Note: This is a working draft prepared for public discussion and beta testing. The document will be reviewed by a lawyer before commercial launch with paying users.
🧑🤝🧑 For parents — PC, mobile, tablet
YouTube Mentor
Version 1.0 — effective from 2026-MM-DD
Public URL: https://mentor.vinarice.net/en/privacy
1. Who we are
Data Controller:
Ladislav Kepl, Vinařice, Czech Republic
Contact: ladislav.kepl@gmail.com
This Privacy Policy describes how we process personal data of users of the YouTube Mentor service, available at https://mentor.vinarice.net/ including the Chrome browser extension (Manifest V3).
The service is intended for:
- Parents (referred to as "Mentor") — who want oversight of their children's YouTube viewing
- Children and teenagers (referred to as "Student") — whose YouTube activity is monitored with parental consent
2. What data we collect
2.1 Mentor data
- Email address (login + communication)
- Password (stored as Argon2 hash, never plaintext)
- Name (optional)
- IP address at login (security audit, retention 12 months)
- Subscription data: Stripe customer ID, subscription status
2.2 Student data
- Name or nickname (entered by Mentor)
- Optional: avatar URL, age, education tier
- Phone number — ONLY if Mentor uses "Invite via SMS" (retention: 30 days)
- Pairing code (8 characters, 1-hour validity)
- Device info (browser version, OS, extension version)
- Last activity timestamp
2.3 YouTube activity data
We collect only when the Student has YouTube open and the YouTube Mentor extension is active:
- Currently watched video URL
- Video title, channel ID, channel name
- Playback position (seconds)
- Watch duration (session start/end)
- Playback state (playing/paused)
- "Short" flag (true/false)
Heartbeat (telemetry signal) is sent every 5 seconds while a YouTube tab is active.
2.4 Google API data (only with OAuth)
Currently NOT enabled. Reserved for future use after Chrome Web Store CASA Tier 2 verification.
2.5 What we DO NOT collect
- Audio or video recordings
- Data from non-youtube.com sites
- Data from other devices or apps
- Geolocation
- Keystrokes
- Communication content (emails, messages)
3. Legal basis (GDPR Art. 6)
| Purpose | Legal basis |
|---|---|
| Service provision to Mentor | Contract performance (Art. 6(1)(b)) |
| Service for Student under 15 (Czech age) | Parental consent (Art. 6(1)(a) + Art. 8 GDPR) |
| Service for Student 15+ | Consent + parent informed |
| Marketing communication | Opt-in consent |
| Security audit, abuse prevention | Legitimate interest (Art. 6(1)(f)) |
| Accounting obligations | Legal obligation (Art. 6(1)(c)) |

The Czech Republic applies the age limit of 15 for consent to information society services (Art. 8 GDPR, § 7 Act 110/2019).
4. Purposes of processing
- Service operation — providing the parental dashboard
- Communication — SMS, emails, support
- Service improvement — anonymized aggregate statistics
- Security — abuse detection, brute-force protection
- Payments — Stripe subscription processing
- Legal compliance — accounting, tax records, regulatory requests
5. Data retention
| Data type | Retention | Action after expiry |
|---|---|---|
| Mentor account | Active subscription + 30 days | Anonymize then delete |
| Student account | Same as Mentor | Delete all related records |
| Heartbeats | 7 days (FREE) / 90 days (FAMILY) | Delete |
| Watch sessions | 7 / 90 days | Delete |
| Daily aggregates | 24 months | Delete |
| Phone number (SMS pair) | 30 days | NULL out column |
| Pairing code | 1 hour | Delete |
| Audit log | 12 months | Delete |
| Accounting records | 10 years | Delete (legal obligation) |
| Backups | 30-day rotation | Overwrite |
6. Recipients of data (subprocessors)
| Subprocessor | Purpose | Location | Agreement |
|---|---|---|---|
| Stripe Payments Europe Ltd | Payments | EU + US (SCC) | DPA + SCC |
| T-Mobile Czech Republic a.s. | SMS delivery | Czech Republic | Standard telecom |
| Sentry (optional, planned) | Error monitoring | EU region | DPA + SCC |
| Cloudflare (planned) | CDN, DDoS | EU edge | DPA |
We NEVER sell personal data to third parties.
International transfers: Stripe operates in the US under Standard Contractual Clauses (SCC) and EU-US Data Privacy Framework certification.
7. Google API Limited Use disclosure
YouTube Mentor uses the Chrome extension to monitor the YouTube DOM directly. We do NOT currently use the Google API. If we enable Google API integration in the future, our use will adhere to the Chrome Web Store User Data Policy, including the Limited Use requirements:
- Data from Google API used ONLY for parental dashboard features visible in UI
- NEVER used for advertising, retargeting, or third-party profiling
- NEVER sold or transferred to unrelated third parties
- NOT subject to human review except: user consent, security incidents, legal compliance
8. Your rights (GDPR Art. 15–22)
As a data subject you have the following rights:
- Access to your data (Art. 15)
- Rectification of inaccurate data (Art. 16)
- Erasure ("right to be forgotten") — self-service in dashboard (Art. 17)
- Restriction of processing (Art. 18)
- Data portability in machine-readable JSON format (Art. 20)
- Object to processing (Art. 21)
- Withdraw consent at any time (Art. 7(3))
- Lodge complaint with supervisory authority — Czech DPA (ÚOOÚ), www.uoou.cz
Exercise of rights: email ladislav.kepl@gmail.com or dashboard buttons. We respond within 30 days.
9. Special protection of children (GDPR Art. 8, GDPR-K)
In the Czech Republic the age threshold for consent to information society services is 15 years.
- Children under 15: processing only with parental consent verified through Verifiable Parental Consent (VPC) mechanism
- Adolescents 15–17: may consent themselves, parents informed
- Adults 18+: independent consent
Texts intended for children are written in age-appropriate language (Art. 12(1) GDPR).
10. Cookies and tracking
On mentor.vinarice.net we use:
- Functional cookies — JWT access/refresh tokens (necessary, no consent required)
- Analytical cookies — none currently. If we add Plausible/Umami in the future, we will update this policy.
- Marketing cookies — none
The Chrome extension uses no cookies (communicates only with our own backend via HTTPS, JWT authentication in Authorization header).
11. Security measures
Technical and organizational measures (GDPR Art. 32):
- HTTPS/TLS 1.2+ for all communication
- Argon2id password hashing (memory-hard, 64 MB / 3 iterations)
- AES-256-GCM encryption for sensitive at-rest data (e.g., Google OAuth refresh tokens)
- HMAC-SHA256 for OAuth state CSRF protection
- Rate limiting on auth endpoints
- Daily backups with 30-day rotation (local + offsite EU)
- Datacenter: own servers in Czech Republic, Vinařice
- Logs without PII (no names/emails in logs)
In case of a data breach, we notify affected subjects and the Czech DPA within 72 hours of discovery (Art. 33–34 GDPR).
12. Profiling and automated decision-making
The service does NOT perform automated decision-making or profiling within the meaning of Art. 22 GDPR. Displayed aggregates (top channels, watch time) are descriptive and have no legal effects on the Student.
13. Changes to this policy
We reserve the right to update this policy. Material changes will be communicated via:
- Banner in dashboard at next visit
- Email to Mentor address
Last updated: 2026-MM-DD.
14. Contact
Controller: Ladislav Kepl, Vinařice, Czech Republic
Email: ladislav.kepl@gmail.com
DPO: (not yet appointed; to be appointed when reaching 100+ users — per GDPR Art. 37)
Generated as PoC draft 2026-05-19. Requires legal review before commercial launch.