Privacy Policy

Last updated: 2026-05-03

Кратко (RU): worthwatch — Telegram-бот, который суммирует новые видео из ваших YouTube-подписок. Полный текст политики ниже на английском; для удаления данных используйте /delete_my_data в Telegram или ссылку, которую бот пришлёт по запросу.

1. Who we are

worthwatch ("we", "the Service") is a closed-beta Telegram bot that delivers AI-generated summaries of new videos from a user's own YouTube subscriptions. The Service is operated as a free, non-commercial beta by an independent operator and is not affiliated with Google, YouTube, Telegram, or Anthropic.

Contact: shyshlakov95@gmail.com

2. Data we collect

We collect the minimum data required to deliver the Service:

• Telegram user ID (numeric tg_user_id) — your stable identifier inside Telegram. We do not store your Telegram username, display name, or message text beyond what is required to route a single command (e.g. /start).
• Encrypted Google OAuth tokens — refresh and access tokens issued by Google after you complete the consent flow. Stored encrypted at rest with AES-256-GCM. We never log raw token bytes.
• Monitored channel IDs — the public YouTube channel identifiers extracted from your subscription list, used to poll public RSS feeds for new uploads. We do not store channel names, descriptions, thumbnails, or any other channel metadata.
• Per-user settings — your preferences (e.g. delivery time, language, paused state). Plain text in our database.
• Operational logs — own-generated identifiers (request IDs, job IDs, internal user row ID) plus error codes and timing. Per our logging policy, we never log raw external input (Telegram message text, OAuth authorization codes, OAuth state tokens, RSS payloads, or transcript bodies).

We do not collect:

• Your Google email address, profile name, or avatar.
• Your YouTube watch history, "watch later" list, or playlists.
• Your Telegram contact list, chats, files, or location.
• Cookies, browser fingerprints, advertising identifiers, or device sensor data.
• Payment data of any kind.

3. How we use your data

We use the data above only for these purposes:

• Authenticate you to Google so we can read your subscription list (youtube.readonly scope).
• Poll the public RSS feeds of the channels you subscribe to and detect new uploads.
• Fetch publicly available transcripts for those uploads, generate AI summaries, and deliver them to you in your Telegram chat with the bot.
• Operate the Service: fix bugs, monitor uptime, prevent abuse, and contact you about material changes.

We do not use your data to:

• Show advertising or sell to advertisers — there is no advertising in the Service.
• Train, fine-tune, or evaluate AI/ML models. Transcripts and summaries are processed in-flight and never persisted to our database; they exist only as ephemeral arguments to the processing job and as the message you receive in Telegram.
• Build user profiles, score behaviour, or share with data brokers.

4. Google API scope and use

The Service requests exactly one Google OAuth scope: https://www.googleapis.com/auth/youtube.readonly. We use this scope only to retrieve your subscription list (channel IDs) so we can poll those channels' public RSS feeds. We do not access video content, comments, ratings, playlists, watch history, or any other YouTube data via this scope. We do not transfer Google user data to any third party for advertising or for training AI/ML models, in accordance with Google's Limited Use requirements.

5. Subprocessors

We use the following third parties to deliver the Service. Each handles a narrow slice of data:

• Google LLC (United States) — issues OAuth tokens and serves the YouTube Data API.
• Telegram Messenger Inc. (operating from various jurisdictions) — delivers messages between you and the bot.
• Anthropic, PBC (United States) — generates summaries from transcripts. Transcripts are sent to Anthropic's Claude API in-flight; per Anthropic's API terms, inputs are not used to train Anthropic's models. We do not retain transcripts or summaries in our database after the request completes.
• Oracle Cloud Infrastructure (data centres in the EU and US) — hosts the Service infrastructure (compute, Postgres database, Caddy TLS termination).

If a fallback transcription provider is added in the future (currently planned: OpenAI Whisper API), this list will be updated and existing users will be notified before any data is sent there.

6. Transcripts and summaries are never stored

Transcripts retrieved from public YouTube captions and AI summaries derived from them are processed in memory only. They flow through a job queue (River) as job arguments and are sent to your Telegram chat. They are not written to our database, not archived, and not logged. Once the message is delivered to you, the only persistent copy lives inside your own Telegram chat — under your control, not ours.

7. Retention and deletion

We retain your encrypted OAuth tokens, monitored channel IDs, and settings until you remove them via one of:

• The /disconnect command in Telegram — revokes your Google OAuth tokens at Google's revocation endpoint and clears the tokens from our database. Channel IDs and settings remain so you can /start again later without re-importing.
• The /delete_my_data command in Telegram — does everything /disconnect does, then deletes your entire user row. All data we hold about you is removed; database cascades remove related rows.
• The POST /oauth/data-deletion HTTP endpoint — a Google-required public endpoint for users who can no longer reach Telegram. The bot issues you a one-shot HMAC-signed URL on request via Telegram; submitting that URL has the same effect as /delete_my_data.

Deletion is processed within 24 hours; OAuth token revocation at Google is performed synchronously during the command. Operational backups (encrypted nightly Postgres dumps) are retained for up to 30 days; a deletion request takes effect for new backups immediately, and any backup that contains your data is rotated out within the 30-day window.

8. Security

• OAuth refresh tokens are encrypted at rest with AES-256-GCM. The encryption key is held in operator-controlled environment variables, separate from database credentials, and never committed to source control.
• All public endpoints (Telegram webhook, OAuth callback, data deletion, /privacy, /terms) are served exclusively over HTTPS with TLS certificates issued by Let's Encrypt.
• The data deletion endpoint requires an HMAC-SHA-256 signature bound to your Telegram user ID, issued only via Telegram, to prevent forged deletion requests.
• Internal logs contain own-generated identifiers and error codes only. We never log raw OAuth codes, OAuth state tokens, refresh-token plaintext, Telegram message bodies, RSS payloads, or transcript text.

9. Your rights

Regardless of where you live, you can:

• Access the data we hold about you — request via the contact email above; we will reply with the row contents (Telegram ID, settings, monitored channel IDs, OAuth status, timestamps).
• Rectify inaccurate data — adjust settings via Telegram commands, or request correction via the contact email.
• Erase your data — use /delete_my_data in Telegram, or POST /oauth/data-deletion, or email us. There is no charge for any of these.
• Object to processing or withdraw consent at any time by disconnecting (/disconnect); the Service will stop polling and contacting you.
• Portability — export your monitored channel list via the contact email; we return a machine-readable JSON file.

If you are in the European Economic Area, the United Kingdom, Switzerland, or another jurisdiction with comparable data-protection law, you have the rights granted by that law (GDPR Articles 15–22 and equivalents) and the right to lodge a complaint with your national supervisory authority. The Service operator acts as the data controller for the personal data described above.

10. Russian users — 152-FZ acknowledgement

Russian Federal Law No. 152-FZ ("On Personal Data") requires that personal data of Russian citizens be initially recorded in databases physically located in the Russian Federation. The Service's infrastructure is hosted outside Russia; we therefore cannot guarantee compliance with the localisation requirement of 152-FZ for Russian residents. Use of the Service from Russia is at your own discretion and risk. If you are a Russian resident and require 152-FZ-compliant processing, please do not use the Service.

11. Children

The Service is not directed at children under 13 (or under the higher minimum age in your jurisdiction). We do not knowingly collect data from children. If you believe a child has provided data to us, contact the email above and we will delete it.

12. Changes to this policy

If we make material changes to this policy we will publish the new version at this URL and notify active users in Telegram at least 30 days before the change takes effect. The "Last updated" date at the top of this document tracks the most recent revision.

13. Contact

Questions, requests, or complaints: shyshlakov95@gmail.com