Privacy Policy
Effective 2026-04-11 · Last updated 2026-04-11 · Version 1.0.0
1. Who we are
This Privacy Policy describes how Yarova Inc. (“Yarova”, “we”, “us”) collects, uses, and protects personal information in connection with its products and websites, including:
- kits.yarova.ca — Yarova Kits digital storefront
- operator.yarova.ca — Operator product and waitlist
- yarova.ca — company website
- Any future yarova.ca subdomains
Yarova Inc. is a federally incorporated Canadian corporation (Federal Corporation number 1064550-8) registered extra-provincially in British Columbia (Registration A0131471). We are subject to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and any applicable provincial privacy legislation.
Our privacy lead is Rohith Yadla, reachable at hello@yarova.ca.
2. What information we collect
We deliberately collect the minimum information necessary to provide our products. We do not sell your data. We do not run targeted advertising.
2.1 Information you provide directly
Email address. When you:
- Join a product waitlist (Operator, future products)
- Complete a purchase (Stripe collects payment details; we receive your email and name)
- Contact us at hello@yarova.ca
Name. When provided at checkout via Stripe or in email correspondence.
Payment information. Payment card details are processed directly by Stripe, Inc. and are never transmitted to, stored on, or processed by Yarova’s servers. Yarova receives only the Stripe customer ID and a confirmation that payment succeeded.
2.2 Information collected automatically
Technical information. When you visit our websites:
- IP address (used by Cloudflare for security and analytics)
- Country (derived from IP via Cloudflare)
- User-agent string
- Request timestamp and URL
- Referring URL
Analytics. We use Cloudflare Web Analytics (a privacy-respecting analytics service that does not set cookies or use fingerprinting). We do not use Google Analytics, Facebook Pixel, or similar tracking tools.
Cookies. Our marketing sites use minimal cookies:
- Essential cookies for site functionality (if any)
- No tracking or advertising cookies
- No third-party marketing cookies
3. Why we collect this information
We collect and use personal information for the following purposes, each with a lawful basis:
| Purpose | Lawful basis |
|---|---|
| Fulfilling your order (sending download links, delivering purchased products) | Contract performance |
| Sending transactional emails (order confirmations, refund notifications, product updates related to purchases) | Contract performance |
| Responding to your support inquiries | Contract performance / legitimate interest |
| Operating the products (signed-up users, account access) | Contract performance |
| Security (fraud detection, abuse prevention, rate limiting) | Legitimate interest |
| Aggregated analytics (improving the site, no identification of individuals) | Legitimate interest |
| Complying with legal obligations (tax records, regulatory requests) | Legal obligation |
We do NOT use your personal information for:
- Targeted advertising
- Sale to third parties
- Training AI models without explicit consent
- Profiling for automated decisions with legal effects
4. Who we share it with
We share personal information only with the following categories of recipients, and only when necessary:
4.1 Service providers
- Stripe, Inc. — payment processing. Stripe operates under its own privacy policy (stripe.com/privacy) and is PCI DSS certified. Stripe is our sole payment processor.
- Cloudflare, Inc. — hosting, CDN, DNS, analytics, email routing. Cloudflare processes data on our behalf under its privacy policy (cloudflare.com/privacypolicy).
- Anthropic PBC — AI model provider for Operator and automation. Used for processing inputs you submit (e.g., Operator queries). Subject to Anthropic’s privacy policy. We do not authorize Anthropic to train models on your data.
- Resend Inc. or equivalent email delivery service — transactional email delivery (planned).
- GitHub, Inc. — source code and operational file hosting. Minimal customer data touches GitHub (only our own source code and cortex).
Each of these providers is contractually required to protect your personal information at a level equivalent to this Privacy Policy.
4.2 Legal and regulatory disclosures
We may disclose personal information when required by law, court order, or government regulation, including:
- Responses to Canadian law enforcement requests
- Tax authority (CRA) audits
- Subpoenas or court orders
- Fraud investigations
4.3 Business transfers
In the event of a merger, acquisition, or asset sale involving Yarova Inc., personal information may be transferred to the successor entity, subject to the protections of this Privacy Policy.
4.4 Never shared
We do NOT share personal information with:
- Advertising networks
- Data brokers
- Marketing list resellers
- Social media platforms (we do not implement tracking pixels)
5. Where your data lives (data residency)
- Cloudflare-hosted data (websites, D1 database, R2 objects) is stored on Cloudflare’s global edge network. Cloudflare operates data centers in Canada, the US, EU, and other regions.
- Stripe-processed payment data is stored according to Stripe’s data residency practices (primarily US / EU).
- Anthropic API interactions are processed in Anthropic’s infrastructure.
- GitHub repository data (source code + our operational files) is stored on GitHub’s infrastructure (US).
- CPA / tax records (when a CPA is engaged) are stored by the CPA per their professional obligations in Canada.
Because of Cloudflare’s global nature, your data may be processed in multiple jurisdictions, but always under the protections of this Privacy Policy and Canadian privacy law.
6. How long we keep it
| Category | Retention period |
|---|---|
| Customer email addresses | Until you request deletion or 7 years after last activity (for tax records) |
| Order records | 7 years (CRA retention requirement for Canadian corporations) |
| Waitlist emails | Until the bet is killed or 2 years, whichever comes first |
| Website analytics (non-identifying) | 90 days at Cloudflare’s default |
| Support email conversations | 2 years after resolution |
| Security logs | 1 year |
Data older than the retention period is deleted or anonymized.
7. How we protect it
- Encryption in transit: All Yarova websites and APIs use TLS (HTTPS). HTTP requests are automatically upgraded.
- Encryption at rest: Cloudflare D1 encrypts data at rest by default. Stripe encrypts all payment data. GitHub encrypts private repositories at rest.
- Access control: Credentials are managed per
ops/access-registry.mdwith rotation schedules. Only Rohith Yadla (the sole operator) has access to production systems. - Minimal PII: We store only email addresses and names. No addresses, phone numbers, government IDs, payment cards, or biometric data.
- No single-factor access: Where available, two-factor authentication is enabled on all administrative accounts.
- Rotation schedules: API credentials rotate per
security/rotation-schedule.md. - Audit logs: Changes to our systems are logged in git history and D1 event tables.
No system is perfectly secure. If a data breach occurs that affects your personal information, we will notify you within 72 hours of becoming aware of the breach, as required by PIPEDA.
8. Your rights
Under PIPEDA (Canada), you have the right to:
8.1 Access
Request a copy of the personal information we hold about you. We will respond within 30 days.
8.2 Correction
Request that we correct inaccurate or incomplete personal information.
8.3 Withdrawal of consent
Withdraw consent to our processing of your personal information, subject to legal or contractual obligations. This may result in us being unable to continue providing certain services.
8.4 Deletion
Request that we delete your personal information, subject to our legal obligations to retain certain records (e.g., tax records for 7 years).
8.5 Portability
Request your personal information in a structured, machine-readable format for transfer to another service.
8.6 Complaint
If you believe Yarova has violated your privacy rights, you may file a complaint with the Office of the Privacy Commissioner of Canada (priv.gc.ca).
To exercise any of these rights, email hello@yarova.ca with your request and a description of the personal information involved. We may request verification of your identity before fulfilling the request.
9. International users
9.1 United States
If you are a US resident, Yarova is a Canadian company and processes your data under Canadian privacy law. We do our best to comply with applicable US state privacy laws (CCPA, CPRA, VCDPA, etc.) to the extent they apply.
9.2 European Union / UK
Yarova does not actively target EU/UK customers at present. If you are an EU/UK resident and choose to use our products, your data may be processed outside the EU/UK under Canadian law. We are not currently configured as a GDPR controller. If you require GDPR-compliant processing, contact hello@yarova.ca before purchasing — we may need to make special arrangements.
9.3 Elsewhere
If you are outside Canada, the US, EU, or UK, Yarova processes your data under Canadian law.
10. Children’s privacy
Yarova’s products are not directed to children under 13 (or under the minimum age for personal data collection in your jurisdiction). We do not knowingly collect personal information from children. If you believe we have inadvertently collected personal information from a child, email hello@yarova.ca and we will delete it.
11. AI and automation
Some Yarova products use large language models (currently Anthropic Claude) to generate content, summarize, or automate tasks. When you interact with AI-enabled features:
- Your inputs may be sent to Anthropic for processing
- Anthropic is contractually prohibited from using your inputs to train their models (per Anthropic’s API terms)
- Yarova does not retain AI prompts or outputs longer than necessary for the immediate task
- AI-generated outputs are not guaranteed to be accurate; you use them at your own risk (see TOS Section 10)
12. Changes to this Policy
We may update this Privacy Policy from time to time. When we do:
- The “Last updated” date at the top changes
- The revised Policy is posted at the same URL
- For material changes, we notify customers by email or in-product notice at least 14 days before the effective date
Your continued use of Yarova products after the effective date constitutes acceptance of the updated Policy.
13. Contact
Questions about this Privacy Policy or about the personal information we hold?
Email: hello@yarova.ca Subject line suggestion: “Privacy inquiry” or “Data access request”
Yarova Inc. Registered office: Delta, British Columbia, Canada Federal Corporation number: 1064550-8 BC Registration number: A0131471 Business Number (CRA): 769022880
This Privacy Policy is a plain-language document written in good faith by Yarova Inc. It reflects our current data-handling practices. It is not a substitute for professional legal advice. Customers in regulated industries or jurisdictions with specific privacy requirements are encouraged to seek independent legal review before using our products.