Privacy Policy

Your privacy is of utmost importance to us. This Privacy Policy outlines the manner in which we gather, utilize, and share your personal data when you interact with our website. When you access or use our website, you acknowledge and agree to the data collection, usage, and sharing practices detailed in this Privacy Policy.

Information We Collect

As you interact with our website, we may gather personal details that you voluntarily share with us, including your full name, email address, and additional contact details. Additionally, we automatically collect certain information related to your website usage, such as the specific date and time of each visit, which pages or sections you view, and your device's IP address.

Use of Information

Your personal data may be utilized to deliver our services to you, address your questions and support requests, and keep you informed about updates, features, and services available on our platform. Furthermore, we may leverage your personal information to enhance the functionality and user experience of our website, perform analytical research, and fulfill any legal requirements we are obligated to meet.

Legal Basis for Processing (GDPR)

Under the General Data Protection Regulation (GDPR), we process your personal data based on the following legal bases:

  • Contract (Article 6(1)(b)): Processing is necessary for the performance of a contract with you, such as providing access to our services, processing payments, and managing your subscription.
  • Legitimate Interest (Article 6(1)(f)): We process data for our legitimate interests, including improving our services, ensuring platform security, preventing fraud, and analyzing usage patterns to enhance user experience.
  • Consent (Article 6(1)(a)): Where you have provided explicit consent, such as for marketing communications or optional features, we process your data based on that consent. You may withdraw your consent at any time.
  • Legal Obligation (Article 6(1)(c)): We may process your data to comply with legal obligations, such as retaining financial records for tax and accounting purposes.

Disclosure of Information

We may share your personal information with external service providers that assist us in operating our platform. Additionally, we reserve the right to disclose your personal information when required by law, to enforce our Terms of Service, or to safeguard the rights, property, security, or well-being of Bek Labs Ltd, our users, or the general public.

Third-Party Service Providers

We work with the following third-party service providers to deliver our services. Each provider is contractually obligated to protect your data and use it only for the purposes we specify:

Supabase (Database & Authentication)

Purpose: We use Supabase to store and manage your account data, authentication information, course enrollments, progress tracking, and notes.

Data Shared: User ID, email address, authentication tokens, course data, progress information, and user-generated content (notes).

Data Location: Data is stored in Supabase's cloud infrastructure. Supabase operates data centers in multiple regions including the United States, European Union (Ireland, Germany), and Asia-Pacific. The specific region depends on Supabase project configuration. Supabase uses Standard Contractual Clauses (SCCs) for data transfers and is GDPR compliant.

Privacy Policy: https://supabase.com/privacy

Paddle (Payment Processing)

Purpose: We use Paddle to process payments, manage subscriptions, and handle billing for our Pro plan services.

Data Shared: Email address, customer ID, subscription status, payment information (processed securely by Paddle), and billing history.

Data Location: Paddle processes payment data primarily in the United States and European Union (Ireland). Paddle is PCI DSS Level 1 certified and participates in the EU-US Data Privacy Framework. Payment card information is encrypted and handled in compliance with PCI DSS standards. Paddle uses appropriate safeguards including Standard Contractual Clauses for international data transfers.

Privacy Policy: https://paddle.com/privacy

OpenRouter (AI Services)

Purpose: We use OpenRouter to provide AI-powered content generation services, including course summaries and lesson information generation from YouTube video transcripts.

Data Shared: YouTube video transcripts and course content are sent to OpenRouter's AI models for processing. This data is used solely for generating course summaries and educational content.

Data Location: OpenRouter routes requests to various AI model providers globally, which may include processing in the United States, European Union, or other regions depending on the specific AI model provider used. OpenRouter maintains data processing agreements with AI providers and implements security measures. Note that video transcripts sent for processing are temporary and not stored by OpenRouter after processing.

Privacy Policy: https://openrouter.ai/privacy

Google (OAuth Authentication)

Purpose: We offer Google OAuth as an optional authentication method, allowing you to sign in to YouTubeLMS using your Google account.

Data Shared: When you choose to sign in with Google, we receive your Google account email address and basic profile information necessary for account creation and authentication.

Data Location: Google processes OAuth authentication data through their global infrastructure, which includes data centers in the United States, European Union, and other regions worldwide. Google is certified under the EU-US Data Privacy Framework and maintains compliance with GDPR. When you sign in with Google, only your email address and basic profile information are shared with us, and this data is stored in our Supabase database (subject to our data location policies).

Privacy Policy: https://policies.google.com/privacy

International Data Transfers

Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA) or your country of residence. We take appropriate measures to ensure that your data receives an adequate level of protection when transferred internationally.

Data Transfer Locations

The following third-party services may process your data in locations outside the EEA:

  • Supabase: Data may be stored in the United States, European Union, or other regions depending on Supabase project configuration. Supabase is GDPR compliant and uses Standard Contractual Clauses (SCCs) for data transfers outside the EEA.
  • Paddle: Payment processing data is primarily processed in the United States and European Union. Paddle is PCI DSS compliant and uses appropriate safeguards including SCCs for international transfers. Paddle participates in the EU-US Data Privacy Framework.
  • OpenRouter: AI processing may occur in the United States or other regions depending on the AI model provider used. OpenRouter routes requests to various AI providers globally. We ensure that data processing agreements are in place with OpenRouter.
  • Google (OAuth): Authentication data is processed through Google's global infrastructure, which may include data centers in the United States, European Union, and other regions worldwide. Google is certified under various data protection frameworks including the EU-US Data Privacy Framework.

Safeguards for International Transfers

When we transfer your personal data to countries outside the EEA that do not have an adequacy decision from the European Commission, we implement appropriate safeguards to ensure your data is protected:

  • Standard Contractual Clauses (SCCs): We use the European Commission's approved Standard Contractual Clauses with all third-party service providers that process data outside the EEA. These clauses ensure that your data receives the same level of protection as it would within the EEA.
  • Adequacy Decisions: Some of our service providers operate in countries with adequacy decisions (e.g., UK, Switzerland) or participate in recognized frameworks such as the EU-US Data Privacy Framework.
  • Data Processing Agreements: All third-party service providers are contractually bound through Data Processing Agreements (DPAs) that require them to:
    • Process data only for specified purposes
    • Implement appropriate technical and organizational security measures
    • Comply with applicable data protection laws
    • Notify us of any data breaches
    • Assist with data subject rights requests
  • Technical Safeguards: We use encryption in transit and at rest, access controls, and other technical measures to protect your data during transfer and storage.

Your Rights: You have the right to request information about the safeguards we have in place for international data transfers. If you would like more details about specific transfers or safeguards, please contact us at support@ytlms.com. You also have the right to object to certain international transfers, though this may affect your ability to use our services.

Cookies

Our website employs cookies and similar tracking technologies to gather data about how you interact with our platform. Cookies are small text files that are automatically saved to your device when you browse our website. We utilize cookies to customize your browsing experience, understand how visitors use our website, and enhance the overall quality and performance of our platform and services. While you have the option to disable cookies through your browser's privacy settings, please be aware that blocking cookies may limit or prevent certain features and functionality of our website from working properly.

Third-Party Links

Our website may feature hyperlinks to external websites and online services operated by third parties that are independent of Bek Labs Ltd, such as YouTube. We do not exercise control over, and therefore cannot be held responsible for, the privacy policies, data handling practices, or content found on these external websites and services. We strongly recommend that you carefully review the privacy policies of any third-party websites or services before sharing any personal information with them.

Security

We implement appropriate technical and organizational safeguards designed to prevent unauthorized individuals from accessing, using, or sharing your personal information. Despite our efforts to maintain robust security protocols, it is important to understand that no method of data transmission or storage can be considered completely secure or invulnerable to potential breaches. Therefore, while we strive to protect your information, we cannot provide an absolute guarantee of security.

Data Retention Policy

We retain your personal data only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law. Our data retention policy is designed to balance your privacy rights with our legal obligations and legitimate business needs.

Retention Periods by Data Type

  • Active Account Data: We retain your account information (email, user ID, authentication data), course enrollments, progress tracking, and user-generated content (notes) for as long as your account is active. If your account becomes inactive (no login activity for 3 years), we will contact you to confirm if you wish to keep your account. If no response is received, we may delete or anonymize your account data.
  • Account Deletion Requests: When you request account deletion, we will delete or anonymize your personal data within 30 days of your request, except where we are required to retain certain information for legal, regulatory, or legitimate business purposes (as outlined below).
  • Subscription Status Records: We retain subscription status information (subscription ID, customer ID, subscription status) for as long as your account is active and for 1 year after account deletion or subscription cancellation. Note: Actual payment processing, billing, and transaction data are handled entirely by Paddle, our payment processor. We do not store credit card numbers, payment details, or detailed transaction records. For information about Paddle's data retention practices, please refer to their Privacy Policy.
  • Course Content and Transcripts: Course information, video transcripts, and AI-generated summaries are retained for as long as they are associated with an active account. When all associated accounts are deleted, this content is deleted within 90 days.
  • Support Communications: Email correspondence and support tickets are retained for 2 years from the date of last contact to assist with future support requests and quality improvement.
  • Logs and Analytics Data: Server logs, access logs, and analytics data are retained for 12 months, after which they are automatically deleted or anonymized.
  • Cookie Data: Cookie consent preferences are stored for 365 days, after which consent will be requested again.

Extended Retention Periods

In certain circumstances, we may be required or permitted to retain your data for longer periods:

  • Legal Obligations: We may retain data when required by law, court orders, or regulatory requirements. Note that actual financial transaction records are maintained by Paddle, our payment processor, in accordance with their legal obligations.
  • Dispute Resolution: If you are involved in a dispute or legal proceeding, we may retain relevant data until the matter is resolved and any applicable limitation periods have expired.
  • Contract Enforcement: Data necessary to enforce our Terms of Service or other agreements may be retained until the relevant limitation period expires (typically 6 years from the end of the contract).
  • Fraud Prevention: Data related to suspected fraudulent activity may be retained for up to 7 years to prevent future fraud and comply with anti-fraud regulations.
  • Legitimate Business Interests: We may retain anonymized or aggregated data indefinitely for business analytics, service improvement, and research purposes, provided it cannot be used to identify you.

Data Deletion and Anonymization

When data is deleted, we use secure deletion methods to ensure it cannot be recovered. In some cases, we may anonymize data instead of deleting it, which means we remove all personally identifiable information while retaining the data in a form that cannot be linked back to you.

Backup Data: Data stored in backups may be retained for up to 90 days after deletion, as backups are typically overwritten during this period. We ensure that deleted data is not restored from backups unless required by law.

Your Control: You can request deletion of your account and data at any time through the Privacy Settings page in your account dashboard or by contacting us at support@ytlms.com. We will process your request within 30 days as required by GDPR.

Your Rights Under GDPR

If you are located in the European Economic Area (EEA) or United Kingdom, you have certain rights regarding your personal data:

  • Right to Access: You have the right to request a copy of the personal data we hold about you. You can request your data by contacting us at support@ytlms.com or using the "Download My Data" feature in your account settings.
  • Right to Rectification: You can update your account information at any time through your account settings or by contacting us.
  • Right to Erasure: You have the right to request deletion of your personal data. You can request account deletion by contacting us at support@ytlms.com or using the "Delete Account" feature in your account settings.
  • Right to Data Portability: You can request your data in a structured, machine-readable format (JSON or CSV).
  • Right to Object: You can object to certain types of data processing, such as direct marketing.
  • Right to Restrict Processing: You can request that we limit how we process your personal data in certain circumstances.
  • Right to Withdraw Consent: Where we process your data based on consent, you can withdraw that consent at any time.

To exercise any of these rights, please contact us at support@ytlms.com. We will respond to your request within 30 days as required by GDPR.

Children's Privacy

Our Services are designed for users who are 13 years of age or older. We do not intentionally gather or retain personal information from individuals who are under 13 years old. If you are a parent or legal guardian and have reason to believe that your child who is under 13 has submitted personal information to us, please reach out to us immediately at support@ytlms.com, and we will take prompt action to remove such information from our systems.

Changes to Privacy Policy

We maintain the right to make changes, revisions, or updates to this Privacy Policy at any point in time, and we are not required to provide advance notification of such modifications. Should you continue to access or use our website following the implementation of any changes to this Privacy Policy, your ongoing use will be interpreted as your acknowledgment and acceptance of the updated policy.

Contact Us

Should you have any inquiries, concerns, or requests regarding this Privacy Policy or how we handle your personal information, please do not hesitate to reach out to us via email at support@ytlms.com. We are committed to addressing your privacy-related questions in a timely and transparent manner.