Privacy Policy

1. Who We Are

Xtrakt is operated by PixEye Inc., a corporation registered in the Province of Ontario, Canada ("Xtrakt", "we", "us"). This Privacy Policy describes what data we collect, why, and how we handle it. It applies to the Xtrakt Chrome extension and our services at xtrakt.app and api.xtrakt.app.

2. What We Collect

Account data. When you sign in with Google, we receive your email address, display name, and profile picture. This is used solely to identify your account.

Content you save. When you use Xtrakt, we process YouTube video transcripts and store your saved summaries, knowledge base entries, chat messages, folder organization, and user preferences on our servers, associated with your account.

Usage and product analytics. We collect anonymous product events (e.g., "insight started", "video saved", feature clicks, error signals) to understand how the extension is used and to improve it. See Section 4 for the full list of third-party processors.

Payment data. If you subscribe to Pro, Stripe collects and processes your payment information directly. We never see or store your full card number.

3. How We Use Your Data

• Account management: Your email and name are used to manage your account and subscription, and to send service-related emails (welcome, receipts, billing issues).
• Knowledge base: Your saved videos, summaries, embeddings, and chat history are stored to provide the core Xtrakt service. This data is private to your account.
• AI processing: Video transcripts and prompts are sent to third-party AI providers (OpenAI, Anthropic, Google) to generate insights and summaries. These providers process data under their own terms and do not use it to train their models on your data.
• Product improvement: Anonymous usage events help us understand which features are used and where users get stuck. We do not sell this data.
• Payment processing: Stripe processes payments for Pro subscriptions. We do not store credit card details.

4. Third-Party Processors

We share only the data necessary with a small set of trusted processors:

• Supabase — authentication and account data storage. Supabase acts as our database and auth provider.
• OpenAI, Anthropic, Google — AI model providers that process transcripts to generate summaries and chat responses under their API terms. These terms prohibit training on your data.
• Stripe — payment processing for Pro subscriptions. Governed by Stripe's privacy policy.
• Resend — transactional email delivery (welcome emails, billing notices).
• PostHog — anonymous product analytics. We use PostHog to capture product events (e.g., which features are used, where errors occur) so we can improve the product. We have disabled session replay and autocapture, so PostHog only receives the specific events we send.
• Railway — infrastructure hosting for our backend API.
• Cloudflare and Netlify — DNS and static content delivery for our website.

We do not sell, rent, or share your personal data with any other third parties for marketing purposes.

5. Where Your Data Is Processed

Our backend is hosted in the United States (via Railway). Supabase infrastructure may be in the United States or Canada depending on project region. AI providers and payment processors may route requests through their own global infrastructure. By using Xtrakt, you consent to the transfer and processing of your data in these jurisdictions.

6. Data Isolation

Each user's knowledge base is completely isolated. Your saved videos, summaries, embeddings, and chat history are not visible to or accessible by any other Xtrakt user.

7. Data Retention and Deletion

Your data is retained as long as your account is active. You can delete individual saved videos at any time from the extension. If you delete your account, all associated data (knowledge base, summaries, chat history, account profile) will be permanently deleted from our production systems within 30 days. Backups are purged on a rolling 90-day cycle.

Certain records required for legal, tax, or fraud-prevention purposes (e.g., Stripe billing records) may be retained longer as required by law.

8. Your Rights

Depending on your jurisdiction, you may have the right to:

• Access a copy of the personal data we hold about you.
• Correct inaccurate or incomplete data.
• Delete your data ("right to erasure").
• Export your data in a machine-readable format ("data portability").
• Object to or restrict certain processing activities.

To exercise any of these rights, email [email protected]. We will respond within 30 days.

Canadian residents can also file a complaint with the Office of the Privacy Commissioner of Canada (priv.gc.ca). California residents have additional rights under the CCPA and can contact us with "CCPA request" in the subject line.

9. Chrome Extension Permissions

The Xtrakt Chrome extension requests the following permissions:

• activeTab: To detect when you are on a YouTube video page and display the sidebar.
• storage: To store your preferences and authentication session locally in your browser.
• scripting: To inject the Xtrakt sidebar into YouTube pages.
• identity: To enable Google sign-in via Chrome's built-in identity flow.
• Host permissions (youtube.com): To inject the Xtrakt sidebar and read video transcript data on YouTube pages.
• Host permissions (api.xtrakt.app): To communicate with our backend API.
• Host permissions (auth.xtrakt.app): To authenticate with our identity provider.
• Host permissions (us.i.posthog.com, us-assets.i.posthog.com): To send anonymous product analytics events to PostHog.

The extension does not read your browsing history, access other open tabs, or transmit any data from websites other than YouTube.

10. Cookies and Local Storage

The Xtrakt extension stores a session token, your preferences, and a locally generated anonymous analytics identifier in your browser's extension storage. Our website (xtrakt.app) does not use tracking cookies. It may set basic functional cookies required for the site to work.

11. Children's Privacy

Xtrakt is not directed at children under 13, and we do not knowingly collect personal information from children under 13. If we become aware that a child under 13 has provided us personal information, we will delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email or in-extension notice before taking effect. The "Last updated" date at the top reflects the most recent revision.

13. Contact

PixEye Inc.
375 University Avenue 3293
Toronto, ON M5G 2J5, Canada
Email: [email protected]