Privacy Policy

Draft. NOT legally reviewed. Do not publish before counsel review.

1. Who we are

youself.io is a SaaS that provides isolated AI assistants in Telegram. This document describes what personal data we collect, why, and what you can do about it.

2. What we collect

• Email — to send the claim link and service messages. Stored as a bcrypt hash for lookup; plaintext is not retained.
• Telegram user ID — after bot activation, to bind the VM to a user.
• Payment metadata — order ID, amount, currency, provider. We never see card details — Paddle handles those.
• Technical data — IP, user-agent (anti-fraud, webhook validation).
• Provider API keys (BYOK) — encrypted with AES-256-GCM. Plaintext is never logged.

3. How we use it

• Deliver the claim link and email reminders.
• Provision and operate your VM.
• Customer support.
• Legal obligations (tax, refunds).

We do not sell your data to third parties.

4. Sharing with third parties

Service	What we share	Why
Paddle (Merchant of Record)	Email, amount, country	Payment processing, taxes
Hetzner Cloud	Hashed order ID	VM provisioning
Resend	Email	Transactional email delivery

5. Retention

• Order metadata: 7 years (tax law).
• Encrypted API keys: until VM deletion.
• Email hash: until your deletion request.
• Logs: 30 days.

6. Your rights (GDPR)

• Access your data.
• Correct it.
• Erasure (“right to be forgotten”), except data we are legally required to retain.
• Export in machine-readable format.

Send requests to privacy@youself.io.

7. DPO contact

privacy@youself.io

8. Changes

We email material changes 30 days before they take effect.