Privacy Policy

1. Company Information

This Privacy Policy applies to yawn.ai ("Company," "we," "our," "us"), a product of The Yawn Company, a Delaware corporation. We are committed to protecting your privacy and being transparent about our data practices. This policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered autonomous operating system for businesses.

2. Information We Collect

We collect several types of information to provide and improve our services:

Account and Profile Data

When you create an account, we collect:

• Email address and display name
• Profile information (bio, avatar)
• Login history and timestamps
• IP addresses and geographic location
• User agent and browser information
• Role and permission settings

Company and Business Data

For businesses using our platform:

• Company name, description, and settings
• GitHub repository URLs and webhook configurations
• GitHub access tokens (encrypted)
• Team member information and roles
• Integration credentials (encrypted)
• Business configuration and preferences

Browser Automation and Recording Data

Our browser agent feature collects:

• Screenshots and screen recordings of automated browser sessions
• Network request and response logs (URLs, headers, timing)
• Browser console output and error messages
• DOM snapshots (page structure)
• User actions and interactions during recording mode
• Execution logs and automation patterns
• Performance metrics (memory usage, CPU utilization)

AI Conversation Data

When you interact with our AI features:

• Chat messages and conversation history
• Holon dialogues and agent interactions
• Questions, answers, and clarifications
• AI-generated plans and recommendations
• Confidence scores and stage progression
• Feedback and rating data

File and Document Data

Files uploaded to our platform:

• File metadata (name, size, type, timestamps)
• Storage URLs and thumbnail URLs
• MIME types and file structures
• Access permissions and sharing settings
• File scanning results (for security)

Usage and Analytics Data

We automatically collect:

• Pages visited and features used
• Click patterns and navigation flows
• Session duration and frequency
• Device information and screen resolution
• Browser type and operating system
• Performance metrics and error logs

Audit and Compliance Logs

For security and compliance purposes:

• Complete audit trail of sensitive operations
• User actions with before/after states
• Administrative changes and permissions grants
• Security events and access attempts
• Data export and deletion requests

Payment Information

We collect billing information including your name and billing address. Payment card data is handled exclusively by Stripe, our PCI DSS compliant payment processor. We never store your full credit card numbers or CVV codes on our servers.

3. AI Services and Data Processing

Our platform uses artificial intelligence services to provide autonomous operations and intelligent automation. We want to be completely transparent about how your data is processed by AI:

AI Service Providers

• Anthropic Claude: Used for agent orchestration, conversation management, and holon system intelligence
• OpenAI GPT-4: Used for browser automation AI actions and natural language processing

AI Training and Your Data

We have opted out of AI training with our providers. Your data, conversations, and content are NOT used to train or improve third-party AI models. Data sent to AI providers is used solely for processing your specific requests and is subject to their respective privacy policies:

• Anthropic Privacy Policy
• OpenAI Privacy Policy

How We Use AI Processing

Data is sent to AI services for:

• Generating responses to your questions and commands
• Creating structured plans from natural language intentions
• Analyzing confidence levels and stage readiness
• Automating browser interactions based on job descriptions
• Extracting actionable items from conversations
• Providing intelligent recommendations and insights

4. Browser Automation and Recording

Our browser agent feature enables autonomous web interactions. During browser automation sessions, we collect:

• Screenshots: Full-page captures at each step of automation
• Screen Recordings: Video recordings of automation sessions (when recording mode is enabled)
• Network Logs: HTTP requests, responses, and timing information
• Console Output: Browser console messages, warnings, and errors
• DOM Snapshots: Page structure and element data
• User Actions: Clicks, typing, scrolling, and navigation during training

Data Retention for Browser Sessions

Browser automation artifacts are retained for 90 days from the session end date. You can delete individual sessions or all browser data at any time through your account settings.

5. Third-Party Services

We integrate with the following third-party services to provide our platform functionality:

6. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to maintain sessions and improve your experience:

Essential Cookies

• Authentication Cookies: Session management and login state (HTTP-only, secure flags in production)
• JWT Tokens: Secure user authentication with automatic expiration
• Demo Session Cookies: For development and testing environments (24-hour expiration)

Managing Cookies

You can configure your browser to refuse cookies or alert you when cookies are being sent. However, some features of our service may not function properly without cookies.

7. How We Use Your Information

We use the collected information for:

• Providing, operating, and maintaining our autonomous operating system
• Processing AI-powered automation and intelligent decision-making
• Managing browser agent sessions and automation workflows
• Processing payments and managing subscriptions
• Sending transactional emails and important service notifications
• Responding to your support requests and communications
• Analyzing usage patterns to improve features and user experience
• Detecting and preventing security threats, fraud, and abuse
• Maintaining audit logs for compliance and security
• Fulfilling legal obligations and enforcing our terms

8. Data Security Measures

We implement comprehensive security measures to protect your information:

Technical Safeguards

• Encryption: Data encrypted at rest and in transit using industry-standard protocols (TLS 1.3)
• Row-Level Security (RLS): Database access controls on every table
• Role-Based Access Control: Three-tier permission system (super_admin, admin, user)
• API Key Hashing: Secure storage of API keys using one-way hashing
• OAuth Token Encryption: Third-party access tokens encrypted in database
• Secure Session Management: HTTP-only cookies with secure flags and SameSite policies

Operational Security

• Comprehensive audit logging of all sensitive operations
• Regular security assessments and vulnerability scanning
• Rate limiting to prevent abuse
• Automated monitoring and alerting
• Incident response procedures

While we implement strong security measures, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security but are committed to protecting your data using industry best practices.

9. Data Retention and Deletion

We retain your personal data only as long as necessary for the purposes outlined in this policy:

Retention Periods

• Account Data: Until account deletion request, then 30-day grace period
• Audit Logs: 7 years (Delaware legal requirement for business records)
• Browser Session Data: 90 days from session completion
• Chat/Conversation Data: Until account deletion
• File Uploads: Until deleted by user or account deletion
• Payment Records: 7 years for tax and compliance purposes
• Backup Data: 30 days in encrypted backups

Account Deletion

You can delete your account at any time through your account settings page. Upon deletion request, we initiate a 30-day grace period during which you can restore your account. After this period, your personal data is permanently deleted, except for audit logs and payment records retained for legal compliance. You can request immediate deletion by contacting privacy@yawn.ai.

10. Your Privacy Rights

Depending on your location, you have the following rights regarding your personal information:

Access and Portability

You have the right to request a copy of your personal data in a structured, machine-readable format (JSON). Contact privacy@yawn.ai to request your data export.

Correction and Update

You can update your profile information, company settings, and preferences directly through your account dashboard at any time.

Deletion

You can delete your account through the settings page. This will permanently remove your personal data after the grace period, subject to legal retention requirements.

Opt-Out Rights

• Marketing Communications: Unsubscribe from any marketing email
• Data Selling: We do not sell your personal information to third parties
• Analytics: Contact us to opt out of usage analytics

Automated Decision-Making

When our AI systems make automated decisions that significantly affect you, you have the right to request human review of those decisions. Contact privacy@yawn.ai for assistance.

11. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

Categories of Personal Information We Collect

• Identifiers (name, email, IP address)
• Commercial information (subscription and payment history)
• Internet or network activity (usage data, browser logs)
• Professional or employment information (company data)
• Audio, visual, or similar information (screenshots, recordings)

Business Purposes for Collection

We collect this information to provide our AI autonomous operating system, process payments, improve our services, ensure security, and comply with legal obligations.

Third Parties We Share With

We share data only with service providers (Stripe, Supabase, Anthropic, OpenAI, Railway, GitHub, Google) necessary to operate our services. We do not sell your personal information.

No Discrimination

We will not discriminate against you for exercising your CCPA rights. You will not receive different pricing or quality of service for making privacy requests.

12. GDPR Rights (European Residents)

If you are located in the European Economic Area (EEA) or United Kingdom, you have rights under the General Data Protection Regulation (GDPR):

Legal Basis for Processing

• Contract Performance: Processing necessary to provide our services
• Consent: For optional features and marketing communications
• Legitimate Interest: For service improvement, security, and fraud prevention
• Legal Obligation: For compliance with applicable laws

International Data Transfers

Your data may be transferred to and processed in the United States. We use Standard Contractual Clauses (SCCs) approved by the European Commission to ensure adequate protection for data transfers.

Right to Lodge a Complaint

You have the right to lodge a complaint with your local data protection authority if you believe we have not complied with applicable data protection laws.

13. Children's Privacy

Our services are not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@yawn.ai. We will promptly delete such information from our records.

14. International Data Transfers

Your information may be transferred to and maintained on servers located in the United States and other countries where data protection laws may differ from those in your jurisdiction. We use Supabase's US region for data storage. When we transfer data internationally, we implement appropriate safeguards including Standard Contractual Clauses and ensure our partners provide adequate data protection.

15. Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of assets, your personal information may be transferred to the acquiring entity. We will notify you via email and/or prominent notice on our website of any such change in ownership or control of your personal information. The acquiring entity will be required to honor this Privacy Policy or provide you with notice of changes.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:

• Posting the updated policy on this page with a new "Last updated" date
• Sending an email notification to active users at least 30 days before changes take effect
• Displaying a prominent notice on our website or dashboard

Your continued use of our services after the effective date of changes constitutes acceptance of the updated Privacy Policy. We encourage you to review this policy periodically.

17. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: