What we read. What we store. How we protect it.
Last updated · July 4, 2026
Creatorscope never writes to your channel. We never publish, edit, or delete anything — and we wrote this page in plain language, including every OAuth scope we ask for and why, so you can verify that.
What we read from YouTube
When you connect a channel, Google's OAuth screen asks for four scopes. Here's each one, and why it exists:
youtube.readonly— read your videos, titles, descriptions, thumbnails, comments, and channel data.yt-analytics.readonly— read your growth and retention analytics: retention curves, view counts, impressions.yt-analytics-monetary.readonly— read the revenue metrics inside those same analytics, so the briefing can talk about earnings, not just views.youtube.force-ssl— used solely to download your caption transcripts via the official captions API. The transcripts are what the voice model trains on, and Google doesn't offer a narrower scope that unlocks caption downloads.
The first three are read-onlyby definition. The fourth is broader than we'd like — Google gates caption downloads behind it — but we use it for exactly one call: downloading captions. We never publish, edit, or delete anything on your channel. You can revoke our access from your Google account at any time. The full data breakdown lives in the privacy policy.
What we store
A cached copy of the YouTube data we pulled — videos, metadata, thumbnails, retention curves, analytics — so the app doesn't hammer YouTube's API on every page load.
The things you create in the app: pipeline cards, drafts, scripts, ideas, voice-model source documents, and settings.
Every row is scoped to your user account. Your videos, your scripts, your voice profile — they are joined to your user ID at the database level. They are not visible to other accounts. They are not pooled into a shared corpus.
How we protect it
Ownership checks on every multi-tenant request. Every API endpoint that touches a video, channel, comment reply, script, or voice document runs an ownership check (ownsVideo, ownsChannel, ownsCommentReply, etc.) before doing anything. If the row doesn't belong to your user ID, the request returns 404 — same response as if it didn't exist.
Error messages never leak details. The client sees a generic message. Raw errors, stack traces, and database messages are logged server-side via Sentry — never returned to the browser. A prior sweep patched 113+ raw error leaks out of 65 API routes and the policy is now enforced on new code.
Sentry strips PII from session replays. Replays run with maskAllText and blockAllMedia — text and media are masked before they leave your browser. Cookie and Authorization headers are stripped from every event before send. We can debug a bug; we can't read your script.
Stripe webhooks are idempotent. Every event ID is logged in a stripe_events table before processing, so a replayed webhook can't double-charge or double-grant entitlements.
Rate limiting is persistent. Public endpoints (Title Oracle, marketing forms) run a per-IP sliding window backed by the same Turso database that holds your data — not an in-memory cache that resets on every deploy.
Data deletion
When you cancel, your data stays for 30 days so you can change your mind without losing your scripts and pipeline history. After 30 days, we wipe it from the database.
Want it gone same-day? Email hello@creatorscope.studio and we'll do it that day. No forms, no tickets, no retention specialists trying to talk you out of it.
Where data lives
The application runs on Vercel. The database is Turso (libSQL) with an EU region available — your data sits in Europe if that matters to you. Encryption is in transit (TLS) and at rest. Session cookies are HttpOnly and signed.
We follow GDPR-aligned data practices — read-only access, scoped storage, explicit consent for analytics cookies, plain deletion on request. We do not currently hold a SOC 2 or ISO 27001 certification, and we'd rather say so than fake a badge.
What we don't do
- We never write to your YouTube channel. No publishing, no edits, no deletions, no scheduled uploads. The one broad scope we hold (
youtube.force-ssl, see section 01) exists solely to download caption transcripts — we never call a write endpoint with it. - We never sell or share your data.Not to advertisers, not to data brokers, not to anyone. The only third parties that touch your content are the AI providers that generate output for you (Anthropic, Google) — and under our agreements, they don't train on it.
- We never share your scripts or voice profile with anyone else. Your voice model is yours. It doesn't leak into other accounts and it isn't visible to other users.
- We never use your data to train models that other users benefit from. Your channel doesn't become someone else's head-start. Each account's voice and history stays isolated to that account.
Questions or disclosure
Found something that looks like a security issue? Email hello@creatorscope.studio with the details. That's the founder. You'll get a real reply, usually within a day. The machine-readable version of this section lives at /.well-known/security.txt. The full policy detail — retention, third parties, your rights — lives in the privacy policy.