Privacy Policy
Effective date: May 31, 2026
Last updated: May 31, 2026
We collect your email and password for your account (the password is stored as a bcrypt hash, never as plaintext). The outputs we generate from your content (transcripts, summaries, translations) are stored in your account while it is active so you can access your history, anonymized when you delete your account, and never used for AI training. We don't store your payment details (Stripe handles them). You can delete your account anytime. Questions: [email protected].
At CreatorNote, we care about your privacy. This Privacy Policy explains how we collect, use, and protect your personal information. By using the Service, you accept these practices.
1. Introduction and Scope
This Policy applies to the Service delivered through creatornote.ai, its browser extensions, and its API. It is designed to protect your rights under Turkish KVKK (Personal Data Protection Law), EU GDPR (General Data Protection Regulation), and California CCPA (Consumer Privacy Act).
2. Information We Collect
2.1 Information You Provide Directly:
- Account registration: name (optional), email, password (bcrypt-hashed, never stored as plaintext), avatar (optional).
- Profile data: preferred language, plan choice.
- User content: PDFs, audio, video, text, URLs, transcripts you upload.
- Communications: support requests, blog comments, feedback.
- Payment: Credit card data is NOT stored by us; processed by PCI DSS-compliant Stripe. We retain only your subscription status and Stripe customer/subscription IDs (NOT card numbers or digits).
2.2 Automatically Collected Information:
- Usage analytics: which tools you use, daily character/file counts (anonymized/aggregated). Google Analytics 4 (only with your consent).
- Device/browser: IP address (rate limit & fraud prevention), browser type, OS, language, visit timestamp.
- Cookies: See our Cookie Policy for details.
2.3 Information from Third Parties:
- Third-party login: when you sign in with Google or Apple Sign-In, we receive your email and name. Your password is not shared with us.
- Payment provider: Subscription status from Stripe (active/canceled/renewal date).
3. How We Use Your Information
3.1 Service Delivery and Improvement: create accounts, deliver core features (YouTube transcripts, summaries, translation, AI chat), analyze usage, and improve the system.
3.2 Communication and Support: respond to inquiries, send account notifications (password reset, subscription renewal).
3.3 Legal Compliance, Security, and Fraud Prevention: comply with laws, enforce Terms, prevent fraud, abuse, and cybersecurity threats.
3.4 Marketing (Only with Express Consent): email newsletters for new features, blog posts, product news. Every email contains an unsubscribe link.
4. Cookie Policy Summary
For full details see our Cookie Policy. In summary:
- Strictly necessary: authentication, security (session cookies). No consent required.
- Functional: theme, language preference (localStorage).
- Analytics: Google Analytics, active only with your consent via the cookie banner.
- Advertising: Not used at present.
5. Data Sharing and Disclosure
AI and your data: The content you upload (video links, files, text) is sent to AI providers solely to fulfill your request and is never used to train AI models. The generated outputs are stored on our systems while your account is active so you can access your history; they are anonymized when you delete your account (see Section 7). Providers we use or may use include Groq, Google Gemini, OpenAI, Anthropic (Claude), Mistral and similar enterprise AI services.
5.1 Third-Party Service Providers:
- Stripe (US): Payment processing, PCI DSS compliant.
- Groq (US): AI summary, transcript, translation outputs. User content is deleted after processing and never used to train models.
- Google Gemini (Fallback AI provider): Activated when Groq is unavailable.
- Resend (EU): Transactional email (account verification, notifications).
- Sentry (US): Error tracking and logging (personal data auto-masked).
- Google Analytics 4 (US): Anonymous usage analytics, only with your consent.
- Cloud hosting: Hetzner (Germany, European data center).
5.2 Legal Requirements: We may disclose information when required by court order, prosecutor request, or legal obligation. We notify you to the extent legally permitted.
5.3 Business Transfers: In the event of a merger, acquisition, or bankruptcy, personal data may be transferred to successor entities. You will receive prior email notice and retain your rights.
5.4 With Your Consent: For disclosures not described above, we obtain your express consent.
5.5 Anonymized/Aggregate Data: Non-identifiable statistical data (e.g., "N summaries produced daily") may be shared without restriction.
6. Data Security
The main measures we apply to protect your data:
- HTTPS/TLS encryption for all traffic; HSTS (1 year) enforced in production.
- Passwords are hashed with bcrypt (cost 12) and never stored in plain text.
- Email-verification and password-reset link codes are stored hashed with SHA-256.
- Content Security Policy (CSP) and security headers (Helmet) for XSS/clickjacking protection.
- All database queries are parameterized (Prisma ORM), which protects against SQL injection.
- IP-based rate limiting to prevent brute-force and abuse.
- CORS allow-list: requests are accepted only from authorized origins.
- Hosting in a European data center (Hetzner, Germany).
However, no internet transmission is 100% secure; you share responsibility for protecting your account password.
7. Data Retention
- Account data: retained while your account is active. When you delete your account, identifying data is anonymized IMMEDIATELY; only anonymized/aggregate records may be kept for legal obligations (tax, audit).
- Usage/analytics: 3 months to 2 years, then anonymized or deleted.
- Content: while your account is active. Anonymized on account closure (KVKK Article 7, GDPR Article 17).
- Backups: rolling backups retained up to 30 days.
- Communications: until the support request is resolved, plus a 2-year archive.
8. Your Rights (KVKK + GDPR + CCPA)
Under applicable laws, you have the following rights:
- Right of access: request access to your personal data.
- Right to rectification: request correction of inaccurate data.
- Right to erasure: You can delete your account yourself anytime from Settings → Delete Account by entering your password and confirming. You may also request deletion by emailing [email protected]; in that case we delete it after verifying your identity.
- Right to restrict processing: limit specific processing activities.
- Data portability: request your data in a machine-readable format.
- Right to object: object to marketing processing.
- Automated decision-making/profiling: right to not be subject to automated decisions.
- Withdraw consent: withdraw consent at any time.
- Right to lodge a complaint: file with the Turkish Personal Data Protection Authority (KVKK) or the relevant EU data protection authority (GDPR).
To exercise any of these rights, simply email [email protected]. After identity verification, we respond within 30 days.
9. International Data Transfers
Some of our service providers are located in the US and EU. Therefore, your data may be transferred beyond country borders. For EU transfers, we use Standard Contractual Clauses (SCCs) under GDPR Article 46 and other appropriate safeguards. Under KVKK Article 9, transfers occur with your express consent or legal exemptions.
10. Children's Privacy
The Service is not directed to children under 13, and we do not knowingly collect data from those under 13. The age limit is 16 for EU users (GDPR Article 8). If you discover your child has opened an account, please notify us; the account will be deleted promptly.
11. Policy Updates
We may update this Policy to reflect operational, technological, or legal developments. We announce material changes at least 30 days before they take effect, via email or in-Service notification. The "Effective date" is updated with every revision.
12. Contact and Data Controller
Data Controller: CreatorNote (legal entity name and MERSIS number will be updated on the Contact page when published).
Contact: [email protected]
KVKK Data Controller Representative: to be designated post-launch.