Legal · Privacy
Privacy, without surprises.
How Pinchana processes requests, protects the web interface, and stores the few preferences needed to make the app work.
Introduction
Welcome to Pinchana. We respect your privacy and are committed to protecting any personal data processed through our website.
Data processing and storage
Pinchana operates as a direct stream downloader utility. We do not build a user media library. Private-download files exist only for the job lifetime and are deleted after expiry.
Submitted URLs and technical request details may appear in short-lived operational logs used for security, abuse prevention, and troubleshooting.
For a private download, the browser encrypts a selected cookie profile directly to one assigned ephemeral worker. The Next.js application, gateway, Redis queue, logs, and persistent server storage receive ciphertext only. The selected worker briefly receives plaintext because yt-dlp must use it; its cookie directory is RAM-backed and the worker is destroyed after the job.
Turnstile security
We use Cloudflare Turnstile to protect our API endpoints from automated spam and bot abuse. Cloudflare Turnstile collects telemetry, device parameters, and browser details to perform verification checks.
For more information, refer to the Cloudflare Turnstile Privacy Policy.
Cookies and local storage
We use only storage that is necessary for security and your local preferences.
- pinchana_web_session
- An HttpOnly, SameSite=Strict session cookie containing a signed verification credential. It authorizes web downloads and becomes invalid when the verification session expires.
- pinchana_instance
- An HttpOnly, SameSite=Strict cookie containing the project-signed certificate for a custom API origin selected in Settings. It expires with that certificate and is removed when the default API is restored.
- cf_clearance
- Cloudflare may set this strictly necessary security cookie only when Turnstile pre-clearance or a Cloudflare Challenge is enabled. It records that the browser passed a security check and expires according to the configured challenge-passage period.
- pinchana-settings
- Local browser storage for Save immediately, ZIP multiple files, background paws, reduced motion, and the selected download mode.
- pinchana_cookie_consent
- Local browser storage recording that the essential-storage notice was acknowledged.
- pinchana-cookie-vault
- A versioned IndexedDB database containing one AES-256-GCM encrypted payload. Profile names, domains, and cookie values are encrypted. Only the salt, calibrated PBKDF2 iteration count, cipher version, IV, and ciphertext are stored unencrypted.
We do not use analytical, tracking, advertising, or marketing cookies.
The vault key remains only in browser memory and the vault locks after a browser restart. Pinchana cannot recover a forgotten passphrase. Erasing the vault permanently deletes its encrypted local record; there is no server backup, account synchronization, or recovery key.
This design does not protect cookies from malicious scripts running in the page, a malicious browser extension, a compromised device, or a malicious API instance operator. Import only user-exported Netscape cookies.txt files and use a trusted Pinchana instance.
External platforms
This service interacts server-side with third-party platforms such as Instagram, TikTok, and YouTube. Pinchana does not embed their login widgets or scripts, so using the downloader does not itself let those platforms set cookies in your browser.
Following an external link is subject to that platform's own privacy and cookie policies.
Icons
Font Awesome icons are packaged and served locally with this website. The browser does not contact a Font Awesome CDN, and Font Awesome does not set cookies through this integration.