TubeVault · tubevault.io
Last updated: May 3, 2026 · Operator: Robin Jost, Cottbus, Germany
Data Controller within the meaning of Art. 4 No. 7 GDPR:
Robin Jost
Ziegeleigrund 10, 03051 Cottbus, Germany
Phone: +49 176 22789264
Email: jost@ikigai-dynamics.com
Website: https://tubevault.io
Note: Robin Jost operates as a freelancer (Freiberufler) under §18 EStG and is registered with the Finanzamt Cottbus. The Kleinunternehmerregelung pursuant to §19 UStG applies; no VAT is charged. No trade registration (Gewerbeanmeldung) is required under German law for freelance activity. The appointment of a Data Protection Officer is not required under Art. 37 GDPR given the nature and scale of processing activities.
When you use TubeVault, we process the following categories of personal data:
We process personal data on the following legal bases:
To create an account, we collect your email address and a password you choose. This data is processed and stored via Supabase Auth (see Section 12).
Legal basis: Art. 6(1)(b) GDPR
Retention: For the duration of the contractual relationship; deletable at any time upon request (Section 15).
Alternatively, you may sign in using your Google account. Google transmits the following data to us: email address, display name, profile picture URL, and an anonymised Google user ID. We do not receive your Google password or access any Google data beyond what is necessary for authentication.
Google Privacy Policy: https://policies.google.com/privacy
Legal basis: Art. 6(1)(b) GDPR
TubeVault enables semantic search across indexed YouTube channel archives. Each search query is processed to generate an AI-assisted answer with source references.
Purpose: Performance of contract (provision of the platform's core functionality)
Legal basis: Art. 6(1)(b) GDPR
Search queries may be stored in our server logs for a maximum of 30 days for abuse prevention and IT security purposes. No personalised analysis of individual queries is carried out.
When you use TubeVault while signed in, your conversations (questions and AI-generated answers) are stored in your account so you can revisit them later across sessions and devices.
Purpose: Providing the chat history feature as part of the platform's core functionality, allowing you to continue conversations and review past answers.
Legal basis: Art. 6(1)(b) GDPR (contract performance)
Conversations are stored for as long as your account exists. You can delete individual conversations at any time from your dashboard. When you delete your account, all conversations and messages are permanently deleted.
To help you identify conversations, a short topic title is automatically generated for each conversation using OpenAI's API (the same provider used for answer generation; see Section 12.3). The first question and answer of a conversation are sent to OpenAI to produce a brief title. You can rename conversations at any time.
To improve TubeVault and understand how users interact with the platform, we collect pseudonymised product analytics. All analytics data is stored exclusively on our own servers (Hetzner, Germany). We do not use any third-party analytics services such as Google Analytics or Mixpanel.
TubeVault uses two distinct tracking systems:
Legal basis: Art. 6(1)(f) GDPR — legitimate interest in improving the product and understanding user needs
Retention: Raw queries: 7 days. Event logs: 30 days. Aggregates: indefinite (no personal data).
To limit use of the free tier to 5 queries per day for unauthenticated users, we generate a non-persistent hashed fingerprint from the following information:
This fingerprint is stored as a cryptographic hash value. It does not enable identification of your person, is not stored persistently, and is scoped to the current calendar day. No cookies are set for this purpose.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in preventing abuse of the free offering)
TubeVault uses the following client-side storage mechanisms:
You can manage your consent at any time via the “Cookie settings” link in our footer.
When you visit our landing pages, we may capture:
This data is only collected after you grant attribution consent via our cookie banner. Without consent, no attribution data is recorded.
Retention: Attribution records are automatically deleted after 90 days. Consent records (consent_log) are retained for the duration of our legal accountability obligations under GDPR Art. 7(1).
In compliance with §25 TTDSG and GDPR Art. 6(1)(a), we obtain your explicit consent before storing non-essential information on your device. Our cookie banner offers three options:
Your consent choice is stored in localStorage (tv_consent) and a cookie (tv_consent) for server-side enforcement. Both expire after 12 months, after which you will be asked again.
You can revoke or change your consent at any time via the “Cookie settings” link in the footer of our website.
Subscription payments are processed by Stripe Payments Europe Ltd., Ireland. We do not store credit card numbers or full payment details. Stripe acts as a data processor under Art. 28 GDPR; a Data Processing Agreement is in place. For payments routed through US-based Stripe entities, Standard Contractual Clauses ensure adequate protection.
Stripe Privacy Policy: https://stripe.com/privacy
Legal basis: Art. 6(1)(b) GDPR
Retention: Stripe retains payment records in accordance with applicable financial record-keeping obligations (Germany: 10 years under HGB). Full deletion of Stripe payment data after account closure is therefore not always possible; such data is anonymised where deletion is not legally permissible.
We engage the following service providers, each under a Data Processing Agreement (DPA) pursuant to Art. 28 GDPR:
Supabase is used as our authentication provider and user data database, configured with an EU server location (Frankfurt). A DPA under Art. 28 GDPR is in place.
Privacy information: https://supabase.com/privacy
Our servers (application, vector database, embeddings, analytics) are located exclusively at Hetzner data centres in Germany. A DPA is in place with Hetzner.
Privacy information: https://www.hetzner.com/legal/privacy-policy
Your search queries are transmitted to OpenAI for AI answer generation. OpenAI processes this data in the USA. The transfer is based on EU Standard Contractual Clauses (Art. 46(2)(c) GDPR) and a Data Processing Agreement. Under OpenAI's API terms (as of 2024), data submitted via the API is not used by default for training AI models; we have contractually ensured this.
Privacy information: https://openai.com/policies/privacy-policy
Payment processing is handled by Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland. Stripe processes:
Legal basis: Contract performance (Art. 6(1)(b) GDPR).
Data location: EU (Stripe Payments Europe Ltd., Ireland).
For payments routed through US-based Stripe entities, Stripe maintains Standard Contractual Clauses for adequate protection.
Privacy information: https://stripe.com/privacy
When you access our platform, technical information is automatically recorded in server log files:
This data is used solely to ensure technical operation, IT security and abuse prevention. It is not combined with other data.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest)
Retention: Maximum 30 days, then automatically deleted
We implement appropriate technical and organisational security measures, including:
Please note that no data transmission over the internet is entirely secure.
Under the GDPR, you have the following rights regarding your personal data:
You have the right to obtain confirmation of whether we process personal data about you and, if so, to receive a copy of that data free of charge.
You have the right to request correction of inaccurate or incomplete personal data.
You have the right to request deletion of your data, provided no statutory retention obligations apply. You can delete your account directly in your account settings under “Delete Account”. Upon deletion we will erase:
Stripe payment data cannot be fully deleted due to statutory retention obligations (German Tax Code / AO: 10 years); such data will be anonymised.
You have the right to request restriction of the processing of your data under the conditions set out in Art. 18 GDPR.
You have the right to receive your data in a structured, commonly used and machine-readable format.
You have the right to object at any time to processing of your data based on Art. 6(1)(f) GDPR (legitimate interest), including profiling based on those provisions.
You have the right to lodge a complaint with a supervisory authority. The authority competent for us is:
Die Landesbeauftragte für den Datenschutz Brandenburg (LDA Brandenburg)
Stahnsdorfer Damm 77, 14532 Kleinmachnow, Germany
www.lda.brandenburg.de
You may also lodge a complaint with the supervisory authority in your country of residence or place of work within the EU.
Personal data is deleted as soon as it is no longer required for the processing purpose and no statutory retention obligations apply. Key retention periods:
See the specific sections above for additional details on each data category.
TubeVault is not directed at children under the age of 16. We do not knowingly collect personal data from persons under 16. If we become aware that a person under 16 has created an account, we will delete the account and all associated data without delay.
We reserve the right to update this Privacy Policy as necessary, in particular when the platform changes, new service providers are engaged, or the legal framework evolves. Registered users will be notified of material changes by email. The date of the most recent update is always shown at the top of this document.
For questions about data protection or to exercise your rights, please contact:
Email: jost@ikigai-dynamics.com
We respond to requests within 30 days as required by Art. 12(3) GDPR.
You can also submit GDPR requests directly via our online form: Submit a Data Request →
TubeVault · Robin Jost · Cottbus, Germany