Privacy Policy

Effective Date: February 20, 2026 · Contact: support@yaia.no

1. Introduction

Yaia (“we”, “us”, or “our”) is committed to protecting your privacy and handling your personal data responsibly. This Privacy Policy explains how we collect, use, store, and share personal data when you use the Yaia platform (“Service”), and describes your rights under the General Data Protection Regulation (“GDPR”) and other applicable privacy laws.

Yaia operates as a data processor and data controller depending on the context. When processing your account and billing data, we act as a data controller. When processing visitor data collected through bots deployed by our customers, we act as a data processor on behalf of our customers, who are the data controllers.

2. Data We Collect

2.1 Account and Identity Data

When you register for the Service, we collect:

  • Name and email address
  • Authentication identifiers via Auth0
  • Organization and role information
  • Account preferences and settings

2.2 Usage and Technical Data

As you use the Service, we automatically collect:

  • Log data including IP addresses (stored as hashed values), browser type, and user agent strings
  • Session and interaction data within the dashboard
  • API usage metrics and request logs
  • Performance and error telemetry

2.3 Bot Configuration and Knowledge Data

To provide the core Service functionality, we collect and process:

  • Website content crawled from domains you authorize us to index
  • Documents and files you upload to the platform
  • Bot configuration settings, prompt templates, and guardrail rules
  • Knowledge base content and FAQ entries you create

2.4 Conversation and Lead Data

When visitors interact with bots deployed through the Service, we collect:

  • Chat messages and conversation history
  • Lead information voluntarily provided by visitors (name, email, phone, company)
  • Session metadata including origin URL, timestamp, and device fingerprint
  • User feedback and ratings on bot responses

2.5 Billing Data

Payment processing is handled by Stripe. We store Stripe customer and subscription identifiers but do not store full payment card details. Stripe's privacy policy governs the processing of your payment information.

3. Legal Basis for Processing (GDPR)

We process your personal data on the following legal bases:

  • Contract performance: Processing necessary to provide the Service you have subscribed to, including account management, bot operation, and lead delivery
  • Legitimate interests: Processing for platform security, fraud prevention, abuse detection, service improvement, and aggregated analytics, where these interests are not overridden by your privacy rights
  • Legal obligation: Processing required to comply with applicable laws, including tax and financial record-keeping obligations
  • Consent: Where we rely on consent, such as for certain marketing communications, you may withdraw consent at any time without affecting the lawfulness of prior processing

4. How We Use Your Data

We use the data we collect to:

  • Provide, operate, and maintain the Service
  • Process and deliver AI-generated chat responses on your behalf
  • Capture, qualify, and route leads to your designated destinations
  • Send operational notifications including missed question alerts and improvement suggestions
  • Process billing and manage your subscription
  • Monitor platform security and prevent fraud and abuse
  • Generate aggregated, anonymized analytics and improve the Service
  • Respond to support requests and communicate about the Service
  • Comply with legal obligations

5. Data Sharing and Disclosure

5.1 Service Providers

We share data with trusted third-party service providers who assist us in operating the Service, including:

  • Auth0: Authentication and identity management
  • Supabase / PostgreSQL: Database hosting and storage
  • Stripe: Payment processing
  • AI model providers: For generating chat responses (data is processed subject to their data processing agreements)
  • Cloud infrastructure providers: For hosting and content delivery

All service providers are bound by data processing agreements and are prohibited from using your data for purposes other than providing services to us.

5.2 Agency and White-Label Deployments

If you are an Agency customer deploying the Service for your clients, your clients' visitor and lead data is accessible to you through the dashboard as the data controller for those deployments. We process that data on your behalf as a data processor.

5.3 Legal Requirements

We may disclose personal data if required to do so by law, court order, or governmental authority, or if we believe in good faith that such disclosure is necessary to protect our rights, protect your safety or the safety of others, or investigate fraud.

5.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the successor entity, subject to equivalent privacy protections.

5.5 No Sale of Data

We do not sell, rent, or trade your personal data or your users' personal data to third parties for marketing or commercial purposes.

6. Data Retention

We retain personal data for as long as necessary to provide the Service and fulfill the purposes described in this policy:

  • Account data: Retained for the duration of your subscription plus 90 days following account closure, to allow for reactivation and dispute resolution
  • Conversation and lead data: Retained for the duration of your subscription and deleted within 60 days of account closure, unless you request earlier deletion
  • Billing records: Retained for 7 years to comply with financial record-keeping obligations
  • Audit logs: Retained for 12 months
  • Anonymized analytics: May be retained indefinitely as they do not constitute personal data

7. Data Security

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, disclosure, alteration, and destruction. These measures include:

  • Encryption of data in transit using TLS 1.2 or higher
  • Encryption of sensitive data at rest
  • IP address hashing prior to storage
  • Role-based access controls and tenant data isolation
  • Regular security monitoring and audit logging
  • Multi-tenant architecture with row-level data separation

While we take security seriously, no system is completely secure. In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify you and the relevant supervisory authority as required by applicable law.

8. International Data Transfers

Yaia is based in Norway, which is subject to GDPR as part of the European Economic Area. Some of our service providers may process data outside the EEA. Where we transfer data internationally, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission or adequacy decisions.

9. Your Rights Under GDPR

As a data subject, you have the following rights with respect to your personal data:

  • Right of access: You may request a copy of the personal data we hold about you
  • Right to rectification: You may request correction of inaccurate or incomplete personal data
  • Right to erasure: You may request deletion of your personal data where there is no compelling reason for continued processing
  • Right to restriction: You may request that we restrict processing of your data in certain circumstances
  • Right to data portability: You may request your data in a structured, machine-readable format
  • Right to object: You may object to processing based on legitimate interests or for direct marketing purposes
  • Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time

To exercise any of these rights, please contact us at support@yaia.no. We will respond to your request within 30 days. You also have the right to lodge a complaint with your national data protection supervisory authority.

10. Cookies

We use cookies and similar tracking technologies on our website and within the Service dashboard for authentication session management, security, and analytics purposes. You can control cookie preferences through your browser settings or our cookie consent tool. Disabling certain cookies may affect the functionality of the Service.

11. Children's Privacy

The Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us and we will take steps to delete such information.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. We will notify you of material changes by email or through the dashboard at least 14 days before they take effect. The effective date at the top of this policy will always reflect the most recent version.

13. Contact and Data Protection

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at support@yaia.no.

For GDPR-related matters, you may also contact your local supervisory authority. In Norway, this is Datatilsynet (www.datatilsynet.no).
