Data Security and Privacy Plan
Substital Browser Extension
Prepared by Gaëtan Covelli, developer of Substital · March 24, 2026
Overview
Substital is a browser extension that allows users to add, search for, and customize subtitles for online videos on many video platforms. It is used in educational settings for accessibility, language learning, and comprehension support.
Substital is developed and maintained by a single developer (Gaëtan Covelli). The core subtitle functionality does not collect, transmit, or store any personally identifiable information (PII), including student PII. All subtitle operations occur locally within the user's browser.
Substital also includes a GiveFreely affiliate/charity popup integration. This feature runs background configuration and analytics requests on extension startup regardless of the page being visited. The charity selection popup itself is displayed only on commercial e-commerce checkout pages. This feature is entirely separate from the educational subtitle service, does not target students, and is explicitly excluded from the scope of this NDPA. It is disclosed here for full transparency. See Section 2 for detail.
1. Implementation of Contract Requirements
- The core subtitle service collects no student PII. All subtitle operations are local to the user's browser.
- Substital complies with FERPA, COPPA, and applicable state student privacy laws across the 16 NDPA participating states.
- LEAs will be notified of any material changes to data practices or this Plan in advance of such changes.
- The GiveFreely integration is excluded from NDPA scope and does not apply to students. See Section 2.
2. Administrative, Operational, and Technical Safeguards
Core subtitle service:
- No user accounts, logins, or PII are required or stored.
- Browser extension storage holds only local user preferences (e.g. subtitle appearance). This is not accessible remotely.
- All external communications use HTTPS. The extension requests only permissions necessary for subtitle functionality.
OpenSubtitles.com API (subtitle search and download):
- Substital uses the OpenSubtitles.com REST API to enable subtitle search and download functionality.
- API requests transmit video metadata only — such as video title, language, and IMDb ID. No user identity, student data, or PII is transmitted to OpenSubtitles in the course of normal use.
- OpenSubtitles is a subprocessor for subtitle data retrieval only and has no access to any student PII.
GiveFreely integration (excluded from NDPA scope):
- On extension startup, regardless of the page being visited, background requests are made to GiveFreely's servers to fetch configuration, active merchant domains, standdown policy, merchant rates, and language files.
- Once per day, a health check event is sent to GiveFreely's analytics API containing only the user's browser language.
- The charity selection popup is displayed only on commercial e-commerce checkout pages — not on educational platforms, video platforms, or school websites.
- A country-level IP geolocation lookup is made via MaxMind GeoIP (once, then cached) to determine which charities to display.
- Creates an anonymous user profile on GiveFreely's servers (no name, email, or real identity — pseudonymous device ID and selected charity only).
- Logs anonymous interaction events (popup shown/dismissed, charity selected) to GiveFreely's analytics API.
- Uses Wildfire (affiliate network) to generate tracking links. GiveFreely and Wildfire are subprocessors of this feature only and have no access to any student data.
3. Employee and Subcontractor Training
Substital is a sole-developer operation. The developer maintains awareness of FERPA, COPPA, and applicable state student privacy laws through ongoing review of SDPC documentation and applicable legal updates. Any future employees or contractors with access to student data will be trained on applicable laws before receiving access.
4. Contracting Processes
No employees currently exist. Any future employees or contractors with access to student data will sign confidentiality agreements bound to the terms of this Plan and the NDPA. Any subprocessors receiving student data will enter into written data processing agreements providing protections no less stringent than the NDPA. Substital currently uses the following subprocessors: OpenSubtitles.com (subtitle data retrieval — receives video metadata only, no student PII), GiveFreely and Wildfire (affiliate integration — excluded from NDPA scope, no student PII). No subprocessors have access to student data.
5. Incident Management and Breach Notification
In the event of a breach involving student PII, Substital will:
- Notify affected LEAs within 72 hours of confirmation (24 hours for Virginia LEAs).
- Provide notification including: date/range of breach, types of information involved, description of incident, number of records affected if known, and a point of contact.
- Cooperate with LEAs, the NYSED Chief Privacy Officer, and law enforcement as required.
- Take immediate containment and remediation steps and document lessons learned.
Because no student PII is currently collected by Substital, the risk of a student data breach from Substital-controlled systems is very low.
6. Data Transition Upon Termination
Substital's core service stores no student PII on its own servers. If any student data is held pursuant to a service agreement, it will be returned or securely destroyed within the timeframes required by the NDPA (60 days standard; 90 days for New York; 30 days for Colorado). Data will be provided in a readable, exportable format upon request. Written confirmation of destruction will be provided upon request.
7. Secure Destruction
If student data is ever stored, it will be destroyed using secure deletion methods consistent with NIST SP 800-88 Rev. 1. Written certification of destruction will be provided to the requesting LEA. For Colorado LEAs, written notice of the destruction date and method will be provided within 30 days of completion.
8. Alignment with LEA Policies
- Substital will review and comply with the Data Security and Privacy Policy of any originating LEA, provided upon DPA execution.
- Substital will review the Parents' Bill of Rights of any subscribing New York LEA, provided upon Exhibit E execution.
- Substital will not use student data for commercial, advertising, or marketing purposes.
- Substital will not sell, rent, or trade student data to any third party.
- All student data remains the exclusive property of the LEA.
- Material changes to Substital's privacy policy will be communicated to LEAs in advance (15 days for Colorado; written notice for Washington).
9. NIST Cybersecurity Framework v1.1 Alignment
| Function | Category | Provider Response |
|---|---|---|
| IDENTIFY | Asset Management (ID.AM) | Assets consist of the browser extension, substital.com, and hosting infrastructure. No student PII is stored in any of these. Third-party integrations (GiveFreely/Wildfire) are documented and scoped separately from the educational service. |
| IDENTIFY | Business Environment (ID.BE) | Substital's mission is accessibility and language learning via subtitles. Data privacy is a core obligation factored into all development and partnership decisions. |
| IDENTIFY | Governance (ID.GV) | Substital maintains a Privacy Policy and this Plan. The developer reviews applicable federal and state student privacy laws. Governance is the direct responsibility of the sole developer. |
| IDENTIFY | Risk Assessment (ID.RA) | Primary risk is unauthorized access to future student data. Currently low, as no student PII is collected. Third-party integrations have been reviewed for privacy risk. |
| IDENTIFY | Risk Management Strategy (ID.RM) | Data minimization is the primary risk strategy. Collecting no student data is the most effective control. Where data is collected (GiveFreely), it is anonymized, contains no student PII, and is scoped away from educational contexts. |
| IDENTIFY | Supply Chain Risk (ID.SC) | Third-party dependencies include OpenSubtitles.com (subtitle data retrieval — video metadata only, no student PII), GiveFreely and Wildfire (affiliate, excluded from NDPA scope). No third party has access to student PII. |
| PROTECT | Identity & Access Control (PR.AC) | Backend access is limited to the sole developer with strong authentication. No student accounts or credentials are required. Browser storage is local to the user's device. |
| PROTECT | Awareness & Training (PR.AT) | The developer maintains awareness of cybersecurity obligations. Future employees/contractors with student data access will be trained before receiving access. |
| PROTECT | Data Security (PR.DS) | No student PII is stored server-side. All external communications use HTTPS/TLS. User preferences are stored locally in the browser and not accessible to Substital remotely. |
| PROTECT | Information Protection Processes (PR.IP) | This Plan constitutes Substital's information protection policy. It is reviewed and updated when laws change or new integrations are introduced. |
| PROTECT | Maintenance (PR.MA) | The extension is updated through official browser stores (Chrome Web Store, Firefox Add-ons). Updates are reviewed for privacy implications. Security patches are applied promptly. |
| PROTECT | Protective Technology (PR.PT) | HTTPS enforced for all external communications. The extension requests only minimum necessary browser permissions. No unnecessary data collection code is present. |
| DETECT | Anomalies & Events (DE.AE) | Server infrastructure is monitored for unusual access. User-reported anomalies are reviewed promptly. Third-party service anomalies are monitored via provider dashboards. |
| DETECT | Security Continuous Monitoring (DE.CM) | Extension store reviews and user reports are monitored for security issues. Browser extension stores provide security scanning of extension code. |
| DETECT | Detection Processes (DE.DP) | Incident response procedures are documented in Section 5. Periodic review of data flows and third-party integrations verifies no unintended data collection is occurring. |
| RESPOND | Response Planning (RS.RP) | Incident response plan is described in Section 5. LEAs notified within 72 hours of confirmed breach (24 hours for Virginia). Incident is contained and remediation steps taken. |
| RESPOND | Communications (RS.CO) | In a breach, Substital coordinates with affected LEAs, the NYSED CPO (for NY LEAs), and law enforcement as required. A security contact is provided to each LEA upon DPA execution. |
| RESPOND | Analysis (RS.AN) | Breach incidents are analyzed to determine scope, cause, and affected data. Findings are documented and shared with LEAs as required. |
| RESPOND | Mitigation (RS.MI) | Immediate steps include containing the breach, revoking compromised access, and securing affected systems. LEAs are notified of containment actions taken. |
| RESPOND | Improvements (RS.IM) | Lessons learned from incidents are documented and used to update this Plan and improve safeguards. LEAs are informed of material improvements. |
| RECOVER | Recovery Planning (RC.RP) | Recovery includes restoration of affected systems, verification of data integrity, and confirmation that the breach vector is closed. Documentation of recovery is maintained. |
| RECOVER | Improvements (RC.IM) | Each incident is used to improve recovery procedures. This Plan is updated accordingly and reviewed at least annually. |
| RECOVER | Communications (RC.CO) | Recovery is coordinated with LEAs, third-party providers, and browser store platforms as appropriate. Status updates are provided to affected LEAs throughout recovery. |
Prepared by: Gaëtan Covelli, developer of Substital · gaetan@substital.com · March 24, 2026