Privacy Policy
Effective: 2026-05-06
⚠️ Draft. Do not publish before counsel review and alignment with GDPR / Ukraine’s Personal Data Protection Law.
Privacy contact: privacy@youself.io
1. Who is the controller of your data
youself.io is a SaaS that provides isolated AI agents in Telegram (the “Service”).
This document describes:
- what personal data we collect
- for what purpose and on what legal basis
- how long we store it
- with whom we share it
- what your rights are and how to exercise them
2. Data we process
2.1 Data you provide
- Email — for service messages. Stored as a bcrypt hash for lookup; plaintext is not retained.
- Telegram user ID — after activating @youself_io_bot, to bind the agent to a user.
- Knowledge base content — notes, documents you add to your AI agent’s vault. Encrypted at rest with AES-256-GCM.
- Agent prompts — stored temporarily (up to 30 days) for debugging and fraud prevention.
2.2 Data collected automatically
- Payment metadata — order ID, amount, currency, provider. We never see card details — LiqPay handles those.
- Wallet transactions — top-ups, token spend.
- LLM usage logs — model, token count, cost (for billing).
- Technical data — IP address, user-agent, referrer, browser language. Used for anti-fraud and webhook validation.
- Cookie yio_locale — your selected locale (1 year). Details in our Cookie Policy.
2.3 What we do NOT collect
- Card details (LiqPay handles them directly).
- Biometric data.
- Health data.
- Third-party tracking cookies (no Google Analytics, Facebook Pixel, etc.).
3. Legal basis for processing (GDPR Art. 6)
| Data | Legal basis |
|---|---|
| Email, Telegram ID, agent content | Contract performance (Art. 6(1)(b)) |
| Payment data, wallet | Contract + legal obligation (Art. 6(1)(b), (c)) |
| Technical data, anti-fraud | Legitimate interest (Art. 6(1)(f)) |
| Analytics (Plausible, if enabled) | Consent (Art. 6(1)(a)), revocable |
4. Purposes of processing
- Service delivery (subscription, AI agent, knowledge base)
- Billing (LiqPay charges, token invoices)
- Customer support
- Security (fraud detection, abuse prevention)
- Legal obligations (Ukrainian tax reporting — 7 years)
We do not use your data to train LLM models.
We do not sell data to third parties.
5. Sharing with third parties
The full subprocessor list is on the Subprocessors page. Summary:
| Service | What we share | Jurisdiction | Purpose |
|---|---|---|---|
| LiqPay | Email, amount, country code | Ukraine | Payment processing |
| OpenRouter | Agent prompts (no email/identity) | USA | LLM routing |
| Email provider (Resend or Postmark) | Email + body | EU/US | Transactional email |
| Hosting provider | Logs, infrastructure | DE/EU | Hosting |
All subprocessors have signed a DPA (Data Processing Agreement) or equivalent.
6. International data transfers
Some subprocessors (OpenRouter) are located outside the EU. Transfers happen under:
- Standard Contractual Clauses (SCC) per GDPR Art. 46(2)(c)
- Or Adequacy Decisions of the European Commission, where applicable
7. Retention periods
| Category | Period |
|---|---|
| Email hash | Until your deletion request |
| Knowledge base content | Active subscription + 30-day grace period |
| Payment metadata | 7 years (tax law) |
| LLM usage logs | 90 days (for billing dispute resolution) |
| Technical logs | 30 days |
| Audit log (admin actions) | 1 year |
After these periods, data is fully removed from prod systems. Backups carry stale copies for at most 30 days.
8. Your GDPR rights
You have the right to:
- Access (Art. 15) — receive a copy of all your data
- Rectification (Art. 16) — correct inaccurate data
- Erasure / “right to be forgotten” (Art. 17) — delete data, except what we must retain by law
- Restriction of processing (Art. 18) — ask us to stop certain processing
- Portability (Art. 20) — receive data in a machine-readable format (JSON)
- Object to processing (Art. 21) — when the basis is legitimate interest
- Withdraw consent (Art. 7(3)) — e.g., opt out of analytics
- Lodge a complaint with a supervisory authority — Ukrainian Ombudsperson, or your local EU DPA
To exercise these rights, email privacy@youself.io. We respond within 30 days (GDPR Art. 12(3)).
For details and self-service flows, see GDPR Rights.
9. Security
- Encryption at rest: knowledge base, secrets — AES-256-GCM
- Encryption in transit: TLS 1.3 on all endpoints
- Isolation: every AI agent runs in its own Proxmox VM, no shared storage
- Access to prod data: restricted to a small set of engineers with 2FA; all actions audit-logged
- Backups: daily, encrypted at rest, 30-day retention
- Incidents: we notify you within 72 hours of detection (GDPR Art. 33)
10. Children
The Service is not intended for individuals under 16 (or 14 for Ukraine, GDPR Art. 8). We do not knowingly collect data from minors.
11. Changes to this policy
For material changes we email you 30 days before the effective date. The current version always lives at https://youself.io/privacy.
Change history is in the git repo.
12. Contact
- General privacy: privacy@youself.io
- DPO: privacy@youself.io
- Data deletion: privacy@youself.io with subject “Erasure request”