Privacy Policy

Last updated: April 2, 2026

El Orangutan LLC, doing business as Yod Security ("Yod," "we," "us"), operates the Yod service at app.yodsec.com. This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and your rights regarding that data.

1. Data We Collect

1.1 Information you provide

Email address — provided at signup, used for account authentication, billing notifications, and service alerts
Domain name (FQDN) — the web application domain you wish to protect
Invitation code — if required during early access signup

1.2 Information collected automatically

IP address — used for rate limiting during authentication. Not stored long-term; used only for in-memory rate limit counters
Email address (for rate limiting) — also used as a key for in-memory login rate limit counters, separate from its use for authentication and notifications
Session tokens — generated at login, stored as SHA-256 hashes in our database, used to authenticate dashboard requests

1.3 Information generated by the Service

Instance metadata — instance IP address, SSH port, health check status, software version, and provisioning status
Billing events — subscription status, payment outcomes, and invoice data received from Stripe via webhooks

1.4 Data on your dedicated instance

Your Yod instance processes traffic to and from your web application. The following data exists only on your dedicated, isolated virtual machine. It is not transmitted to Yod's control plane, and our systems do not access it during normal operation:

HTTP request and response data passing through the reverse proxy
Attack detection logs and session classification data
AI-generated threat analysis reports (if you configure an AI provider)
Your AI provider API keys or Ollama configuration
Session cookie values from your web application's visitors

Our control plane communicates with your instance only for: health check heartbeats, software update checks, and instance secret verification. We do not access your web application's traffic content during normal operation. As the infrastructure operator, we retain administrative access to the underlying virtual machine for maintenance and troubleshooting purposes, and may be required to access or disclose data in response to valid legal process.

2. How We Use Your Data

Data	Purpose	Legal Basis (GDPR)
Email address	Account authentication (magic link login), billing notifications, service alerts (provisioning, health, teardown)	Contract performance
Domain name	Instance provisioning, DNS resolution to determine origin IP, TLS certificate issuance	Contract performance
IP address	Rate limiting authentication requests to prevent abuse	Legitimate interest
Billing data	Processing payments, managing subscriptions, handling failed payments and cancellations	Contract performance
Instance metadata	Service delivery, monitoring instance health, deploying software updates	Contract performance

3. Third-Party Services

We share data with the following third-party service providers, solely to deliver the Service:

Stripe (Payment processing)

Your email address and domain name are shared with Stripe to create your customer account and process payments. Stripe collects and processes your payment card details directly — we never see or store your card number. Stripe's privacy policy: stripe.com/privacy

Vultr (Infrastructure hosting)

Your domain name and origin IP address are included in the cloud-init configuration used to provision your dedicated instance on Vultr's infrastructure. Vultr's privacy policy: vultr.com/legal/privacy

Let's Encrypt (TLS certificates)

Your domain name is submitted to Let's Encrypt to obtain TLS certificates. Let's Encrypt publishes certificate transparency logs that include domain names. Let's Encrypt's privacy policy: letsencrypt.org/privacy

We do not sell, rent, or share your personal data with any other third parties. We do not use any analytics, advertising, or tracking services.

4. Cookies

We use a single, essential cookie:

Name	`yod_customer_session`
Purpose	Authenticates your dashboard session
Duration	24 hours, or 7 days if you select "Remember me"
Type	Strictly necessary (HttpOnly, SameSite=Lax)

We do not use any analytics cookies, advertising cookies, or third-party tracking cookies. Because we use only a strictly necessary cookie, no cookie consent banner is required under GDPR or ePrivacy regulations.

5. Data Retention

Account data (email, domain, billing records) — retained for the duration of your subscription and after teardown until you request deletion
Session tokens — automatically expire (24 hours or 7 days) and are deleted from the database upon expiration
Magic link tokens — expire after 10 minutes and are marked as used after a single verification
Instance data (detection logs, traffic data, configuration) — exists only on your dedicated VM and is permanently destroyed when the instance is torn down
Waitlist data — email address retained until you are invited or request removal

6. Data Security

We protect your data through the following measures:

Tenant isolation. Each customer receives a dedicated virtual machine. No infrastructure, data, or state is shared between customers.
Encryption in transit. All connections to and between app.yodsec.com and customer instances use modern, up-to-date encryption such as TLS.
Hashed credentials. Session tokens and instance secrets are stored as cryptographic hashes (SHA-256 and bcrypt, respectively), never in plaintext.
Passwordless authentication. We use magic link email authentication — there are no passwords to leak or breach.
Rate limiting. Authentication endpoints are rate-limited to prevent brute force attacks.
Minimal data collection. We collect only the data strictly necessary to deliver the Service.

7. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

Access. Request a copy of the personal data we hold about you.
Correction. Request correction of inaccurate personal data.
Deletion. Request deletion of your personal data. Note that this will require cancellation of your subscription and teardown of your instance.
Portability. Request your data in a structured, machine-readable format.
Objection. Object to processing of your data based on legitimate interest.
Restriction. Request restriction of processing in certain circumstances.

To exercise any of these rights, contact us at admin@yodsec.com. We will respond within 30 days.

8. International Data Transfers

Your data is processed and stored on servers located in the United States (Vultr US East region). If you are located outside the United States, your data will be transferred to and processed in the United States. By using the Service, you consent to this transfer. We rely on the necessity of the transfer for the performance of our contract with you as the legal basis for international data transfers under GDPR.

9. Children's Privacy

The Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us at admin@yodsec.com and we will promptly delete it.

10. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act:

Right to know what personal information we collect and how it is used (detailed in Sections 1 and 2 above)
Right to delete your personal information
Right to non-discrimination for exercising your privacy rights

We do not sell personal information. We do not share personal information for cross-context behavioral advertising.

11. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email at least 30 days before the changes take effect. The "Last updated" date at the top of this page indicates when the policy was last revised.

12. Contact

For questions about this Privacy Policy or to exercise your data rights, contact us at admin@yodsec.com.