This policy explains what personal data SlipStream collects, why, and what your rights are. It covers the marketing site at slipstreamlab.io, the product at app.slipstreamlab.io, and the SlipStream browser extension (together, the “Service”). We wrote it to be read, not skimmed past — it is short by design because we collect little.
1. Who is responsible (data controller)
The data controller is Relay Labs Ltd, 35 Lower Sherrard Street, Dublin, Ireland. For anything in this policy, contact tomi.vida@gmail.com. We process personal data under the EU General Data Protection Regulation (GDPR) and the Irish Data Protection Act 2018.
2. What we collect, and why
Account data
When you sign in with Google we receive your name, email address, and Google account identifier. We use these to create and operate your account. Legal basis: performance of a contract (GDPR Art. 6(1)(b)).
YouTube channel data (only if you connect a channel)
Connecting a channel grants SlipStream two read-only Google OAuth scopes (youtube.readonly and yt-analytics.readonly). With them we retrieve your channel and video metadata (titles, durations, publish dates, thumbnails) and your channel’s analytics: audience-retention curves, impressions, click-through rates, and view counts. This data powers the core of the Service — showing you where viewers leave your videos and generating recommendations from it. We cannot upload, edit, or delete anything on your channel. Legal basis: your consent (Art. 6(1)(a)), which you may withdraw at any time (section 8). OAuth tokens are encrypted at rest with AES-256-GCM.
Content you provide
Thumbnail images you upload for scoring or A/B experiments, video topics and prompts you enter, and settings you choose. Legal basis: performance of a contract.
Generated content and feature-improvement observations
Scripts, titles, insights, and thumbnail scores generated for you are stored so you can revisit them. To make thumbnail scoring more accurate for you and other creators, we also retain observations pairing thumbnails with their performance signals. Observations derived from your private analytics are used solely to provide and improve the Service’s user-facing features, consistent with the Google Limited Use policy in section 4 — they are never sold, never used for advertising, and never transferred to train third-party or generalized AI models. Legal basis: legitimate interest (Art. 6(1)(f)) in improving the Service; you can object (section 8).
Technical data
Server logs (IP address, timestamps, requested URLs) for security and debugging, and error reports via Sentry if an error occurs. Legal basis: legitimate interest in keeping the Service secure and working. Logs are kept for up to 90 days.
Payments (paid plans)
Subscriptions are handled by our payment provider acting as merchant of record; they process your payment and billing details under their own privacy policy. We never see or store your card number. We receive confirmation of your plan and billing status. Legal basis: performance of a contract and legal obligations (tax and accounting records).
What we do not collect
- No advertising trackers, no analytics pixels, no fingerprinting — on the marketing site or in the app.
- No data about your viewers as individuals — YouTube analytics are aggregate curves and counts only.
- No special-category (sensitive) data, and we do not want any in prompts you write.
3. Cookies
The marketing site sets no cookies. The app sets only strictly necessary cookies: your sign-in session and CSRF protection. Because we use no optional or tracking cookies, no consent banner is required under the ePrivacy Regulations (S.I. 336/2011).
4. Google API Services & YouTube API Services
SlipStream’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
SlipStream uses YouTube API Services. By connecting your channel you also agree to the YouTube Terms of Service; the Google Privacy Policy applies to Google’s handling of your data. YouTube data we store (section 2) is refreshed when you sync and is deleted per section 7. You can end SlipStream’s access to your Google data at any time, two ways: use “Delete account & data” in the app, which erases your stored tokens and all channel data immediately; or revoke access from your Google security settings, which cuts our access instantly — we delete the stored tokens as soon as we detect the revocation, and the analytics already in your account stay until you delete the account or ask us to erase them.
5. Who we share data with (processors)
We use a small number of service providers, bound by data-processing agreements:
| Provider | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Hosting (servers, database, backups) | Germany (EU) |
| Anthropic | AI processing — generating insights, scripts, titles, and thumbnail scores from data we send | United States |
| Sign-in (OAuth) and YouTube API Services | EU/US | |
| Sentry | Error monitoring | EU/US |
| Payment provider (merchant of record) | Subscription billing for paid plans | EU/UK/US |
We do not sell personal data, and we do not share it with anyone else except where the law requires it.
6. International transfers
Your data lives on servers in the EU. Where a provider processes data in the United States (Anthropic, and Google/Sentry in part), the transfer is protected by the EU–US Data Privacy Framework and/or the European Commission’s Standard Contractual Clauses. Content sent to Anthropic to generate output is not used by Anthropic to train its models, per its commercial API terms.
7. How long we keep data
- Account data, channel data, and tokens: while your account exists. Using “Delete account & data” in the app (or emailing us) erases all of it from our live systems immediately; copies in encrypted backups expire within 35 days.
- If you revoke access from Google instead: our access ends instantly and we delete the stored tokens as soon as we detect the revocation; analytics already in your account remain until you delete the account or ask us to erase them.
- Generated content and uploads: until you delete them or your account.
- Server logs: up to 90 days. Encrypted backups: up to 35 days.
- Billing records: as long as Irish tax law requires (currently 6 years).
8. Your rights
Under the GDPR you can, at any time and free of charge:
- Access the personal data we hold about you (Art. 15);
- Correct inaccurate data (Art. 16);
- Delete your data (Art. 17) — the “Delete account & data” control in the app does this immediately;
- Receive your data in a portable format (Art. 20);
- Restrict or object to processing based on legitimate interests (Arts. 18, 21);
- Withdraw consent (e.g. disconnect your YouTube channel) without affecting past processing.
Email tomi.vida@gmail.com to exercise any of these; we respond within one month. You also have the right to lodge a complaint with the Irish supervisory authority: the Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland — dataprotection.ie — or with your local EU supervisory authority.
9. Security
TLS everywhere in transit; OAuth tokens encrypted at rest (AES-256-GCM); least-privilege, read-only YouTube scopes; EU hosting; access to production systems restricted and logged. No system is perfectly secure — if a breach affects your data we will notify you and the DPC as the GDPR requires (within 72 hours to the DPC).
10. Automated decision-making & children
SlipStream generates recommendations, but no processing produces legal or similarly significant effects about you without human involvement (GDPR Art. 22 does not apply). The Service is not directed at children and requires users to be at least 16 years old — the digital age of consent in Ireland.
11. Changes to this policy
If we change this policy in any material way we will notify you in the app or by email before the change takes effect, and update the date at the top. The current version is always at slipstreamlab.io/privacy.
12. Contact
Privacy: tomi.vida@gmail.com · General: tomi.vida@gmail.com · Controller: Relay Labs Ltd, 35 Lower Sherrard Street, Dublin, Ireland.
Effective 8 July 2026. This is version 1 of this policy — no earlier version exists.