Back to CheckMyThumbnailCheckMyThumbnail by Vidstew

Legal

CheckMyThumbnail privacy policy

Last updated: April 30, 2026

CheckMyThumbnail (“CMT”) is a free service operated by Vidstew. This page explains what data we collect when you use it and how we use that data. If anything here is unclear, email hello@vidstew.com.

What we collect

When you sign in with Google, we receive your email address, your display name, and a stable identifier (your Google account ID). We do not request access to your YouTube account, your Google Drive, your Gmail, or any other Google service. The sign-in is identity-only.

When you submit an analysis, we collect:

  • The thumbnail image you uploaded.
  • The title text you typed.
  • The YouTube channel @handle or URL you provided, plus a public snapshot of that channel pulled from YouTube's public Data API (channel name, subscriber count, last 10 public video titles and view counts).
  • Your consent choice for marketing follow-up (yes/no, plus the timestamp of the choice).
  • The AI-generated analysis output we produced for you.
  • Standard request metadata: timestamp, IP address (hashed for rate-limit accounting), user agent.

How we use it

To run the analysis. Your thumbnail and title are sent to our AI subprocessor (Google Gemini) to produce the deep-dive analysis. The AI provider does not retain the data after the request completes (per their published privacy posture for API customers).

For newsletter + Vidstew product follow-up. If you ticked the consent box at submission, we add you to our weekly “What's epic in YouTube” newsletter and may email you occasional updates about Vidstew (the producer dashboard CheckMyThumbnail is built by). One-click unsubscribe in every email.

We do not email you the result of your analysis. The analysis is shown on-screen immediately after the run completes; the result and the channel-fit narrative live at your private result URL, which is yours to bookmark or share via the public share link.

To prevent abuse and improve the service. Hashed IP + uid are used to enforce the per-user rate limit (5/day, 2/hour). Aggregate analytics (number of runs, average analysis time, failure rate) inform reliability work. We don't profile individual users beyond the rate limit and the marketing-bucket classification.

What we don't do

  • Sell your data to anyone, ever.
  • Share your thumbnail or analysis with other users.
  • Access any private YouTube data — your watch history, your monetization, your studio analytics, your unlisted videos. We read only what's already public.
  • Train AI models on your data. Inputs are sent to the AI subprocessor for the single inference and not retained.

Sharing your result

Each analysis has two URLs: a private result page (only useful if you've got the random run-id) and a separate public share URL at /r/{publicId}. The public share page redacts your email and channel handle — only you, with the run-id link, see the channel-attribution view.

How long we keep it

  • Analysis records: kept indefinitely so you can revisit your shared result URLs.
  • Marketing email lists: kept until you unsubscribe (one click in any email).
  • Hashed IP rate-limit data: kept for 24 hours (the rolling rate-limit window), then garbage- collected.

You can request deletion of your data at any time by emailing hello@vidstew.com from the address tied to your Google sign-in. We honour deletion requests within 7 days.

How we protect your data

CMT processes data — including data classified as sensitive under Google's OAuth verification policy where applicable — using the following technical and organisational measures.

Encryption in transit

All traffic to and from CMT is encrypted with TLS 1.2 or higher. HTTP is upgraded to HTTPS at the edge before reaching application servers. Connections to all subprocessors (Firebase, Google Gemini API, YouTube Data API, Resend, Sentry) use TLS 1.2+.

Encryption at rest

Run records in Firestore and uploaded thumbnails in Cloud Storage are encrypted at rest with Google-managed AES-256 keys. Database backups (daily Firestore exports to a private bucket) are encrypted with the same standard and retained for 30 days.

Authentication

We use Firebase Authentication with Google sign-in. We don't store passwords ourselves. Session tokens (Firebase ID tokens) are short-lived (1 hour) and refresh automatically. The analyze API verifies the token server-side on every request.

Access controls

Reads and writes to CMT data go through admin-only server routes. Firebase Security Rules deny direct client access to the run records collection by default, with the runID + publicID (cryptographically random) gating entry. Vidstew team members access production data only via the admin allowlist enforced in code (lib/admin/auth.ts).

Sensitive scope handling (YouTube Data API)

CMT reads only public YouTube data via the YouTube Data API v3 using a server-held API key. We do notrequest any OAuth scope that would let us upload, edit, delete, or modify YouTube content on a user's behalf. The Google sign-in popup requests basic profile (email + name) only.

Monitoring & incident response

Application errors are monitored via Sentry; abnormal patterns trigger alerts to the Vidstew team. In the event of a security incident affecting personal data we will notify affected users without undue delay and, where required by law (GDPR, UK GDPR, applicable US state laws), within 72 hours.

Subprocessor security posture

Subprocessors are selected partly on their published compliance certifications. CMT's subprocessors hold (at minimum): Google Cloud / Firebase (SOC 1/2/3, ISO 27001/27017/27018), Vercel (SOC 2 Type II), Resend (SOC 2 Type II), Sentry (SOC 2 Type II).

Subprocessors

  • Google Firebase (Auth, Firestore, Cloud Storage) — hosting + identity.
  • Google Gemini API — AI analysis.
  • YouTube Data API v3 — public channel + video lookups.
  • Vercel — application hosting.
  • Resend — transactional email (your result delivery).
  • MailerLite — newsletter (only if you opted in).
  • Sentry — error monitoring.

Your rights

If you're in the EU, UK, California, or any other jurisdiction with consumer privacy law, you have the right to access, correct, export, or delete your data. Email hello@vidstew.com and we'll respond within 7 days. You can also unsubscribe from marketing emails with one click in any email we send.

Children

CheckMyThumbnail is not intended for children under 13 (or under 16 in the EU/UK). We don't knowingly collect data from minors. If you believe a minor has used the service, email us and we'll delete the record.

Changes

We'll update the “Last updated” date at the top of this page when we make changes. Material changes (new subprocessors, expanded data use) trigger an email to anyone in our marketing list.

CheckMyThumbnail and Vidstew share core infrastructure but are separate user-facing products. Vidstew's privacy policy is here.

Analytics cookies?

We use PostHog and Vercel Analytics to understand which parts of Vidstew creators actually use, so we can improve them. No ad networks, no third-party sales — ever. You can change this any time from Privacy.