Tubeboxd

Privacy Policy

Last updated: July 4, 2026

Tubeboxd ("we", "us", "the service") lets you keep a diary of the YouTube videos you watch, rate them, review them, and share those reviews with friends. This policy explains what data we collect, why, and what you can do about it.

What we store

Account data. When you sign up with email + password we store your username, email, and a bcrypt hash of your password. When you sign in with Google we store your Google-issued subject ID, your email, your name, and your profile picture URL.

YouTube data. If you connect your Google account for YouTube import, we store an encrypted OAuth refresh token so we can call the YouTube Data API on your behalf. We use it only to import the specific playlists you request (e.g. your Liked videos). We do not read your subscriptions, watch history, or comments.

Your content. Diary entries, ratings, reviews, favorites, watchlist entries, lists, and follows that you create. We render your reviews to other users on your public profile, on video pages, and on discovery pages.

API tokens. If you use the Chrome extension, we store the tokens you mint from /settings/extension, along with their name, expiry, and the time they were last used.

Server logs. Request method, path, response code, duration, and the IP address you connected from, retained for up to 30 days for abuse prevention.

What we do not store

Cookies

We set one cookie, tbx_session, which holds your signed session JWT. It is HttpOnly, SameSite=Lax, and Secure in production. That's it.

How we share data

Public parts of your profile — username, display name, avatar, bio, public diary entries, public reviews, public lists, favorites, and watchlist — are visible to anyone who visits your profile URL. Private data (email, session token, API tokens, Google refresh token, IP addresses) is never shared with other users.

We use these subprocessors:

We do not sell data to advertisers or data brokers.

Your rights

You can export everything we store about you as JSON at /settings/account. You can delete your account at the same URL — this cascades to every table (entries, videos-you-logged, lists, follows, favorites, watchlist, API tokens) and, for Google-linked accounts, revokes the OAuth grant at Google.

Security

Passwords are hashed with bcrypt. Sessions use signed JWTs with a rotating secret. Google refresh tokens are encrypted at rest. Rate limits protect the auth and token-mint endpoints against credential stuffing.

Children

Tubeboxd is not intended for children under 13. If you believe a child under 13 has created an account, email us and we will delete it.

Contact

Questions, deletion requests, or data-portability requests: gondil.tanay@gmail.com.

Changes

If we materially change how we handle data, we'll update this page and, for account holders, send a notice by email at least 14 days before the change takes effect.
