Privacy Policy

Last updated: 10 May 2026

Data controller
Pablo Guarachi (peodemeo@gmail.com) — hereafter "the Operator".

This Privacy Policy describes how the website drbrugal.shop ("the Website") and the OAuth application drbrugal-publisher ("the App") collect, use and protect personal data. The Website is a personal health-awareness journal; the App is a single-user developer tool used by the Operator to upload videos to their own YouTube channel.

On this page 1. Website (drbrugal.shop) · 2. drbrugal-publisher OAuth app (YouTube) · 3. Your rights · 4. Contact

1. Website — drbrugal.shop

1.1 What we collect

The Website is a static read-only publication. We do not use cookies, behavioural tracking, advertising pixels, or session identifiers. The hosting server (Hetzner Cloud, Germany, EU) records standard HTTP access logs (IP address, user-agent, requested URL, timestamp, response status) for security and operational diagnostics.

1.2 Why we collect it

Server logs: legitimate interest in detecting abuse and ensuring availability (Art. 6.1.f GDPR). Logs are retained for up to 30 days, then rotated and discarded.

1.3 What we do not do

No cookies set by drbrugal.shop itself.
No third-party trackers, analytics scripts, or social media pixels.
No newsletter or contact forms with data collection.
No advertising network.

1.4 Embedded YouTube content

Some article pages may embed YouTube videos (via standard <iframe>). When you load such a page, your browser connects to YouTube's servers, which apply Google's own privacy policy. We have no control over this and do not receive your data from YouTube.

2. drbrugal-publisher OAuth app (YouTube)

"drbrugal-publisher" is an OAuth 2.0 application registered in Google Cloud Console (project ID: drbrugal-publisher) by the Operator. It exists to upload videos to a single YouTube channel — @doctor.brugal — owned and operated by the Operator.

2.1 Who uses this app

The App is used exclusively by the Operator. There are no third-party users, no public sign-up, and no plan to onboard additional accounts. If you are not the Operator and you encounter this OAuth consent screen unexpectedly, do not grant access — it would mean a credential of yours was misused.

2.2 Scopes requested

https://www.googleapis.com/auth/youtube.upload — required to programmatically upload video files to the connected channel via the YouTube Data API v3 resumable upload endpoint.

This scope is write-only for new uploads. The App does not read existing videos, browsing history, watch history, comments, subscriptions, or any other YouTube data. The App does not modify or delete content already on the channel.

2.3 What data the App handles

OAuth refresh token: stored locally in a .env file on the Operator's machine, in an access-controlled directory. Never transmitted to anyone other than Google's OAuth token endpoint when refreshing the access token.
Access token: requested at runtime from Google, used in memory only, never persisted to disk.
Video files: the MP4 the Operator chooses to publish. Uploaded directly from the Operator's machine over HTTPS to upload.googleapis.com. The App does not host, transcode, or proxy the video through any third-party service.
Video metadata: title, description, tags, category ID, privacy status — all defined by the Operator.

2.4 Storage and retention

OAuth tokens are stored only on the Operator's local development machine (Windows 11, encrypted disk). They are not synced to any cloud, repo, or third-party service. The repository hosting the App's source enforces .gitignore on all .env files.
The Operator can revoke the App's access at any time via Google Account permissions; doing so invalidates the refresh token immediately.
The App does not aggregate, log, or transmit usage metrics to any analytics service.

2.5 Sharing with third parties

The App communicates with two endpoints only, both belonging to Google LLC:

https://oauth2.googleapis.com/token — refresh token exchange.
https://www.googleapis.com/upload/youtube/v3/videos — resumable video upload.

No data is sent to any other recipient. No data brokers, advertisers, or analytics providers are involved.

2.6 Compliance with Google API Services User Data Policy

The App's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically: the App does not transfer Google user data to third parties except as required for upload functionality, does not use the data for advertising, does not allow humans to read the data unless explicitly consented to by the data owner (the Operator themselves), and does not store data outside the user-controlled environment described above.

3. Your rights under GDPR / UK GDPR

If you are a Website visitor whose IP address appears in server logs, or if you are the Operator with respect to data the App handles on your behalf, you have the right to:

Access the personal data held about you;
Rectify inaccurate data;
Request erasure ("right to be forgotten");
Request data portability;
Object to processing based on legitimate interest;
Withdraw consent at any time (where consent is the basis of processing);
Lodge a complaint with a supervisory authority (UK ICO, or the data-protection authority in your country of residence).

4. Contact

Questions, requests, or concerns: peodemeo@gmail.com. The Operator will respond within 30 days.

5. Changes to this policy

Material changes will be reflected on this page with a new "Last updated" date. The change history is publicly auditable through the website's source repository.