Last updated: 2026-06-02
worthwatch ("we", "the Service") is a Telegram bot that delivers AI-generated summaries of new videos from a user's own YouTube subscriptions. The Service is operated as a freemium offering — a free tier with a daily summary cap, plus an optional Pro tier paid in Telegram Stars — by an independent operator resident in Ukraine. The Service is not affiliated with Google, YouTube, Telegram, or Anthropic.
Contact: privacy@worthwatch.app
We collect the minimum data required to deliver the Service:
tg_user_id) — your stable identifier inside Telegram. Used to route every message between you and the bot.tg_username, optional) — your publicly visible Telegram handle, stored only if your Telegram account has one. Populated on every /start via the UpsertUserByTGUserID upsert so the operator can address support requests by handle. If you do not have a handle, this field stays empty.tg_lang_hint) — the mapped two-letter language code we derive from Telegram's From.LanguageCode field, used to choose the bot's reply language. We do not store the raw LanguageCode payload.title and handle. Both are public YouTube metadata returned by the youtube.subscriptions.list?part=snippet call. We use the title to render readable delivery messages in your Telegram chat and the handle to deep-link back to YouTube.pro_subscriptions containing: tier (pro), period_start, period_end, last_invoice_id (the opaque Telegram Stars charge identifier), telegram_subscription_id (the Telegram Stars recurring-subscription token), and is_recurring / auto_renew flags. We do NOT see, receive, or store your payment card number (PAN), card expiry, CVC, or billing address — those data live with Telegram and Telegram Stars. We persist only the opaque charge identifier so we can issue refunds and answer audit questions.pro_subscriptions record above, we append one immutable row to a pro_transactions ledger for each Telegram Stars payment and refund. Each row stores the opaque Telegram Stars charge identifier, your Telegram user ID, the amount and currency (for example 20 XTR), the payment payload, and timestamps. Like the subscription record it contains no card number, expiry, CVC, or billing address. This is our financial record of the transaction and, unlike most other data, it is retained after account deletion for tax, refund, and audit purposes — see §7.2.tg_user_id), error kinds, and timings. Some payment audit-log entries also include the Telegram Stars telegram_payment_charge_id so refunds can be reconciled. Per our logging policy we never log OAuth authorisation codes, OAuth state tokens, plaintext refresh or access tokens, Telegram message bodies, RSS payloads, or transcript text.We do not collect:
We use the data above only for these purposes:
youtube.readonly scope).AI-generated summaries are cached for 24 hours in a summary_cache table keyed on (video_id, lang) so the same video shared inline through @worth_watch_bot can be re-delivered without paying Anthropic twice. Demo-mode summaries are cached for 7 days in a separate demo_cache table. Both caches are keyed on the public YouTube video ID, not on your identity, and are purged automatically by a background GC worker once their TTL expires.
Transcript text and summary text may briefly appear inside background River job arguments (river_job.args JSONB), retained per River's defaults — roughly 24 hours for completed jobs and 7 days for cancelled ones — to support retries and operator audit. They are never queried back into a user-facing pipeline.
We do not use your data to:
The Service requests exactly one Google OAuth scope: https://www.googleapis.com/auth/youtube.readonly. We use this scope only to retrieve your subscription list — specifically the channel IDs and channel titles that youtube.subscriptions.list?part=snippet returns — so we can poll those channels' public RSS feeds. We do not access video content, comments, ratings, playlists, watch history, or any other YouTube data via this scope. We do not transfer Google user data to any third party for advertising or for training AI/ML models, in accordance with Google's Limited Use requirements.
By using the Service you are also bound by the YouTube Terms of Service and your interaction with the YouTube Data API is subject to the Google Privacy Policy.
We use the following third parties to deliver the Service. Each handles a narrow slice of data:
SENTRY_DSN env not set). When enabled, Sentry receives error events tagged with tg_user_id and stack traces; no transcript text, no OAuth tokens, no Telegram message bodies. We will notify active users in Telegram at least 30 days before activating Sentry in production.SUPADATA_API_KEY not set). When enabled, Supadata receives the public YouTube video ID and fetches the transcript on its own infrastructure; no user identity is sent. We will notify active users in Telegram at least 30 days before activating Supadata in production.Transcript text is never written to any worthwatch database table outside transient River job arguments (retained per River's defaults — roughly 24 hours for completed jobs and 7 days for cancelled ones). AI-generated summaries ARE cached for 24 hours in summary_cache, and demo-mode summaries for 7 days in demo_cache. Both caches are keyed on the public YouTube video ID, not on your identity, and are automatically purged after their TTL by a background GC worker. Once we deliver a summary to your Telegram chat, the persistent copy you can see lives in your Telegram chat — under your control, not ours.
We retain your encrypted OAuth tokens, monitored channel records, settings, and Pro subscription row (if any) until you remove them via one of:
/disconnect command in Telegram — revokes your Google OAuth tokens at Google's revocation endpoint, clears the tokens from our database, and trims your monitored channels down to the free guest-tier allowance, keeping the alphabetically-first ones. Reconnecting re-imports your subscription list up to the tier you return to; channels dropped during disconnect are not specially restored./delete_my_data command in Telegram — does everything /disconnect does, then deletes your entire user row. All data we hold about you is removed; database cascades remove related rows.POST /oauth/data-deletion HTTP endpoint — a Google-required public endpoint for users who can no longer reach Telegram. The bot issues you a one-shot HMAC-signed URL on request via Telegram; submitting that URL has the same effect as /delete_my_data.Deletion is processed within 24 hours; OAuth token revocation at Google is performed synchronously during the command. The DeleteUserCascade operation explicitly removes related rows in pro_subscriptions, oauth_states, user_subscriptions, user_quotas, user_usage, user_feedback, delivery_log, channel_gone_notices, policy_violations, abandoned_onboarding_nudges, and audit_log (the audit-log purge is explicit, not via FK cascade, so we can keep generic operational events while erasing per-user trails).
summary_cache and demo_cache rows are keyed on video_id rather than user identity and contain no link back to the deleted user; they age out by their own TTL (24 hours and 7 days respectively). monitored_channels rows are shared resources — once no user is subscribed to a given channel, the row is garbage-collected by the channel_gc worker.
Operational backups (encrypted nightly Postgres dumps) are retained for up to 30 days; a deletion request takes effect for new backups immediately, and any backup that contains your data is rotated out within the 30-day window.
When you run /delete_my_data, we erase your account and revoke Google access immediately. To prevent the same-day summary cap from being reset by repeated delete-and-rejoin, we keep a pseudonymised counter for up to 30 days:
The counter cannot be used to message you, profile you, or share with anyone. After 30 days it is automatically purged.
You can ask us to erase the counter sooner — email privacy@worthwatch.app and we will do it within 7 days. This is your right under GDPR Article 21.
Lawful basis: Article 6(1)(f) GDPR (legitimate interest in preventing service abuse). A written Legitimate Interests Assessment is published at deploy/legal/LIA-quota-persistence.md in our public repository.
Pseudonymisation per Article 4(5) GDPR: the hash is HMAC-SHA-256 truncated to 128 bits, keyed with a secret held in environment variables separate from the database. Per EDPB Guidelines 01/2025 the hash remains personal data, so all GDPR rights apply to it.
Right to object (Article 21): you may object at any time on grounds relating to your particular situation. We will not contest individual objections.
One category of data deliberately survives account deletion: the Pro payment ledger (pro_transactions) described in §2. If you have ever upgraded to Pro, running /delete_my_data does not erase these financial records. Each retained row holds only the opaque Telegram Stars charge identifier, your Telegram user ID, the amount and currency, the payment payload, and timestamps — never card data, never transcript or summary text. We keep them so we can issue and reconcile refunds, meet tax and accounting obligations, and respond to payment audits or disputes.
Lawful basis: GDPR Article 17(3)(b) and (e) — the right to erasure does not apply where processing is necessary for compliance with a legal obligation or for the establishment, exercise, or defence of legal claims. We retain these records for as long as applicable accounting, tax, and consumer-protection law requires, and no longer than necessary for those purposes, after which they are erased.
Consequence — Pro is restored if you return within the period you paid for. Because the ledger survives, if you delete your data and then reconnect Google before your paid Pro period has ended (Pro is sold in 30-day periods), the Service finds the surviving, non-refunded payment and automatically restores Pro for the remainder of that period, sending you a confirmation message — we honour the time you already paid for, even across a deletion. If you do not want Pro restored, request a refund first (a refunded ledger row never restores Pro), or delete your data only after your paid period has ended.
/privacy, /terms) are served exclusively over HTTPS with TLS certificates issued by Let's Encrypt.tg_user_id, error kinds, and timings; some payment audit entries also include the Telegram Stars telegram_payment_charge_id. We never log raw OAuth codes, OAuth state tokens, refresh-token plaintext, Telegram message bodies, RSS payloads, or transcript text.Regardless of where you live, you can:
/delete_my_data in Telegram, or POST /oauth/data-deletion, or email us. There is no charge for any of these. The one exception is the Pro payment ledger (pro_transactions), which we are legally required to retain after deletion — see §7.2./disconnect); the Service will stop polling and contacting you.If you are in the European Economic Area, the United Kingdom, Switzerland, or another jurisdiction with comparable data-protection law, you have the rights granted by that law (GDPR Articles 15–22 and equivalents) and the right to lodge a complaint with your national supervisory authority. The Service operator acts as the data controller for the personal data described above.
Transfers to processors outside the EEA (Anthropic, Cloudflare, Sentry when enabled, Supadata when enabled, Google, Telegram) rely on the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) or equivalent adequacy mechanisms.
The Service is not directed at children under 13 (or under the higher minimum age in your jurisdiction). We do not knowingly collect data from children. If you believe a child has provided data to us, contact the email above and we will delete it.
If we make material changes to this policy we will publish the new version at this URL and notify active users in Telegram at least 30 days before the change takes effect. The "Last updated" date at the top of this document tracks the most recent revision.
Questions, requests, or complaints: privacy@worthwatch.app