Yenn - Create content that builds audience

Yenn.ai (also known as "Yenn", "we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered content marketing automation platform (the "Service").

Please read this Privacy Policy carefully. By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, you must not use the Service.

Controller Information:

Company Name: Sagecat Consulting LTD
Registered Address: 17 Green Lanes, London, United Kingdom, N16 9BS
Email: info@yenn.ai
Data Protection Officer: For privacy and data protection inquiries, contact info@yenn.ai

Information We Collect

Information We Collect

2.1 Personal Information You Provide

Account Information:

Name
Username (unique identifier)
Email address
Password (hashed with Argon2, never stored in plain text)
Profile picture/avatar (optional)

Brand Voice Data:

Website URLs (your own websites and competitor websites)
Social media profile URLs (LinkedIn, etc.)
News/blog URLs
Sector, location, and tone preferences
Additional brand information and messaging guidelines

Content Data:

Articles, blog posts, and written content
LinkedIn posts and content
Instagram content
Images and videos you upload
Projects and organizational data

Connection Information:

WordPress site credentials (application passwords)
LinkedIn OAuth tokens (encrypted)
Site URLs and connection names

2.2 Information Automatically Collected

Technical Data:

IP address (from server logs)
Browser type and version
Device information (type, operating system)
Time zone and location data (approximate, from IP)
Referring URLs and pages visited

Usage Data:

Total images generated
Total video seconds generated
Content generation history
Credit transactions and usage
Subscription status and billing information
Feature usage patterns
Error logs and performance metrics

Authentication Data:

JWT access tokens (temporary, for session management)
JWT refresh tokens (hashed before storage)
Email verification tokens (hashed before storage)
OAuth tokens (LinkedIn, Google - encrypted)

Tracking Data:

Onboarding email tracking (day 3/5/7/10 sent dates)
Email verification resend count
Last login timestamps
WebSocket connection data (Socket.IO for real-time notifications)

2.3 Information from Third-Party Services

Google OAuth (if you sign in with Google):

Display name
Email address
Google ID
Profile picture URL

LinkedIn OAuth (if you connect LinkedIn):

User ID (sub)
Name (given_name, family_name)
Email address
Profile picture URL
Email verification status

Stripe (payment processing):

Customer ID
Subscription ID
Payment status
Billing information (handled by Stripe, not stored by us)
Note: We do NOT store credit card information; all payment data is handled by Stripe

2.4 Web Scraping Data (CRITICAL DISCLOSURE)

Website Content Scraping:
When you provide website URLs for brand voice analysis, we automatically scrape and analyze:

Full website HTML content
Text content and structure
URL patterns and website structure
SEO metrics, categories, and keywords
Competitor website content (if you provide competitor URLs)

LinkedIn Profile Scraping:
When you provide LinkedIn profile URLs for brand voice analysis, we automatically scrape:

Profile headline
About section
Experience and work history
Skills and endorsements
⚠️ Important: LinkedIn profile scraping may violate LinkedIn's Terms of Service. You use this feature at your own risk.

How Scraping Works:

We use automated tools (Puppeteer) to access and analyze website content
Scraped content is stored in your account for brand voice analysis
Scraped content is used solely to personalize your content generation
We respect robots.txt and implement rate limiting where possible

Your Authorization:

By providing website URLs or LinkedIn profile URLs, you grant us permission to scrape and analyze that content
You represent that you have the authority to authorize scraping of the provided URLs
We are not responsible for violations of third-party website terms of service

How We Use Your Information

How We Use Your Information

3.1 Service Provision

Account Management:

Create and manage your account
Authenticate and authorize access
Process subscription payments
Manage credits and usage tracking

Content Generation:

Generate AI-powered content (blog posts, LinkedIn posts, Instagram content)
Analyze brand voice and personalize content
Generate images and videos using AI
Provide SEO optimization and scoring

Publishing Services:

Publish content to your WordPress sites
Publish content to your LinkedIn account
Manage media uploads and storage

Web Scraping:

Scrape and analyze websites for brand voice analysis
Scrape LinkedIn profiles for brand voice insights
Store scraped content for content personalization

3.2 Communication

Transactional Emails (cannot opt-out):

Email verification
Password reset
Account security notifications
Payment confirmations
Subscription updates

Onboarding Emails (can opt-out):

Welcome email
Day 3, 5, 7, and 10 follow-up emails
Feature tutorials and tips

Marketing Emails (opt-in required):

Product updates and new features
Promotional offers
Newsletter and content
You can opt-out at any time (see Section 11.3)

Service Communications:

Important service updates
Policy changes
Security alerts
Support responses

3.3 Analytics and Improvement

Service Improvement:

Analyze usage patterns to improve the Service
Identify and fix bugs and errors
Optimize performance and reliability
Develop new features and capabilities

AI Model Training:

Our Models: We may use anonymized, aggregated data to improve our internal AI models
Third-Party AI Models: Your prompts and content are sent to third-party AI providers (OpenAI, Google, Leonardo)
- These providers may use your data to train or improve their AI models
- AI provider data usage is governed by their terms of service
- We do not control how AI providers use your data
- See AI provider privacy policies for details:
  - OpenAI: https://openai.com/policies/privacy-policy
  - Google: https://policies.google.com/privacy
  - Leonardo: https://www.leonardo.ai/privacy-policy (or current URL on Leonardo's website)
Your Control: You cannot opt-out of sending data to AI providers (required for Service functionality)
Individual Content: We do NOT use your individual, identifiable content to train our own models without explicit consent

Error Tracking:

Monitor and track errors for debugging
Improve service reliability
Identify security issues

3.4 Legal Compliance

Legal Obligations:

Comply with applicable laws and regulations
Respond to legal process and government requests
Enforce our Terms and Conditions
Protect our rights and property

Fraud Prevention:

Detect and prevent fraud
Verify user identity
Protect against abuse and misuse

International Data Transfers

International Data Transfers

6.1 Transfer Locations

Data Storage:

Primary database: MongoDB hosted on DigitalOcean
Location: United Kingdom or European Union (confirm your droplet region in DigitalOcean control panel)

Third-Party Locations:

Most third-party services are located in the United States:
- OpenAI (United States)
- Google (United States)
- Stripe (United States)
- Cloudinary (United States)
- Resend (United States)
- AppSignal (United States)
- SERP API (United States)
- Leonardo API (United States)

6.2 Transfer Mechanisms (GDPR)

Standard Contractual Clauses (SCCs):

We use Standard Contractual Clauses approved by the European Commission for transfers to countries without adequacy decisions
All data processors are bound by SCCs in our Data Processing Agreements

Adequacy Decisions:

We rely on adequacy decisions where applicable
We continuously monitor adequacy decisions and update our transfer mechanisms as needed

Your Rights:

You have the right to object to international data transfers
Contact us if you have concerns about data transfers

6.3 Safeguards

Security Measures:

Encryption in transit (HTTPS/TLS)
Encryption at rest (where applicable)
Access controls and authentication
Regular security audits

Data Security

Data Security

7.1 Technical Security Measures

Encryption:

Passwords: Hashed with Argon2 (industry-standard hashing)
OAuth tokens: Encrypted in MongoDB
Email verification tokens: Hashed before storage
JWT refresh tokens: Hashed before storage
Data in transit: HTTPS/TLS encryption
⚠️ Note: WordPress application passwords are currently stored as-is (encryption recommended for production)

Access Controls:

Role-based access control (RBAC)
User authentication required for all endpoints
API rate limiting (where implemented)
Secure API key management

Infrastructure Security:

Secure hosting (DigitalOcean)
Regular security updates
Firewall and network security
Monitoring and intrusion detection

7.2 Organizational Security Measures

Employee Access:

Limited access to user data (need-to-know basis)
Employee training on data protection
Confidentiality agreements
Regular security audits

Incident Response:

Security incident response procedures
Regular security assessments
Vulnerability management
Breach notification procedures (see Section 7.4)

7.3 Security Limitations

COMPREHENSIVE SECURITY DISCLAIMERS**:

NO GUARANTEES OF SECURITY:

NO SYSTEM IS 100% SECURE - Despite implementing reasonable security measures, we cannot guarantee absolute security
We make NO WARRANTIES regarding:
- Data security or protection
- Prevention of security breaches
- Prevention of unauthorized access
- Prevention of data loss or corruption
- Security of third-party services
- Security of data in transit or at rest

YOU USE THE SERVICE AT YOUR OWN RISK:

You acknowledge that no system is completely secure
You acknowledge that security breaches may occur despite reasonable security measures
You acknowledge that data may be compromised, lost, or accessed by unauthorized parties
You are SOLELY RESPONSIBLE for maintaining account security

COMPLETE EXCLUSION OF LIABILITY FOR SECURITY BREACHES:

WE ARE NOT LIABLE FOR:

Security breaches or unauthorized access (even despite reasonable security measures)
Data compromises, loss, or corruption due to security breaches
Unauthorized access to your account or data
Third-party security breaches (AI providers, hosting, payment processors)
Any consequences arising from security breaches or unauthorized access
Any losses, damages, or harm resulting from security incidents

YOUR RESPONSIBILITIES:

Use strong, unique passwords
Do not share account credentials
Log out of shared devices
Report suspicious activity immediately
Maintain your own security practices
YOU ARE SOLELY RESPONSIBLE FOR ACCOUNT SECURITY

Your Responsibilities:

Use a strong, unique password
Do not share your account credentials
Log out of shared devices
Report suspicious activity immediately

7.4 Data Backup and Recovery

NO WARRANTIES REGARDING BACKUPS:

We implement data backup procedures, but make NO WARRANTIES regarding:

Backup success or reliability
Backup availability or accessibility
Backup completeness or accuracy
Backup recovery success
Data recovery time or point objectives
Zero data loss in any scenario

COMPLETE DISCLAIMER:

Backups may FAIL or be UNAVAILABLE
Backups may be INCOMPLETE or CORRUPTED
Backup recovery may FAIL or be INCOMPLETE
We cannot guarantee successful data recovery
We cannot guarantee zero data loss

YOUR SOLE RESPONSIBILITY:

YOU ARE SOLELY AND EXCLUSIVELY RESPONSIBLE for:

Maintaining your own backups of ALL important content
Exporting your data regularly (see Section 9.5 - Data Portability)
Ensuring you have copies of all critical data
Recovering your own data in case of loss

COMPLETE EXCLUSION OF LIABILITY FOR DATA LOSS:

WE ARE NOT LIABLE FOR DATA LOSS DUE TO:

Backup failures or unavailability
Backup corruption or incompleteness
Recovery failures or incomplete recovery
System errors or technical issues
Third-party service failures
Force majeure events
Security breaches or unauthorized access
ANY OTHER CAUSE, REGARDLESS OF WHETHER FORESEEABLE

NO REFUNDS FOR DATA LOSS:

We do not provide refunds, credits, or compensation for:

Data loss or corruption
Backup failures
Recovery failures
Any consequences arising from data loss

7.5 Data Breach Notification

Our Commitment:

We will notify you of data breaches that affect your personal information
Notification will be sent to your registered email address
Notification will be sent within 72 hours (as required by GDPR) or as soon as reasonably possible

What We Will Notify You About:

The nature of the breach
The data affected
Steps we are taking to address the breach
Steps you should take to protect yourself
Contact information for questions

Regulatory Notification:

We will notify relevant data protection authorities as required by law
GDPR: Within 72 hours to supervisory authority
Other jurisdictions: As required by applicable law

No Guarantee:

While we implement security measures, no system is 100% secure
We cannot guarantee prevention of all security breaches
You use the Service at your own risk

Data Retention

Data Retention

8.1 Retention Periods

User Accounts:

Retained until account deletion
After account deletion: Deleted within 30 days (subject to legal requirements)

Content Data:

Articles, posts, images, videos: Retained until account deletion
⚠️ Current Implementation: Account deletion only removes user document; related content is NOT automatically deleted
Required: Cascade deletion of all related data (see Section 8.2)

Brand Voice Data:

Retained until account deletion
Used for content personalization while account is active

Payment Records:

Retained per legal requirements (tax, accounting)
Typically 7 years (varies by jurisdiction)

Logs and Analytics:

Retained for security and legal purposes
Typically 90 days to 1 year (varies by log type)

Web Scraping Data:

Retained in brand voice analysis results
Deleted when account is deleted or brand voice is deleted

OAuth Tokens:

Retained until you disconnect the connection
Deleted immediately upon disconnection

WordPress Credentials:

Retained until you delete the connection
Deleted immediately upon connection deletion

8.2 Account Deletion and Data Deletion

Current Process:

Account deletion currently only removes the user document
Related data (articles, media, projects, connections) is NOT automatically deleted
⚠️ GDPR Risk: This violates the right to erasure

Required Process (to be implemented):
When you delete your account, we will delete:

User account and profile data
All articles and blog posts
All media files (from database and Cloudinary)
All projects
All WordPress connections
All LinkedIn connections
All brand voice data and analysis
All generation jobs
All content generation history
All usage metrics

Retention Exceptions:
We may retain certain data if required by:

Legal obligations (tax records, legal proceedings)
Legitimate business interests (dispute resolution)
Technical limitations (backup systems)

Anonymized Data:

We may retain anonymized, aggregated data for:
- Service improvement
- Analytics
- Research
This data cannot be linked to you personally
Anonymized data is not subject to deletion requests

Backup Data:

Backup systems may retain data for up to 90 days after deletion
Backup data is automatically purged according to retention schedules
We cannot immediately delete data from all backup systems

8.3 Deletion Timeline

Immediate Deletion:

Account access revoked immediately
Subscription cancelled immediately

Data Deletion:

Most data deleted within 30 days of account deletion request
Some data may be retained longer if required by law
Backup data may be retained for up to 90 days for disaster recovery

Cookies & Tracking Technologies

Cookies & Tracking Technologies

10.1 Types of Cookies We Use

Essential Cookies (required for Service functionality):

Authentication cookies (JWT tokens)
Session management
Security and fraud prevention
Cannot be disabled - Service requires these cookies

Functional Cookies (enhance functionality):

User preferences
Language settings
Feature customization
Can be disabled - Service will function but with limited features

Analytics Cookies (help us improve the Service):

Usage analytics
Error tracking
Performance monitoring
Can be disabled - We use AppSignal for error tracking

Marketing Cookies (if applicable):

Marketing campaign tracking
Conversion tracking
Can be disabled - Currently not actively used

10.2 Third-Party Cookies

Stripe (payment processing):

Payment session cookies
Required for checkout functionality

AppSignal (error tracking):

Error and performance tracking
Helps us improve service reliability

10.3 Cookie Management

How to Manage Cookies:

Browser settings: Most browsers allow you to control cookies
Account settings: Some cookie preferences can be managed in your account
Cookie consent banner: We will implement a cookie consent banner (to be implemented)

Disabling Cookies:

You can disable non-essential cookies
Disabling essential cookies will prevent Service access
Some features may not work if cookies are disabled

10.4 Do Not Track

Browser DNT Signals:

We respect "Do Not Track" (DNT) browser signals
However, DNT is not yet standardized, and our response may vary
We continue to use essential cookies for Service functionality

Marketing Communications

Marketing Communications

11.1 Types of Communications

Transactional Emails (cannot opt-out):

Email verification
Password reset
Account security notifications
Payment confirmations
Subscription updates
Service announcements

Onboarding Emails (can opt-out):

Welcome email
Day 3, 5, 7, and 10 follow-up emails
Feature tutorials
How to opt-out: Update email preferences in account settings

Marketing Emails (opt-in required):

Product updates and new features
Promotional offers and discounts
Newsletter and content
Tips and best practices
How to opt-in: Check the marketing email opt-in box during registration or in account settings

11.2 Email Preferences

Managing Preferences:

Update email preferences in your account settings
Unsubscribe link in all marketing emails
Contact support to update preferences

Current Implementation:

⚠️ Limitation: emailSubs field exists but no visible opt-out mechanism
Required: Implement opt-out API endpoint and UI

11.3 How to Unsubscribe

From Marketing Emails:

Click "Unsubscribe" link in any marketing email
Update preferences in account settings
Contact support: info@yenn.ai

From Onboarding Emails:

Update email preferences in account settings
Contact support to opt-out

Effect of Unsubscribing:

You will stop receiving marketing emails
You will continue to receive transactional emails (required for Service)
Unsubscribe takes effect within 10 business days

Children’s Privacy (Coppa)

Children’s Privacy (Coppa)

12.1 Age Restrictions

Minimum Age:

United States: Service is not intended for users under 13 years of age
European Union: Service is not intended for users under 16 years of age
We do not knowingly collect personal information from children

12.2 Parental Consent

If We Discover Child Data:

If we discover we have collected data from a child under 13 (US) or 16 (EU), we will:
- Delete the data immediately
- Notify parents if contact information is available
- Terminate the account

Parental Rights:

Parents can review their child's data
Parents can request deletion of their child's data
Parents can revoke consent and have data deleted

12.3 How to Report

If You Believe We Have Collected Child Data:

Contact us immediately: info@yenn.ai
We will investigate and take appropriate action

California Privacy Rights (Ccpa)

California Privacy Rights (Ccpa)

13.1 Your CCPA Rights

If you are a California resident, you have the following rights:

Right to Know:

What categories of personal information we collect
What categories of sources we collect from
What business or commercial purposes we use information for
What categories of third parties we share information with

Right to Delete:

Request deletion of your personal information
Subject to certain exceptions (legal obligations, etc.)

Right to Opt-Out:

Opt-out of "sale" of personal information
Note: We do not currently "sell" personal information as defined by CCPA
If we begin selling personal information, we will provide an opt-out mechanism

Right to Non-Discrimination:

We will not discriminate against you for exercising your CCPA rights
We will not deny services, charge different prices, or provide different quality of service

13.2 Categories of Personal Information We Collect

Identifiers:

Name, email, username, IP address

Commercial Information:

Subscription data, payment history, purchase records

Internet Activity:

Usage data, browsing history, interaction data

Geolocation Data:

Approximate location from IP address

Professional Information:

Brand voice data, sector, location preferences

Content Data:

Articles, posts, images, videos you create or generate

13.3 How to Exercise CCPA Rights

Contact Information:

Email: info@yenn.ai
Include: Your name, email, California address, and specific request

Verification:

We will verify your identity before processing
We may require additional information to verify identity

Response Time:

We will respond within 45 days
May be extended to 90 days with notice and explanation

No Fees:

CCPA requests are free
We will not charge fees for exercising CCPA rights

14. Changes to Privacy Policy

14.1 Policy Updates

We may update this Privacy Policy from time to time. We will notify you of material changes by:

Email to your registered email address
In-app notification
Posting updated Privacy Policy on our website

14.2 Material Changes

What Constitutes Material Changes:

Changes to data collection practices
Changes to how we use your data
Changes to data sharing practices
Changes to your rights or how to exercise them
Changes to international data transfers

For Material Changes:

We will provide at least 30 days' notice
We may require explicit acceptance of material changes
You can object to material changes by deleting your account

14.3 Acceptance of Changes

Continued Use:

Your continued use of the Service after notification constitutes acceptance of the updated Privacy Policy
If you do not agree to changes, you must stop using the Service and delete your account

Effective Date:

Changes take effect 30 days after notification (unless otherwise specified)
The "Last Updated" date at the top indicates when changes were made

15. Contact Information

15.1 Privacy Inquiries

For Privacy Questions or Requests:

Email: info@yenn.ai
Mail: 17 Green Lanes, London, United Kingdom, N16 9BS
Response Time: We will respond within 30 days (GDPR) or 45 days (CCPA)

15.2 Data Protection Officer (if applicable)

If We Have a DPO:

Email: info@yenn.ai
Mail: 17 Green Lanes, London, United Kingdom, N16 9BS

15.3 Supervisory Authority (GDPR)

If You Are in the EEA or UK:

You have the right to lodge a complaint with your local data protection authority
Find your authority: https://ico.org.uk/make-a-complaint/

UK:

Information Commissioner's Office (ICO)
Website: https://ico.org.uk

EU:

Contact your local data protection authority
List of authorities: https://edpb.europa.eu/about-edpb/board/members_en

16. Additional Information

16.1 Data Controller

Controller Information:

Company Name: Sagecat Consulting LTD
Registered Address: 17 Green Lanes, London, United Kingdom, N16 9BS
Email: info@yenn.ai

16.2 Data Processing Locations

Primary Processing:

Data is processed in: United Kingdom or European Union (confirm your DigitalOcean droplet region)
Third-party processors are located primarily in the United States

16.3 Retention Summary

Summary of Retention Periods:

User accounts: Until deletion
Content: Until account deletion
Payment records: 7 years (legal requirement)
Logs: 90 days to 1 year
Web scraping data: Until account or brand voice deletion

16.4 Service Availability and Maintenance

Service Availability:

We do not guarantee 100% uptime
Service may be unavailable due to maintenance, outages, or third-party issues
See Terms & Conditions Section 2.1 for details

Data Availability:

We implement redundancy and backup systems
However, we cannot guarantee data availability at all times
You are responsible for maintaining your own backups of important data

16.5 Security Summary

Security Measures:

Passwords: Argon2 hashing
Tokens: Encryption and hashing
Data in transit: HTTPS/TLS
Access controls: RBAC, authentication required
Infrastructure: Secure hosting, regular updates

17. Acknowledgment

By using the Service, you acknowledge that:

You have read and understood this Privacy Policy
You consent to the collection and use of your information as described
You understand your rights and how to exercise them
You understand the risks associated with web scraping and third-party integrations

If you do not agree with this Privacy Policy, you must not use the Service.

Last Updated: January 2025

Effective Date: 14 February 2026
Questions? Contact us at: info@yenn.ai

Product

Support

Your privacy choices

Terms and conditions