Privacy Policy
This policy explains what information Yvori collects, how it is used, and what choices are available to you.
Information we collect
- Account details, profile details, and billing metadata.
- Operational data such as bookings, quotes, invoices, and communications.
- Usage and device information for reliability and security.
How we use data
To run and improve the product, process subscriptions, send transactional updates, and meet legal obligations.
Payments
Payments are processed by Stripe; Yvori does not store full card numbers.
Google User Data
Yvori requests access to your Google Calendar (https://www.googleapis.com/auth/calendar and https://www.googleapis.com/auth/calendar.events) solely to read, create, update, and delete calendar events on your behalf so that jobs scheduled in Yvori stay in sync with your Google Calendar. Yvori's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Yvori is operated by MaxMin Agency LLC; privacy inquiries are handled at saad@maxmin.agency.
Sharing, Transfer, and Disclosure of Google User Data
We do not sell, rent, or share Google user data with third parties for advertising, marketing, or any other commercial purpose. We do not use Google user data to train generalized or large language models.
Google user data is only transferred to the following infrastructure sub-processors strictly as needed to operate the service:
- Supabase, Inc. — encrypted database and authentication storage (hosted on AWS, US region).
- Vercel Inc. — application hosting and edge compute for the Yvori web and API layer.
We may also disclose Google user data if required by law, valid legal process, or to protect the rights, property, or safety of Yvori, our users, or the public. We will not disclose Google user data to any other party except with your explicit consent.
Data Protection for Sensitive Data
We treat Google user data (including OAuth access and refresh tokens, and calendar event content) as sensitive and protect it with the following safeguards:
- OAuth refresh tokens are encrypted at rest using AES-256 in our database.
- All data is transmitted over TLS 1.2+ (HTTPS) between your device, Google, and our servers.
- Access to production systems storing Google user data is restricted to authorized personnel, protected by multi-factor authentication, and logged for audit.
- Row-level security (RLS) policies at the database layer ensure that each user's Google user data is isolated and only accessible to that user's authenticated session.
- We follow the principle of least privilege: we only request the minimum OAuth scopes necessary for the calendar sync feature.
Retention and Deletion of Google User Data
We retain Google user data only as long as necessary to provide the calendar sync feature:
- While your account is active and calendar sync is connected: we retain OAuth tokens and a cache of synced event metadata to keep your calendar in sync.
- When you disconnect Google Calendar in Yvori: we revoke the OAuth token with Google and delete all associated tokens and cached event data from our systems within 30 days.
- When you delete your Yvori account: all Google user data (tokens and cached events) is deleted within 30 days. Backups are purged on a rolling 35-day cycle.
You can revoke Yvori's access to your Google account at any time by:
- Disconnecting the integration inside Yvori: Settings → Integrations → Google Calendar → Disconnect, or
- Revoking access directly from your Google Account at myaccount.google.com/permissions, or
- Emailing us at saad@maxmin.agency to request deletion.
Contact
support@yvori.app · Yvori · 30 N Gould St Ste R, Sheridan, WY 82801