Privacy policy

SponsorBoard helps YouTube creators report on their sponsorships and gives the brands they partner with a private dashboard to see how their campaigns performed. This page explains what data we collect, what we do with it, and the rights you have over it. Last updated: 2026-05-21.

Who's responsible

SponsorBoard (operated by SuperHuman Enterprises, LLC — a single-member Wyoming LLC fully owned by YouTube creator Jonathan Levi) runs the platform. For data you give us directly — your email, your YouTube account, behavioural analytics on this site — SponsorBoard is the data controller. For sponsor contact details a creator uploads about their sponsors, the creator is the controller and SponsorBoard is the processor acting on their instructions. The Data Processing Agreement creators electronically agree to at signup spells this out.

What we collect from creators

• When you sign up: your email and a hashed password (or a federated Google identity if you use “Sign in with Google”).
• When you connect your YouTube channel: an OAuth refresh token, your channel ID, and metadata about every public video on your channel (title, thumbnail, description, publish date, view counts).
• When you upload a sponsor list: the brand names, sponsor contact emails, mention types and amounts you provide.
• When you connect a shortlink provider: the URL of your provider and an access token, stored encrypted at rest.

Google user data — what we access, how we use it, how we protect it

SponsorBoard's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. This section spells out exactly what that means in practice.

OAuth scopes we request. When a creator signs in with Google or connects their YouTube channel, we ask for the following scopes and nothing else:

• openid, email, and profile — to identify which Google account just authorized, create or sign in to a SponsorBoard account, and display the creator's name and email inside the product.
• https://www.googleapis.com/auth/youtube.readonly — read-only access to the creator's YouTube channel and its public videos so we can list videos, fetch titles / thumbnails / descriptions / publish dates / view counts, and pull top-level comments for the sentiment dashboard.
• https://www.googleapis.com/auth/yt-analytics.readonly — read-only access to the channel's YouTube Analytics so we can show per-video performance (views, watch time, impressions, CTR, effective CPM, and audience demographics) on the creator's dashboard and on the private sponsor dashboards they invite brands to.

We deliberately do not request any read/write or destructive scopes. We cannot post, edit, delete, or modify anything on a creator's YouTube account, and we never will — if that ever changes, we'll re-prompt for consent and update this policy first.

Specific Google user data we access, collect, or store.
• From Google Sign-In: Google account ID, email address, name, and profile picture URL.
• From YouTube Data API: channel ID, channel title, channel thumbnail, public video metadata (video ID, title, description, thumbnail, publish date, public view / like / comment counts), and top-level public comments (comment ID, author display name, author channel ID, text, like count, timestamp).
• From YouTube Analytics API: per-video and per-channel performance metrics including views, watch time, average view duration, impressions, impression click-through rate, estimated revenue where available, and aggregated audience demographics (age, gender, geography buckets).
• OAuth tokens: a Google-issued refresh token and short-lived access tokens so we can keep syncing on the creator's behalf without re-prompting daily.

How we use this Google user data. Solely to provide and improve the user-facing features the creator signed up for: (a) showing the creator their own video and sponsorship performance inside SponsorBoard, (b) rendering the brand-scoped dashboards their sponsors log in to, (c) classifying public comments for sentiment and brand mentions, and (d) computing aggregated, anonymized benchmarks across creators (e.g. fair-rate suggestions). We do not use Google user data to serve advertisements, and we do not sell, rent, or transfer it for advertising or marketing purposes. A small number of internal SponsorBoard staff (today: the founder and two long-tenured employees, all bound by written confidentiality) can access individual creators' synced Google user data on a need-to-know basis in order to operate the service — specifically to diagnose bugs reported by a creator, investigate sync failures or data-quality issues, respond to support requests, improve product features, and investigate security or abuse incidents. Access is logged, restricted by least-privilege IAM, and used solely for these operational purposes.

AI / machine-learning use. We do not today use Google user data to develop, improve, or train generalized AI or machine-learning models. Comments are sent to Anthropic's Claude API only for the narrow purpose of classifying sentiment / brand mentions on behalf of the creator whose channel they came from, and Anthropic's API terms prohibit training on that traffic. In the future we may build product features that use machine learning on a creator's own data (for example, suggesting sponsors that look like good fits based on the creator's past deals and audience). If we ever introduce such a feature, participation will be strictly opt-in: the creator will be asked for clear, affirmative consent before any of their Google user data is used to train, fine-tune, or otherwise improve a model, and they will be able to withdraw that consent at any time. We will update this policy and notify affected creators before any such change takes effect, and we will not use Google user data to train generalized models that benefit third parties outside SponsorBoard.

Who we share Google user data with. We do not sell Google user data and we do not share it for advertising, marketing, or resale. We share it only with the sub-processors needed to run the service — Supabase (encrypted Postgres storage of synced rows and OAuth tokens, US region), Vercel (application hosting), Anthropic (Claude API for comment classification, with training prohibited by contract), and a small number of vetted internal staff and contractors under written confidentiality on a strict need-to-know basis. The brand dashboards we render for a creator's sponsors only ever surface the videos, metrics, and aggregates tied to that specific sponsor; one sponsor never sees another sponsor's data, and no third party receives the creator's raw Google account credentials.

How we store and protect Google user data. All Google user data is stored in our managed Postgres database on Supabase (US region) and is encrypted at rest by the underlying cloud provider. OAuth refresh tokens and any third-party access tokens are stored in dedicated columns and are encrypted at rest. All traffic between the creator's browser, our servers, and Google's APIs is encrypted in transit over HTTPS / TLS. Access to the production database is restricted via row-level security policies (so creators can only read their own rows), least-privilege IAM on Supabase, and audit logging on administrative actions. Only the small set of staff and contractors described above can reach the production environment, and they do so under written confidentiality obligations.

How long we keep Google user data. We retain Google user data for as long as the creator's SponsorBoard account exists. We do not auto-delete it after a fixed period of inactivity, and we do not delete it automatically when a creator revokes OAuth access or disconnects the integration. We keep the previously-synced data so that a returning creator can reconnect without losing their historical sponsorship reports, sentiment classifications, and analytics — re-syncing a year of history takes hours and burns API quota. We may, from time to time, review long-dormant accounts (for example, accounts where OAuth access has been revoked or unused for an extended period) and delete the associated Google user data; if we do, we will give the affected creator advance notice by email so they have a chance to reconnect or export their data first.

Revoking access vs. deleting data. These are two separate actions:

• Revoking access — a creator can revoke SponsorBoard's access at any time from their Google Account permissions page or by disconnecting the integration inside SponsorBoard's Settings page. This immediately invalidates the refresh token we hold, so we can no longer pull new data from the creator's YouTube account. It does not, on its own, delete the data we have already synced.
• Deleting data — to delete the underlying synced data, email hello@sponsorboard.io and request account deletion. We will remove the creator's row, OAuth tokens, synced YouTube videos, analytics snapshots, comments, and any derived classifications within 30 days of the request (longer only until encrypted backups cycle out, which is at most 90 days). Once deleted, the data is gone — there is no archived copy we hold indefinitely.

What we collect from sponsors

Your email and a hashed password (or federated Google identity) when you accept an invite. Nothing more. The dashboard you see is rendered from data the creator who invited you uploaded plus aggregate stats we've pulled from public YouTube APIs.

Comments + sentiment

For each public video on a connected channel, we pull top-level comments via the YouTube API and run them through Anthropic's Claude to classify sentiment and extract brand mentions. Anthropic's terms prohibit them from training on our API traffic. We store the classifications, not raw comments, beyond a short cache window.

Billing data

When you upgrade to a paid plan, we use Stripe to process payments. Stripe collects and stores your card details directly on their PCI-compliant infrastructure — we never see or store full card numbers. What we do store is the Stripe customer and subscription IDs Stripe issues for your account, your current plan and billing cycle, and metadata Stripe sends us through webhooks (status, renewal dates, last-four of card for display in the dashboard). Stripe's own privacy policy covers what they do with the underlying payment data.

Behavioural analytics + session replay

We use PostHog for page-view tracking and session replay. Replays show how the dashboard rendered for you — clicks, navigation, layout — so we can debug issues. Inputs and elements tagged sensitive are masked in the recording; we never see what you type. Anonymous visitors don't generate person profiles.

How we use aggregated data

We combine data across creators — deal amounts, mention types, channel size, engagement, audience signals — to power product features and benchmarks. Concretely, that means things like a fair-rate recommendation that tells you whether you're undercharging compared to creators with similar size, niche, and engagement, and (in the future) a public “what's your channel worth?” calculator anyone can use to estimate sponsorship pricing. Any number we publish or surface inside the product is built from aggregates of multiple creators — never from one identifiable deal, creator, or sponsor. We may also publish cohort-level marketing statistics (e.g. “the average creator using SponsorBoard increases their rate by X% within Y months”), but those are always rolled up and never tied to a specific account. Where the cohort feeding a number is too small to be meaningfully anonymous, we suppress the number rather than publish it. We do not sell, license, or share your individual deal terms, sponsor list, or rate sheet with other users or third parties for marketing, advertising, or resale.

Introductions between creators and brands (planned, opt-in only)

A future version of SponsorBoard may help match creators with brands that look like good fits, and may offer to make introductions between them. This feature is strictly opt-in on both sides. SponsorBoard will never disclose a creator's sponsor contact details to another creator unless (a) the sponsor has explicitly opted in to receive introductions from other SponsorBoard creators, and (b) the creator who originally added that sponsor has explicitly opted in to share (in exchange for also receiving introductions from other creators). Both opt-ins will be off by default, granted through clear in-app controls, and revocable at any time. If we ever expand or change the scope of this feature, we'll update this policy and tell affected users before the change takes effect.

Who inside SponsorBoard can see your data

• Today: Jonathan Levi, who operates SponsorBoard, plus two employees who've worked across Jonathan's companies for over five years and are bound by written confidentiality.
• As the team grows, future SponsorBoard staff bound by the same confidentiality.
• Vetted consultants and contractors (for example a lawyer reviewing a contract, an engineer fixing a bug, an accountant during an audit) on a strict need-to-know basis and under written confidentiality.
• The sub-processors listed below see only the slice of data they need to provide their service.

That's the full list. Your data is not shared with brands you didn't deal with, other creators, marketers, recruiters, data brokers, or anyone else, and we apply commercially reasonable safeguards (encryption at rest, row-level security, principle of least privilege, audit logging on admin actions) to keep it that way.

Sub-processors

SponsorBoard runs on Vercel (hosting), Supabase (database + auth, hosted in the US), Resend (transactional email), Stripe (payment processing), PostHog (product analytics, US region), and Anthropic (Claude API for sentiment classification). We'll update this list whenever we add a processor.

Your rights (GDPR / UK GDPR / CCPA)

You can request a copy of your data, ask us to correct it, ask us to delete it, or object to specific processing. If you're a sponsor whose contact details were uploaded by a creator and you don't recognise the relationship, email us — we'll forward your request to the creator who controls that data and remove the row from our systems on confirmation. EU users have the right to lodge a complaint with their local supervisory authority.

Data retention

Account data lives for as long as the account is active. If you delete your account, we drop your records within 30 days (longer if backups haven't cycled, max 90 days). YouTube + analytics data we've synced is treated the same way — when the connected creator account is deleted, the synced rows go too.

What we don't do

No advertising, no selling data, no cross-site retargeting, and no revealing your individual deal terms, sponsor contacts, or rate sheet to any other user — creator, brand, or third party — outside the opt-in introduction flow described above. Aggregated, anonymized cohort statistics may be used for product features and marketing, but nothing tied back to a specific account. This is a product tool, not a marketing surface or a data broker.

Questions

Email hello@sponsorboard.io and we'll get back to you within a couple of business days. Creators can also reach us through the in-app feedback widget.

Looking for the Data Processing Agreement? See /dpa.