Privacy Policy

Last Updated: January 26, 2025

This Privacy Policy describes how YOTAKO S.A. ("we," "us," or "our") collects, uses, and protects your personal data when you use WPMaven ("the Service"). This policy complies with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

1. Data Controller

2. Personal Data We Collect

2.1 Information You Provide Directly

Account Information

• Identity Data: Name, email address, username
• Contact Data: Email address, phone number (optional)
• Billing Data: Billing address, payment information (processed by third-party payment processors)
• Authentication Data: Password (hashed), authentication tokens

Usage Data

• Prompts and Requests: Text prompts you submit to the AI assistant
• Generated Content: Content created by the Service in response to your prompts
• WordPress Site Data: Site URL, WordPress version, theme and plugin information
• Settings and Preferences: Your configuration choices and customizations

2.2 Information Collected Automatically

Technical Data

• Device Information: Browser type, operating system, device identifiers
• Log Data: IP address, access times, pages viewed, actions taken
• Performance Data: Error logs, crash reports, performance metrics
• Cookies and Tracking: See Section 7 for details

Analytics Data

• Usage Statistics: Features used, frequency of use, session duration
• AI Interaction Data: Number of requests, credit consumption, response times
• Site Health Data: Performance metrics, security scan results (from your WordPress site)

2.3 Information from Third Parties

• Authentication Providers: If you sign in with Google, GitHub, or Microsoft, we receive basic profile information (name, email)
• Payment Processors: Transaction confirmations and payment status from Stripe, PayPal
• WordPress.org: Plugin and theme information from public repositories

3. How We Use Your Personal Data

We process your personal data for the following purposes, based on the legal grounds indicated:

Purpose	Legal Basis (GDPR)
Provide and maintain the Service	Contract Performance (Art. 6(1)(b))
Process AI requests and generate responses	Contract Performance (Art. 6(1)(b))
Process payments and billing	Contract Performance (Art. 6(1)(b))
Send service updates and notifications	Contract Performance (Art. 6(1)(b))
Provide customer support	Contract Performance (Art. 6(1)(b))
Improve and optimize the Service	Legitimate Interest (Art. 6(1)(f))
Train and improve AI models	Legitimate Interest (Art. 6(1)(f))*
Detect and prevent fraud and abuse	Legitimate Interest (Art. 6(1)(f))
Ensure security and prevent threats	Legitimate Interest (Art. 6(1)(f))
Comply with legal obligations	Legal Obligation (Art. 6(1)(c))
Send marketing communications	Consent (Art. 6(1)(a))**

* We use anonymized, aggregated data only. You can opt out in Settings.
** You can withdraw consent at any time by clicking "unsubscribe" in emails or updating preferences.

4. Data Sharing and Disclosure

4.1 Service Providers

We share data with trusted third-party service providers who process data on our behalf:

Provider	Purpose	Data Shared	Location
Amazon Web Services (AWS)	Cloud hosting	All service data	EU (Frankfurt)
Stripe	Payment processing	Payment information	Global (GDPR compliant)
SendGrid	Email delivery	Email, name	EU & US (Privacy Shield)
OpenAI	AI model processing	Prompts (anonymized)	US (DPA in place)
Anthropic	AI model processing	Prompts (anonymized)	US (DPA in place)
Google (Gemini)	AI model processing	Prompts (anonymized)	US (DPA in place)

All service providers are contractually bound to:

• Process data only as instructed by us
• Implement appropriate security measures
• Comply with GDPR and data protection laws
• Not use data for their own purposes

4.2 Business Transfers

If we are involved in a merger, acquisition, or sale of assets, your personal data may be transferred. We will notify you before your data is transferred and becomes subject to a different privacy policy.

4.3 Legal Requirements

We may disclose your data if required by law, court order, or governmental authority, or to:

• Comply with legal obligations
• Protect our rights, property, or safety
• Prevent fraud or abuse
• Respond to emergencies involving danger to persons

4.4 Aggregated and Anonymized Data

We may share aggregated, anonymized data that cannot identify you with:

• Research partners (for AI improvement)
• Business partners (for analytics)
• The public (in reports or blog posts)

5. International Data Transfers

Your data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States.

5.1 Transfer Mechanisms

For transfers outside the EEA, we use:

• Standard Contractual Clauses (SCCs): EU Commission-approved contracts ensuring GDPR compliance
• Data Processing Agreements (DPAs): Contractual guarantees with all processors
• Adequacy Decisions: Transfers to countries recognized by the EU as having adequate protection

5.2 AI Model Processing

6. Data Retention

We retain your personal data only as long as necessary for the purposes described in this policy:

Data Type	Retention Period
Account information	Duration of account + 90 days after closure
Prompts and generated content	Duration of account + 30 days after closure
Billing records	7 years (legal requirement)
Usage logs	12 months
Support communications	3 years
Marketing consent records	Duration of consent + 3 years
Anonymized analytics	Indefinitely (cannot identify individuals)

6.1 Early Deletion

You can request early deletion of your data at any time (see Section 9).

7. Cookies and Tracking Technologies

7.1 Types of Cookies We Use

Cookie Type	Purpose	Duration
Essential Cookies	Authentication, security, core functionality	Session / 1 year
Functional Cookies	Remember preferences, settings	1 year
Analytics Cookies	Usage statistics, performance monitoring	2 years
Marketing Cookies	Track campaign effectiveness (with consent)	1 year

7.2 Managing Cookies

You can control cookies through:

• Cookie Preferences: Available in Settings → Privacy
• Browser Settings: Most browsers allow you to refuse or delete cookies
• Opt-out Tools: NAI opt-out, Google Analytics opt-out browser add-on

Note: Disabling essential cookies may affect Service functionality.

8. Data Security

We implement industry-standard security measures to protect your personal data:

8.1 Technical Measures

• Encryption: TLS 1.3 for data in transit, AES-256 for data at rest
• Access Controls: Role-based access, multi-factor authentication
• Infrastructure Security: Firewalls, intrusion detection, regular security audits
• Secure Development: Code reviews, security testing, vulnerability scanning
• Data Isolation: Customer data is logically separated

8.2 Organizational Measures

• Employee Training: Regular security and privacy training
• Access Limitation: Data access on a need-to-know basis
• Confidentiality Agreements: All employees sign NDAs
• Incident Response: Documented procedures for data breaches
• Regular Audits: Annual third-party security assessments

8.3 Data Breach Notification

In the event of a data breach affecting your personal data, we will:

• Notify you within 72 hours of discovering the breach
• Notify relevant supervisory authorities as required by law
• Provide details of the breach, affected data, and remediation steps
• Offer assistance and guidance to mitigate potential harm

9. Your Rights Under GDPR

As a data subject in the European Economic Area, you have the following rights:

9.1 Right of Access (Art. 15 GDPR)

You can request:

• Confirmation of whether we process your personal data
• A copy of your personal data
• Information about how we use your data

How to exercise: Settings → Privacy → Download My Data, or email privacy@yotako.io

9.2 Right to Rectification (Art. 16 GDPR)

You can request correction of inaccurate or incomplete data.

How to exercise: Update in Settings → Account, or email privacy@yotako.io

9.3 Right to Erasure / "Right to be Forgotten" (Art. 17 GDPR)

You can request deletion of your personal data in certain circumstances.

How to exercise: Settings → Privacy → Delete Account, or email privacy@yotako.io

Note: We may retain some data if required by law (e.g., billing records).

9.4 Right to Restriction of Processing (Art. 18 GDPR)

You can request that we limit how we use your data.

How to exercise: Email privacy@yotako.io

9.5 Right to Data Portability (Art. 20 GDPR)

You can receive your data in a structured, machine-readable format and transfer it to another service.

How to exercise: Settings → Privacy → Export Data (JSON format)

9.6 Right to Object (Art. 21 GDPR)

You can object to processing based on legitimate interests or for direct marketing.

How to exercise: Settings → Privacy → Marketing Preferences, or email privacy@yotako.io

9.7 Right to Withdraw Consent (Art. 7(3) GDPR)

Where processing is based on consent, you can withdraw it at any time.

How to exercise: Settings → Privacy → Manage Consent, or click "unsubscribe" in emails

9.8 Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority:

• Luxembourg: Commission Nationale pour la Protection des Données (CNPD) - cnpd.public.lu
• Your country: Contact your local data protection authority

9.9 Response Time

We will respond to requests within 30 days. If we need more time, we'll notify you of the extension and reason.

10. Children's Privacy

The Service is not intended for children under 16 years of age. We do not knowingly collect personal data from children. If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately at privacy@yotako.io.

11. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

11.1 Right to Know

You can request information about the personal data we've collected, used, disclosed, or sold in the past 12 months.

11.2 Right to Delete

You can request deletion of your personal data, subject to certain exceptions.

11.3 Right to Opt-Out of Sale

We do not sell your personal data.

11.4 Right to Non-Discrimination

We will not discriminate against you for exercising your CCPA rights.

How to exercise: Email privacy@yotako.io with "CCPA Request" in the subject line.

12. AI-Specific Privacy Considerations

12.1 Prompt Processing

• Prompts are processed to generate AI responses
• We anonymize prompts before sending to AI model providers
• Prompts are not used to train publicly available AI models without your explicit consent
• You can opt out of prompt data usage for improvement in Settings

12.2 Generated Content

• You own content generated by the Service
• Generated content is stored temporarily to provide the Service
• We do not claim ownership or copyright over your generated content
• Similar content may be generated for other users (AI is not deterministic)

12.3 Model Training

• We may use anonymized, aggregated usage data to improve our service
• We do NOT use your specific prompts or content without permission
• You can opt out of data usage for improvement in Settings → Privacy

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes:

• We will notify you via email and/or in-app notification
• We will update the "Last Updated" date at the top
• Changes take effect 30 days after notification
• Continued use after changes constitutes acceptance

We encourage you to review this Privacy Policy periodically.

14. Contact Us

For questions, concerns, or to exercise your privacy rights, contact us:

15. Data Processing Agreement (DPA)

For Enterprise customers requiring a Data Processing Agreement, please contact legal@yotako.io. We provide standard DPAs that include:

• Processing terms compliant with GDPR Article 28
• Standard Contractual Clauses for international transfers
• Security measures and audit rights
• Sub-processor lists and notification procedures