Security: XfLabs/techspeak-studio

SECURITY.md

Security Policy — TechSpeak Studio

Privacy-First Architecture

TechSpeak Studio is designed with privacy as a default:

  1. Video stays local. Recorded video is stored in your browser's IndexedDB. It is never sent to any server unless you explicitly click "Upload to YouTube."

  2. Transcript is sent to AI only on demand. When you click "Get AI Coaching," the text transcript (not the video) is sent to the configured LLM endpoint. No data is sent automatically.

  3. No analytics or tracking. The app does not include any analytics, telemetry, or third-party tracking scripts.

  4. OAuth tokens are stored server-side. YouTube OAuth tokens are stored in a local SQLite database file. In production, that database file should be encrypted at rest.

Threat Model

| Threat | Mitigation |
| --- | --- |
| LLM API key leakage | Key is stored in .env.local (server-side only), never exposed to the browser |
| YouTube OAuth token theft | Tokens stored in SQLite on the server; use disk encryption in production |
| XSS via transcript | Transcript is rendered as text content, not dangerouslySetInnerHTML |
| CSRF on API routes | Next.js API routes use same-origin by default; YouTube OAuth uses state parameter |
| Video blob exfiltration | Video never leaves the browser unless user explicitly uploads |

Recommended Production Hardening

  • Enable HTTPS (required for getUserMedia in production)
  • Set Content-Security-Policy headers
  • Encrypt the SQLite database at rest (or use a secrets manager for OAuth tokens)
  • Set rate limits on /api/coach and /api/youtube/upload
  • Rotate YouTube OAuth client secrets periodically
  • Run the app behind a reverse proxy (nginx, Caddy)
  • Set X-Frame-Options: DENY and X-Content-Type-Options: nosniff
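
The hardening item on encrypting OAuth tokens at rest can also be met per field rather than per disk. The following is an added example, not code from the TechSpeak Studio repository: it seals each token with AES-256-GCM before it is written to SQLite. The function names, the blob layout and the TOKEN_ENC_KEY variable are assumptions made for illustration.

```javascript
// Added example: field-level encryption of OAuth tokens before they reach SQLite.
const crypto = require('node:crypto');

// Assumption: a 32-byte key supplied as 64 hex chars in TOKEN_ENC_KEY (hypothetical
// variable name), kept in .env.local or a secrets manager, never in the database.
function loadKey(hex) {
  const key = Buffer.from(hex || '', 'hex');
  if (key.length !== 32) throw new Error('TOKEN_ENC_KEY must be 32 bytes (64 hex chars)');
  return key;
}

// Encrypt one token with AES-256-GCM. The row owner's id is bound as AAD,
// so a ciphertext copied into another user's row fails authentication.
function sealToken(key, userId, token) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce per encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(String(userId), 'utf8'));
  const ct = Buffer.concat([cipher.update(token, 'utf8'), cipher.final()]);
  // Stored format (hypothetical): version byte | iv | tag | ciphertext, base64-encoded
  return Buffer.concat([Buffer.from([1]), iv, cipher.getAuthTag(), ct]).toString('base64');
}

function openToken(key, userId, sealed) {
  const buf = Buffer.from(sealed, 'base64');
  if (buf.length < 1 + 12 + 16 || buf[0] !== 1) throw new Error('unrecognized token blob');
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, buf.subarray(1, 13));
  decipher.setAAD(Buffer.from(String(userId), 'utf8'));
  decipher.setAuthTag(buf.subarray(13, 29));
  // final() throws if the key, AAD, tag or ciphertext do not match
  return Buffer.concat([decipher.update(buf.subarray(29)), decipher.final()]).toString('utf8');
}

// Returns null instead of throwing, for callers that treat a bad blob as "re-authenticate".
function tryOpenToken(key, userId, sealed) {
  try { return openToken(key, userId, sealed); } catch { return null; }
}
```

With this layout a copied database file yields only ciphertext, and the key stays in the server environment alongside the LLM API key.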

Supported Versions

| Version | Supported |
| --- | --- |
| 0.1.x | Yes (current) |

Reporting a Vulnerability

If you discover a security vulnerability, please report it responsibly:

  1. Do NOT open a public GitHub issue.
  2. Email: [your-email@example.com] (replace with your contact)
  3. Include: description, reproduction steps, and potential impact.
  4. We will acknowledge receipt within 48 hours and provide a fix timeline.

Dependencies

We minimize dependencies intentionally. Key dependencies and their security posture:

  • next — actively maintained by Vercel
  • googleapis — official Google client library
  • better-sqlite3 — widely used, native SQLite binding
  • zustand — minimal state management (no network activity)

Run npm audit regularly to check for known vulnerabilities.

There aren't any published security advisories