Subtitle Tutor

Privacy Policy

Effective May 18, 2026 · Last updated May 18, 2026

This Privacy Policy explains how Subtitle Tutor (“the Service”, “we”, “our”) collects, uses, stores, and shares information when you use the dashboard, the browser extension, or the mobile companion app.

The short version: we collect the minimum we need to give you working subtitle captures, vocabulary, and AI-generated lessons. We do not sell your data. We share it only with the third-party AI, translation, and dictionary providers you have configured, and only as much as each one needs to answer your specific request.

1. Who runs the Service

Subtitle Tutor is operated as a personal, open-source project. For any privacy or general support question contact [email protected].

If you self-host Subtitle Tutor, you are the data controller for your deployment. This policy describes the design of the software; you decide where it actually runs.

2. What we collect

2.1 Account information

  • Email address, used as your login identifier.
  • Password hash. Passwords are stored using bcrypt with a per-user salt. We never see your plaintext password.
  • Account metadata (creation date, last sign-in, password-reset timestamps, tokenVersion counter used for session revocation).

2.2 Settings and preferences

  • Study language and native language.
  • Selected AI provider, translation provider, and dictionary provider.
  • Encrypted AI API keys. If you supply an API key for an AI provider (for example OpenAI or Anthropic), we encrypt it at rest with AES-256-GCM before storing it. Only the server can decrypt it, and only to call the upstream provider on your behalf.

2.3 Captured subtitles and study material

  • Subtitle text captured by the browser extension or submitted manually.
  • Source page URL and platform label (for example a YouTube video URL) the subtitles were captured from.
  • Lessons, glossaries, translations, and vocabulary cards produced by the AI, dictionary, or translation provider you selected, in response to your captures.
  • Words you pick or pin for study and their mastery and progress state.

2.4 Technical and operational data

  • Server access logs (IP address, request path, timestamp, user agent, response status). These rotate on a short retention schedule and are used for abuse prevention, debugging, and rate limiting.
  • WebSocket connection metadata so the dashboard receives live AI-generation updates.
  • Session tokens (JWT), stored in an HTTP-only cookie for the dashboard and in extension storage for the browser extension. Each token is bound to a tokenVersion, so logging out everywhere or changing your password invalidates every outstanding token on next use.

2.5 Crash and analytics data (mobile app only)

The Flutter mobile companion app uses:

  • Firebase Crashlytics, which collects automatic crash reports including stack traces, device model, OS version, and a Crashlytics-generated installation ID. Reports are sent to Google.
  • Firebase Analytics, which collects standard app usage events (sessions, screen views) and a pseudonymous app instance ID.

These do not include your subtitle content, password, or AI key. Crashlytics and Analytics are Google services governed by Google’s own privacy policy.

The browser extension and the dashboard do not include third-party analytics by default.

2.6 What we do not collect

  • Audio or video from the sites you visit. The extension only reads the rendered subtitle text from the page.
  • Anything about the page you are watching beyond the subtitle text, the URL, and the platform label.
  • Device identifiers, advertising IDs, or precise location.
  • Biometric or financial data.

3. How we use it

We use the information above only to:

  • Authenticate you and protect your account.
  • Render the subtitles, vocabulary, and lessons you have created back to you.
  • Send your subtitle and word requests to the AI, dictionary, and translation providers you have selected, on your behalf, and store the result.
  • Enforce rate limits and detect abuse.
  • Debug crashes (mobile) and improve reliability.

We do not:

  • Sell, rent, or trade personal information.
  • Use your captures to train AI models. Whether upstream AI providers retain your prompts is governed by their policies; see section 4.
  • Send marketing email.

4. Third-party processors

Subtitle Tutor relies on external services to do its job. When you hit one of them the request leaves our server with the minimum text needed to answer it.

ServiceWhat it seesWhen
Your selected AI provider (OpenAI, Anthropic, Google Gemini, local Llama, etc.)The subtitle line or word and the prompt template used to generate a lesson, gloss, or AI translationWhen the worker generates a lesson, a dictionary fallback, or an AI translation
DeepL (when DEEPL_AUTH_KEY is configured)Source text, source and target language codePer translation request
LibreTranslate (self-hosted inside the Docker network by default)Same as DeepLPer translation request
Free Dictionary API / Wiktionary (via kaikki.org)The single word being looked upPer dictionary request
Google Firebase (Crashlytics + Analytics)Crash stack traces and usage events from the mobile appWhile the mobile app is running

We do not have a contractual relationship that lets us audit these providers; read their own privacy policies. We pass the minimum text necessary and never your account credentials or AI key.

5. Where data lives

All primary data (accounts, subtitles, vocabulary, encrypted AI keys) lives in:

  • PostgreSQL for durable storage.
  • Redis for short-lived job queues, rate-limit counters, and WebSocket fan-out.

Backups are scoped to the same database instance and retained only as long as needed to perform a restore.

6. Security

We take the following protective steps:

  • Passwords hashed with bcrypt. Password policy: minimum 8 characters, three of four character classes (lowercase, uppercase, digit, symbol), maximum 72 bytes (bcrypt’s silent-truncation ceiling), and cannot match the email local-part.
  • JWT tokens issued with a server-side tokenVersion revocation channel, so password change or logout-everywhere invalidates all outstanding tokens.
  • AI API keys encrypted at rest with AES-256-GCM, versioned envelope.
  • Per-IP rate limits on authentication endpoints; per-user rate limits on AI and dictionary endpoints.
  • Postgres and Redis bound to loopback in development; production deployment is fronted by an nginx reverse proxy and uses authenticated Redis.
  • Periodic multi-agent security review (most recent: 2026-05-17, documented in the repository).

No system is perfectly secure. If you believe you have found a vulnerability please contact [email protected] privately rather than disclosing publicly.

7. Your rights

Wherever you live, you can:

  • Access— request a copy of the data tied to your account.
  • Correct— fix wrong information from the dashboard’s Settings page.
  • Delete— request deletion of your account and the associated captures, vocabulary, and AI keys.
  • Withdraw consent— revoke any AI, translation, or dictionary provider key from Settings; the server will purge the encrypted value.
  • Object or restrict— ask us to stop processing a specific category of data.
  • Port— export your captures and vocabulary in a machine-readable format.

To exercise any of these rights email [email protected] from the address on the account. We aim to respond within 30 days.

If you are in the EU or EEA, the United Kingdom, or Brazil, you also have the right to lodge a complaint with your local data-protection authority (for example your national DPA, the ICO, or the ANPD).

8. Retention

  • Account data and captured material are kept for as long as the account exists.
  • On account deletion we remove your captures, vocabulary, encrypted AI keys, and session tokens within 30 days. Aggregated server logs may persist somewhat longer for security and accounting purposes.
  • Crash and analytics data follow Firebase’s retention defaults. If you self-host the mobile build you can configure or wipe them via the Firebase console.

9. Cookies and similar technologies

  • subtitle-tutor-token— HTTP-only session cookie. Required for the dashboard to work.
  • Your theme preference (light / dark) is stored in localStorage so it survives reloads.

We do not use advertising cookies or cross-site tracking.

10. Children

The Service is not directed at children under 13 (under 16 in the EU or EEA). We do not knowingly collect data from children. If you believe a child has registered, contact us and we will remove the account.

11. International transfers

If you use a hosted Subtitle Tutor instance, your data may be processed in jurisdictions different from your own — in particular, the AI, translation, and dictionary providers you select may be located in other regions. By using the Service you accept those transfers; the providers we list above publish their own safeguards.

12. Changes to this policy

We may update this policy as the product evolves. When we make a material change we will update the “Last updated” date at the top. Continued use of the Service after a change means you accept the revised policy.

13. Contact

Questions, requests, or complaints: [email protected].