Effective date: [Launch Date]
Last updated: [Launch Date]
This Privacy Policy explains how yaddayadda.io (the "Service"), operated by [Your Legal Name / Entity] ("we," "us," "our"), collects, uses, stores, and shares your information.
We keep this policy straightforward because we believe you should understand exactly what happens with your data without needing a law degree.
Account information. When you create an account, we collect your email address and display name. If you sign in with Google or GitHub OAuth, we receive your name, email address, and profile picture from those services. We do not receive or store your Google or GitHub password.
Payment information. When you subscribe to a paid plan, your payment details are collected and processed by Stripe. We do not store your credit card number, CVC, or full billing details on our servers. We receive from Stripe: your Stripe customer ID, subscription status, plan tier, and the last four digits of your payment method for display in your account settings.
Generation inputs. When you use the AI generator, we receive the topic, tone preset, template type, and any custom parameters you provide. These inputs are sent to our AI provider to generate your output.
API keys. When you create an API key, we store a hashed version of the key. The plaintext key is shown to you once at creation and is never stored or retrievable by us afterward.
Usage data. We track generation counts per user per day, API request counts per key, template and tone selections, and timestamps. This data is used for rate limiting, billing, and to understand how the Service is used.
Generation history. For Pro subscribers, we store your past generations (topic, tone, template, output preview, and timestamp) to power the history feature. Free tier users' generation content is not stored after the response is delivered.
Analytics data. We use PostHog for product analytics. PostHog collects: pages visited, features used, browser type and version, device type, operating system, approximate location (country/region level, derived from IP address), and referral source. PostHog does not collect your name, email, or any content you generate.
Server logs. Our hosting provider (Vercel) and CDN (Cloudflare) automatically collect IP addresses, request timestamps, URLs accessed, and HTTP headers in server logs. These logs are used for security, debugging, and abuse prevention.
Cookies. We use essential cookies for authentication (keeping you logged in) and a small number of functional cookies for preferences. If ads are displayed (free tier), our ad network may set its own cookies — see Section 5 for details. We do not use tracking cookies for cross-site advertising.
We use the information we collect to:
We do not:
Database. Account data, usage logs, API key hashes, and generation history are stored in Supabase (hosted on AWS infrastructure). All data is encrypted at rest and in transit. Row Level Security (RLS) policies ensure that users can only access their own data.
Caching. Frequently requested generation results are cached in Upstash Redis to improve performance and reduce costs. Cached data contains generated output text keyed by a hash of the request parameters (template, topic, tone). No personal information is included in cache keys or cached values.
Payment data. All payment processing is handled by Stripe. We never store full card numbers or sensitive payment details on our infrastructure. See Stripe's privacy policy at stripe.com/privacy.
API keys. Keys are hashed using a one-way hash before storage. We cannot view or recover your API key after creation.
Security measures. We use HTTPS everywhere, CSRF protection, brute force protection, and Cloudflare's DDoS mitigation. We review our Row Level Security policies regularly and monitor for unauthorized access attempts.
We share your information only with the service providers necessary to operate yaddayadda.io:
| Provider | What they receive | Why |
|---|---|---|
| Supabase | Account data, usage logs, hashed API keys | Database and authentication |
| Stripe | Email, payment details, subscription data | Payment processing |
| Google (Gemini API) | Generation inputs (topic, tone, template) | AI text generation |
| OpenAI | Generated text content (TTS feature only) | Text-to-speech audio |
| Vercel | IP addresses, request data | Hosting and serverless functions |
| Cloudflare | IP addresses, request data | CDN, DNS, and security |
| Upstash | Cached generation output (no personal data) | Redis caching |
| Unkey | API key metadata, usage counts | API key management and rate limiting |
| Resend | Email address | Transactional emails |
| PostHog | Analytics events (anonymized) | Product analytics |
| Google AdSense / Carbon Ads | Page context, IP address (free tier only) | Advertising |
We do not sell or rent your personal information. We may disclose information if required by law, legal process, or government request, or to protect the rights, safety, or property of our users or the public.
| Cookie | Purpose | Duration |
|---|---|---|
| Session / auth cookie | Keeps you logged in | Session / 30 days |
| Preference cookie | Remembers tone preset, dark mode, language | 1 year |
Ad networks (free tier only). If you use the free tier, our ad network (Carbon Ads, BuySellAds, or similar) may set cookies to serve contextual ads and measure ad performance. These are not used for cross-site tracking or behavioral targeting. Pro subscribers see no ads and receive no ad-related cookies.
PostHog analytics. PostHog may set a cookie to distinguish unique visitors. This cookie does not contain personal information and is not shared with third parties.
You can disable or delete cookies through your browser settings. Disabling essential cookies may prevent you from staying logged in. Disabling third-party cookies will block ad-related tracking without affecting core functionality.
Depending on where you live, you may have some or all of the following rights regarding your personal data:
Access. Request a copy of the personal data we hold about you.
Correction. Request that we correct inaccurate or incomplete data.
Deletion. Request that we delete your personal data. You can delete your account at any time, which removes your profile, generation history, and API keys. Some data may be retained in server logs and backups for a limited period as described below.
Data portability. Request your data in a machine-readable format.
Objection. Object to our processing of your data for certain purposes.
Restriction. Request that we limit how we process your data.
Withdraw consent. Where we process data based on your consent, you may withdraw that consent at any time.
To exercise any of these rights, email us at privacy@yaddayadda.io. We will respond within 30 days.
Our legal basis for processing your data is:
You have the right to lodge a complaint with your local data protection authority if you believe we are processing your data unlawfully.
We do not sell your personal information as defined by the CCPA. You have the right to know what personal information we collect and request its deletion. We will not discriminate against you for exercising your rights.
| Data type | Retention period |
|---|---|
| Account information | Until you delete your account |
| Generation history (Pro) | Until you delete your account or individual entries |
| Usage logs and generation counts | 24 months, then aggregated and anonymized |
| API key hashes | Until you revoke the key or delete your account |
| Server logs (Vercel, Cloudflare) | 30–90 days (controlled by the provider) |
| Analytics data (PostHog) | 24 months |
| Payment records (Stripe) | As required by tax and financial regulations (typically 7 years) |
| Cached generation output (Redis) | Variable TTL, typically 24 hours to 7 days |
After you delete your account, we remove your personal data from our active database within 30 days. Data may persist in encrypted backups for up to 90 days before being purged.
The Service is hosted on infrastructure located primarily in the United States (Vercel, Supabase/AWS, Upstash). If you access the Service from outside the US, your data will be transferred to and processed in the US.
For EU/EEA users, these transfers are conducted in accordance with applicable data protection laws, relying on Standard Contractual Clauses or other approved transfer mechanisms where required.
The Service is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, contact us at privacy@yaddayadda.io and we will delete it promptly.
How AI generation works. When you request AI-generated text, your inputs (topic, tone, template type) are sent to Google's Gemini API. The AI processes your request in real time and returns generated text. We do not fine-tune or train AI models on your inputs or outputs.
Text-to-speech. The optional TTS feature on the website sends generated text to OpenAI's text-to-speech API. Audio is generated in real time and streamed to your browser. We do not store the audio.
Caching. Generated outputs may be cached based on a hash of the request parameters. This means if another user sends an identical request (same template, topic, and tone), they may receive the same cached output. No personal information is linked to cached content.
AI provider data policies. Our AI providers have their own data handling policies. We encourage you to review:
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email (if you have an account) or by posting a notice on the Service at least 14 days before the changes take effect.
The "Last updated" date at the top of this page indicates when this policy was most recently revised.
If you have questions about this Privacy Policy or how we handle your data, contact us at:
Email: privacy@yaddayadda.io
For data protection inquiries from the EU/EEA, you may also contact us at the address above.
This Privacy Policy applies to yaddayadda.io and all associated services including the API at api.yaddayadda.io and the MCP server at mcp.yaddayadda.io.