Privacy Policy

Effective date: April 2, 2026 · Last updated: April 2, 2026

Scope & Overview
Information We Collect
How We Use Your Information
Video Content & Processing
AI Studio Data Processing
Analytics & View Tracking
Data Storage & Security
Third-Party Services
Data Sharing & Disclosure
Cookies & Tracking Technologies
Data Retention
Your Rights
International Data Transfers
Children's Privacy
Changes to This Policy
Contact Us

1. Scope & Overview

This Privacy Policy explains how AVCaption ("we", "us", "our") collects, uses, stores, and protects your personal information when you use our encrypted video hosting platform at avcaption.com, dashboard.avcaption.com, and avcaption.com (collectively, the "Service").

This policy applies to two categories of individuals:

Account holders — users who register, upload videos, and manage content
Viewers — individuals who watch embedded videos on third-party websites

By using the Service, you consent to the practices described in this policy. This policy should be read in conjunction with our Terms of Service.

2. Information We Collect

2.1 Account Information

When you register for an account, we collect:

Email address — used for authentication and account notifications
Username — used for account identification
Password — stored exclusively as a bcrypt hash; we never store or have access to your plaintext password

2.2 Video Content

When you upload videos, we process and store:

The video file itself (source file and encoded HLS segments)
Video metadata: title, duration, resolution, codec, bitrate, frame rate, file size
Generated assets: thumbnails, poster images, sprite images
Upload integrity data: SHA-256 file hash
Subtitle tracks (user-uploaded or AI-generated)

2.3 Technical Data (Account Holders)

When you access the dashboard, we automatically collect:

IP address (for security, rate limiting, and abuse prevention)
User agent string (browser type and version)
Request timestamps

2.4 Technical Data (Viewers)

When viewers watch embedded videos, we collect minimal data:

IP address (used only for per-viewer view deduplication; not stored long-term in identifiable form)
Referer/Origin headers (used for domain restriction enforcement)
View events (video ID, timestamp, count) — stored in aggregated form

We do not collect viewer names, email addresses, browsing history, or behavioral profiles.

2.5 Payment Information

If you subscribe to a paid plan, payment is processed by our third-party payment processor. We do not store credit card numbers, CVVs, or full payment details on our servers.

2.6 API Keys

If you generate an API key, it is displayed once at creation time. We store only a hashed version of the key — we cannot retrieve your original key after generation.

2.7 AI Service API Keys

Enterprise users who use AI Studio provide their own API keys for third-party AI services (Anthropic Claude, Google Gemini). These keys are stored encrypted in your account settings and are used only when you explicitly initiate OCR or translation jobs.

3. How We Use Your Information

Purpose	Data Used	Legal Basis
Provide the Service (encode, encrypt, store, stream videos)	Video content, metadata, account info	Contract performance
Authentication & account security	Email, password hash, JWT tokens, IP address	Contract performance
Analytics dashboards for video owners	Aggregated view counts, timestamps	Legitimate interest
Domain restriction enforcement	Referer/Origin headers	Contract performance
Abuse prevention & rate limiting	IP address, request patterns	Legitimate interest
Account-related communications	Email address	Contract performance
AI subtitle extraction & translation	Video frames (OCR), subtitle text (translation)	Explicit user action

We do not use your data for advertising, sell your data to third parties, or create behavioral profiles.

4. Video Content & Processing

Content Access

We do not view, review, or analyze the content of your videos except as technically necessary to provide the encoding service (e.g., FFprobe extracts duration and resolution metadata). We do not perform content moderation scanning unless required by law or in response to abuse reports.

Encryption

All video segments are encrypted using multi-key batches before storage. Encryption keys are generated using cryptographically secure random number generation and are stored in your video's metadata. This means your video content is encrypted at rest on our CDN — neither CDN operators nor unauthorized parties can view the raw video content without the decryption keys.

Segment Storage

Encrypted video segments are stored on Cloudflare R2 with immutable cache headers (max-age=31536000). Segment filenames are randomized hex strings — they do not reveal video titles, order, or content.

5. AI Studio Data Processing

If you use AI Studio (Enterprise plan), the following data processing occurs:

OCR (Subtitle Extraction)

Video frames are extracted at intervals for text detection
Frames are processed locally on our servers — they are not sent to external services
Extracted frames are temporary and are deleted after the OCR job completes or is canceled
Only the resulting subtitle text (with timestamps) is retained

AI Translation

Subtitle text (not video content) is sent to your chosen AI provider (Claude by Anthropic or Gemini by Google) for translation
Translation is processed in batches of 20 subtitle cues at a time
Your AI provider API key is used for authentication — we do not use a shared key
We do not retain copies of text sent to AI providers beyond the active translation job
AI providers' own privacy policies govern how they handle text sent for processing — refer to Anthropic's Privacy Policy and Google's Privacy Policy for details

6. Analytics & View Tracking

What We Track

We track video view events to provide analytics to video owners. Each view event records:

Video ID
A hashed viewer identifier (derived from IP address — not the raw IP)
View count
Timestamp

How Analytics Work

View events are batched in memory and flushed to our analytics database (ClickHouse) every 10 seconds. This minimizes write load and ensures no individual request is tracked in real-time.

Analytics Data Retention

Raw view event data in ClickHouse is retained for 1 year, after which it is automatically purged. Aggregated totals (total view count per video) are retained in the primary database indefinitely.

No External Analytics

We do not use Google Analytics, Facebook Pixel, or any third-party analytics or advertising tracking on the dashboard or embed player. All analytics are first-party and self-hosted.

7. Data Storage & Security

Infrastructure

Data Type	Storage Location	Encryption
Account data, video metadata	MySQL database	TLS in transit
Video segments (HLS)	Cloudflare R2 (300+ global edge locations)	Encrypted at rest + TLS in transit
View analytics	ClickHouse database	TLS in transit
Passwords	MySQL (bcrypt hashed)	One-way hash (not reversible)
API keys	MySQL (hashed)	One-way hash (not reversible)

Security Measures

All connections use TLS 1.2 or TLS 1.3 with modern cipher suites
HTTP requests are automatically redirected to HTTPS
HTTP/2 enabled for all domains
Passwords hashed with bcrypt (adaptive cost factor)
API keys stored as irreversible hashes
Rate limiting on sensitive endpoints (login, registration, upload, API key regeneration)
CSRF token validation on all form submissions
SQL injection prevention via parameterized queries throughout the codebase
Security headers: X-Content-Type-Options: nosniff, X-Frame-Options, Referrer-Policy: strict-origin-when-cross-origin

8. Third-Party Services

We use a limited set of third-party services to operate the platform:

Service	Purpose	Data Shared
Cloudflare R2	Video segment storage and global CDN delivery	Encrypted video segments (Cloudflare cannot read content)
Google Fonts	Web fonts on landing page only	Standard HTTP request data (IP, user agent) — see Google Fonts privacy FAQ
Anthropic (Claude API)	AI subtitle translation (Enterprise, opt-in)	Subtitle text only — using your own API key
Google (Gemini API)	AI subtitle translation (Enterprise, opt-in)	Subtitle text only — using your own API key

We do not integrate with advertising networks, social media tracking pixels, or behavioral analytics platforms.

We do not sell, rent, or trade your personal information. We may disclose your information only in the following circumstances:

Service providers: third-party services listed above that process data on our behalf to operate the platform
Legal requirements: when required by law, subpoena, court order, or governmental request
Safety: to protect the rights, safety, or property of AVCaption, our users, or the public
Business transfer: in connection with a merger, acquisition, or sale of assets (you would be notified)
With your consent: when you explicitly authorize disclosure

10. Cookies & Tracking Technologies

Cookies We Use

Cookie	Type	Purpose	Duration
`token`	Strictly necessary	JWT session authentication (HTTP-only, SameSite=Lax, Secure)	Configurable (default 72 hours)

That is the only cookie we set. We do not use:

Third-party tracking cookies
Advertising or targeting cookies
Analytics cookies (Google Analytics, Mixpanel, etc.)
Social media cookies (Facebook, Twitter, etc.)
Fingerprinting or canvas tracking

Embed Player

The embedded video player (served from avcaption.com) does not set any cookies on viewer browsers. No cross-site tracking occurs through video embeds.

11. Data Retention

Data Type	Retention Period	Deletion Method
Account data (email, username)	Until you delete your account	Account deletion via dashboard
Video content (source + HLS segments)	Until you delete the video or account	Video deletion or account deletion
Subtitle tracks	Until you delete the track, video, or account	Studio interface or video/account deletion
View analytics (detailed)	1 year (auto-purged from ClickHouse)	Automatic TTL-based purge
View counts (aggregate)	Lifetime of the video	Deleted when video is deleted
Server logs	30 days	Automatic rotation
OCR temporary frames	Duration of OCR job only	Automatic cleanup after job completion
Deleted content	Permanently removed within 30 days	Purged from database, local storage, and CDN

12. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

Access: request a copy of the personal data we hold about you
Correction: update or correct inaccurate account information via your dashboard settings
Deletion: delete your account and all associated data from your dashboard (permanent within 30 days)
Export: download your original video source files before account deletion
Restriction: request that we limit processing of your data in certain circumstances
Objection: object to processing based on legitimate interest
Portability: request your data in a structured, machine-readable format

To exercise these rights, contact us at [email protected]. We will respond within 30 days. You may be required to verify your identity before we process your request.

GDPR (European Economic Area)

If you are in the EEA, you have the rights listed above under the General Data Protection Regulation. Our legal bases for processing are: contract performance (providing the Service), legitimate interest (security, analytics), and consent (AI Studio usage).

CCPA (California)

If you are a California resident, you have the right to know what personal information we collect, request deletion, and opt out of the sale of personal information. We do not sell personal information.

13. International Data Transfers

Video content is distributed globally via Cloudflare R2's CDN network (300+ edge locations). Account data is stored on servers that may be located outside your country of residence. By using the Service, you consent to the transfer of your data to these locations. We ensure that appropriate safeguards are in place for cross-border data transfers.

14. Children's Privacy

AVCaption is not intended for users under 18 years of age. We do not knowingly collect personal information from minors. If we become aware that we have collected data from a person under 18, we will promptly delete the account and associated data. If you believe a minor has created an account, please contact us at [email protected].

15. Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technology, or legal requirements. Material changes will be communicated via email or dashboard notification at least 14 days before they take effect. The "Last updated" date at the top of this page indicates when the policy was last revised. Your continued use of the Service after changes constitutes acceptance of the updated policy.

16. Contact Us

For privacy-related questions, data requests, or concerns, please contact us:

Privacy inquiries: [email protected]
General support: [email protected]
Website: avcaption.com

We aim to respond to all privacy-related requests within 30 days.