Privacy Policy

Last Updated: November 15, 2025

1. Introduction

This Privacy Policy describes how Yanna ("we", "us", "our", or "Company") collects, uses, shares, and protects personal information obtained through our platform and services. We recognize that privacy is tremendously important, and we are committed to maintaining the trust and confidence of our users.

Our platform provides AI-powered legal document generation, case management, optical character recognition, electronic signature capabilities, and related services. In providing these services, we process various types of information, including personal data and sensitive documents. This policy explains our practices regarding such information and your rights concerning your data.

By accessing or using our Service, you acknowledge that you have read, understood, and agree to be bound by the terms of this Privacy Policy. If you do not agree with our data practices as described in this policy, you should not use our Service. We encourage you to review this policy carefully and contact us if you have any questions or concerns.

2. Information We Collect

In order to provide our services effectively, we collect several categories of information. The specific information we collect depends on how you interact with our platform, which features you use, and the choices you make. Below is a comprehensive description of the types of information we may collect.

2.1 Information You Provide Directly

This category includes information that you voluntarily submit to us when creating an account, using our services, or communicating with us. The provision of certain information is necessary for us to deliver our services to you, while other information may be optional.

  • Account Registration Information: When you create an account, we collect your email address, full name, and password. If you choose to sign up using a third-party authentication service such as Google OAuth, we receive your name and email address from that provider. You may also provide a professional title or other profile information to personalize your account.
  • Profile and Signature Information: Our platform allows you to create and store electronic signatures, which may include drawn signatures, typed signatures, or uploaded signature images. We also store your signature preferences, such as your preferred signature style and font selections. This information is used to facilitate the signing of documents through our electronic signature features.
  • Payment and Billing Information: When you subscribe to a paid plan or make purchases through our platform, we collect payment information necessary to process your transaction. This includes billing addresses and payment method details. However, we do not directly store complete credit card numbers or sensitive payment credentials. Instead, this information is securely processed and stored by our payment processor, Stripe, in accordance with the Payment Card Industry Data Security Standard (PCI DSS).
  • Documents and Content: The nature of our service requires you to upload, create, and store various types of documents and content. This includes legal documents you create or generate using our AI tools, PDF files and images you upload for processing, text content you input into our document editor, and facts or information extracted from your documents through our AI-powered analysis features. We understand that these documents may contain sensitive or confidential information, and we implement appropriate security measures to protect them.
  • Communication and Correspondence: When you send documents to recipients, communicate with our support team, or use our SMS assistant feature, we collect the content of those communications. This includes email addresses of document recipients, SMS messages sent to and from our platform, chat conversations with our AI assistant, and any support tickets or inquiries you submit. We use this information to facilitate communication, provide customer support, and improve our services.
  • API and Integration Configuration: If you use our API or integration features, particularly if you are an agency user managing multiple clients, we collect configuration information such as API keys, webhook URLs, client identifiers, and integration settings. This information is necessary to enable programmatic access to our platform and to facilitate integrations with third-party services.

2.2 Information Collected Automatically

When you access or use our Service, we automatically collect certain information about your device, browsing actions, and usage patterns. This information helps us understand how users interact with our platform, identify technical issues, improve performance, and enhance the overall user experience.

  • Usage and Activity Data: We collect detailed information about how you use our platform, including which pages and features you access, the actions you take, the time you spend on different pages, the sequence of pages you visit, and the features you use most frequently. This data helps us understand user behavior, identify popular features, and make informed decisions about product development and improvements.
  • Device and Technical Information: We automatically collect information about the device and software you use to access our Service. This includes your IP address (which may be used to approximate your geographic location), browser type and version, device type (such as desktop, mobile, or tablet), operating system and version, screen resolution, and user agent string. This information helps us optimize our platform for different devices and browsers, troubleshoot technical issues, and detect potential security threats.
  • Log and Event Data: Our servers automatically record log information when you access or use our Service. These logs include access timestamps, requested URLs, HTTP response codes, error messages, API requests and responses, and other diagnostic data. We retain these logs for security monitoring, troubleshooting, and system optimization purposes.
  • Analytics and Product Intelligence: We use analytics tools, specifically PostHog, to collect aggregated and individual-level data about user behavior and product usage. This includes information about feature adoption, user flows, conversion events, session recordings (when enabled), and interaction patterns. These insights help us understand how users engage with our platform and inform our product development priorities.
  • Authentication and Session Information: To maintain your logged-in state and secure your account, we collect information about your authentication sessions, including login timestamps, authentication methods used (such as password, OAuth, or magic link), session duration, and session tokens. This information is essential for account security and to provide a seamless user experience across multiple sessions and devices.
  • Performance and Diagnostic Data: We monitor the performance of our platform by collecting data such as API response times, error rates, system load metrics, and feature performance statistics. This information helps us identify performance bottlenecks, optimize our infrastructure, and ensure reliable service delivery.

2.3 Information from Third-Party Sources

In certain circumstances, we receive information about you from third-party services that you choose to connect with our platform or that we use to provide our services.

  • OAuth and Social Login Providers: If you choose to create an account or sign in using Google or another OAuth provider, we receive basic profile information from that provider, typically including your name, email address, and profile picture. The specific information we receive depends on your privacy settings with that provider and the permissions you grant during the authentication process.
  • Payment Service Providers: Our payment processor, Stripe, provides us with information about payment transactions, including payment status, transaction identifiers, customer identifiers, billing history, and subscription status. We use this information to manage your account, process payments, handle billing inquiries, and provide customer support related to payments.
  • Business Partners and Integrations: If you connect third-party services to your account, such as Slack workspaces or other integrations, we may receive information from those services necessary to facilitate the integration. This may include workspace identifiers, user identifiers, and configuration settings.

3. How We Use Your Information

We use the information we collect for various purposes related to providing, maintaining, and improving our services. Our use of your information is based on our legitimate business interests, the necessity to perform our contract with you, your consent, or compliance with legal obligations. Below are the primary purposes for which we use your information.

3.1 Providing and Delivering Our Services

The primary purpose for which we collect and use your information is to provide you with the services you request. This includes:

  • Creating, maintaining, and securing your account
  • Authenticating your identity and managing your login sessions
  • Processing and generating legal documents using artificial intelligence technologies
  • Performing optical character recognition on uploaded documents using Azure Document Intelligence and OpenAI Vision APIs
  • Extracting and structuring relevant facts and information from your documents
  • Organizing and managing your documents within our case management system
  • Facilitating electronic signature workflows and document execution
  • Delivering documents to recipients via email through Resend and SMS through Twilio
  • Processing API requests and executing webhook notifications
  • Providing SMS-based AI assistance and responding to your inquiries
  • Storing your documents and data securely in our cloud infrastructure

3.2 Processing Payments and Managing Subscriptions

When you subscribe to a paid plan or make purchases through our platform, we use your information to:

  • Process subscription payments and manage recurring billing
  • Calculate and charge for usage-based services, including AI credits and document processing
  • Monitor your usage against billing thresholds and notify you when thresholds are approached
  • Manage your payment methods and update payment information
  • Handle refund requests, payment disputes, and chargebacks
  • Generate and deliver invoices, receipts, and billing statements
  • Detect and prevent payment fraud
  • Maintain records of transactions for accounting and tax purposes

3.3 Communicating With You

We use your contact information to communicate with you about our services, your account, and other relevant matters:

  • Sending transactional emails necessary for account management, such as account verification, password resets, and security alerts
  • Delivering notifications about documents sent to you for signature or review
  • Sending billing notifications, payment confirmations, and usage alerts
  • Responding to your customer support inquiries and providing technical assistance
  • Sending important service updates, maintenance notifications, and changes to our terms or policies
  • Providing SMS notifications and AI assistant responses when you use our SMS features
  • Communicating about new features, product updates, or other information we believe may be of interest to you (you may opt out of marketing communications)

3.4 Improving and Developing Our Services

We analyze usage data and user feedback to continuously improve our platform and develop new features:

  • Analyzing usage patterns and user behavior through PostHog analytics to understand how users interact with our platform
  • Monitoring system performance, reliability, and uptime to ensure consistent service delivery
  • Identifying, diagnosing, and fixing bugs, errors, and technical issues
  • Evaluating the effectiveness of our AI models and improving their accuracy and performance
  • Conducting research and development to create new features and enhance existing functionality
  • Tracking API usage patterns to optimize rate limiting and resource allocation
  • Testing new features and conducting A/B tests to improve user experience
  • Gathering user feedback and conducting surveys to inform product decisions

3.5 Ensuring Security and Preventing Abuse

We use your information to maintain the security and integrity of our platform:

  • Detecting and preventing fraudulent transactions, unauthorized access, and other illegal activities
  • Monitoring for security threats, vulnerabilities, and suspicious behavior
  • Enforcing our Terms of Service and other policies
  • Investigating and responding to security incidents
  • Implementing and maintaining access controls, encryption, and other security measures
  • Verifying user identity and preventing account takeovers
  • Protecting against spam, abuse, and misuse of our platform

3.6 Complying with Legal Obligations

We may use and disclose your information as necessary to comply with applicable laws, regulations, legal processes, or governmental requests. This includes maintaining records for tax purposes, responding to subpoenas or court orders, and cooperating with law enforcement investigations when legally required to do so.

4. How We Share Your Information

We do not sell your personal information to third parties. However, we do share your information in certain circumstances as described below. When we share information with third parties, we take steps to ensure they handle your data responsibly and in accordance with applicable privacy laws.

4.1 Service Providers and Business Partners

We engage trusted third-party companies and individuals to perform services on our behalf. These service providers have access to your information only to perform specific tasks and are obligated not to disclose or use it for other purposes. Our key service providers include:

  • Supabase: Provides our database infrastructure, user authentication services, and file storage. Supabase hosts your account information, documents, and other data in secure, encrypted databases with Row Level Security to ensure data isolation between users.
  • Stripe: Processes all payment transactions, manages subscriptions, and stores payment method information. Stripe is a PCI DSS Level 1 certified payment processor and handles your payment data in accordance with the highest security standards.
  • OpenAI: Provides artificial intelligence language models that power our document generation features and vision models for optical character recognition. When you use AI features, your document content is sent to OpenAI for processing. Importantly, we have configured our integration to ensure zero data retention - OpenAI does not store or use your data to train their models. Your content is processed in real-time and immediately discarded after generating results.
  • Groq: Offers alternative AI processing capabilities for improved performance. Similar to our OpenAI integration, we maintain a zero data retention policy with Groq. Your data is processed transiently and not retained or used for model training purposes.
  • Microsoft Azure: Specifically, we use Azure Document Intelligence (formerly Form Recognizer) for optical character recognition and document analysis. Azure processes your documents to extract text and structure. We have configured our Azure services with zero data retention - your documents are processed and results are returned without any storage or retention of your data by Microsoft.
  • Twilio: Enables SMS messaging capabilities, including our SMS assistant feature and text notifications. Twilio processes phone numbers and message content to deliver SMS communications.
  • Resend: Handles transactional email delivery, including account notifications, document delivery emails, and system alerts. Resend processes email addresses and message content to deliver emails on our behalf.
  • PostHog: Provides product analytics and user behavior tracking. PostHog collects usage data, events, and interaction patterns to help us understand how users engage with our platform and inform product decisions.
  • Vercel: Hosts and deploys our application infrastructure, providing the platform on which our service runs.
  • Upstash: Provides Redis database services for caching, session management, and rate limiting functionality.

4.2 Integration Partners

When you choose to enable integrations with third-party services, we share relevant information necessary to facilitate those integrations:

  • Slack: If you connect your Slack workspace, we share workspace information, user identifiers, and notification content to enable Slack notifications and interactions.
  • Custom Webhooks: If you configure webhook URLs, we send event data to those endpoints as specified in your configuration. You control what information is shared through webhooks based on the events you subscribe to.

4.3 Document Recipients

When you send documents for signature, review, or sharing through our platform, we necessarily share information with the intended recipients. This includes the recipient's name and email address (which you provide), the document content you choose to share, signing instructions and messages, and metadata about the document envelope. Recipients can access the documents you send them through secure links, and we track their interactions with those documents (such as when they open or sign them).

4.4 Legal Requirements and Protection of Rights

We may disclose your information if we believe in good faith that such disclosure is necessary to:

  • Comply with applicable laws, regulations, legal processes, or enforceable governmental requests
  • Enforce our Terms of Service or other agreements, including investigation of potential violations
  • Detect, prevent, or otherwise address fraud, security, or technical issues
  • Protect against harm to the rights, property, or safety of our company, our users, or the public as required or permitted by law
  • Respond to claims that content violates the rights of third parties
  • Cooperate with law enforcement or national security investigations

Where legally permitted, we will make reasonable efforts to notify you of such requests unless notification is prohibited by law or court order, or if we believe notification could create a risk of harm or obstruct a legal investigation.

4.5 Business Transfers

In the event that we are involved in a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. In such cases, we will provide notice before your information is transferred and becomes subject to a different privacy policy. The acquiring entity will be required to continue to honor the commitments we have made in this Privacy Policy.

4.6 Aggregated and De-Identified Information

We may share aggregated, anonymized, or de-identified information that cannot reasonably be used to identify you. For example, we may share statistical data about usage patterns, feature adoption rates, or industry trends. This information does not contain any personal identifiers and cannot be traced back to individual users.

4.7 With Your Consent

We may share your information for purposes not described in this policy with your explicit consent. We will clearly explain what information will be shared, with whom, and for what purpose before obtaining your consent.

5. Artificial Intelligence and Zero Data Retention

Our platform leverages advanced artificial intelligence technologies to provide document generation, optical character recognition, and intelligent analysis features. We understand that the documents you process through our platform may contain sensitive, confidential, or privileged information. Therefore, we have implemented strict data handling practices with our AI service providers.

5.1 Zero Data Retention Policy

We have configured our integrations with all AI service providers to implement a zero data retention policy. This means:

  • No Storage: Your documents and content are not stored by our AI providers after processing. They are processed in real-time and immediately discarded once results are returned.
  • No Training: Your data is not used to train, improve, or develop AI models. OpenAI, Groq, and Azure do not retain your content for machine learning purposes.
  • Transient Processing: Content is held in memory only for the duration necessary to generate results, typically a few seconds, and then permanently deleted.
  • No Human Review: Your content is not reviewed by human operators at our AI service providers unless you explicitly report an issue and consent to such review.

5.2 AI Processing Details

When you use AI-powered features, the following types of content may be sent to our AI providers for processing:

  • Document text and content for generation, analysis, or completion
  • Images and PDF files for optical character recognition
  • Chat messages and prompts submitted to our AI assistant
  • Extracted text for fact identification and structuring

This processing occurs over encrypted connections, and the results are returned to our servers where they are stored in your account. The AI providers do not retain copies of your content or the generated results.

5.3 Your Control Over AI Features

You have control over when and how AI features are used with your content. AI processing only occurs when you explicitly invoke AI features, such as clicking a button to generate content, uploading a document for OCR, or sending a message to our AI assistant. You can choose not to use AI features if you prefer to work with your documents without AI assistance.

5.4 AI Service Provider Policies

While we have configured our integrations for zero data retention, we recommend reviewing the privacy policies of our AI service providers for complete information about their data practices:

  • OpenAI Privacy Policy and API Data Usage Policies
  • Microsoft Azure Privacy Statement and AI Services Data Protection
  • Groq Privacy Policy and Data Handling Practices

6. Electronic Signatures and E-SIGN Act Compliance

Our platform provides electronic signature capabilities that allow you to sign documents electronically and send documents to others for signature. These features are designed to comply with the Electronic Signatures in Global and National Commerce Act (E-SIGN Act), the Uniform Electronic Transactions Act (UETA), and similar laws governing electronic signatures and records.

6.1 Legal Validity of Electronic Signatures

Under the E-SIGN Act and UETA, electronic signatures are generally given the same legal effect as handwritten signatures. Our electronic signature features are designed to create legally binding signatures that satisfy the requirements of these laws. However, the legal enforceability of any particular signature depends on various factors, including the intent of the parties, the nature of the transaction, and applicable state and federal laws.

6.2 Consent to Electronic Signatures

By using our electronic signature features, you consent to conducting transactions electronically and to signing documents using electronic signatures. When you send a document to another party for signature, that party must also consent to using electronic signatures before they can sign. We obtain this consent through our signature workflow, which includes clear disclosure of the electronic nature of the transaction.

6.3 Signature Authentication and Security

To ensure the integrity and authenticity of electronic signatures, we implement multiple security measures:

  • Identity Verification: Signers must verify their identity through email verification. When a document is sent for signature, we send a unique, secure link to the signer's email address.
  • Access Controls: Each signature request is protected by a unique access token that prevents unauthorized access to the document. Only the intended recipient can access the document using their unique link.
  • Audit Trail: We maintain a comprehensive audit trail for each signed document, including timestamps of when the document was sent, opened, and signed, IP addresses from which the document was accessed, and user agent information about the device and browser used.
  • Signature Capture: We record the signature data (whether drawn, typed, or uploaded) and associate it with the signer's identity and the specific document.
  • Document Integrity: Once a document is signed, we ensure that the signed version cannot be altered. Any changes to the document would invalidate the signature.

6.4 Signature Records and Retention

We retain records of electronic signatures and related information to provide evidence of the signing transaction. This includes:

  • The signed document and its contents
  • The signature image or data
  • The complete audit trail of the signing process
  • Signer identification information
  • Timestamps and metadata about the transaction

These records are stored securely and are accessible to you through your account. You can download signed documents and their associated audit trails at any time. We retain these records in accordance with our data retention policies and applicable legal requirements.

6.5 Withdrawal of Consent

You have the right to withdraw your consent to use electronic signatures at any time. However, withdrawal of consent does not affect the legal validity of any signatures that were completed before the withdrawal. If you wish to withdraw consent, you should discontinue using our electronic signature features and conduct future transactions using paper-based signatures.

6.6 Limitations and Exclusions

While electronic signatures are legally valid for most transactions, certain types of documents may be excluded from electronic signature laws or may require additional formalities. These may include wills, codicils, testamentary trusts, certain family law documents, court orders, notices of cancellation of utility services, and other documents specified by law. You are responsible for determining whether electronic signatures are appropriate for your particular use case and ensuring compliance with applicable laws.

7. Data Storage, Security, and Retention

We take the security of your information seriously and have implemented comprehensive technical and organizational measures to protect your data from unauthorized access, disclosure, alteration, or destruction.

7.1 Data Storage Infrastructure

Your data is stored using enterprise-grade cloud infrastructure provided by Supabase, which is built on Amazon Web Services (AWS). Our storage architecture includes:

  • Database Storage: Structured data, including account information, case metadata, and document metadata, is stored in PostgreSQL databases with Row Level Security (RLS) enabled. RLS ensures that users can only access their own data, providing database-level isolation between user accounts.
  • File Storage: Documents, images, and other files are stored in Supabase Storage, which provides secure, scalable object storage with access controls and encryption.
  • Cache Storage: Temporary data and session information are stored in Upstash Redis, which provides fast, in-memory caching for improved performance.
  • Backup Systems: Automated backups are maintained by Supabase to protect against data loss. Backups are encrypted and stored redundantly across multiple geographic locations.

7.2 Security Measures

We employ multiple layers of security to protect your information:

  • Encryption in Transit: All data transmitted between your device and our servers is encrypted using Transport Layer Security (TLS) with strong cipher suites. This prevents eavesdropping and man-in-the-middle attacks.
  • Encryption at Rest: All data stored in our databases and file storage systems is encrypted at rest using industry-standard encryption algorithms. This protects your data even if physical storage media were to be compromised.
  • Authentication Security: User passwords are hashed using bcrypt, a strong one-way hashing algorithm designed specifically for password storage. We never store passwords in plain text. Multi-factor authentication options are available for enhanced account security.
  • Access Controls: We implement strict access controls to limit who can access user data. Row Level Security in our database ensures that users can only access their own data. Administrative access to systems is restricted to authorized personnel only and is logged for audit purposes.
  • API Security: API keys are hashed using SHA-256 before storage, and we never store the full key after initial generation. API requests are authenticated and rate-limited to prevent abuse. We validate all API inputs to prevent injection attacks and other vulnerabilities.
  • Webhook Security: Webhook payloads are signed using HMAC SHA-256 signatures, allowing recipients to verify that webhooks originated from our platform and have not been tampered with in transit.
  • Session Management: User sessions are protected using secure, randomly generated tokens with automatic expiration. Sessions are invalidated upon logout and after periods of inactivity.
  • Monitoring and Logging: We continuously monitor our systems for security threats, suspicious activity, and unauthorized access attempts. Security logs are retained and reviewed regularly to identify and respond to potential incidents.
  • Vulnerability Management: We regularly update our software dependencies, apply security patches promptly, and conduct security assessments to identify and remediate vulnerabilities.
  • Incident Response: We maintain an incident response plan to quickly detect, respond to, and recover from security incidents. In the event of a data breach affecting your personal information, we will notify you in accordance with applicable laws.

7.3 Data Retention Periods

We retain your information for as long as necessary to provide our services and fulfill the purposes described in this Privacy Policy. Specific retention periods include:

  • Active Account Data: While your account is active, we retain all data associated with your account, including documents, case information, and account settings. You can delete documents and data at any time through your account.
  • Deleted Account Data: When you delete your account, we begin a deletion process that permanently removes your personal information and documents from our active systems within 30 days. Some information may persist in backup systems for up to an additional 30 days before being permanently deleted.
  • Billing and Transaction Records: We retain billing records, invoices, and transaction history for seven years to comply with tax laws, accounting requirements, and financial regulations. This includes payment information necessary for tax reporting and audit purposes.
  • System Logs: Server logs, access logs, and error logs are retained for 90 days for security monitoring, troubleshooting, and system optimization purposes. After 90 days, logs are automatically deleted.
  • Backup Data: Data in backup systems is retained for 30 days and then permanently deleted. Backups are maintained for disaster recovery purposes and follow the same deletion schedule as active data.
  • Legal Hold: If we are subject to a legal obligation to retain data (such as a litigation hold, government investigation, or court order), we will retain relevant data until the legal obligation is lifted, even if you have requested deletion.

7.4 Your Security Responsibilities

While we implement robust security measures, the security of your account also depends on your actions. You are responsible for:

  • Choosing a strong, unique password for your account
  • Keeping your password confidential and not sharing it with others
  • Logging out of your account when using shared or public computers
  • Promptly notifying us if you suspect unauthorized access to your account
  • Keeping your contact information up to date so we can reach you about security matters
  • Maintaining backups of critical documents and information

8. Your Privacy Rights and Choices

You have various rights regarding your personal information. The specific rights available to you may depend on your location and applicable privacy laws. We are committed to honoring these rights and providing you with meaningful control over your information.

8.1 Access and Data Portability

You have the right to access your personal information and obtain a copy of your data in a portable format. Through your account settings, you can view most of your personal information, including your profile details, account settings, and subscription information. You can export your documents at any time by downloading them individually or in bulk. If you need a comprehensive copy of all personal information we hold about you, you may submit a data access request to privacy@yanna.pro, and we will provide the information in a structured, commonly used, machine-readable format within 30 days.

8.2 Correction and Update

You have the right to correct inaccurate or incomplete personal information. You can update most of your account information directly through your account settings, including your name, email address, professional title, signature preferences, and other profile details. If you encounter information that you cannot update yourself, please contact us at support@yanna.pro, and we will assist you in making the necessary corrections.

8.3 Deletion and Account Closure

You have the right to request deletion of your personal information and closure of your account. You can delete individual documents, cases, or other content through your account at any time. To delete your entire account and all associated data, please contact us at privacy@yanna.pro with your deletion request. Upon receiving your request, we will:

  • Verify your identity to prevent unauthorized deletion requests
  • Cancel any active subscriptions
  • Permanently delete your personal information and documents from our active systems within 30 days
  • Remove your data from backup systems within 60 days

Please note that we may retain certain information if required by law, for legitimate business purposes (such as billing records for tax compliance), or to resolve disputes. We will inform you if any information must be retained and the reason for retention.

8.4 Objection and Restriction

You have the right to object to certain types of processing of your personal information and to request restriction of processing in certain circumstances. For example, you may object to processing for direct marketing purposes or request that we temporarily restrict processing while we verify the accuracy of your data. To exercise these rights, please contact us at privacy@yanna.pro with details of your objection or restriction request.

8.5 Opt-Out of Communications

You can control the communications you receive from us:

  • Email Notifications: You can manage your email notification preferences through your account settings. You can choose which types of emails you wish to receive. Please note that even if you opt out of marketing emails, we will still send you essential transactional emails related to your account, such as password resets, billing notifications, and important service updates.
  • SMS Messages: If you use our SMS features, you can opt out of SMS notifications at any time by replying "STOP" to any SMS message from our platform. You can also manage SMS preferences through your account settings.
  • Analytics Tracking: If you wish to opt out of analytics tracking, please contact us at privacy@yanna.pro. Note that opting out of analytics may limit our ability to improve the service based on usage patterns.

8.6 California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to Know: You have the right to request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources from which we collected the information, our business or commercial purposes for collecting the information, and the categories of third parties with whom we share personal information.
  • Right to Delete: You have the right to request deletion of personal information we have collected from you, subject to certain exceptions.
  • Right to Opt-Out of Sale: We do not sell personal information as defined by California law. We do not and will not sell your personal information to third parties.
  • Right to Correct: You have the right to request correction of inaccurate personal information we maintain about you.
  • Right to Limit Use of Sensitive Personal Information: If we use sensitive personal information for purposes beyond those permitted by law, you have the right to limit such use.
  • Right to Non-Discrimination: You have the right not to receive discriminatory treatment for exercising your privacy rights. We will not deny you services, charge different prices, or provide a different level of service solely because you exercised your privacy rights.

To exercise these rights, please submit a request to privacy@yanna.pro. We will verify your identity before processing your request and respond within 45 days. You may designate an authorized agent to make requests on your behalf, but we will require proof of authorization.

8.7 European Privacy Rights (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have rights under the General Data Protection Regulation (GDPR) and similar laws:

  • Right of Access: You have the right to obtain confirmation of whether we process your personal data and to access that data.
  • Right to Rectification: You have the right to have inaccurate personal data corrected and incomplete data completed.
  • Right to Erasure: You have the right to request deletion of your personal data in certain circumstances, such as when the data is no longer necessary for the purposes for which it was collected.
  • Right to Restriction of Processing: You have the right to request restriction of processing in certain circumstances, such as when you contest the accuracy of the data.
  • Right to Data Portability: You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit that data to another controller.
  • Right to Object: You have the right to object to processing based on legitimate interests or for direct marketing purposes.
  • Right to Withdraw Consent: Where processing is based on consent, you have the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
  • Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority, particularly in your country of residence, place of work, or place of alleged infringement.

To exercise these rights, please contact us at privacy@yanna.pro. We will respond to your request within one month, though we may extend this period by two additional months if necessary, in which case we will inform you of the extension and the reasons for the delay.

9. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to collect information about your browsing activities and to provide, maintain, and improve our services. This section explains what these technologies are, why we use them, and how you can control them.

9.1 What Are Cookies

Cookies are small text files that are placed on your device when you visit a website. They are widely used to make websites work more efficiently and to provide information to website owners. Cookies can be "persistent" (remaining on your device until deleted or expired) or "session" (deleted when you close your browser).

9.2 Types of Cookies We Use

  • Strictly Necessary Cookies: These cookies are essential for the operation of our platform. They enable core functionality such as user authentication, security features, and access to secure areas. Without these cookies, services you have requested cannot be provided. These cookies do not gather information about you for marketing purposes and cannot be disabled through our settings.
  • Functional Cookies: These cookies allow our platform to remember choices you make (such as your theme preference, language, or region) and provide enhanced, personalized features. They may also be used to provide services you have requested, such as remembering your login state across sessions.
  • Analytics and Performance Cookies: We use PostHog analytics cookies to collect information about how visitors use our platform. These cookies collect aggregated information about the number of visitors, where visitors come from, which pages they visit, how long they stay, and what actions they take. This information helps us improve our platform and understand user behavior. The information collected is anonymous and cannot be used to identify individual users.
  • Session Management Cookies: These cookies maintain your logged-in state as you navigate through our platform. They are essential for security and ensuring that your session remains authenticated throughout your visit.

9.3 Third-Party Cookies

Some cookies on our platform are placed by third-party services we use. For example, PostHog places cookies to track analytics, and our authentication provider may place cookies to manage your login session. These third parties have their own privacy policies governing their use of cookies and tracking technologies.

9.4 Controlling Cookies

Most web browsers automatically accept cookies, but you can modify your browser settings to decline cookies if you prefer. However, please note that disabling cookies may prevent you from using certain features of our platform or may cause some features to not function properly. You can typically find cookie settings in the "Options" or "Preferences" menu of your browser.

To opt out of analytics tracking, you can contact us at privacy@yanna.pro, and we will honor your request. Additionally, you can use browser extensions or privacy tools that block analytics scripts.

9.5 Do Not Track Signals

Some browsers include a "Do Not Track" (DNT) feature that signals to websites that you do not want your online activities tracked. Currently, there is no industry standard for how to respond to DNT signals, and our platform does not currently respond to DNT browser signals. However, you can control tracking through the cookie settings described above.

10. International Data Transfers

Our services are hosted and operated in the United States, and our service providers may be located in various countries around the world. If you access our services from outside the United States, your information will be transferred to, stored, and processed in the United States and other countries where our service providers operate.

These countries may have data protection laws that differ from the laws of your country of residence. However, we take steps to ensure that your information receives an adequate level of protection regardless of where it is processed. When we transfer personal data from the European Economic Area, United Kingdom, or Switzerland to other countries, we implement appropriate safeguards, such as:

  • Standard Contractual Clauses approved by the European Commission
  • Data Processing Agreements with our service providers that include data protection obligations
  • Ensuring service providers are certified under recognized frameworks such as the EU-U.S. Data Privacy Framework (where applicable)
  • Implementing technical and organizational measures to protect data during transfer and processing

By using our services, you acknowledge and consent to the transfer of your information to the United States and other countries for the purposes described in this Privacy Policy.

11. Children's Privacy

Our services are not directed to, and we do not knowingly collect personal information from, children under the age of 18. Our Terms of Service require that users be at least 18 years old to create an account and use our services. If we become aware that we have collected personal information from a child under 18 without parental consent, we will take steps to delete that information as quickly as possible.

If you are a parent or guardian and believe that your child has provided us with personal information, please contact us immediately at privacy@yanna.pro, and we will work to delete the information and terminate the account.

12. Third-Party Links and Services

Our platform may contain links to third-party websites, services, or integrations that are not owned or controlled by us. This Privacy Policy applies only to our platform and services. When you click on links to third-party sites or enable third-party integrations, you are subject to the privacy policies and terms of service of those third parties.

We are not responsible for the privacy practices, content, or security of third-party websites or services. We encourage you to read the privacy policies of every website you visit and every service you use. The inclusion of a link or integration does not imply our endorsement of the linked site or service.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make changes to this policy, we will update the "Last Updated" date at the top of this page. If we make material changes that significantly affect your privacy rights or how we handle your personal information, we will provide additional notice through one or more of the following methods:

  • Sending an email notification to the email address associated with your account
  • Displaying a prominent notice on our platform
  • Requiring you to acknowledge the updated policy before continuing to use our services

We encourage you to review this Privacy Policy periodically to stay informed about how we collect, use, and protect your information. Your continued use of our services after we publish or communicate changes to this Privacy Policy constitutes your acceptance of those changes.

14. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area, United Kingdom, or Switzerland, we process your personal data only when we have a valid legal basis to do so. The legal bases we rely on include:

  • Contract Performance: Processing is necessary to perform our contract with you and provide the services you have requested. This includes creating your account, processing documents, facilitating electronic signatures, and delivering the core features of our platform.
  • Legitimate Interests: Processing is necessary for our legitimate business interests, such as improving our services, ensuring security, preventing fraud, analyzing usage patterns, and conducting research and development. We balance these interests against your rights and interests and only process data when our interests are not overridden by your privacy rights.
  • Consent: In some cases, we process personal data based on your explicit consent, such as when you opt in to receive marketing communications or enable optional features. You have the right to withdraw consent at any time, and withdrawal does not affect the lawfulness of processing based on consent before withdrawal.
  • Legal Obligations: Processing is necessary to comply with legal obligations to which we are subject, such as tax laws, accounting requirements, or responding to lawful requests from authorities.

15. Data Controller and Contact Information

For the purposes of data protection laws, Yanna is the data controller responsible for your personal information. If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us using the information below:

General Inquiries:

Email: support@yanna.pro

Website: https://app.yanna.pro

Privacy-Specific Inquiries and Data Subject Requests:

Email: privacy@yanna.pro

Subject Line: "Privacy Request" or "Data Subject Request"

When contacting us about privacy matters, please include sufficient information to allow us to verify your identity and locate your account. For data subject access requests, deletion requests, or other privacy rights requests, we will respond within the timeframes required by applicable law, typically within 30-45 days.

If you are located in the European Economic Area and have concerns about our data practices that we have not adequately addressed, you have the right to lodge a complaint with your local data protection authority.

This Privacy Policy represents our commitment to transparency and protecting your privacy. We understand that you entrust us with sensitive information, and we take that responsibility seriously. By implementing strong security measures, respecting your privacy rights, and being transparent about our data practices, we strive to earn and maintain your trust. If you have any questions or concerns about how we handle your information, we encourage you to reach out to us.