yoinkvideo

Transparency

Last updated: 2026-05-22

The Privacy page is the short version. This is the long version — every component your request touches, what it sees, and why we chose it. The point isn't to be exhaustive; it's to be specific enough that someone technical can verify the claims.

The request path

your browser
   │  (HTTPS, TLS 1.3)
   ▼
Cloudflare edge   ───  TLS termination, bot-detection, per-IP rate limits
   │
   ├──> /          ───  Cloudflare Pages (static Astro site, ~13 KB JS)
   │
   └──> /api/*     ───  Cloudflare Worker (KV cache for metadata, rate limits)
              │
              ▼
        Cloudflare Tunnel  ───  outbound-only tunnel from our VM to CF edge
              │                  (no public ports open on the VM)
              ▼
        Oracle Cloud VM    ───  Ubuntu 24.04 ARM, Docker, read-only container
              │
              ├──> yt-dlp     ───  extracts video URLs from YouTube
              ├──> ffmpeg     ───  muxes / trims / transcodes when needed
              └──> Cloudflare WARP (proxy) ───  YouTube only sees a consumer-grade
                                                Cloudflare IP, not our datacenter IP
              │
              ▼
        YouTube / googlevideo.com

What each component sees

  • Cloudflare edge: your IP, the URL path (e.g. /api/info?url=...), standard HTTP headers. Used for routing, TLS, bot detection, rate-limit counters. No request body inspection. Governed by Cloudflare's privacy policy.
  • Cloudflare Worker: your IP (for rate limits), the YouTube video ID. Caches video metadata (title, duration, format list) keyed by video ID for 24 h. Does not cache who requested what.
  • Cloudflare Tunnel: encrypted, point-to-point. Sees only TLS-wrapped bytes between the Worker and the VM. No request inspection by Cloudflare here.
  • Backend VM (Oracle): the YouTube URL, the format you picked, your IP in the Cloudflare-Connecting-IP header. The web server runs uvicorn --no-access-log — your URL and IP are not written to any log. Container is read-only; the only writable path is a 300 MB tmpfs at /tmp that holds video streams transiently and is wiped per request.
  • Cloudflare WARP (proxy): yt-dlp's network calls to youtube.com and googlevideo.com route through Cloudflare's consumer WARP service. From YouTube's perspective, the request comes from a Cloudflare-owned consumer IP (not our datacenter IP, not your IP). This is the only reason datacenter-IP bot detection doesn't break the service.
  • YouTube / googlevideo.com: sees a video ID request and a stream download from a Cloudflare WARP IP. Doesn't see your YouTube account (we never log in). Doesn't see your real IP.
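An operator running a container of this shape can check the backend properties listed above (read-only root, a capped tmpfs at /tmp as the only writable path, no published ports, access logging off) against `docker inspect` output. This is an added example, not yoinkvideo's code; the sample record is constructed and the container layout (uvicorn as the entrypoint, `--tmpfs` mount) is an assumption.

```python
import json
import re

# Constructed sample: trimmed `docker inspect` record for a hypothetical backend
# container (assumed layout, not taken from the real deployment).
SAMPLE_INSPECT = json.loads("""{
  "Path": "uvicorn",
  "Args": ["app:app", "--host", "0.0.0.0", "--no-access-log"],
  "HostConfig": {"ReadonlyRootfs": true,
                 "Tmpfs": {"/tmp": "rw,noexec,nosuid,size=300m"},
                 "PortBindings": {}},
  "Mounts": []
}""")

_UNITS = {"": 1, "k": 1024, "m": 1024**2, "g": 1024**3}

def tmpfs_size_bytes(options):
    """Bytes from the size= tmpfs option, or None when no fixed size is set."""
    m = re.search(r"(?:^|,)size=(\d+)([kmg]?)(?:,|$)", options.lower())
    return int(m.group(1)) * _UNITS[m.group(2)] if m else None

def audit(c, max_tmpfs=300 * 1024**2):
    """Return deviations from the container properties the page describes."""
    findings = []
    host = c.get("HostConfig") or {}
    if not host.get("ReadonlyRootfs"):
        findings.append("root filesystem is writable")
    tmpfs = host.get("Tmpfs") or {}
    if "/tmp" not in tmpfs:
        findings.append("no tmpfs at /tmp")
    for path, opts in tmpfs.items():
        size = tmpfs_size_bytes(opts)
        if path != "/tmp":
            findings.append(f"unexpected tmpfs at {path}")
        elif size is None or size > max_tmpfs:
            findings.append("/tmp tmpfs has no size cap or exceeds the limit")
    # Bind mounts and volumes persist on disk; tmpfs mounts live in RAM.
    for m in c.get("Mounts") or []:
        if m.get("RW") and m.get("Type") != "tmpfs":
            findings.append(f"writable persistent mount at {m.get('Destination')}")
    # With an outbound-only tunnel, no host port needs to be published.
    if host.get("PortBindings"):
        findings.append("container publishes ports to the host")
    # Covers the CLI flag only; access logging can also be disabled in code.
    argv = [c.get("Path", "")] + (c.get("Args") or [])
    if any("uvicorn" in a for a in argv) and "--no-access-log" not in argv:
        findings.append("uvicorn started without --no-access-log")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_INSPECT) or "matches the described configuration")
```

An empty result means the inspected container matches the described configuration; it says nothing about what the application code itself logs or writes to the tmpfs.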

What we never do

  • Write the URL or video ID you submitted to any persistent log.
  • Run a third-party analytics or ad tracker.
  • Persist any video file on disk. ffmpeg writes to stdout; pre-download buffers live in tmpfs (RAM) only.
  • Sell, share, or otherwise hand your data to a third party. We don't have data to hand over.
  • Show captchas, popups, or "premium" upsells. The page is the page.

What you can't audit yourself

Honest disclosure: you can read the frontend by viewing source (it's a small Astro static bundle). The backend isn't currently public, though it's small enough to make public when the rough edges are smoothed. Until then, the claims on this page are claims — backed by the architectural choices listed but not independently verifiable. Take that into account.

Known limitations

  • MP3 transcoding of long audio (hour-plus) takes several minutes of single-core CPU work. We don't reject long videos but the wait is real.
  • Live streams and DRM-protected content are not supported.
  • Member-only, age-restricted (gated), and private videos cannot be downloaded — they need an authenticated session that we deliberately don't have.
  • Cloudflare WARP exit IPs are pooled. In rare cases YouTube may temporarily rate-limit a specific WARP exit; the service auto-retries.

Contact

Inaccuracy on this page or specific concern: [email protected]. DMCA / takedown: [email protected].