privacy · v1.0 · Updated 2026-05-12

Privacy Policy

Short version: Trendnaut analyzes your own YouTube channel data to suggest what to post next. We collect what we need for that, share with the services that make it possible, and don't sell your data. We follow LGPD (Brazil) and GDPR (EU) as our defaults. Wherever you live, you get those protections. If anything below trips you up, that's on us. Write to hello@trendnaut.com and we'll walk you through it.

1. Who we are

Trendnaut is software operated from Jundiaí, São Paulo, Brazil. We're the data controller for your account.

For privacy questions, data requests, or anything covered by this policy, write to hello@trendnaut.com — our designated Encarregado contact for LGPD purposes (Art. 41). We respond to most messages within 2 business days, and to formal data requests within 15 days as required by LGPD.

2. The promise

Three things we don't do, in plain English:

  • We don't sell your data. No advertisers, no data brokers, no "data partners."
  • We don't train AI models on your content. The AI we use is a third-party service that analyzes your data once per analysis, then forgets it. Details in section 7.
  • We don't compare you to other creators. Your analysis uses only your own channel data. We don't pool data across users to build benchmarks.

Three things we do:

  • We connect to your YouTube account through Google's official OAuth. You grant specific, limited permissions. You can revoke them anytime at myaccount.google.com/permissions.
  • We process your data through service providers (database, hosting, AI, email). They're listed in section 6 with what each one receives.
  • We keep your data while your account is active. When you delete your account, we permanently erase it within 30 days.

3. What we collect

We collect three kinds of data: what you give us, what you generate by using Trendnaut, and what your connected platforms send us.

What you give us

  • Email address when you sign up.
  • Name if you choose to share it (optional, from your Google profile during sign-in).
  • Language preference when you set it in your account.
  • Subscription decision when you upgrade to Pro through Polar.sh, our payment processor. Polar.sh stores your card details. We never see or store them. We receive only a customer ID and subscription status.

What you generate by using Trendnaut

  • Session data: when you log in, we store your session with an associated IP address and basic browser metadata. Stays in our database for 30 days, then gets deleted.
  • Cookies: a small number of cookies for authentication and preferences. Analytics cookies require opt-in consent for EU and Brazilian users; opt-out for users elsewhere. Details in section 10.
  • Product usage: which pages you visit, which features you use, which recommendations you act on. We process this through PostHog for product analytics. See section 6.
  • Schedule data: when you schedule a post through Trendnaut, we store the scheduled time, the post content, and the publishing status.

What your connected platforms send us

When you connect your YouTube channel, Google sends us:

  • Channel metadata: channel ID, name, owner status.
  • Video metadata: titles, descriptions, durations, thumbnails (URLs only, we don't store the images), tags, publish times.
  • Analytics: views, average view duration, retention curves, traffic sources, audience demographics (aggregated only, no individual viewer data).
  • OAuth tokens: an access token and a refresh token, encrypted at rest in our database. The access token expires every hour. The refresh token is used to obtain new access tokens silently. You can revoke our access any time through your Google account.

We don't request access to comments, individual viewer information, or write permissions on your channel.

4. Why we collect each thing

LGPD and GDPR both require us to have a specific purpose for every piece of data we collect. Here's the full list.

  • Email: to identify your account, send transactional emails (trial reminders, weekly letters, billing receipts), and respond to support requests.
  • Name: to personalize emails ("Hi Felipe" instead of "Hi there").
  • Language preference: to display the product in your chosen language.
  • Subscription data: to manage your access (trial, active, expired), bill you correctly, and provide receipts.
  • Session data and IP: to keep you logged in, detect suspicious activity (for example, logins from unexpected countries), and prevent abuse.
  • Cookies: authentication cookies are strictly necessary. Preference cookies remember your settings. Analytics cookies help us understand which features creators actually use.
  • Product usage: to improve the product. We look at aggregate patterns ("most creators check the dashboard on Monday morning"), not individual behavior.
  • Schedule data: to publish posts to your platforms at the times you set.
  • YouTube channel and video data: to analyze your performance and generate recommendations. This is the core of what Trendnaut does. Without this data, there's no product.
  • OAuth tokens: to make API calls to YouTube on your behalf. Without these, we can't read your analytics.

We don't collect anything we don't use. If you spot something in this list and can't see why we'd need it, email us. We'll explain or stop collecting it.

6. Who we share data with

We use service providers ("subprocessors" in privacy law terminology) to operate Trendnaut. Each receives only what they need to do their job.

We have data processing agreements with these providers where they offer them, and we choose providers based partly on their compliance posture (GDPR, SOC 2 where available). Some of our providers are smaller and don't yet have formal SOC 2 reports. We've chosen them for reliability and engineering quality, and we monitor their practices.

We don't share your data with advertisers, data brokers, marketing companies, or any party not listed in this section.

Neon

Database hosting. They store everything we store. Data is encrypted at rest and in transit. Located in the United States with EU regional options.

Railway

Application hosting and background job workers. They process server logs and request metadata. Located in the United States.

Cloudflare R2

File storage for thumbnails and exports. Located globally with EU regional options.

Google

OAuth provider and source of YouTube data. They authenticate you and send us channel data based on the permissions you grant.

OpenRouter

AI gateway. They route our analysis requests to the underlying language model and return the response. They don't store request content beyond what's required for routing and abuse prevention.

DeepSeek

The AI model that processes our analysis requests through OpenRouter. They receive the analysis input and return interpretation text. They don't retain the data for training.

Polar.sh

Payment processing. They receive your email, subscription state, and payment metadata. They handle all card details directly. We never see them.

SendGrid

Email delivery. They receive recipient email addresses and message content for transactional emails (trial reminders, weekly letters, account notifications).

PostHog

Product analytics. They receive anonymized event data tied to a user ID (not your email), along with IP and basic browser metadata. EU users must opt in before any PostHog data is sent.

7. What we send to AI providers

This section matters because it's where a third-party AI processes your content. Read it carefully.

When Trendnaut runs a pattern analysis on your channel, we send the following to OpenRouter (which routes to DeepSeek):

  • Aggregated metrics: view counts, retention percentages, traffic source breakdowns by category, weekday averages, format duration buckets.
  • Post titles: the titles of your own videos.
  • Post duration: how long each video is.
  • Computed hypothesis results: yes/no/inconclusive outcomes from deterministic statistical tests we run before calling the AI.
  • Pattern signals: which weekdays performed better, which formats are most common, how many breakout videos you've had.

We do NOT send:

  • Your email address or name
  • Your OAuth tokens (these stay on our servers, encrypted)
  • Video thumbnails or visual content
  • Individual viewer data, comments, or messages
  • Identifiers that map back to you outside Trendnaut

The AI provider receives a creator UUID (a random identifier we generated) and the data above. They process the request, return interpretation text, and don't retain the data for model training. We've confirmed this in their terms.

For the weekly post drafts generation, we send the same kind of analysis summary plus pre-computed candidate signals (format, suggested weekday, topic tags from your own posts). The AI generates draft titles, insights, and captions, which we save to your dashboard.

If this disclosure matters to you and you don't want any data sent to a third-party AI provider, the product doesn't work without it. Analysis is core. You can close your account anytime if this is a deal-breaker.

8. Google OAuth: what we ask for and why

When you sign in with Google to connect your YouTube channel, we request these specific scopes:

https://www.googleapis.com/auth/youtube.readonly

Read your video metadata: titles, descriptions, durations, thumbnails (URLs), tags. We use this to identify your videos and their content characteristics for analysis.

https://www.googleapis.com/auth/yt-analytics.readonly

Read your video performance data: views, retention, traffic sources. We use this to identify patterns in what's working and generate recommendations.

https://www.googleapis.com/auth/youtube.channel-memberships.creator

Identify you as the owner of the channel during sign-in. We use this only to confirm you have the right to connect this channel.

We don't request:

  • Write access (we cannot post, edit, or delete videos through these scopes)
  • Comment access
  • YouTube Premium scopes
  • Administrative or force-SSL scopes
  • Access to viewer-level data

You can review what you've granted at myaccount.google.com/permissions and revoke our access at any time. Revocation immediately stops data sync. Your historical data remains visible in Trendnaut until you delete your account.

We follow Google API Services User Data Policy, including the Limited Use requirements. Specifically: we use Google user data only to provide and improve the Trendnaut service for you. We don't transfer it to third parties except as described in section 6 (which is required to operate the service). We don't use it for serving ads. We don't allow humans to read your Google user data, except (a) with your explicit consent, (b) when necessary for security purposes, (c) when required by law, or (d) when the data has been aggregated and anonymized.

9. International data transfers

Trendnaut is operated from Brazil. Our service providers are based mainly in the United States and the European Union. This means your data crosses borders.

For users in the European Union, transfers from the EU to other countries are protected by:

  • European Commission's 2021 Standard Contractual Clauses (SCCs) with providers that use them. Where providers participate in the EU-US Data Privacy Framework (adequacy decision, 2023), that applies instead.
  • Adequacy decisions where applicable (for example, transfers between EU countries, or to countries the European Commission has deemed adequate).
  • Provider-specific safeguards documented in their respective privacy policies.

For LGPD purposes, international transfers from Brazil rely on specific contractual clauses (LGPD Art. 33, II) or the controller's compliance guarantee (Art. 33, V), using contractual safeguards with each service provider.

10. Cookies and tracking

We use cookies in three categories:

Strictly necessary cookies (always active)

These keep you logged in and the product functioning. Without them, the product doesn't work. They include your session token and a CSRF protection cookie. No consent is required for these under LGPD or GDPR.

Preference cookies (active by default, can be opted out)

These remember your settings: language, theme preference, dismissed onboarding messages. They make the product feel personal. You can disable them in your browser settings. Some interfaces will reset to defaults if you do.

Analytics cookies (consent-based)

We use PostHog for product analytics. It sets a cookie to track which features you use, with all data tied to a randomly generated user ID rather than your email.

  • EU and Brazilian users: analytics are off by default. Both GDPR and LGPD require opt-in consent for non-essential tracking. You see a consent prompt on first visit. We enable PostHog only after you accept.
  • Users outside the EU and Brazil: analytics are on by default with an option to opt out in settings.

You can withdraw consent at any time. Withdrawal applies going forward. Historical data already collected stays until our normal retention window expires.

We don't use cross-site tracking, advertising cookies, or fingerprinting.

11. Your rights

Under LGPD (Brazil), GDPR (EU), and equivalent laws elsewhere, you have rights over your personal data. Trendnaut honors these rights for all users, regardless of location.

You can:

  • Access your data. Request a copy of everything we have about you.
  • Correct inaccurate data. Tell us what's wrong and we'll fix it.
  • Delete your data. Close your account, and we erase it within 30 days.
  • Export your data. Download a structured copy from settings, anytime. Under GDPR Art. 20, you can also request direct transmission of your data to another controller.
  • Restrict processing. Ask us to limit how we use your data in specific situations.
  • Object to processing, particularly for analytics, where you can withdraw consent.
  • Request review of automated decisions. Under LGPD Art. 20 and GDPR Art. 22, you can ask us to explain or review any recommendation our AI generated. Our recommendations are suggestions, not binding decisions, but the right exists and we'll honor it.
  • Anonymize your data. For LGPD users, request that we keep aggregate insights but remove identifiers.
  • Revoke consent for anything we process based on consent (analytics cookies primarily).
  • Be informed about data sharing. See section 6 for our full subprocessor list.
  • File a complaint with a supervisory authority. In Brazil: ANPD (https://www.gov.br/anpd/). In the EU: your country's data protection authority.

To exercise any of these rights, email hello@trendnaut.com. We respond within 15 days as required by LGPD. If your request is complex, we may extend that to 30 days and let you know.

We may ask you to verify your identity before processing a deletion or export request. This protects you against impersonation.

CCPA (California): Trendnaut does not currently meet CCPA applicability thresholds (annual revenue above $25M, processing data of 100,000+ California consumers, or 50%+ of revenue from selling personal information). We don't sell personal data. If our scale changes, we'll add explicit CCPA disclosures.

12. How long we keep your data

When you delete your account, we mark your data for deletion immediately and remove it from active systems. Backups containing your data are overwritten within 30 days. Billing records are kept for tax and audit purposes for 5 years, in compliance with Brazilian law.

  • Active account data: While your account is active
  • Data after account deletion request: 30 days, then permanently erased
  • Backups containing deleted data: 30 days, then erased from backups
  • Application logs: 30 days
  • Email delivery logs (SendGrid): 30 days
  • Session data and IP addresses: 30 days from last session
  • PostHog analytics events: 1 year
  • Billing records: 5 years (Brazilian tax law requirement)

13. Security

We protect your data with industry-standard practices: TLS encryption for all data in transit, encryption at rest in the database, OAuth tokens encrypted with an additional layer, and access controls limiting which parts of our team can see what.

We can't promise no incident will ever happen. Nobody honest can. We can promise that if one does, we notify the relevant supervisory authority within 72 hours (GDPR Art. 33) or 3 business days (LGPD, ANPD Resolution 15/2024), and notify you directly without undue delay when your data is at high risk. We'll be specific about what was affected.

For more detail on our security practices, see the Security Statement.

To report a vulnerability, write to security@trendnaut.com. We acknowledge security reports within 48 hours.

14. Children's privacy

Trendnaut isn't for users under 18. Creators on YouTube must be old enough to have a Google account that can monetize a channel (typically 13+ in the US, 18 in some jurisdictions), but Trendnaut specifically requires you to be 18 to use the product.

We don't knowingly collect data from anyone under 18. If you become aware that a minor has signed up, email us and we'll close the account and delete the data within 30 days.

15. Changes to this policy

We may update this policy as the product evolves. For material changes, like adding a new subprocessor that receives sensitive data or changing retention periods, we email you at least 30 days before the change takes effect. For minor changes (typo fixes, clarifying language), we update the "Last updated" date at the top and don't email everyone.

Previous versions of this policy are archived and available on request.

16. Contact

For privacy questions, data requests, or anything covered by this policy:

  • Email · privacy questions and data requests: hello@trendnaut.com
  • Email · security and vulnerability disclosure: security@trendnaut.com

For LGPD-specific concerns, you can also contact Brazil's data protection authority directly at ANPD (https://www.gov.br/anpd/).