Privacy

Privacy Policy

Last updated: June 9, 2026

What YinPsi collects, who it's shared with, how long it's kept, and how you can take it back. We pair this with the /security page which documents what we've actually shipped vs what's on the roadmap.

1. Who we are

YinPsi is built by Bcreate Systems, based in Trivandrum, India. We're a single-founder operation; correspondence about privacy reaches a human (often the founder) within 24 hours. Contact: privacy@yinpsi.com.

2. What we collect

When you use YinPsi, we collect data in three categories:

  • Account information you give us: name, email, password hash, business name, billing country. Required to create your workspace.
  • Operational data generated by your use of the product: WhatsApp messages your business sends and receives, contact lists you upload, templates you create, broadcasts you schedule, automation rules, audit log entries.
  • Telemetry for the platform to function: IP address (for security + region detection), browser user agent, request/response timing for performance monitoring, exception traces for our in-codebase error tracker.

We do not collect cookies for advertising, fingerprinting, or analytics resale.

3. AI features and what they touch

YinPsi includes AI-powered features that send content to third-party large-language-model providers. When you use these features, the content of the conversation you direct the AI to process is sent to the provider for processing — typically with a zero-retention agreement.

Providers we use, by feature:

  • OpenAI — AI Inbox Copilot, AI Agent (Phase 1+), voice-note transcription via Whisper. Under our API contract, OpenAI does not train models on YinPsi data.
  • Anthropic — Premium AI reasoning model (Phase 5+). Same zero-training contract.
  • Sarvam AI — Indic-language ASR + TTS (Phase 5+). Based in India.
  • ElevenLabs — Voice synthesis for the Voice Agent (Phase 5+).

We disclose the AI provider used per feature in your dashboard's sub-processor list, and we notify customers 30 days in advance before adding a new sub-processor that processes PII.

AI output disclaimer: Generated content (replies, summaries, drafts, translations) may be inaccurate. You are responsible for reviewing AI output before sending it to your customers. We design every AI surface with an explicit human-confirm step whenever the output is destructive or sent on your behalf.

4. Your customers' data

The contacts and conversations in your YinPsi workspace are your data. We process it on your behalf under a data-processor relationship; you remain the data controller.

  • We do not use your customers' data to train any models — ours or our sub-processors'.
  • We do not market to your customers.
  • We do not share contact lists between tenants. Every record carries a tenantId and every query filters on it at the route and service layer.
  • We honour deletion requests on a per-contact basis within 30 days of receipt.

5. Storage, encryption, and location

  • Primary storage is a single PostgreSQL instance hosted by us. As of June 9, 2026 the instance is in India.
  • Sensitive tokens (Meta access tokens, payment provider credentials) are encrypted with AES-256-GCM at rest.
  • All inbound traffic is TLS 1.3 via Cloudflare. Internal traffic between application processes is host-local.
  • Nightly backups are encrypted in transit and at rest. Backup retention is 30 days.
  • Data residency in EU and US regions is on the Phase 6 roadmap (~Month 18). Enterprise customers may negotiate residency commitments earlier.

6. How long we keep things

  • Conversations & contacts — kept for as long as your account is active. Deleted within 30 days of account deletion.
  • Audit log — 90 days by default. Configurable for enterprise customers.
  • Health check & status data — 90 days.
  • Error reports — 90 days; PII is redacted at capture, not at expiry.
  • Billing records — retained for 7 years per Indian accounting law.
  • Backups — 30 days.

7. Your rights

You can, at any time, by emailing privacy@yinpsi.com:

  • Request a copy of all data we hold about you (delivered in machine-readable format within 30 days).
  • Ask us to correct inaccurate information.
  • Ask us to delete your data (subject to the legal retention obligations above).
  • Object to specific processing — particularly profiling or automated decision-making.
  • Withdraw consent for optional processing.
  • Lodge a complaint with your local data protection authority.

8. Sub-processors

The complete list of every third party that processes YinPsi data — and the purpose of each — is maintained on our /security page. That list is the source of truth. If a vendor isn't on it, they don't process your data.

We require every sub-processor to have a published DPA (linked from the security page) and to provide equivalent or stronger protections than this policy.

9. Children

YinPsi is a business product. We do not knowingly process data of children under 16. If we become aware that we have collected such data without parental consent, we will delete it.

10. Changes to this policy

We notify all customers by WhatsApp and email 30 days before any change that materially expands data collection, sharing, or AI processing. For non-material changes (typos, contact-info updates) we revise this page silently and bump the "last updated" date.

11. How to reach us

Questions about this document? Email legal@yinpsi.com. YinPsi is operated by Bcreate Systems.