Short version: we collect only what we need to run YAPIC Network, process your payments, keep the site secure, and comply with the law. We do not sell your data, we do not run third-party advertising on the site, and we do not connect your anonymous activity to your identity. This policy tells you exactly what we hold, why, for how long, who we share it with, and how you can ask us to remove it.
011. Who we are (data controller)
YAPIC Network ("YAPIC", "we", "us") is a creative-content network operating from the Republic of Cyprus. We are the controller of personal data processed through yapic.network and the domains that redirect to it.
For privacy questions, data-access requests, complaints, or anything else in this policy, write to us through the Support page (`/support`) or email support@yapic.network. We respond within 30 days — most requests are answered the same week.
022. What we collect
We deliberately collect as little personal data as possible. The categories below are the only things tied to you:
- Email address — when you create an account, subscribe to Premium, buy a credit pack, or request a magic-link sign-in. Used for sign-in, receipts, password-reset links, and (if you explicitly opt in) new-content alerts.
- Name — optional, only if you provide it during sign-up or on the Support form; used for personalised greetings.
- Hashed password — when you choose email + password sign-up. Stored using bcrypt with a per-user salt; we cannot recover your plaintext password and never email it back to you.
- Payment identifiers from Stripe — Stripe customer IDs, charge IDs, subscription IDs, and the email you provided to Stripe at checkout. Full card details stay with Stripe; we never see or store your card number, CVC, or expiry date.
- Generations you create — outputs from any of our six AI tools (FakeChats AI conversations, Value AI renders, RedScene AI stills, CreepGen AI entities, Love AI analyses, DeepHistory AI reconstructions) are automatically saved to your account so you can reopen them. Saves are private to you and capped at the most recent 200 per user (oldest pruned automatically). You can delete any saved generation from the Your archive panel on each tool page or from the profile page at any time.
- Credit / improvements-bank ledger — number of generations and "improvements" left on your account, transaction history of purchases, and any winback promo codes we've issued you.
- Pseudonymous activity — page views, channel taps, tool generations, button clicks. Tied to a random session token in your browser, not to your email, unless you are signed in.
- Technical data — IP address (truncated before we store it for analytics), user-agent string, language preference, country derived from IP at the edge. Used to mitigate abuse, display the site in your locale, and price products in your currency.
- Cookies and local-storage keys — see Section 8 below for the exhaustive list.
033. Why we process it (legal bases)
If you live in the EU/UK or another GDPR-style jurisdiction, the legal bases we rely on are:
- Performance of a contract (GDPR Art. 6(1)(b)) — to deliver Premium content, run the FakeChats AI and Value AI tools you paid for, send receipts, and authenticate your sessions.
- Consent (Art. 6(1)(a)) — for opt-in marketing emails and for non-essential analytics cookies. You can withdraw consent any time in the cookie banner, in your Profile → Cookie preferences panel, or via the "unsubscribe" link in any marketing email.
- Legitimate interests (Art. 6(1)(f)) — fraud detection, rate-limiting, security logs, customer support, and aggregate usage analytics that help us decide which channels to keep.
- Legal obligation (Art. 6(1)(c)) — complying with tax, accounting, AML/KYC requests from Stripe, and lawful requests from authorities.
044. AI-generated images, characters, and writing
Most images, illustrations, character photos, SMS conversations, story drafts, and Value AI outputs on YAPIC are generated by AI models: Anthropic Claude, Google Gemini / Nano Banana, OpenAI GPT and image models, and OpenAI Sora 2 for video clips.
Our prompts explicitly forbid real, identifiable people — every face you see on YAPIC is a fully fictional, randomly-generated person. If a generated image happens to resemble someone real, the resemblance is accidental and unintended and is not meant to identify, mock, defame, or insult any individual. If you believe a generated image looks like you and you would like it removed, write to us through the Support page and we will remove it within 7 days regardless of legal obligation.
AI output may be inaccurate, biased, strange, or unsuitable for any specific purpose. Treat it as creative entertainment. Do not rely on AI output for medical, legal, financial, psychological, or safety-critical decisions.
055. How long we keep it (retention)
- Account record — for as long as your account is active, plus 12 months after you delete it (so we can resolve any post-termination disputes).
- Stripe payment records — 7 years (tax / accounting requirement).
- Saved generations (SMS + Value AI) — until you delete them or your account. Automatically removed when you close your account.
- Credit / improvements-bank ledger — 12 months after your account is closed.
- Winback promo codes — expire automatically after the window printed on the offer (usually 14 days).
- Magic-link tokens — 20 minutes; deleted immediately on use.
- OTP codes — 10 minutes; deleted on use.
- Refund requests — 24 months after the request is resolved.
- Anonymous analytics — aggregated to weekly buckets after 30 days; raw events deleted after 90 days.
- Login security logs — 12 months.
- Email opt-in record — until you unsubscribe + 24 months (proof of consent under GDPR).
066. Who we share it with (sub-processors)
We share data only with the processors below, each bound by a contract that limits their use to the specific service they provide to us:
- Stripe, Inc. — payments processing + Customer Portal.
- Resend, Inc. — transactional email delivery (sign-in links, receipts, support replies, refund notifications).
- MongoDB Atlas — managed database hosting.
- Anthropic (Claude), OpenAI (GPT, image models, Sora 2, Whisper), Google (Gemini, Nano Banana) — large-language-model and image-model API calls used to generate site content. We send AI providers only the content prompt and never your account email or payment data.
- Cloudflare / our CDN — edge caching, DDoS protection.
- PostHog — pseudonymous product analytics. Opt out at any time in the cookie banner or Profile → Cookie preferences.
- We do not sell, rent, or trade your data with anyone. We do not share data with advertising networks. We do not run third-party tracking pixels on the site.
077. International data transfers
Some of the processors listed above are based in the United States. Where we transfer personal data out of the EU/UK we rely on the EU Standard Contractual Clauses (2021) plus the UK International Data Transfer Addendum where applicable, with supplementary measures (encryption in transit, encryption at rest, pseudonymisation where possible) to protect the data.
088. Cookies and local storage
We keep cookies to the minimum needed for the site to work and to remember your preferences. We do not use third-party advertising cookies. Our banner distinguishes essentials (always set) from analytics (opt-in). You can change your choice any time in Profile → Cookie preferences.
- Essential — session cookie (`session_id`, HttpOnly, SameSite=Lax) — set when you sign in; deleted when you sign out.
- Essential — Stripe checkout cookies — set by Stripe on the hosted checkout page to prevent payment fraud; not accessible to us.
- Essential — locale preference (`yapic_locale`, localStorage) — remembers your language choice across visits.
- Essential — cookie-consent record (`yapiccookieconsent`, localStorage) — remembers whether you chose "all" or "essentials" so we don't ask again.
- Essential — voter token (`yapicvoterid`, localStorage) — random ID used to prevent vote stuffing without identifying you.
- Essential — vote / pulse cache (`yapicpulses*`, localStorage) — short-lived, browser-only.
- Analytics (opt-in) — PostHog — pseudonymous event log for product decisions. Automatically opted-out the moment you select Only essentials.
099. Your rights
Under GDPR, UK GDPR, and similar laws (CCPA in California, LGPD in Brazil, PIPEDA in Canada), you have the right to:
- Access — get a copy of the data we hold about you.
- Rectification — ask us to correct anything wrong.
- Erasure ("right to be forgotten") — ask us to delete your account and the personal data tied to it.
- Restriction — ask us to pause processing while a dispute is resolved.
- Portability — get a machine-readable export of your data.
- Objection — object to processing based on our legitimate interests.
- Withdraw consent — any time, with one click in a marketing email or the cookie panel.
- Lodge a complaint with your local supervisory authority (in the EU, your national Data Protection Authority; in the UK, the ICO; in California, the CA Privacy Protection Agency).
- We respond to these requests within 30 days, free of charge, unless the request is manifestly unfounded or excessive (in which case we may charge a reasonable fee or refuse — and tell you why).
1010. Children's privacy
YAPIC is not directed at children under 13 (under 16 in the EU). We do not knowingly collect personal data from children. If you believe a child has provided us personal data, write to us through the Support page and we will delete the account immediately.
1111. Security
We protect personal data with industry-standard measures: TLS 1.2+ for data in transit, AES-256 at rest in MongoDB Atlas, bcrypt password hashing, rate-limited authentication endpoints, brute-force throttling on sign-in, single-use magic-link tokens, HttpOnly session cookies, and least-privilege access for our small team. No method of transmission or storage is 100% secure — if we ever discover a breach that affects you, we will notify you within 72 hours of confirming it, as required by GDPR Art. 33–34.
1212. Automated decision-making
We do not make decisions that have legal or similarly significant effects on you using fully automated processing.
1313. Changes to this policy
If we materially change this policy, we will display a banner on the homepage at least 14 days before the change takes effect, so you can review it (and, if you disagree, cancel Premium and request deletion before any new processing starts). Minor wording fixes that don't change your rights are released without a banner.
Last updated · June 21, 2026
