Privacy Policy

Plain-English summary

Yesoma is a customer success tool. To do its job it stores your customer messages, the AI drafts written about them, and the metadata around them — inside a database that only your workspace can read. We do not sell your data. We do not train AI models on your customer data. You can export everything any time, or ask us to delete it. We use a small list of named subprocessors (Supabase, Anthropic, OpenAI, Stripe, Resend, Cloudflare, Google for sign-in) and we publish that list in section 5.

1. Who we are

Yesoma (“Yesoma”, “we”, “us”) is a product of Afia Labs. Afia Labs is the data controller for personal information collected through the Yesoma marketing site and for account-level information about users.

When you (the business owner) bring customer information into a Yesoma workspace, you are the controller of that information and Afia Labs acts as your data processor for it, processing only on your documented instructions.

2. Information we collect

2.1 Information you give us directly

Account info: your name, email address, password hash (or Google OAuth identifier), and profile photo from Google if you choose SSO.
Workspace info: organization name, business type, industry tag, location, currency, time zone, brand colors, and uploaded logo.
Business Brain content: services, prices, policies, FAQs, tone instructions, templates, and any other context you choose to add.
Customer Content: customer names, emails, phone numbers, WhatsApp numbers, tags, notes, inquiries, message bodies, voice notes, attachments, observations, and internal notes you save.
Billing info: handled by Stripe; we store only a Stripe customer ID and subscription metadata (plan, status, period dates).

2.2 Information collected automatically

Session data: authentication cookies and session tokens (Supabase Auth). When a Yesoma support team member opens your workspace (only with your workspace's staff_access_enabled setting on), a short-lived httpOnly cookie scopes their session to your workspace; every action is logged and visible to you under Settings → Staff access.
Usage metadata: routes accessed, feature interactions, performance metrics, and error reports — aggregated for product improvement, never linked to your customers' personal data.
Device + network: IP address, browser user-agent, language preference, approximate location (country-level) inferred from IP.
Web Push subscriptions (if you enable notifications): VAPID endpoint, p256dh public key, and auth secret.

2.3 Information from third parties

Inbound integrations: messages received via WhatsApp Business Platform, email aliases, website forms, and custom webhooks become Customer Content under your control as soon as they arrive.
Google OAuth (if used): email, name, and profile photo, used only to sign you in and identify your account.
Stripe: subscription events (created, renewed, cancelled, failed) to keep your plan in sync.

3. How we use information

We use your information to:

Operate the Yesoma service (display your inbox, draft replies, schedule follow-ups, etc.).
Authenticate users and protect against unauthorized access.
Process payments via Stripe and manage subscriptions.
Send transactional and operational emails (account confirmations, password resets, digests, weekly Pulse summaries, billing receipts).
Detect, prevent, and respond to fraud, abuse, and security incidents.
Improve the product through aggregated, anonymized analytics.
Comply with legal obligations and respond to lawful requests.

We do not:

Sell or rent your personal information.
Train any AI model on your Customer Content.
Use your customers' messages to market to them.
Share workspace identity in the public template marketplace (only your industry tag is shown).

4. AI processing

Yesoma sends limited information to AI providers to generate suggested replies, summaries, classifications, transcriptions, and observations. Specifically:

Anthropic (Claude `claude-opus-4-7`): receives the inquiry text, the relevant Business Brain context (services, prices, policies, tone, templates), customer history snippets, and prior corrections used as few-shot examples. Anthropic processes these requests under their Commercial Terms and does not train on API inputs by default.
OpenAI Whisper: receives only the voice attachment audio for transcription. Transcribed text is stored as a message body in your workspace. OpenAI does not train on API inputs by default.

Both providers operate as our subprocessors and act only on our (and therefore your) instructions. We use prompt caching on the Business Brain prefix to reduce cost and latency; cached prefixes are scoped to your workspace and expire automatically.

AI suggestions are presented as drafts for you to review and approve. Yesoma does not auto-send messages to your customers unless you explicitly enable native channel dispatch and confirm each send.

We share information only with the following categories of recipients:

Recipient	Why	Where
Supabase	Database, auth, file storage	US / EU (region-pinned)
Anthropic (Claude)	AI reply generation, analysis, observations	United States
OpenAI (Whisper)	Voice transcription	United States
Stripe	Subscription billing	United States + global
Resend	Transactional + digest email delivery	United States
Cloudflare	Hosting, CDN, DDoS protection, edge runtime	Global edge network
Google (OAuth)	Sign-in (only if you choose Google)	United States + global
Twilio / Meta / WhatsApp Business Platform	Optional connected messaging providers when enabled by the customer (inbound WhatsApp routing)	United States + global
Slack / Discord / Web Push	Notifications you configure	Per service

We will also disclose information when required by law, when needed to enforce these Terms, to protect the rights or safety of Yesoma, our users, or the public, or in connection with a corporate restructuring, merger, or acquisition (in which case we will notify affected users in advance).

6. International data transfers

Yesoma is operated from the United States and stores data with infrastructure providers located primarily in the United States and the European Union. If you access Yesoma from outside these regions, you consent to the transfer of your information to these jurisdictions, which may not provide the same level of data protection as your country of residence.

For EU/UK data subjects, we rely on Standard Contractual Clauses and the providers' own GDPR-compliant data processing agreements where applicable.

7. How long we keep your data

We keep your information as long as your account is active. Specific retention defaults:

Customer Content: indefinitely while your subscription is active; deleted within 30 days of account closure unless you ask for sooner.
Activity log: 180 days by default, configurable per workspace.
AI correction signals: 90 days by default, configurable per workspace.
Audit log exports: stored by you; we do not retain copies.
Backups: rolling backups retained for up to 30 days for disaster recovery.
Billing records: retained for 7 years to meet tax and financial reporting obligations.

You can export everything at any time from Settings → Workspace export.

8. Security

We take security seriously. Yesoma uses:

Row-Level Security (RLS) on every table — every query is scoped to your workspace, enforced at the database layer.
TLS 1.2+ in transit; encryption at rest provided by Supabase and Cloudflare.
Hashed passwords (bcrypt via Supabase Auth); no plaintext password storage.
Scoped API keys with per-key rate limiting and revocation; full audit trail of API usage.
Stripe-hosted payment surfaces; we never see or store your card number.
VAPID-signed Web Push (no third-party push broker).
Signed URLs (10-minute lifetime) for voice-note attachments.
Least-privilege service-role keys for cross-org maintenance jobs.
Regular dependency updates and security patches.

No system is perfectly secure. If you believe you have found a vulnerability, please report it to security@getyesoma.com — we will respond within 5 business days.

9. Your rights

Depending on where you live, you may have the following rights in relation to your personal information:

Access: ask us what information we hold about you.
Rectification: have inaccurate information corrected.
Erasure: request deletion of your information. Workspace owners can self-serve from Settings → Security (a 30-day cooling-off window starts, cancellable any time before then). Other deletion requests are honored within 30 days.
Portability: receive your information in a structured, machine-readable format (use our workspace export).
Objection: object to certain processing.
Restriction: ask us to limit how we process your information.
Withdraw consent where processing is based on consent.
Complaint: lodge a complaint with your local data protection authority.

To exercise any of these rights, email privacy@getyesoma.com. We will respond within 30 days. We may need to verify your identity before fulfilling a request.

If you are a customer of a business that uses Yesoma (rather than a Yesoma account holder), and your message landed in their inbox, the business is the controller of your data. Contact the business directly to exercise your rights; we will assist them in fulfilling your request.

10. Cookies and similar technologies

Every cookie Yesoma sets is strictly necessary to run the product. We do not use advertising, marketing, or analytics cookies, and we do not track you across other websites — so we don't show a cookie-consent banner. The full list:

Name	Purpose	Lifetime
`sb-*` (Supabase Auth)	Sign-in session + refresh token. Without these you can't access your workspace.	Session + refresh window
`yesoma_staff_session`	Set only when a Yesoma support team member is actively in your workspace, and only if your workspace's staff access toggle is on. Visible to you under Settings → Staff access; you can revoke any time.	60 minutes
`yesoma_staff_session_return_to`	Paired with the above; remembers where support opened the session from so Exit returns them there.	60 minutes

Yesoma also uses browser localStorage (per-device, never sent to our servers) to remember small bits of UI state: dismissed banners, the “was this article helpful?” choice on a help-center page, and the Supabase session refresh token. Clearing site data removes all of it.

You can disable cookies in your browser, but doing so will prevent you from signing in to Yesoma.

11. Children

Yesoma is not intended for children. We do not knowingly collect personal information from anyone under 16. If you believe a child has provided us with personal information, contact privacy@getyesoma.com and we will delete it.

12. WhatsApp and channel data

When you connect a channel (WhatsApp Business number, email alias, website form, custom webhook), inbound messages are forwarded to Yesoma and stored in your workspace as Customer Content. We process this content only to provide the service — display the inbox, draft replies, classify, summarize, and retain history.

WhatsApp has its own privacy practices. See WhatsApp's Privacy Policy. Your use of WhatsApp is governed by WhatsApp's terms, not ours.

13. Browser extension

Our optional Chrome extension stores your Yesoma API key and base URL locally in chrome.storage.local. The extension only sends data to Yesoma when you explicitly invoke “Send to Yesoma” on a selection — it does not read pages passively, does not track browsing history, and does not phone home.

14. Changes to this policy

We may update this Privacy Policy. Material changes will be announced via email and an in-app notice at least 14 days before they take effect. The “Last updated” date at the top of this page indicates the most recent revision.

15. Contact

For privacy questions, requests, or complaints, contact:

Privacy: privacy@getyesoma.com
Security: security@getyesoma.com

This Privacy Policy was prepared in good faith and reflects our current practices, but is not a substitute for legal advice. Before relying on it commercially or in regulated markets, have it reviewed by counsel qualified in your jurisdiction (e.g. CCPA/CPRA in California, VCDPA in Virginia, GDPR in the EU/UK).