OmniSubs Privacy Policy
Last updated: June 4, 2026 (rev. 3)
This Privacy Policy explains what information EGO HERO LLC ("EGO HERO", "we", "us", or "our") collects when you use OmniSubs (the "Service"), how we use it, how we share it with third parties, and the choices you have.
1. What We Collect
Account information. When you create an account, we collect your email address and any name or profile information you provide or that is returned by your chosen sign-in provider (for example, Google OAuth).
Uploaded content. When you upload a video file, the video itself is not uploaded to our servers. The Service extracts audio from it locally in your browser using WebAssembly; only that extracted audio leaves your device. When you upload a subtitle file directly (VTT, SRT, or SMI), that text file is sent to our servers so we can translate it.
Generated subtitles. The transcribed base subtitles and their translations are stored in our private object storage so that you can download them and view them in your account history.
Usage and diagnostic data. We log job metadata (filename, file size, duration, target language, chosen tone, timestamps, success/failure status), cost signals from the AI providers (audio seconds sent, API call counts, token counts), client and server errors, and user actions such as clicks and phase transitions. These help us measure performance, bill usage accurately, and diagnose problems. We do not sell this data.
Aggregate analytics. Public pages of the Service measure aggregate traffic via Google Analytics 4 — page views, navigation paths, broad geography, and device class. These signals are not linked to named user accounts on our side, and we do not enable Google Signals (the cross-device ad-personalization extension of GA). Whether analytics cookies are set in a particular session depends on your consent choice (see section 11).
2. Third-Party Service Providers and Other Recipients
To provide the Service we transmit your content and certain usage data to the specific third parties below. Each contracted provider processes data for the purpose described and is subject to its own privacy policy. We do not sell your uploaded content, generated subtitles, account identifiers, or Extension data to data brokers or advertising networks.
- OpenAI, LLC — receives audio chunks extracted from your uploaded or selected video for the purpose of producing a text transcript through Whisper.
- Kie.ai and Google LLC — receive subtitle text and translation prompts so Google Gemini 2.5 Flash can translate subtitles into your requested language. Kie.ai is the API proxy we use for the Gemini model endpoint.
- Google LLC — in the rare case that Gemini refuses to translate a specific subtitle line (typically due to a training-data match safeguard), that single line (with no surrounding context, metadata, or user identifier) is sent to the public Google Translate web endpoint to keep output in the target language. This fires on well under 1% of lines on typical content. We do not have a private commercial contract with this fallback service; the request is made over HTTPS to a public endpoint anonymously, with no account credential or user identifier attached, and the data sent is the single subtitle line only.
- Supabase Inc. — provides authentication, database, private object storage, signed storage URLs, and account-session handling. Supabase stores account identifiers, job rows, generated subtitle files, credit ledger records, and temporary media-extractor audio chunks.
- Stripe, Inc. — processes credit purchases, subscriptions, invoicing, and refunds. Card details are entered on Stripe's hosted checkout page and never touch our servers.
- Vercel Inc. — hosts the web application, API routes, and static assets. Vercel may process standard request logs and serverless execution metadata.
- OpenSubtitles.com — receives subtitle search parameters and selected file IDs when you use the browser extension's Subtitles tab to search or download community subtitle files. These requests are proxied by OmniSubs so our API key stays on the server.
- The original website, video host, CDN, or subtitle host whose content you select — receives ordinary HTTP(S) requests for the selected media file, stream manifest, stream segments, or subtitle file when the browser extension or our media extractor fetches the content you chose to caption.
- EGO HERO's self-hosted n8n workflow and Telegram — receive browser-extension problem report details only if you click the report button, so the operator/support channel can investigate the issue.
Each of the contracted providers above processes your data solely on our documented instructions and is contractually prohibited from using it for their own commercial purposes. The Google Translate fallback endpoint, original content hosts/CDNs, and OpenSubtitles are exceptions to that contractual posture; we limit those flows to the specific line, search/download request, or selected media request needed for the feature you used. We may also disclose information when required by law, to protect against abuse or security threats, or as part of a merger, acquisition, or sale of assets after obtaining any consent required by law or platform policy.
We also use two Google products that are advertising / analytics partners rather than service-providers in the sense above:
- Google AdSense displays advertisements on certain public pages (review pages, blog, tools). AdSense and its subprocessors set their own cookies and read device signals to serve and measure ads. Whether ads on this site are personalized depends on the choice you record in our cookie-consent banner.
- Google Analytics 4 (measurement ID G-6C3PYPD2ZS) measures aggregate site usage — page views, navigation paths, broad geography, device class — so we can prioritize what to fix and what to build next. We do not link Google Analytics signals to named user accounts, and we do not enable Google Signals (the cross-device, ad-personalization extension of GA).
Both products operate under Google Consent Mode v2: for visitors in the EEA, UK, and Switzerland the default state is denied for analytics storage, ad storage, ad-user-data, and ad-personalization until the consent banner records an explicit choice. Outside those jurisdictions consent is presumed and the "Do Not Sell or Share My Personal Information" link below provides the equivalent opt-out for residents of US states with comprehensive privacy laws (California, Colorado, Connecticut, Virginia, Utah, and similar). You can change your choice at any time via the "Manage privacy choices" control in the page footer or via Do Not Sell or Share My Personal Information. We do not sell personal information for cross-context behavioral advertising. Data flows from these products are governed by Google's privacy policy for partner sites.
3. How We Use Your Information
- to provide, maintain, and improve the Service;
- to transcribe and translate the content you provide, and to deliver the resulting subtitles back to you;
- to authenticate you and secure your account;
- to monitor costs, detect abuse, and diagnose errors in the processing pipeline;
- to communicate with you about your account or the Service;
- to comply with legal obligations.
We do not use your uploaded content or your generated subtitles to train machine-learning models, and we do not sell your personal information to third parties.
4. How We Share Your Information
We share information only with the third-party processors described above, and only to the extent necessary to operate the Service. We may also disclose information when required by law, legal process, or to protect the rights, property, or safety of EGO HERO LLC, our users, or the public.
5. Public User-Generated Content (Reviews, Replies, Ratings)
The Service lets signed-in users submit star ratings, written reviews, and replies on public show pages under the /review/ section. Everything you submit in that context is public and indexed by search engines. Don't include anything in a review or reply that you wouldn't want publicly associated with you.
Displayed name policy. To attribute your contribution without exposing your full identity, we render a display name next to each review or reply according to the following order of preference:
- If you have set a public username on your profile, that username is shown exactly as you entered it. A username is a value you chose and published deliberately, so no masking is applied.
- Otherwise, if your profile has a full name (typically populated by your OAuth provider when you sign in with Google or similar), we display a masked version that keeps only the first and last character of each word and replaces the middle with asterisks. For example, "John Smith" is shown as "J**n S***h".
- Words of two characters or fewer are shown unchanged, because masking them would leave nothing readable.
- If no profile name is on file, we fall back to a masked form of your email's local-part (the portion before "@").
- If none of the above resolves, the name "anonymous" is used.
The display name is snapshotted at submission time and stored alongside the review or reply in the column anonymized_display_name. If you later change your profile or delete your account, the snapshot remains so that other users' replies referencing your review still make sense; however, the link from the review back to your account is severed (your user_id is set to NULL) on account deletion.
Moderation. Before a review or reply becomes public it passes through an automated classifier that rejects hate speech, threats, sexual content involving minors, doxxing, and illegal-activity promotion outright. Borderline content (spam, bot-generated text, strong profanity) is held for admin review. Other users can also report a review as inappropriate; reported items are hidden from the public list pending admin review.
Lawful basis. This treatment is consistent with GDPR Article 6(1)(b) (processing necessary for the performance of the public-review feature you chose to use) and Article 6(1)(f) (legitimate interest in attributing user-generated content while minimizing identification risk, as balanced against the narrowly-tailored masking described above). Under the California Consumer Privacy Act (CCPA/CPRA), masked display names meet the definition of de-identified information per § 1798.140 because the mask removes or obscures the identifying portion of the name. You retain the right to access, correct, or delete any review or reply you have submitted at any time from the corresponding show page.
6. Data Retention
Account information, job metadata, generated subtitles, and diagnostic logs are retained for as long as your account is active or as needed to provide the Service. To delete individual generations, your stored subtitles, or your account itself together with all associated data, email privacy@omnisubs.app from the address on the account. We action verified deletion requests within the timeframes required by GDPR (30 days) and CCPA (45 days). After deletion, content may persist for a short period in automatic database backups before being permanently removed. We are working on adding self-service delete controls; until then, the email path is the canonical mechanism.
Audio sent to our transcription service provider is processed under that provider's contractual commitments to us. We do not store your raw audio on our servers; only the transcribed text is retained.
The contractual commitments that apply to audio sent for transcription are:
- Temporary retention. The provider may securely retain API data for up to 30 days for the sole purpose of monitoring abuse and ensuring service integrity. After 30 days the data is removed unless legal requirements dictate otherwise.
- Training exclusion. Data submitted to the transcription API is not used to train the provider's models, your data, or any other customer's models. This is contractually guaranteed.
- Zero Data Retention (ZDR). Qualifying business customers can request a Zero Data Retention arrangement for eligible endpoints, which prevents the provider from storing any input or output content even during the 30-day abuse-monitoring window. If you operate under a regulatory regime that requires ZDR (for example HIPAA covered entities, EU public-sector clients, or customers under enhanced confidentiality obligations), contact us at the address in section 13 to discuss enabling ZDR for your account.
7. Your Rights
Depending on where you live, you may have rights under the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), or similar laws, including the right to:
- access the personal data we hold about you;
- correct inaccurate personal data;
- delete your personal data;
- object to or restrict certain processing;
- data portability.
To exercise these rights, contact us at privacy@omnisubs.app. We will respond within the timeframes required by applicable law.
8. Security
We use industry-standard security practices (encryption in transit, scoped access keys, row-level security on the database, private object storage) to protect your information. However, no method of transmission or storage is 100% secure, and we cannot guarantee absolute security.
9. Children
The Service is not intended for children under 13 (or the equivalent minimum age of digital consent in your jurisdiction). We do not knowingly collect personal information from children. If we become aware that we have collected such information, we will delete it.
10. International Data Transfers
The Service and our third-party processors may store and process data in countries other than your own. By using the Service you consent to such transfer and processing, and you acknowledge that the laws of the destination country may differ from those of your home country.
11. Cookies and Local Storage
We use cookies and similar local-storage technologies for three distinct purposes:
- Strictly necessary. Sign-in session tokens and a small set of UI preferences (selected interface language, video preview playback state). These are first-party cookies that the Service cannot meaningfully operate without and that we set without prompting for consent.
- Cookie-consent state. A first-party cookie records the choice you make in the consent banner so we don't re-prompt you on every page.
- Advertising. Public pages of the Service (review pages, blog, tools) display Google AdSense advertisements. AdSense and its subprocessors set their own cookies and read device signals on those pages — these are third-party cookies. Whether the ads served are personalized depends on the choice you record in our consent banner; non-consented sessions receive non-personalized ads only. Authenticated upload, generation, and account pages do not currently render AdSense and therefore do not set advertising cookies. You can change your consent choice at any time via the "Manage privacy choices" control in the page footer or via Do Not Sell or Share My Personal Information.
- Analytics. Google Analytics 4 sets the _ga and _ga_* first-party cookies to count unique visitors and aggregate navigation paths. Under Google Consent Mode v2 these are not written for visitors in the EEA, UK, or Switzerland until the consent banner records an explicit accept; declined sessions run in cookieless "ping" mode that sends only debounced, anonymized event signals. Outside those jurisdictions consent is presumed and you can opt out via the same "Do Not Sell or Share My Personal Information" link.
We do not deploy our own cross-site tracking pixels, behavioral-analytics SDKs, or social-media tracking pixels.
12. Changes to this Policy
We may update this Privacy Policy from time to time. We will post the updated version on this page and update the "Last updated" date. Material changes will be announced via the Service or by email.
13. Contact
Questions about this Privacy Policy or your personal data can be sent to EGO HERO LLC at privacy@omnisubs.app.
If you use the OmniSubs browser extension, a supplemental Browser Extension Privacy Policy describes what the extension collects and transmits on your device in addition to what is covered here.
See also our Terms of Service.