PRIVACY POLICY

Last Updated: November 17, 2025

Compliant with Singapore's Personal Data Protection Act (PDPA)

1. INTRODUCTION

Welcome to TooLong.XYZ (https://toolong.xyz). We are committed to protecting the privacy of our users and complying with Singapore's Personal Data Protection Act (PDPA). This Privacy Policy outlines the types of personal and non-personal data we collect, the purposes for which it is collected, and how we handle it.

Data Controller: TooLong.XYZ is the data controller responsible for your personal data collected through our platform.

Data Protection Officer: For privacy inquiries, please contact our Data Protection Officer at hello@toolong.xyz.

2. DATA COLLECTION

Personal Data Collected Directly:

  • Name and email address (for account creation)
  • Payment information (processed by third-party payment providers)
  • YouTube video links you submit for summarization
  • User preferences and settings

Data Collected Automatically:

  • Device information (browser type, operating system, device identifiers)
  • Usage analytics (pages visited, features used, time spent)
  • IP address and geolocation data
  • Cookies and tracking technologies (see Section 9)

Data from YouTube API:

  • Video metadata (title, description, duration)
  • Video transcripts and captions
  • Channel information

3. PURPOSE OF DATA COLLECTION AND LEGAL BASIS

Under the PDPA, we process your personal data for the following purposes:

  • Service Delivery: Generating AI-powered video summaries (your consent)
  • Account Management: Creating and maintaining user accounts (your consent)
  • Payment Processing: Processing orders and payments (contractual obligation)
  • Customer Support: Responding to inquiries and providing assistance (your consent)
  • Service Improvement: Analyzing usage patterns to enhance user experience (legitimate interests)
  • Communications: Sending important notifications, updates, and security alerts (contractual obligation and legitimate interests)
  • Legal Compliance: Meeting legal and regulatory obligations (legal requirement)
  • Security: Detecting and preventing fraud, abuse, and security incidents (legitimate interests)

We do not use your personal data for purposes beyond those stated without obtaining your explicit consent.

4. DATA SHARING AND DISCLOSURE

We do not sell or rent your personal data to third parties. We may share your data with:

  • Service Providers: Third-party vendors who assist with hosting, payment processing, analytics, and customer support (under data processing agreements)
  • AI Model Provider: Google Gemini processes YouTube data to generate summaries (with appropriate safeguards and data protection agreements)
  • Legal Authorities: When required by law, court order, or to protect our legal rights
  • Business Transfers: In the event of a merger, acquisition, or sale of assets (with notification to affected users)

All third-party service providers are required to protect your personal data in accordance with the PDPA and our data protection standards.

5. CHILDREN'S PRIVACY

TooLong.XYZ does not knowingly collect any personal data from children under the age of 13. If we discover that we have inadvertently collected such data, we will delete it immediately.

6. DATA SECURITY

We implement industry-standard security measures to protect your personal information. However, no method of transmission over the Internet is 100% secure, and we cannot guarantee absolute security.

7. AI-SPECIFIC PRIVACY PRACTICES

YouTube Data Usage: Data obtained from YouTube (including video metadata, transcripts, and captions) is used solely to provide our summarization service to you. We do not use YouTube data to train, improve, or develop AI/ML models. YouTube data is processed only for the purpose of generating summaries and is not retained beyond what is necessary to deliver the service.

Third-Party AI Services: We use Google Gemini models exclusively to generate summaries. Google processes YouTube data only to generate your requested summaries and is contractually prohibited from using this data for model training or other purposes.

AI Limitations: Our AI-generated summaries may contain inaccuracies, reflect biases present in training data, or fail to capture important context. We recommend verifying important information against original sources.

No Sensitive Data: Our AI system is not designed to handle sensitive personal information. Please do not input confidential or sensitive material into the system.

8. YOUR RIGHTS UNDER THE PDPA

Under Singapore's PDPA, you have the following rights:

Right of Access: You have the right to request access to all personal data we hold about you, including information about how your data is used and disclosed for the preceding 12 months. You may request this information in machine-readable format.

Right of Correction: You can request correction of inaccurate or incomplete personal data. We will verify your request and make corrections within a reasonable timeframe.

Right to Withdraw Consent: You can withdraw any consent you've given us at any time (as long as data processing is not required by law). Withdrawing consent will cause us to cease processing your data for the purposes you've withdrawn consent for. Note that withdrawal does not affect processing that occurred before withdrawal, and may render certain services unavailable.

Right to Data Portability: You have the right to receive your personal data in a machine-readable format (such as JSON or CSV) and to request that we transmit this data to another organization.

How to Exercise Your Rights: To exercise any of these rights, please contact our Data Protection Officer at hello@toolong.xyz. We will respond to your request within a reasonable timeframe and may charge minimal fees for providing access to data.

Complaint to PDPC: If you believe we have not handled your personal data appropriately, you have the right to lodge a complaint with the Personal Data Protection Commission (PDPC) of Singapore.

9. COOKIES AND TRACKING TECHNOLOGIES

We use cookies and similar tracking technologies to enhance user experience and analyze service usage.

Essential Cookies: Required for core service functionality (authentication, security, load balancing). These cannot be disabled.

Analytics Cookies: Help us understand how users interact with our service (Google Analytics, usage metrics). You can opt out through browser settings or our cookie preferences.

Preference Cookies: Store your settings and preferences to provide a personalized experience.

Managing Cookies: You can control cookies through your browser settings. Note that disabling certain cookies may affect service functionality.

10. DATA RETENTION

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected:

  • Account Data: Retained while your account is active, plus 90 days after account closure
  • Video Summaries: Retained for 12 months or until you delete them
  • YouTube Data: Video metadata, transcripts, and captions from YouTube are cached temporarily (30 days) to improve service performance, then automatically deleted
  • Usage Analytics: Retained for 24 months in aggregated form (excludes YouTube data)
  • Payment Records: Retained for 7 years to comply with Singapore tax and accounting laws
  • Legal Compliance: Data required for legal obligations retained as required by law

When retention periods expire, we securely delete or permanently anonymize your data.

11. CROSS-BORDER DATA TRANSFERS

The PDPA does not require data localization within Singapore. However, we ensure appropriate safeguards when transferring your data internationally:

Transfer Destinations: Your data may be transferred to and processed in:

  • United States (cloud hosting and AI model providers)
  • European Union (analytics and support services)
  • Other jurisdictions where our service providers operate

Safeguards: We implement the following protections:

  • Standard contractual clauses with all international service providers
  • Encryption in transit and at rest
  • Regular security audits of third-party processors
  • Compliance with PDPA transfer limitation obligations

For sensitive data transfers, we obtain explicit consent where appropriate.

12. DATA BREACH NOTIFICATION

In the event of a data breach affecting your personal data, we will:

  • Notify the Personal Data Protection Commission (PDPC) without unreasonable delay
  • Notify affected users as soon as practicable
  • Provide information about the nature of the breach, affected data, and remedial actions
  • Implement measures to prevent future breaches

Our breach notification procedures comply with PDPA requirements and prioritize user protection.

13. UPDATES TO THE PRIVACY POLICY

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make material changes:

  • We will notify users via email at least 30 days before changes take effect
  • We will update the "Last Updated" date at the top of this policy
  • For significant changes expanding data use, we will require explicit re-acceptance
  • We will maintain archived versions of previous policies with dates

We encourage you to review this Privacy Policy periodically. Continued use of our service after changes take effect constitutes acceptance of the updated policy.

14. CONTACT US

If you have any questions or concerns about our Privacy Policy, please contact us at:

Email: hello@toolong.xyz

By using our website, you consent to the terms of this Privacy Policy and agree to its terms.
