Privacy policy · Effective July 14, 2026

Local by design, clear about the boundaries.

This policy explains what X Video Toolkit handles, why it needs each browser capability, where information is stored, and what still leaves your device when you fetch source media.

Summary

X Video Toolkit is a browser extension and local macOS helper. The project operator does not run an analytics service, advertising service, hosted backend, or transcription server. The extension does not sell personal information.

When you request a download or transcript, the software must contact the original media host to fetch the media. Transcription is then sent to Spokenly through a loopback address on your own Mac and processed with the locally selected model.

Information the extension handles

Depending on the action you choose, the extension may handle:

  • the source page URL and a post or file identifier;
  • publicly visible post text, title, author name, and handle;
  • the media URL and downloaded video or audio bytes;
  • generated transcript text and timestamps;
  • a short transcript preview;
  • your history and formatting settings;
  • local diagnostic information written by the Native Messaging host.

The software does not ask for your account password, payment details, contacts, or precise location.

Why the browser permissions are required

Host access

Access to x.com, twitter.com, Google Drive, and declared media delivery hosts is used to identify the active video and resolve media that your browser can already access.

Downloads

Used only when you ask to save a video, TXT transcript, or SRT subtitle file.

Tabs

Used to determine the supported video in the active tab and associate actions with the correct source page.

Native Messaging

Connects the extension to the installed local helper, which invokes FFmpeg and calls Spokenly on 127.0.0.1.

Storage

Stores verified transcript history, source metadata, cache records, and your chosen settings in chrome.storage.local.

Clipboard write

Copies a transcript only after you use a transcript or copy action.

Storage and retention

Temporary audio is created in a per-request temporary directory and deleted when the request completes or fails. Verified transcripts and source metadata remain in browser-local storage according to the retention and history limits you choose.

Local host diagnostics may be written to ~/Library/Logs/xvdl-native-host.log. You control this file through your operating system and may delete it.

Network access and sharing

The extension contacts X/Twitter, Google Drive, or their declared media delivery hosts to retrieve the media you requested. Those services process requests under their own privacy policies and may receive normal network information such as your IP address and request headers.

The local helper sends a file path to Spokenly's loopback-only server. When NVIDIA Parakeet v3 is selected, accepted transcription is expected to run locally. Spokenly is separate software; review its current settings and policy. Enabling Spokenly's Local-only mode blocks its online features.

This project does not transmit transcript history to a project-operated server and does not share or sell it to advertisers or data brokers.

Security

The Native Messaging host accepts only declared HTTPS media hosts, rejects URLs containing credentials and private or local media hosts, isolates temporary files per request, and verifies transcript coverage before saving a result. No software can guarantee absolute security. Test with non-sensitive media and keep your browser, operating system, and dependencies updated.

Your choices

  • Do not use Download or Transcript on media you do not want processed.
  • Clear transcript history from the extension popup.
  • Reduce the retention window or history item limit.
  • Delete downloaded files and the local diagnostic log through macOS.
  • Enable Local-only mode in Spokenly.
  • Uninstall the extension and run ./scripts/uninstall_native_host.sh.

Children's privacy

X Video Toolkit is a general-purpose developer utility and is not directed to children. The project operator does not knowingly collect children's personal information through a hosted service.

Changes to this policy

Material changes will be published on this page and reflected by an updated effective date. Repository history may also show how the policy changed.

Contact and security reports

For general questions, open an issue in the public repository without including private URLs, transcripts, tokens, or personal data. Report security vulnerabilities through GitHub private vulnerability reporting.

This project is not affiliated with X Corp., Google, NVIDIA, Apple, FluidInference, or Spokenly.