Welcome to Vidscript. We are committed to protecting your privacy and handling your personal information with transparency and respect. This Privacy Policy explains how Vertial Holdings Pty Ltd (ABN: 72629494926) ("we," "us," "our," or "Vidscript") collects, uses, stores, shares, and protects your personal information when you use our YouTube transcript extraction service at https://www.vidscript.co ("Site" or "Service").
Please read this Privacy Policy carefully. By using our Service, you acknowledge that you have read, understood, and agree to this Privacy Policy.
This Privacy Policy complies with:
- Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth)
- General Data Protection Regulation (GDPR) for European Union residents
- California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) for California residents
1. Information We Collect
We collect several categories of personal information to provide and improve our Service:
1.1 Information You Provide Directly
Account Information: When you create an account, we collect:
- Full name
- Email address
- Password (encrypted)
- Country/region
Payment Information: If you subscribe to a paid plan, we collect payment card information (processed securely by third-party payment processors who comply with PCI-DSS standards). We do not store complete payment card numbers on our servers.
Communications: When you contact us for support, we collect the content of your messages, email address, and any information you choose to provide.
1.2 Information Collected Automatically
Usage Data: We automatically collect information about your use of the Service, including:
- YouTube video URLs you process
- Video titles and metadata
- Transcript extraction requests and timestamps
- Download history (TXT, CSV files)
- Feature usage patterns
- Error logs and diagnostic information
Device and Technical Information:
- IP address
- Device type, model, and operating system
- Browser type and version
- Screen resolution and device settings
- Referring URLs and pages visited
- Date and time of access
Cookies and Tracking Technologies: We use cookies, web beacons, and similar technologies to:
- Maintain your session and authentication
- Remember your preferences
- Analyze usage patterns and improve the Service
- Prevent fraud and enhance security
1.3 Information Embedded in Transcripts
Important: When you use our Service to extract YouTube video transcripts, the transcript text may contain personal information about individuals who appear in or are mentioned in the video, including:
- Names of speakers or individuals mentioned
- Email addresses or contact information mentioned in videos
- Health information discussed in videos
- Political opinions, religious beliefs, or other sensitive information
- Any other personally identifying information contained in video audio
We process this embedded information solely to provide the transcript extraction service. We do not actively analyze, mine, or use this embedded information for any purpose other than delivering the transcript to you.
2. How We Use Your Information
We use your personal information for the following purposes:
2.1 To Provide the Service
- Process transcript extraction requests
- Generate and deliver transcripts in requested formats (TXT, CSV)
- Manage your user account and authentication
- Process payments and manage subscriptions
- Enforce usage limits and rate limiting
- Provide customer support
2.2 To Improve and Develop the Service
- Analyze usage patterns to improve features and performance
- Identify and fix technical issues
- Develop new features and functionality
- Conduct research and analytics (using aggregated, de-identified data)
2.3 For Security and Fraud Prevention
- Detect, prevent, and respond to security incidents
- Identify and prevent fraudulent transactions
- Monitor and prevent abuse of the Service
- Protect our legal rights and property
2.4 For Legal Compliance
- Comply with applicable laws, regulations, and legal processes
- Respond to lawful requests from government authorities
- Enforce our Terms of Service
- Maintain records for tax and accounting purposes
2.5 For Communications
- Send service-related announcements (account verification, security alerts, system maintenance)
- Respond to your inquiries and support requests
- Send marketing communications (only with your consent, where required)
2.6 Legal Basis for Processing (GDPR)
For users in the European Union, we process your personal data based on the following lawful bases:
- Consent: You have given clear consent for us to process your personal data for specific purposes (e.g., marketing communications, optional cookies)
- Contract Performance: Processing is necessary to provide the Service you have requested
- Legal Obligation: Processing is necessary to comply with legal requirements
- Legitimate Interests: Processing is necessary for our legitimate business interests (fraud prevention, service improvement, security), provided these interests do not override your fundamental rights
3. How We Share Your Information
We do not sell your personal information. We share your information only in the following limited circumstances:
3.1 Service Providers
We share information with third-party service providers who perform services on our behalf, including:
- Authentication Services: Clerk for user authentication and account management
- Payment Processors: Secure payment processing (PCI-DSS compliant)
- Cloud Hosting: Railway and database hosting providers
- Analytics Services: Website analytics and performance monitoring
- AI Services: OpenAI for transcript summarization features
All service providers are contractually obligated to protect your information and use it only for the purposes we specify.
3.2 Business Transfers
If we are involved in a merger, acquisition, bankruptcy, or sale of assets, your personal information may be transferred as part of that transaction. We will notify you via email and/or prominent notice on our Site before your information is transferred and becomes subject to a different privacy policy.
3.3 Legal Requirements
We may disclose your information when required by law or in response to:
- Valid legal processes (court orders, subpoenas, warrants)
- Government or regulatory requests
- Law enforcement inquiries
- Protection of our legal rights, property, or safety
- Prevention of fraud, security threats, or illegal activity
3.4 With Your Consent
We may share your information with third parties when you specifically consent to such sharing.
4. International Data Transfers
Vertial Holdings Pty Ltd is based in Australia. If you access our Service from outside Australia, your personal information may be transferred to, stored, and processed in Australia and other countries where our service providers operate.
4.1 For EU Residents (GDPR)
When we transfer personal data from the European Union to Australia or other countries not recognized as providing adequate protection under GDPR Article 45, we implement appropriate safeguards, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Supplementary measures such as encryption and access controls
- Data Processing Agreements with all processors
You have the right to obtain information about the safeguards we use for international transfers by contacting us at vidscript@vertial.com.
4.2 For California Residents (CCPA)
We do not "sell" personal information as defined by CCPA. When we share information with service providers, we require that they use your information only for the purposes we specify and prohibit them from selling your information.
5. Data Retention
We retain your personal information only as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.
Retention Periods:
- Account Information: Retained while your account is active and for 7 years after account closure for legal, tax, and accounting purposes
- Transcript Data: Retained while your account is active. Deleted within 30 days of account deletion or after 24 months of account inactivity (unless you request retention)
- Usage Data: Aggregated data retained for 12 months; individual-level data de-identified or deleted after 90 days
- Payment Records: Retained for 7 years for tax and financial compliance
- Support Communications: Retained for 3 years
- Cookies: Vary by cookie type (see Section 6 below)
When we delete data, we use secure deletion methods including cryptographic erasure, secure overwriting, or physical destruction of hardware.
6. Cookies and Tracking Technologies
We use cookies and similar technologies to provide, protect, and improve our Service. Cookies are small text files stored on your device that help us recognize you, remember your preferences, and analyze usage patterns.
6.1 Types of Cookies We Use
Essential Cookies (Required):
- Session management and authentication
- Security and fraud prevention
- Load balancing
- CSRF protection
These cookies are necessary for the Service to function and cannot be disabled.
Performance and Analytics Cookies (Optional):
- Usage analytics and statistics
- Error tracking and diagnostics
- Performance monitoring
Retention: Up to 12 months
Functional Cookies (Optional):
- User preferences and settings
- Language selection
- Customization features
Retention: Up to 12 months
6.2 Cookie Consent
For EU Users: We obtain your explicit consent before setting optional (non-essential) cookies. You can manage your cookie preferences at any time through our cookie consent banner or browser settings.
For Australian Users: While cookie consent banners are not legally required in Australia, we provide transparency about our cookie use and allow you to manage preferences.
For California Users: Cookies that track you across websites for advertising purposes are subject to your right to opt out under CCPA (see Section 10).
6.3 Managing Cookies
You can control cookies through your browser settings. Most browsers allow you to:
- View and delete cookies
- Block third-party cookies
- Block all cookies
- Receive warnings before cookies are stored
Note: Blocking essential cookies will prevent you from using the Service.
7. Data Security
We implement appropriate technical and organizational security measures to protect your personal information from unauthorized access, disclosure, alteration, or destruction.
Security Measures Include:
- Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher
- Encryption at Rest: Sensitive data stored in databases is encrypted using AES-256 or equivalent
- Access Controls: Role-based access controls restrict employee access to personal data on a need-to-know basis
- Multi-Factor Authentication: Required for administrative access to sensitive systems
- Audit Logging: We maintain logs of access to personal data for security monitoring
- Regular Security Assessments: Penetration testing and vulnerability assessments
- Incident Response: Procedures for detecting, responding to, and recovering from security incidents
- Vendor Security: All service providers undergo security assessments
While we implement industry-standard security measures, no method of transmission or storage is 100% secure. If you believe your account has been compromised, contact us immediately at vidscript@vertial.com.
8. Your Privacy Rights
Depending on your location, you have specific rights regarding your personal information:
8.1 Rights for All Users
- Right to Access: Request a copy of the personal information we hold about you
- Right to Correction: Request correction of inaccurate or incomplete information
- Right to Deletion: Request deletion of your personal information (subject to legal exceptions)
8.2 Additional Rights for EU Residents (GDPR)
- Right to Restriction: Request that we limit how we use your data while disputes are resolved
- Right to Data Portability: Receive your personal data in a structured, machine-readable format (JSON, CSV, XML) and transmit it to another service
- Right to Object: Object to processing based on legitimate interests or for direct marketing purposes
- Right to Lodge a Complaint: File a complaint with your local Data Protection Authority
- Right to Withdraw Consent: Withdraw consent at any time without affecting the lawfulness of processing before withdrawal
8.3 Additional Rights for California Residents (CCPA/CPRA)
- Right to Know: Request disclosure of categories and specific pieces of personal information collected, sources of collection, purposes for collection, and categories of third parties with whom we share information
- Right to Delete: Request deletion of personal information (subject to exceptions)
- Right to Correct: Request correction of inaccurate personal information
- Right to Opt Out: Opt out of "sale" or "sharing" of personal information (we do not sell or share personal information)
- Right to Limit: Limit use and disclosure of sensitive personal information
- Right to Non-Discrimination: Exercise your rights without receiving discriminatory treatment
8.4 Additional Rights for Australian Residents (APPs)
- Right to Access: Request access to personal information we hold about you (APP 12)
- Right to Correction: Request correction of inaccurate, out-of-date, incomplete, or misleading information (APP 13)
- Right to Complain: Lodge a complaint with the Office of the Australian Information Commissioner (OAIC)
8.5 How to Exercise Your Rights
To exercise any of these rights, please contact us at:
Response Timeframes:
- GDPR: 1 month (extendable to 3 months for complex requests)
- CCPA: 45 days (extendable to 90 days for complex requests)
- APPs: 30 days (reasonable period)
We may need to verify your identity before processing your request. We will not charge a fee for requests unless they are manifestly unfounded or excessive.
9. Children's Privacy
Our Service is not directed to children under 13 years of age (or 16 in the European Union). We do not knowingly collect personal information from children without proper parental consent.
If you are under 13 (or 16 in the EU), you must obtain verifiable parental consent before using the Service. If you are a parent or guardian and believe your child has provided personal information without consent, please contact us immediately at vidscript@vertial.com, and we will delete the information within 30 days.
YouTube Content: We do not actively monitor whether YouTube videos processed through our Service contain child-directed content. Users are responsible for complying with YouTube's child-directed content policies and applicable children's privacy laws (including COPPA in the United States).
10. California-Specific Disclosures
10.1 Notice at Collection
At or before the point of collection, we inform California residents about:
- Categories of personal information collected (see Section 1)
- Purposes for collection (see Section 2)
- Whether information will be sold or shared (we do not sell or share)
- Retention periods (see Section 5)
10.2 Categories of Personal Information
In the past 12 months, we have collected the following categories of personal information as defined by CCPA:
- A. Identifiers (name, email, IP address, device identifiers)
- B. Commercial information (subscription history, purchase records)
- C. Internet or network activity (browsing history, usage patterns)
- D. Geolocation data (approximate location from IP address)
- F. Inferences (preferences derived from usage patterns)
10.3 Do Not Sell or Share My Personal Information
We do not "sell" or "share" personal information as those terms are defined by CCPA. If our practices change in the future, we will update this Privacy Policy and provide California residents with a clear "Do Not Sell or Share My Personal Information" link.
10.4 Sensitive Personal Information
We do not intentionally collect sensitive personal information as defined by CPRA, though such information may be embedded in transcripts you process. We use such information only to provide the transcript extraction service.
11. Data Breach Notification
In the event of a data breach involving your personal information, we will notify you and relevant authorities in accordance with applicable laws:
- GDPR: Notification to supervisory authority within 72 hours; notification to affected individuals without undue delay if high risk
- Australian Privacy Act: Notification to OAIC and affected individuals as soon as practicable if a serious data breach occurs
- CCPA: Notification to California residents within a reasonable timeframe
Notifications will include the nature of the breach, categories of data affected, likely consequences, and measures taken to address the breach.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service offerings. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page
- Notify you by email (if you have an account)
- Display a prominent notice on our Site
- For material changes affecting GDPR rights, obtain fresh consent where required
We encourage you to review this Privacy Policy periodically. Your continued use of the Service after changes become effective constitutes acceptance of the updated Privacy Policy.
13. Contact Information and Complaints
13.1 Contact Us
13.2 Regulatory Authorities
You have the right to lodge a complaint with the relevant data protection authority in your jurisdiction:
14. Additional Disclosures
14.1 YouTube API Services
Our Service uses YouTube API Services to access video metadata and captions. Your use of our Service is also subject to:
14.2 Third-Party Links
Our Service may contain links to third-party websites or services (including YouTube). We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies.
14.3 Automated Decision-Making
We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you.
Last Updated: 3rd December 2025