns
- Session duration and frequency of use
- Referring URLs and search terms that led you to the Service
- Interaction events (e.g., button clicks, form submissions, feature engagement)
- Quota and resource usage counters (e.g., receipts created per month, storage consumed)
Analytics data is collected only in production environments and is processed by Google in accordance with Google's Privacy Policy.
Server-side conversion measurement. When you complete a paid subscription purchase, we record that conversion to Google Analytics 4 from our own servers (the Measurement Protocol) so we can measure subscription performance and keep accurate financial and conversion reporting. We send this server-side event even if you have declined analytics cookies, because it measures your own completed transaction rather than tracking your browsing: it uses a server-generated identifier (never your _ga browser cookie), it carries no personal information beyond your account identifier (no name, no email), and it is never used for advertising or cross-site tracking. Our lawful bases are performance of our contract with you and our legitimate interest in measuring and reporting on sales (GDPR Article 6(1)(b) and 6(1)(f)).
We also use Sentry for error tracking and performance monitoring. When an application error occurs, Sentry may collect error details, stack traces, browser and device metadata, and request context to help us diagnose and fix issues. This data is processed by Functional Software, Inc. in accordance with Sentry's Privacy Policy. We filter personally identifiable information (PII) from error reports before transmission.
2.6 AI-Processed Data
We use Google Gemini artificial intelligence (via Google Genkit) for automated content moderation. When you create or edit a Receipt or a comment, or upload an image or PDF document, that content may be sent to Google's Gemini AI service for analysis against our community guidelines. Much text content is screened first by automated, non-AI checks that run entirely on our own infrastructure; only content those checks escalate is sent to the AI service. This processing determines whether content is safe and appropriate for the platform. Google processes this data in accordance with its Gemini API Terms of Service.
2.7 Cookies and Local Storage
The Service uses the following client-side storage mechanisms:
- Strictly necessary (cookies): Firebase Authentication session cookies and an auth-state hint cookie keep you signed in; a consent-region cookie (
vr.consent_regime) records which privacy regime applies so we can apply the correct consent default; a UI sidebar-state cookie remembers whether the navigation rail is collapsed. These are required for the Service to function and are not used for tracking. - Functional and preferences (local storage): Your privacy choice (
vr.consent), YouTube authentication state, application state (via Zustand stores), cached feed data, and interface preferences are stored in your browser's local storage. This data stays on your device and is not a cookie. - Analytics (cookies, only with consent): Google Analytics 4 (Firebase Analytics) sets cookies (for example
_ga) to measure usage as described in Section 2.5. These are set only when you allow analytics. Analytics is denied by default, and in the EU, EEA, and UK it stays denied until you opt in. We run no advertising and set no advertising cookies.
You can review or change your choice at any time using the "Cookie settings" link in the footer, or in Settings under Data & Privacy. You can also manage cookies through your browser settings, although disabling strictly necessary cookies may impair sign-in and session persistence.
2.8 Organization and Team Data
If you create or join an Organization (Business Starter or White Label Business plans), we additionally collect:
- Organization name and identifiers
- Team membership records (member user IDs and roles)
- Pending invitations and invitation metadata
- Shared storage and resource usage across the organization
3. How We Use Your Information
We use the information we collect for the following purposes:
- Service Provision: To create and maintain your account, authenticate your identity, provide the core functionality of the Service (including creating Receipts, Feeds, comments, votes, and personas), and manage your subscription.
- Content Moderation: To automatically review user-generated content against our community guidelines using AI-powered moderation (Google Gemini), and to manually review flagged content.
- Payment Processing: To manage subscriptions, process billing through Stripe, enforce tier-based quotas and feature access, and handle subscription upgrades, downgrades, and cancellations.
- Service Improvement: To analyze usage patterns, identify bugs and performance issues, develop new features, and improve the overall user experience.
- Communication: To send transactional emails (e.g., account verification, password resets, billing notifications), and, with your consent where required by law, marketing or promotional communications.
- Security and Fraud Prevention: To detect, investigate, and prevent unauthorized access, abuse, fraud, and violations of our Terms of Service.
- Legal Compliance: To comply with applicable laws, regulations, legal processes, or enforceable governmental requests.
- Permission and Access Control: To enforce role-based access controls (Owner, Admin, Contributor, Commenter, Viewer) within Feeds and subscription-tier-based feature gating across the platform.
4. How We Share Your Information
We do not sell, rent, or trade your personal information to third parties. We may share your information in the following circumstances:
4.1 Service Providers
We share information with third-party service providers who perform services on our behalf, subject to contractual obligations to protect your information:
- Google / Firebase: Cloud infrastructure, authentication, database (Firestore), file storage (Firebase Storage), serverless functions (Cloud Functions), real-time database, and analytics (Firebase Analytics / Google Analytics 4)
- Stripe, Inc.: Payment processing, subscription management, and billing
- Google AI (Gemini): Automated content moderation via the Genkit framework
- YouTube / Google: Video metadata retrieval and YouTube account integration via the YouTube Data API v3
- Sentry (Functional Software, Inc.): Error tracking, performance monitoring, and application stability reporting. Sentry may receive error details, stack traces, browser/device metadata, and request context when application errors occur. Sentry processes this data in accordance with its Privacy Policy.
- Resend (Resend, Inc.): Transactional email delivery (account verification, password resets, billing notices, and other service emails). Resend receives the recipient email address and the message content needed to send these emails. Resend processes this data in accordance with its Privacy Policy.
- Klipy (Klipy, Inc.): GIF search and delivery in the receipt composer. GIF searches are routed through our own servers, so your search terms are forwarded to Klipy to return matching GIFs while your IP address is not shared with Klipy directly. Klipy processes this data in accordance with its Privacy Policy.
- Tenor (Google LLC): GIFs added to receipts before our move to Klipy may still load from Tenor. When such a GIF is displayed, your IP address is sent to Tenor to deliver the image. Tenor processes this data in accordance with the Google Privacy Policy.
4.2 Public Content
Certain information you contribute is publicly visible by design. This includes your display name and avatar on Public Receipts and Comments, your vote activity, and content contributed to Public Feeds. Custom Feeds may be shared with specific users or made discoverable at the Feed owner's discretion.
4.3 Legal Requirements
We may disclose your information if required to do so by law, regulation, legal process, or governmental request, including to meet national security or law enforcement requirements. We may also disclose information when we believe in good faith that disclosure is necessary to protect our rights, your safety or the safety of others, investigate fraud, or respond to a government request.
4.4 Business Transfers and Assignments
Vid Receipts, Inc. reserves the right to assign, transfer, or delegate this Policy, along with any and all rights, obligations, and user data (including personal information), to any subsidiary, affiliate, successor entity, or third party in connection with a merger, acquisition, reorganization, sale of assets, change of control, or similar corporate transaction, without requiring additional consent from you. In such an event, the acquiring entity will be bound by the terms of this Policy with respect to your information. We will notify you via prominent notice on the Service or by email if a material change to this Policy results from such a transaction.
4.5 With Your Consent
We may share your information with third parties when you have provided explicit consent to do so.
5. Data Retention
We retain your personal information for as long as your account is active or as needed to provide you with the Service and to fulfill the purposes described in this Policy. Specific retention practices include:
- Active Accounts: Your account data, User-Generated Content, and associated metadata are retained for the duration of your active account.
- Deleted Accounts: When you request account deletion, your account is immediately deactivated (content creation is paused and you remain able to log in to cancel). After a thirty (30) day grace period your account is permanently erased: private profile information (name, email, avatar, payment identifiers), private feeds, personas, playlists, and private receipts are deleted. You may cancel the deletion at any time during the grace period from Settings → Data & Privacy. Pursuant to our Immutable Public Record policy (see Section 5.1), Public Receipts and other publicly contributed content are retained in anonymized form.
- YouTube Data: Data accessed from the YouTube Data API, your subscriptions, liked videos, and the channel and video metadata used to personalize your Discover feed, is cached only while your YouTube connection is active and is deleted within thirty (30) days of you revoking access or your authorization lapsing, in accordance with the YouTube API Services Terms of Service.
- Payment Records: Billing and transaction records may be retained for up to seven (7) years to comply with tax and accounting obligations.
- Backup Data: Residual copies of your information may persist in encrypted backup systems for up to ninety (90) days following deletion.
- Legal Holds: We may retain information beyond these periods as necessary to comply with legal obligations, resolve disputes, or enforce our agreements.
- Fraud-Prevention Records: To prevent abuse of our free trials — for example, one person repeatedly opening or re-registering accounts to obtain multiple no-card Pro trials — we retain a one-way cryptographic hash (SHA-256) of your email address in a fraud-prevention ledger. This hash cannot be reversed to recover your email address. It is deliberately retained beyond account deletion, surviving the erasure described above, solely to enforce the one-trial-per-person limit. Our lawful basis is our legitimate interest in preventing fraud and abuse (GDPR Article 6(1)(f); Recital 47 recognizes fraud prevention as a legitimate interest).
5.1 Immutable Public Record
Vid Receipts is designed to create a verifiable, persistent public record of video annotations. Public Receipts that you contribute to Public Feeds constitute part of this historical record. If you delete your account, your Public Receipts are not deleted.Instead, they are permanently anonymized, your display name, avatar, and personal identifiers are removed and replaced with a generic "Deleted User" attribution. The substantive content of the Receipt (text, timestamp, images) remains part of the public record. Similarly, if a source YouTube video is removed or made unavailable, any associated Receipts are preserved on a "Ghost Video" page as part of the historical record. By using the Service and contributing to Public Feeds, you acknowledge and consent to this Immutable Public Record policy.
Shared Feed Succession: If you own a custom (shared) Feed at the time your account is permanently erased, ownership is automatically transferred to the most privileged remaining member (admin, then contributor, then viewer). If the Feed has no other members it is dissolved. You are encouraged to transfer ownership manually before deleting your account if you wish to choose a specific successor.
6. Your Rights and Choices
Depending on your location and applicable law, you may have certain rights regarding your personal information:
6.1 General Rights (All Users)
- Access: You may request a copy of the personal information we hold about you.
- Correction: You may update or correct inaccurate personal information through your account settings or by contacting us.
- Deletion: You may delete your account yourself at any time from Settings → Data & Privacy → Delete Account (or by visiting
/account/deletedirectly), or request deletion by contacting us, in both cases subject to the Immutable Public Record policy described in Section 5.1 and any legal retention obligations. Deletion enters a thirty (30) day grace period during which you may cancel; permanent erasure occurs after the grace period expires. - Data Portability: You may download an export of your data in a structured, commonly used, machine-readable format yourself at any time from Settings → Data & Privacy, or request one by contacting us.
- Opt-Out of Analytics (Consent Mode): We use Google Analytics 4 Consent Mode v2. Analytics is off by default until you accept the consent banner that appears on your first visit. You may withdraw or reinstate your consent at any time from Settings → Data & Privacy → Analytics & Tracking, or by using the Google Analytics Opt-out Browser Add-on.
- YouTube Data Revocation: You may revoke our access to your YouTube data at any time through your Google Security Settings.
- Cookie Management: You may manage or disable cookies through your browser settings, though this may affect the functionality of the Service.
6.2 California Residents (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide you with additional rights:
- Right to Know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which we collected it, the business or commercial purpose for collecting it, and the categories of third parties with whom we share it.
- Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions (including the Immutable Public Record policy).
- Right to Correct: You have the right to request correction of inaccurate personal information.
- Right to Opt-Out of Sale/Sharing: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising purposes.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.
- Right to Limit Use of Sensitive Personal Information: If we collect sensitive personal information beyond what is necessary to provide the Service, you may request that we limit its use.
To exercise your rights under the CCPA/CPRA, please contact us at privacy@vidreceipts.com. We will verify your identity before processing your request. You may designate an authorized agent to make a request on your behalf. In the twelve (12) months preceding the effective date of this Policy, we have not sold personal information, and we do not have actual knowledge that we sell the personal information of minors under 16 years of age.
6.3 European Economic Area, United Kingdom, and Swiss Residents (GDPR)
If you are located in the European Economic Area (EEA), the United Kingdom (UK), or Switzerland, the General Data Protection Regulation (GDPR) and applicable national implementing laws provide you with additional rights:
- Legal Basis for Processing: We process your personal data on the following legal bases: (a) performance of a contract (to provide the Service); (b) your consent (for analytics and optional integrations); (c) our legitimate interests (service improvement, security, fraud prevention); and (d) compliance with legal obligations.
- Right of Access: You have the right to obtain confirmation as to whether we process your personal data and to request a copy of such data.
- Right to Rectification: You have the right to request correction of inaccurate personal data.
- Right to Erasure ("Right to Be Forgotten"): You have the right to request deletion of your personal data, subject to the Immutable Public Record policy (Section 5.1) and applicable legal retention requirements.
- Right to Restrict Processing: You have the right to request that we restrict the processing of your personal data under certain circumstances.
- Right to Data Portability: You have the right to receive your personal data in a structured, commonly used, machine-readable format.
- Right to Object: You have the right to object to the processing of your personal data based on our legitimate interests, including for direct marketing purposes.
- Right to Withdraw Consent: Where processing is based on your consent, you have the right to withdraw that consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
- Right to Lodge a Complaint: You have the right to lodge a complaint with your local data protection supervisory authority.
To exercise your GDPR rights, please contact us at privacy@vidreceipts.com.
7. International Data Transfers
Vid Receipts, Inc. is based in the United States, and the Service is hosted on Google's global cloud infrastructure. Your personal information may be transferred to, stored, and processed in the United States or any other country in which our service providers maintain facilities. By using the Service, you consent to the transfer of your information to countries outside of your country of residence, which may have different data protection laws than your country.
For transfers of personal data from the EEA, UK, or Switzerland to the United States, we rely on: (a) the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework, as applicable; (b) Standard Contractual Clauses approved by the European Commission; and/or (c) other lawful transfer mechanisms under applicable data protection laws. Google (including Firebase and Google Cloud services) maintains compliance with these frameworks for data processed through their services.
8. Data Security
We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:
- All data transmitted between your browser and the Service is encrypted using TLS/HTTPS
- Firebase Authentication with secure session management and token-based access control
- Granular Firestore Security Rules that enforce role-based and owner-based access controls at the database level
- Firebase Storage Security Rules that restrict file access to authorized users
- Firebase Custom Claims for server-side permission verification (three-axis identity: account class, system role, subscription tier)
- Server-side validation in Cloud Functions for all sensitive operations
- Stripe PCI-DSS compliance for all payment processing
- Regular security updates and dependency auditing
While we strive to use commercially acceptable means to protect your personal information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.
9. Children's Privacy
The Service is not intended for use by children under the age of thirteen (13). We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe that your child under 13 has provided us with personal information, please contact us at privacy@vidreceipts.com, and we will take steps to delete such information. Users between the ages of 13 and 17 may use the Service with the consent of a parent or legal guardian, but may not purchase subscriptions (which require users to be at least 18 years of age). We comply with the Children's Online Privacy Protection Act (COPPA) and similar laws in other jurisdictions.
10. Third-Party Links and Services
The Service may contain links to or embed content from third-party websites and services, including YouTube videos, external images (Klipy, Tenor, Giphy, Gfycat, Imgur), and payment processors. This Policy does not apply to such third-party services. We encourage you to review the privacy policies of any third-party services you access through the Service. Key third-party privacy policies include:
- Google Privacy Policy (Firebase, YouTube, Analytics, Gemini AI)
- Stripe Privacy Policy (Payment Processing)
- Klipy Privacy Policy (GIF search)
- YouTube Terms of Service
11. Do Not Track and Global Privacy Control
Some browsers transmit "Do Not Track" (DNT) signals to websites. Because there is no common industry standard for interpreting DNT signals, the Service does not currently respond to DNT signals. We will continue to monitor developments in DNT technology and adjust our practices as industry standards evolve.
The Service does honor the Global Privacy Control (GPC) signal. When your browser sends a GPC signal and you have not already made a consent choice, we treat it as a request to opt out: analytics are disabled by default and your preference is recorded. This is consistent with the California Consumer Privacy Act (as amended by the CPRA) and its implementing regulations. You can review or change your choice at any time using the "Cookie settings" link in the footer.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we make material changes, we will: (a) update the "Last Updated" date at the top of this Policy; (b) provide a prominent notice on the Service (such as a banner notification); and (c) where required by applicable law, send you an email notification. We encourage you to review this Policy periodically. Your continued use of the Service after any changes to this Policy constitutes your acceptance of the revised Policy.
13. Assignment
Vid Receipts, Inc. may assign, transfer, or delegate this Privacy Policy and all associated rights, obligations, and user data (including personal information collected under this Policy) to any subsidiary, affiliate, successor, or acquiring entity in connection with a merger, acquisition, corporate reorganization, sale of all or substantially all assets, change of control, or any similar transaction, without requiring your prior consent. In the event of such assignment, the successor entity shall be bound by the terms of this Privacy Policy. You may not assign or transfer your rights or obligations under this Policy without our prior written consent.
14. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Vid Receipts, Inc.
131 Continental Dr, Suite 305
Newark, DE 19713
New Castle County, Delaware, United States
Privacy Inquiries: privacy@vidreceipts.com
Legal Inquiries: legal@vidreceipts.com
For CCPA/CPRA requests, please include "California Privacy Rights" in the subject line. For GDPR requests, please include "GDPR Data Subject Request" in the subject line. We respond to verified GDPR requests within one calendar month of receipt, extendable by up to two further months where the request is complex or numerous (Article 12(3) GDPR); we will tell you within the first month if an extension is needed. We answer CCPA/CPRA requests within the 45-day period that law provides, extendable once as permitted.