Privacy Policy

1. Introduction

This Privacy Policy applies to personal information that Yorph AI collects, uses, shares, and otherwise processes when you:

• Access or use our website available at www.yorph.ai, the Yorph AI blog, or any other website operated or made available by Yorph AI where this Privacy Policy is posted (collectively, the "Website") or interact with the Yorph AI online collaborative community (the "Community");
• Access or use any of the Yorph AI products or any related services or functionality we make available through the Website or Community (collectively, the "Products"); or
• Communicate with us through any written, electronic, or oral communications, including by email, phone, or text message.

For purposes of this Privacy Policy, we refer to our Website, Community, Products, and any other online service we provide that links to this Privacy Policy as the "Services."

This Privacy Policy applies to:

• Visitors to the Website and any individuals who communicate with or receive communications from Yorph AI;
• Registered Users who have registered for a Product or created an account with Yorph AI; and
• Non-registered Users who access, use, or interact with any Yorph AI Products and have not registered.

We refer to Registered Users and Non-registered Users collectively as "Users."

As used in this Privacy Policy, "personal information" means any information that identifies or could be used to identify an individual person. For example, personal information may include name, email address, and phone number. It also includes other non-public information that we associate with such identifying information. Personal information does not include aggregated or anonymized information.

Yorph AI does not intentionally collect or process sensitive personal information, such as social security numbers, genetic data, health information (including any information protected under HIPAA), or religious information, about Users. Users are strictly prohibited from uploading or submitting any protected health information (PHI) or other data subject to HIPAA or similar healthcare privacy laws. Yorph AI is not a "Business Associate" under HIPAA and does not process PHI on behalf of any User.

While we do not proactively monitor uploaded content for PHI, if we become aware that such data has been submitted, we may delete it and, where appropriate, restrict or terminate the associated account.

In providing its Services, Yorph AI processes certain data sets on behalf of its Users. This processing may include personal information contained within those data sets and is performed in accordance with Yorph AI's Terms of Service (and, where applicable, any additional agreements with Users). Yorph AI has no direct relationship with the individuals whose personal information may be included in such data. If you are such an individual and have questions about the processing of your personal information or wish to exercise a privacy right, please contact the Yorph AI User with whom you interact(ed) directly.

2. Information We Collect

The personal information we collect and how we collect it depends on how you use the Services. We collect the following types of personal information, as described below. By default, we prioritize data minimization and do not retain user-submitted files, or outputs persistently unless you explicitly opt in. For example, when you upload data for AI analysis, we process it only for that session unless you choose to opt-in to store this data.

(a) Information You Provide

We collect personal information that you provide directly to us when you access or use the Services or when you interact with us. We collect information that you provide to us in the following ways:

1. Registration information. If you register or create an account with us, Yorph AI collects personal information to set up and manage your account, such as your name, email address, password, and account credentials.
2. Payment and billing information. If you make a purchase using the Services, we collect payment and billing information using third-party payment processors. For more information, please see the Payment Processors section integrated into Sharing and Disclosure below.
3. Files or input data uploaded to the platform. When you upload files, sync datasets or submit input data for processing through our AI Services (e.g., analyzing data), we temporarily process this information to generate outputs. We do not store this data persistently unless you explicitly opt in (see Section 4 for details).
4. Communications and customer support queries. If you contact us, such as by sending an email, contacting customer support, or submitting feedback, we may collect your name, company, job title, email address, phone number, country, the details of your question or request, and any other information you choose to include in your message. We may also collect information you provide if you complete surveys or questionnaires that we make available.
5. Interactions through Discord, social media, and other third-party platforms. If you interact with us through any third-party platforms, such as Slack or GitHub, or through any of our pages or feeds on social media sites or platforms, such as Facebook or LinkedIn, we may collect information such as your name, username, demographic information, contact information such as email address, location, and publicly-posted data such as your social media activity.

You may choose not to provide personal information directly to us or to not use the Services. However, some personal information is necessary so that we can provide you with the Services you have requested. Failure to provide this information may prevent us from providing you with access to our Services.

(b) Information We Collect Automatically

When you access or use the Services, we or our third-party agents or service providers automatically collect information about the device you use to access the Services and your activity when you use the Services. Depending on your activity, the information may include:

1. Device information: We collect certain information about your device, such as browser type and version, operating system, IP address, time zone, unique device identifiers, and approximate location (as determined through your IP address).
2. Usage statistics and event logs: This may include features that you use, clickstream data, access dates and times, and how you interact with the Services (e.g., which prompts you submit). When you visit the Website, this information may also include referring/exit pages and URLs, how you interact with links on the Website, landing pages, and pages viewed. We also may collect the date and time you open an email communication from us or click on any links in an email and we or our service provider may associate this information with the email address we already have for you.
3. Cookies and other tracking technologies: We and our third-party service providers or agents may collect information using one or more Cookies or similar technologies such as pixels or locally stored objects (collectively "Cookies"). Cookies may collect information such as your IP address, unique device identifiers, your browser settings, and information about how you use the Services (e.g., the pages you view, the links you click). Please refer to Section 8 below for more information about our use of Cookies and your choices related to Cookies.

(c) Data from Integrations

We may collect data from third-party integrations, such as Fastn, based on your configuration and authorization. Use of such integrations is subject to their respective terms and privacy policies. We do not control or assume responsibility for the data practices of these third parties. For example, if you connect Fastn to extract data for AI processing, we only access what you authorize.

3. How We Use Your Information

We use the personal information we collect in the following ways, always in accordance with data minimization principles and applicable laws. Each use is tied to a legal basis where required (see Section 16 for EEA/UK details):

• To provide and maintain the Services, including processing your inputs to generate AI outputs (e.g., analyzing a prompt to create a response; legal basis: contract performance).
• To authenticate and manage your account (legal basis: contract performance).
• To process transactions and manage payments through our Payment Processor (Square).
• To respond to customer support requests and communicate with you (legal basis: contract performance or legitimate interest).
• To improve service performance and user experience, such as by analyzing anonymized usage patterns (legal basis: legitimate interest).
• To ensure security and prevent abuse, fraud, or unauthorized access (legal basis: legitimate interest or legal obligation).
• To conduct analytics related to the Services, such as to understand how they are being used and where improvements may be needed (legal basis: legitimate interest).
• To personalize and improve user experience with the Services (legal basis: legitimate interest or consent).
• To update, improve, and/or enhance the Services, and develop new features, functionality, Products, and Services, using anonymized and aggregated usage data only. We do not use your identifiable Customer Data (including prompts, files, or outputs) to train or fine-tune our AI models. (Legal basis: legitimate interest.)
• To send you newsletters and promotional and marketing communications that may be of interest to you (with opt-out options; legal basis: consent).
• To conduct and administer promotions, sweepstakes, or contests if you have chosen to participate, in accordance with the terms of the promotion (legal basis: consent).
• To display personalized advertisements to you regarding the Services (legal basis: consent or legitimate interest).
• To better understand your personal preferences and to enable us to provide you with improved and personalized communications and services (legal basis: legitimate interest).
• To compile aggregate data, such as about traffic and interaction with or on the Services (legal basis: legitimate interest).
• To tailor the content and advertising we display to you or others, on our Services or elsewhere, and to analyze trends and statistics (legal basis: legitimate interest).
• To provide transactional updates about our Services (legal basis: contract performance).
• To enforce our Terms of Service, resolve disputes or otherwise to carry out our obligations and enforce our rights, and to protect our business interest and rights of third parties (legal basis: legitimate interest or legal obligation).
• To audit our compliance with legal and contractual requirements and internal policies (legal basis: legal obligation).
• To comply with legal and contractual obligations and requirements, law enforcement requests, and legal process (legal basis: legal obligation).
• For our business transfers (legal basis: legitimate interest).
• To keep you updated about changes to policies related to our Services (including this Privacy Policy) (legal basis: legitimate interest).
• For any other purpose with your consent (legal basis: consent).

We may combine any of the information that we collect from you with other information, including information that we obtain from third parties, or with information derived from any other products or services we provide. We will use this information for the purposes described in this Privacy Policy. For AI-specific uses, such as generating responses to your prompts, we process data transiently and do not retain it without your opt-in consent. For example, your prompt flows through our AI pipeline: input is encrypted, processed in-memory for output generation, and deleted immediately after unless opted in.

4. Data Storage and Retention

We are committed to data minimization and retention only as necessary. Retention periods vary by data type to meet legal and business needs:

(a) No Persistent Storage by Default

• We do not store files, input data or output data unless you explicitly opt in.
• Data is processed in-memory or temporarily cached for the duration of your session only (stored during the session or till the pipeline finishes running), and automatically deleted thereafter.

(b) Optional Temporary File Use

• If you opt in (e.g., for session persistence or repeat access), files or session data are securely stored for up to 30 days.
• You can opt out anytime via changing settings and then your data will be removed after the session.

(c) Anonymized Metadata

• We use anonymized usage data (e.g., aggregate statistics) to improve performance and Services. This does not include personal information and is retained indefinitely in aggregated form for trend analysis.

Other retention examples:

• Account data (e.g., name, email): Retained for the duration of your relationship with us plus 1 year for backups, unless you request deletion sooner.
• Communication records (e.g., support queries): Retained for 2 years to resolve disputes.
• Audit logs (e.g., access events): Retained for 90 days for security monitoring.
• Payment data: Not stored by us; handled by processors per their policies.

We retain personal information for the purposes stated in this Privacy Policy and as required under applicable law. To determine how long we keep personal information, we consider the amount, nature, and sensitivity of personal information, the reasons for which we collect and process the information, and applicable legal requirements.

5. Model Training and Opt-In

As an AI-focused startup, we prioritize ethical practices and the protection of your data. We do not use your Customer Data—whether personal information (PII) or non-PII, such as prompts, files, or outputs—to train or fine-tune our AI models.

Instead, we improve our platform using a combination of:

• public or licensed datasets;
• synthetic test cases we create ourselves; and
• anonymized, aggregated usage metrics that do not contain Customer Data and cannot reasonably be linked back to an individual or organization.

For example, if we identify that agents frequently struggle with messy nested JSON, we simulate those patterns in synthetic test cases to improve performance, rather than reusing your actual data.

We rely on enterprise-grade model providers and implement robust security policies to ensure your data is never leaked or exposed, whether through API calls, internal tools, or prompt injection. We maintain strict data segregation to protect your information, with additional enterprise-grade security measures, such as isolated processing environments, for enterprise and team plans. Our practices are regularly audited to ensure compliance with applicable laws and to uphold our commitment to data privacy.

6. Sharing and Disclosure

We do not sell your personal information or data to third parties. We transmit, share, grant access, make available, and provide personal information to or with the following types of third parties only as necessary and with appropriate safeguards. For third-party AI integrations (e.g., cloud-based model providers like those from AWS or Google Cloud), we share only minimal, anonymized data under strict contracts requiring GDPR-compliant safeguards; users can opt out of specific integrations via settings.

(a) Other Users of the Services
If you post or share content through the Yorph AI Community, that information is public and will be shared with other Users of the Community. Yorph AI is not a controller of that information once it is shared. We encourage you to be thoughtful as to how you interact with our Community tools, how you interact with others in our Community, and the information you share within the Community forums (for example, through creating a public profile, project contributions, comments, and blog posts).

(b) Service Providers and Third-Party Processors
We share personal information with our third-party vendors, consultants, agents, contractors, and service providers that help us provide our Services or with any of the purposes described in this Privacy Policy. We use trusted third-party processors such as Google Cloud Platform, Supabase, Fastn, Mailchimp, and Square to provide secure infrastructure, integrations, communication services, and payment processing. These providers process data strictly under our instructions and never for independent purposes.

These include trusted service providers such as:

• Hosting service providers,
• Analytics providers,
• Payment processing providers (we do not directly collect or store your payment information; we use third-party, PCI-compliant payment processors to collect and process payments on our behalf. Our payment processors may provide us with limited information to confirm the transaction. Information collected by these third-party payment processors is governed by the applicable third-party payment processor's privacy policy. You should review the applicable privacy policy prior to submitting any information to the applicable third-party payment processors.),
• Advertising and marketing partners (limited to aggregated data),
• Providers of business operations and communication tools, such as email and messaging software providers,
• Customer relationship management and customer support service providers,
• Other third-party service providers that help us provide features and functions for the Services (including AI vendors for model development, but only using aggregated, non-identifiable data that cannot reasonably be linked back to you or your organization); and
• Professional advisors, agents, and service providers, such as auditors, lawyers, consultants, accountants, and insurers.

(c) Yorph AI Partners
From time to time, we may work with other businesses to sponsor or host conferences or webinars, market related services, promote joint ventures, or other similar collaborations. We might share personal information, such as your name and email address, with our partners in these situations, but only with your consent or as necessary for the collaboration.

(d) Sweepstakes, Contests, and Other Promotional Activities
If you participate in a promotion, sweepstakes, or contest (collectively, "Promotion"), we may disclose your personal information to any third parties affiliated with the Promotion or to the public in connection with conducting and administering the Promotion. For example, we may share personal information to select a winner, provide a prize, as required by applicable law (such as publishing a list of winners), or as permitted by the applicable terms and conditions or official rules of the Promotion.

(e) Legal, Compliance, and Regulatory Purposes
We may share personal information if we believe that it is necessary to:

• Comply with a law, regulation, legal process, or legitimate governmental request;
• Protect the safety or security of the Services, Users of the Services, or any person;
• Investigate, prevent, or take action regarding illegal or suspected illegal activities;
• Prevent spam, abuse, fraud, or other malicious activity of actors using or accessing the Services; or
• Protect our rights or property or the rights or property of those who use the Services, including sharing with authorities if required by law.

Non-public information about our Users will not be released to law enforcement except in response to an appropriate legal process such as a subpoena, court order, or other valid legal process that has been reviewed by Yorph AI. However, if we receive information that provides us with a good faith belief that there is an exigent emergency, we may provide information to law enforcement trying to prevent or mitigate the danger, to be determined on a case-by-case basis.

(f) Business Transfers
We may share personal information with third parties we choose to acquire or with buyers, successors, or others in connection with a merger, acquisition, divestiture, restructuring, reorganization, financing due diligence, initial public offering, dissolution, or other sale or transfer of some or all of our assets or transition of service to another provider, whether as a going concern or as part of bankruptcy, receivership, liquidation, or similar proceeding, as permitted by law and/or contract. We will provide notice to users where feasible.

(g) With Your Consent
There may be situations where you are asked to consent to share personal information with third parties for additional reasons not included in this Privacy Policy.

(h) Third-Party Links and Social Media Plugins
We may provide links to other websites or resources with which we do not have a contractual relationship and over which we do not have control ("External Websites"). Such links are not paid advertisements, nor do they constitute an endorsement by Yorph AI of those External Websites and are provided to you only as a convenience. By clicking on links to the External Websites, the operators of the External Websites may collect personal information. We are not responsible for the content or data collection practices of those External Websites, and your use of External Websites is subject to their respective terms of use and privacy policies. We encourage you to carefully read the privacy policy of any website you visit.

The Services may offer Social Media Platform sharing features and other integrated tools that enable you to share or view certain content via social media sites (such as the X "Follow" button). These features may function as cookies or web beacons when you interact with them and collect information such as information about your device or your interactions with the Services, such as what you're viewing through the Services. If you are logged in to your account with the third party, the third party may be able to link information about your interactions with the Services to your account with them. Please refer to each third party's privacy policies to learn more about its data practices.

7. Your Rights and Choices

We respect your privacy rights and provide controls where possible. Depending on your location and applicable laws (e.g., CCPA for California residents, GDPR for EEA residents), you may have the right to:

• Access or download your data (e.g., a copy of your account info and processing logs);
• Correct or update personal data (e.g., edit your profile via settings);
• Request deletion of your account and data (including a "right to be forgotten" where applicable; we delete within 30 days unless legally required to retain);
• Opt out of certain processing, such as marketing communications or opt out of storing data;
• Request data portability (receiving your data in a common format like CSV/JSON);
• Withdraw consent (where processing is based on consent; e.g., for storing data opt-out);
• Rights related to automated decision-making and profiling (e.g., requesting human review of AI decisions; see Section 14 for details); and
• For U.S. residents: Opt-out of the sale or sharing of personal information (we do not sell or share personal information for cross-context behavioral advertising). For Nevada residents, we do not sell covered information; submit opt-out requests to privacy@yorph.ai with 'Nevada Privacy Request' in the subject line. For California "Shine the Light," we do not share for third-party direct marketing.

(a) Marketing Preferences

To stop receiving, or opt-out of, promotional email communications from Yorph AI, click on the "unsubscribe" link or follow the relevant opt-out instructions within the marketing communication. If you opt-out, we will still send you transactional emails for service purposes, such as for responses to your requests or communications about your account.

(b) Third-Party Advertising and Analytics

Yorph AI works with third-party network advertisers, ad agencies, and other advertising partners to serve Yorph AI ads online. We may use information we have learned about you to target ads to you and to allow third parties to target ads to you. We also use third-party analytics providers to provide us with information regarding the use of the Services and the effectiveness of our advertisements. For more information about the tracking technologies that these third parties use and your options, please see Section 8 below.

(c) AI-Specific Choices

Opt out of using temporary storage via [e.g., Under settings under "Data Storage"].

We do not discriminate against users for exercising their rights (e.g., no denial of services). If you are in the EEA/UK/Switzerland, you can also lodge a complaint with your local data protection authority.

8. Cookies, Tracking, and Technologies

This Website uses Trackers, including Cookies and similar technologies, to enhance your experience and analyze usage. Trackers are technologies such as Cookies, web beacons, pixel tags, or locally stored objects that collect information about your interactions with our Services. We use these technologies to maintain session integrity (e.g., keeping you logged in during a prompt session), understand usage trends (e.g., popular features), and improve our Services (e.g., fixing bugs based on error logs). You may disable Cookies via your browser settings, but some functionality may be affected (e.g., session persistence).

(a) What Are Cookies and Trackers?

Cookies are small data files placed on your device by us or third parties when you visit a website or use our Services. Trackers also include:

• Web Beacons: Tiny graphics with unique identifiers placed on a website or in an email to gather interaction data.
• Local or Web Storage: Storage areas on your browser or device, including browser cache.
• Embedded Scripts: Programming code that collects interaction data, active only while connected to the Services.

For more information about Cookies, visit www.allaboutcookies.org.

(b) Types of Cookies

Trackers are categorized by their duration and origin:

• Persistent Cookies: Remain in your browser to recognize you on return visits.
• Session Cookies: Temporary, deleted when you close your browser.
• First-Party Cookies: Set by Yorph AI or at our request.
• Third-Party Cookies: Set by third parties, such as analytics or advertising providers.

(c) What Types of Information Do Trackers Collect?

Trackers may collect information such as:

• Pages viewed, buttons clicked, visit times, and time spent on the Services;
• IP address, unique device identifiers (e.g., UUID), browser type, operating system, and device settings;
• For AI personalization, interactions to improve recommendations (e.g., suggesting relevant prompts).

(d) How Do We Use Trackers?

We use Trackers for the following purposes, aligned with applicable legal bases (e.g., consent or legitimate interest):

• Strictly Necessary Cookies: Essential for the Services to function (e.g., authentication, fraud prevention; cannot be disabled). Legal basis: Contract performance.
• Functional Cookies: Remember preferences (e.g., language, customizations) to enhance your experience. Disabling these may reduce functionality. Legal basis: Legitimate interest or consent.
• Performance or Analytics Cookies: Understand how our Services are used (e.g., track visitor numbers, identify performance issues) using tools like Google Analytics. Data is sent to analytics services. Legal basis: Legitimate interest or consent.
• Advertising Cookies: Deliver relevant ads, limit their frequency, and measure campaign effectiveness (e.g., track ad interactions). Legal basis: Consent.

Specific Tracker: Google Analytics (Google LLC) This Website uses Google Analytics, a web analytics service provided by Google LLC, to collect and analyze Usage Data (e.g., number of Users, session statistics, approximate geolocation via IP address) and Trackers. Google Analytics helps us understand how our Services are accessed and used to improve performance. The data collected is processed in accordance with Google's Privacy Policy (available at https://policies.google.com/privacy). You can opt out of Google Analytics tracking by installing the browser add-on at https://tools.google.com/dlpage/gaoptout. Legal basis: Consent or legitimate interest (balanced against your rights).

(e) How to Manage or Delete Trackers

You can control Trackers through the following methods:

• Browser Settings: Adjust your browser to accept, reject, or alert you to Cookies (instructions in browser help). Note that this does not remove existing persistent Cookies.
• Preferences Tools:
  • Google Analytics opt-out: https://tools.google.com/dlpage/gaoptout.
  • Digital Advertising Alliance (DAA): http://optout.aboutads.info.
  • Network Advertising Initiative (NAI): http://optout.networkadvertising.org.
• Web Beacons: Disable remote images in your email client or avoid clicking links in emails to limit tracking.
• Cookie Consent Management: Upon visiting our Website, you may interact with our cookie banner to accept or reject non-essential Trackers. You can revisit your preferences at any time via https://yorph.ai/cookie-policy.
• Mobile Devices: Manage app permissions through your device settings.

Disabling Cookies may impact functionality, such as session persistence or personalized features. Opting out of advertising Trackers will not block all ads, but you will receive generic advertisements. For further details, visit www.allaboutcookies.org.

The Services do not alter their behavior in response to "Do Not Track" signals due to the lack of industry consensus on their meaning, except where required by law.

9. Security Measures

At Yorph AI, we take our responsibility to protect the security and privacy of personal information seriously. We have implemented reasonable and appropriate technical and organizational measures designed to prevent personal information from being lost, used, accessed, altered, or disclosed in an unauthorized or unlawful way. These measures include, as applicable:

• Encryption in transit using modern TLS protocols;
• Encryption at rest for Customer Data stored in our hosting and storage providers;
• Access controls, including role-based permissions for internal tools;
• Environment and tenant isolation to separate customer workloads;
• Logging and monitoring of access and system events; and
• Regular internal reviews of our security posture and configurations.

However, no method of transmission over the Internet or method of electronic storage can be guaranteed to be 100% secure. While we work hard to protect your personal information, we cannot and do not guarantee absolute security. By using the Services, you understand and assume the risks associated with your activities on the Internet. In the event of a data incident, we will notify affected users and regulators as required by law (e.g., within 72 hours under GDPR). If you have reason to believe that your information is no longer secure, please let us know by contacting us using the methods provided in the "Contact Us" section below.

10. Children's Privacy

Our Services are intended for use only by individuals who are at least 18 years old, or the age of legal majority in their jurisdiction. Yorph AI does not knowingly collect personal information from anyone under the age of 18. If you learn or believe that an individual under the age of 18 has provided us with personal information, please contact us using the methods provided in the "Contact Us" section below. We will promptly delete such information and, if applicable, terminate the associated account.

11. International Data Transfers

The personal information that we collect or receive may be transferred to and processed in countries located outside of your country of residence, such as the United States or other jurisdictions where our servers and service providers operate (e.g., for AI processing in EU or US cloud regions). The data protection laws of the countries where personal information is processed may not be as comprehensive as or equivalent to those in your country of residence.

To protect data during transfers, we rely on:

• Adequacy decisions (e.g., for transfers to the UK or EEA countries recognized as adequate by the European Commission).
• Standard Contractual Clauses (SCCs) approved by the European Commission for transfers to non-adequate countries like the US (e.g., our DPAs with providers incorporate the 2021 SCCs with supplementary measures like encryption and audits).
• Other mechanisms, such as Binding Corporate Rules for intra-group transfers or approved codes of conduct.

Where we rely on Standard Contractual Clauses, we also implement supplementary measures such as encryption and access controls to help protect personal information.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. Material changes (e.g., new processing purposes, major rights impacts, or AI feature additions affecting data use) will receive advance notice. Non-material changes (e.g., minor clarifications) are effective immediately upon posting. When we update this Privacy Policy, we will revise the "Effective Date" at the top of this Privacy Policy and post a link to the updated Privacy Policy on our Website. Changes to this Privacy Policy are effective when they are posted. Please review this Privacy Policy periodically to ensure you are aware of any such changes. Your continued use of the Services after the effective date of changes constitutes your agreement to the new terms. For disputes on changes, see Section 13.

13. Contact Information

If you have any questions about this Privacy Policy or our privacy practices, including exercising your rights, please contact us:

• By email at privacy@yorph.ai (include "Privacy Request" in subject); or
• By postal mail at this address:
  • Yorph AI Inc - 14205 N Mo Pac Expy Ste 570 PMB 447850 Austin, TX 78628-6529, US

If required (e.g., under GDPR), contact our Data Protection Officer at the above email. For complaints or rights requests, provide sufficient details (e.g., account email) for verification. We aim to respond within 30 days.

Dispute Resolution: For privacy disputes, first contact us for resolution. If unsatisfied, escalate via our internal review process (response within 14 days). For EEA/UK users, contact your local authority (e.g., DPC in Ireland). US users may pursue arbitration under AAA rules or small claims court. We do not use automated decisions in disputes.

14. Additional AI-Specific Disclosures

As an AI startup, we are committed to ethical AI practices and transparency. Our AI platform processes user inputs (e.g., prompts for generation or analysis) transiently to provide services, but we do not use identifiable personal data for training (see Section 5). Anonymized or aggregated data may be used to improve the system for better accuracy and to reduce biases—e.g., "We may use de-identified interaction logs to improve response relevance."

15. U.S. State-Specific Notices

California Residents (CCPA/CPRA)
Under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), California residents have additional rights, including to know categories of personal information collected, sold/shared (we do not sell or share for cross-context advertising), and disclosed; request deletion; and opt out of sales/sharing (not applicable here). We do not sell personal information. To exercise rights, use the contact methods above; we will verify and respond free of charge twice per year.

16. Notice to European and Non-U.S. Residents

This notice supplements the information provided in this Privacy Policy and applies only to individuals located in the EEA, UK, Switzerland, or another country with a comprehensive data protection law who are within the scope of this Privacy Policy.

For the purposes of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and relevant local data protection laws, Yorph AI is (a) the data controller of personal information about Users and (b) the data processor of personal information processed on behalf of Users in User data sets. "Personal information" as used in this Notice means "personal data," as defined in Article 4(1) of the GDPR or the relevant section of the local data protection laws. If you have any questions about how we process your personal data, or to exercise your data protection rights, please contact us using the methods provided in the "Contact Us" section above.

(a) Legal Basis for Processing

Yorph AI processes personal information where there is a legal ground to do so, as described below. The applicable legal ground depends on the Services you use and how you use them (mapped to purposes in Section 3).

Performance of a Contract. We process personal data for the performance of our Services under the terms of our agreement with you in the Terms of Service or applicable agreement. This includes, for example, using personal data to:

• Create and manage your account;
• Facilitate your use of the Services (e.g., processing prompts);
• Complete and process purchases you make, including processing payments;
• Maintain our Services in accordance with this Privacy Policy and the applicable Terms of Service;
• Provide customer support;
• Respond to your inquiries and requests, or otherwise communicate with you, and provide you with assistance related to the Services.

Legitimate Interest. We process personal data when Yorph AI has a legitimate interest to do so (balanced against your rights via Legitimate Interests Assessments). This includes, for example, processing personal data to:

• Provide you with customer service or technical support;
• Debug, update, and improve the Services (e.g., anonymized analytics);
• Personalize your experience using the Services (e.g., usage trends);
• Send you marketing communications in accordance with your applicable marketing preferences (where not requiring consent);
• Prevent or detect fraud on the Services;
• Conduct analytics regarding the Services;
• Engage in targeted advertising (limited); and
• Establish, exercise, or defend legal claims or in connection with any court or jurisdiction. You may request more information regarding our processing activities based on legitimate interest (including our balancing test) by contacting us with your request and confirmation that you are located in the EEA, United Kingdom, or Switzerland using the methods provided in the "Contact Us" section above.

Legal Obligation. We process personal information for compliance with any legal obligation to which Yorph AI is subject (e.g., responding to subpoenas).

Consent. We process personal information based on your explicit consent only in specific, limited cases. This includes, for example:

• Optional temporary storage of files, prompts, or session data for up to 30 days (beyond default transient session processing) to enable features like session persistence or repeat access to outputs—you can opt out or request deletion at any time via account settings, and any stored data will be deleted within 30 days (or sooner upon request);
• Sending marketing communications, such as newsletters or promotional offers, about our Services or other products we think might interest you;
• Conducting surveys to gather feedback on our Services. We do not use your personal data for AI model training or improvement (see Section 5 for details on our synthetic/anonymized approach), and we do not store payment information (handled exclusively by Square). Where Yorph AI relies on your consent as the lawful basis for processing personal data, you have the right to withdraw your consent to further use of your personal data at any time. You can use the methods described in Section 7 to withdraw your consent (e.g., via account settings for data storage opt-out or unsubscribe links for marketing). Withdrawing consent will not affect the lawfulness of processing before withdrawal or processing based on other grounds, such as core account data (e.g., name, email) retained for contract performance or transient session data processed for service delivery. Withdrawn consent will trigger deletion of any related opted-in data (e.g., temporary stored files) within 30 days, subject to legal retention requirements.

(b) Your Data Rights

Under the GDPR and relevant local data protection laws, you have certain rights regarding your personal data, including those listed in Section 7. These rights are subject to certain limitations and exemptions under law (e.g., for legal obligations).

(c) Exercising Your Rights

For each of the rights described above, and for any complaints you may have, please contact us. We respond to all requests we receive from individuals wishing to exercise their data rights in accordance with applicable data protection laws. We may need to request specific information from you to help us confirm your identity before we can respond to your request. This is a security measure to help ensure that personal data is not disclosed to any person who has no right to receive it.

If you are located in the EEA, the United Kingdom, or Switzerland, you have the right to make a complaint at any time to the supervisory authority for data protection issues in your country of residence (e.g., the Irish Data Protection Commission for EU matters). We would appreciate the chance to deal with your concerns before you approach the supervisory authority, so please contact us first using the methods provided in the "Contact Us" section above.