Page loading
We believe in radical transparency. Here's exactly what we do and don't do with your data.
We store your email address to create and manage your account.
This is used for login authentication through Google OAuth or magic link email sign-in, and for occasional important account notifications such as billing confirmations or service updates.
We do not sell your email, use it for advertising, or send marketing campaigns.
Titles and tags you generate are saved to your account so you can access your favorites, generation history, and previously created content across browsing sessions.
You can delete saved content from your dashboard, and account deletion purges user-owned app data from TitleHook stores.
We track anonymous usage patterns such as which features are most popular, how many title generations occur per day, and which pages users visit most frequently.
This helps us improve the product experience. This data is aggregated and never tied to your personal identity, email address, or account.
No YouTube OAuth, no YouTube scopes, no YouTube account linking. We never access your analytics, subscriber demographics, revenue, watch time, or any data behind your YouTube sign-in.
The optional My Channel feature uses only the public YouTube Data API for channels you opt-in by handle — the same public titles, view counts, and thumbnails anyone can see on youtube.com.
We do not collect your name (it is an optional profile field), your geographic location, or your IP address for tracking purposes.
We also do not collect your browsing history on other websites, device identifiers, or any personal information beyond your email address and generated content.
Your data is never sold, licensed, rented, or given to third parties for advertising, marketing, data brokering, or audience profiling.
Operational processors receive only what is needed to run the service: Stripe for billing, AI providers for generation requests, email delivery for magic links, Google Analytics for anonymous usage measurement, and the public YouTube Data API for channel handles you add.
We use a session authentication cookie to keep you logged in, plus Google Analytics 4 cookies for anonymous usage measurement (no personal identifiers, no advertising, no retargeting). GA can be blocked at the browser level — tracking-protection, an ad-blocker, or Global Privacy Control — and the site works fully without it.
We do not use advertising pixels, retargeting scripts, browser fingerprinting, or any form of cross-site tracking. No Facebook Pixel, no Google Ads tracking, no advertising networks.
All data transmitted between your browser and our servers is encrypted via HTTPS using modern TLS protocols.
We never store passwords because authentication is handled entirely through Google OAuth 2.0 and magic link email sign-in, eliminating password-related security risks.
Sign in securely with Google OAuth 2.0 or a one-time-use magic link sent to your email address.
No passwords to remember, no credentials that could be stolen or compromised. Both methods are significantly more secure than traditional password-based authentication.
We only collect what we absolutely need to provide the title generation service: your email and your generated content.
Less data collected means less data at risk. This is a deliberate design choice, not an afterthought.
You can delete your account and associated app data at any time from your account settings.
Operational records may remain only in anonymized or legally required form, such as payment records handled by Stripe.
Browser traffic is served over HTTPS, and TitleHook sends HSTS headers so modern browsers keep using encrypted connections on future visits. We also set frame, content-type, referrer, and cross-origin headers on app responses.
Sensitive app surfaces are protected server-side. Authenticated routes verify the session before returning user data, admin routes are allowlisted, payment details stay in Stripe, and public My Channel lookups never require YouTube account credentials.
Private app data requires a valid session
Admin surfaces check approved accounts server-side
Card details are handled by Stripe, not TitleHook
My Channel reads only public channel metadata
Security-sensitive flows use explicit server-side checks: signed webhooks for Stripe events, rate limits on abuse-prone endpoints, input validation before generation, and CSP/security headers on rendered pages.
We review security-sensitive code paths before launch, including authentication, payments, account deletion, rate limits, and My Channel data access. If you find a vulnerability, report it so we can investigate and fix it quickly.
Found a vulnerability? Email security@titlehook.com with enough detail to reproduce the issue. Good-faith reports are reviewed and prioritized based on risk.
Sessions use signed HTTP-only cookies. Magic link tokens are stored as hashes, are single-use, and expire in 15 minutes. Google and Twitter OAuth access tokens are used only during sign-in callbacks to fetch profile information and are not stored by TitleHook.
TitleHook is a title generation tool — not a data company. We make money by helping you create better YouTube titles through Pro and Max subscriptions, not by selling your information to advertisers or data brokers.
Your privacy is not just a policy; it's our product philosophy and a core design principle that influences every decision we make.
We collect the minimum data necessary to provide the service. No YouTube OAuth, no private YouTube scopes — the optional My Channel feature uses only the public YouTube Data API for channels you add by handle. We never sell your data or share it for advertising. We use passwordless authentication to eliminate credential risks.
You can delete your account and user-owned app data at any time. TitleHook respects your privacy and keeps security claims tied to the controls we actually run.
No private YouTube data, no YouTube OAuth, no YouTube scopes. Title generation is topic-driven — we match what you type to frameworks, never log in to your YouTube account.
The minimum to run the service: email (for login), titles/tags you generate (for history + favorites), anonymous usage analytics.
Yes. All payments go through Stripe (PCI Level 1 certified). Your card number, expiry, and CVC never touch TitleHook servers.
Yes, anytime from account settings. We purge user-owned app data such as your email, titles, favorites, history, saved channel data, and profile data from TitleHook stores.
No advertising or retargeting pixels. We use a session auth cookie plus Google Analytics 4 cookies for anonymous usage measurement (block at browser level via tracking-protection / ad-blocker / Global Privacy Control). No Facebook Pixel, Google Ads tracking, or fingerprinting.
We never sell, rent, license, or share your data for advertising, marketing, data brokering, or audience profiling. Operational processors receive only what is needed to run the product: Stripe for billing, AI providers for generation requests, email delivery for magic links, Google Analytics for anonymous usage measurement, and the public YouTube Data API for channels you add by handle.
Passwordless: Google OAuth 2.0 or magic link email. No passwords stored, so nothing to steal in a breach.
Our minimal data collection means limited exposure: no passwords, no payment details, no YouTube credentials. Most sensitive data we hold is your email.
Yes. Under both laws: you can access, correct, delete, or export your data. We don't sell personal info. California residents may use an authorized agent.
Have questions about your privacy?