Version: 1.2

Effective Date: 2026-07-12

Last Updated: 2026-07-14

1. Scope of This Policy

This Privacy Policy explains how Wu Yujie, as the individual developer / operator of Yrkie, collects, uses, stores, shares, and protects information related to Yrkie. It applies to:

  • The official Yrkie website, registration, login, password recovery, account workspace, and payment entry points.
  • Yrkie's AI presentation creation, editing, upload, import, preview, storage, and export features.
  • The Main Agent, Sub Agents, workflows, tools, web search or fetching, and other AI-assisted functions.
  • Optional Google or GitHub OAuth login and other integrations made available by Yrkie.
  • Customer support, billing, subscriptions, credits, refunds, security, and related communications.

This Policy does not govern services independently controlled by third parties, including Waffo Pancake, OpenRouter, underlying AI model providers, Cloudflare, SendCloud, Google, GitHub, banks, card issuers, browsers, operating systems, websites, APIs, MCP servers, or tools you access. Their processing is governed by their own terms and privacy policies.

2. Data Controller

The data controller for Yrkie is:

  • Operator: Wu Yujie
  • Business status: individual developer / sole operator
  • Business address or mailing address: Hongyi Huacheng Phase 2, Huicheng District, Huizhou City, China
  • Privacy and security contact: dreamyitman@proton.me
  • Customer support contact: dreamyitman@gmail.com
  • Payment, billing, subscription, and refund contact: chumengitman@163.com
  • Data Protection Officer: not currently appointed. Privacy requests are handled through dreamyitman@proton.me unless applicable law requires a separate appointment.
  • Service hours: Monday to Friday, 09:00-21:00 (China Time, UTC+8), excluding statutory holidays.

3. Information We Collect

We process information only to the extent reasonably necessary to provide, protect, bill for, maintain, and improve Yrkie; follow your instructions; and comply with legal obligations. The categories depend on the features you use.

3.1 Account and Identity Information

  • Email address and display name.
  • User ID, account status, creation time, update time, email-verification time, and last-login time.
  • Password hash for password-based accounts. We do not store plaintext passwords.
  • Google or GitHub provider name, provider user ID, verified-email status, provider display name or login, and avatar URL when you use OAuth.
  • New-user onboarding answers you choose to provide, including role, intended presentation uses, discovery source, optional bounded “Other” details, completion or skip status, and response timestamps.
  • Name, contact information, screenshots, files, logs, issue descriptions, and other content you provide in support, refund, security, or feedback communications.

3.2 Verification, OAuth, Session, and Security Information

  • Email verification-code hash, purpose, attempt count, expiration time, consumption time, and request IP.
  • Web session token hash, account ID, creation time, update time, expiration time, revocation time, request IP, and User-Agent.
  • OAuth state hash, PKCE verifier, provider, safe return parameters, request IP, User-Agent, expiration, and consumption time.
  • One-time OAuth login-ticket hash, provider, request IP, User-Agent, expiration, and consumption time.
  • Request URLs, timestamps, response status, error information, rate-limit records, abuse signals, and security audit records.
  • Turnstile token, verification result, hostname or action metadata, and other necessary security-verification signals returned by Cloudflare.

3.3 Billing, Subscription, Credit, and AI Usage Information

We may store or receive:

  • Selected plan, subscription status, billing-cycle information, activation, renewal, cancellation, past-due, termination, and refund status.
  • Waffo product ID, checkout session ID, order ID, payment ID, event ID, delivery ID, store ID, environment, amount, currency, payment status, checkout URL, expiration time, webhook payload, and processing result.
  • Credit balance, welcome grant, subscription grants, adjustments, debit entries, unique ledger references, and transaction timestamps.
  • AI generation ID, session, source such as Main Agent, Sub Agent, or Workflow, model or provider metadata, cost lookup status, OpenRouter-reported cost, charged credits, and reconciliation records.
  • Refund, chargeback, duplicate charge, billing error, fraud, dispute, and support records.

We do not store complete bank-card numbers, card security codes, or complete payment credentials on our servers. Waffo Pancake or its payment infrastructure processes that information.

3.4 Workspace, Presentation, Upload, and Export Information

Depending on your use, we may process and store:

  • Project and session identifiers, titles, timestamps, messages, conversation history, current status, and project metadata.
  • Prompts, requirements, instructions, selected text, responses, and feedback.
  • Uploaded PPTX files, documents, images, media, fonts, attachments, filenames, file sizes, MIME types, hashes, storage paths, and upload metadata.
  • Extracted slide text, shapes, relationships, layouts, media, speaker-note or document data when supported, and other content parsed from uploaded files.
  • Presentation outlines, page counts, slide titles, slide content, HTML fragments, semantic presentation data, revisions, shape identifiers, edit history, and Sub Agent source metadata.
  • Preview status, compiler metadata, cached presentation data, rendered thumbnails, and error information.
  • Export requests, exported PPTX files, download metadata, and temporary or content-addressed assets.
  • Workflows, tool calls, Sub Agent calls, generated artifacts, file-action records, and related audit data.
  • Memory or context data used to continue a session and keep project work consistent.

Uploaded and generated content is stored in Yrkie's hosted environment and is not merely local browser data. Authorized administrators or service personnel may access workspace data when reasonably necessary for support, security, abuse investigation, system maintenance, legal compliance, or operation of explicitly available administrative review features, subject to access controls and confidentiality obligations.

3.5 AI Agent and Model Information

When you use Yrkie AI features, we may process and transmit to OpenRouter and underlying model providers:

  • Prompts, conversation history, system instructions, and relevant prior messages.
  • Uploaded or extracted material, images, document or slide fragments, current outlines, presentation content, and relevant metadata.
  • Tool-call inputs and results, web-search queries, fetched URLs or page content, workflow context, and Sub Agent instructions.
  • Model name, provider, request parameters, generation ID, token or cost metadata, latency, status, and errors.
  • AI replies, generated outlines, slide content, tool plans, and other outputs.

OpenRouter routes requests to underlying model providers. Provider retention and training practices depend on the chosen model, endpoint, and provider policy. Yrkie does not guarantee zero data retention for every request. OpenRouter or a model provider may retain, review, or use inputs and outputs as described in its own policies and applicable settings.

Yrkie stores AI conversations and related project context to provide session continuity, editing, billing, support, security, and troubleshooting. We do not use this content to train AI models unless you expressly consent or receive a separate clear notice and lawful choice.

3.6 Google and GitHub OAuth Information

When you use OAuth login, Yrkie may receive:

  • Google subject ID, verified email, name, and profile image information.
  • GitHub numeric user ID, verified email, login, display name, and avatar information.
  • OAuth authorization code, short-lived provider token used during callback processing, and provider response metadata.

The current OAuth flow does not retain Google or GitHub provider access tokens after authentication. We store the resulting provider identity binding and verified profile fields needed to maintain your Yrkie account.

3.7 Optional Integrations, Search, and External Tools

If you import, configure, enable, or invoke a workflow, skill, plugin, MCP server, web search, URL fetch, or other external tool, Yrkie may process:

  • Integration name, type, URL, configuration, permissions, and non-secret metadata.
  • Requests, queries, headers or credentials you provide where technically required, tool inputs, results, errors, timestamps, and audit information.
  • User Content or project context you direct the tool to process.

The external service may receive your IP address through our infrastructure, request content, credentials, User Content, or other data needed to perform the action. Review the external service's policies and do not connect services or provide secrets without authorization.

3.8 Website, Product Analytics, Browser Storage, and Logs

Yrkie uses a server-issued HttpOnly session cookie for authenticated web access. The cookie contains or references a random session token; the server stores a hash rather than the raw token. A newly issued session currently has a maximum lifetime of 60 days and may be revoked earlier by logout, password reset, security action, or account changes.

The browser may also store non-sensitive interface information such as language, theme, current route, dismissed notices, preview caches, or other functional preferences. Legacy local authentication state may be cleared when the server returns an unauthorized response.

Yrkie offers optional, first-party product analytics. It is off until you choose “Allow analytics.” The consent message is shown once for the browser or device. That browser choice remains active after signing in and when accounts are switched on the same browser, and it is synchronized to the currently signed-in account. An account preference initializes a browser only when that browser has no local choice. Closing the message records that analytics is not allowed. Before permission, Yrkie does not create an anonymous analytics identifier, queue optional events, or retroactively join earlier activity. If you allow it, the browser may create a random anonymous identifier with a maximum lifetime of 90 days and store a versioned consent preference. For an authenticated account, Yrkie may also associate accepted events with the internal account ID and synchronize the analytics choice to that account. The server stores a keyed hash of the anonymous identifier rather than its raw value.

Optional product-analytics events are limited to approved metadata such as page type and route template, language, referring domain, allowlisted campaign tags, selected call-to-action identifier, presentation mode, non-content action type, slide or save counts, duration and completion buckets, success or failure status, coarse error code or stage, plan snapshot, and sampled LCP, INP, or CLS performance measurements. These events do not include prompt text, conversation text, slide or outline content, uploaded or exported files, filenames, project titles, email addresses, complete URLs or query strings, clipboard or keystroke content, raw error messages, complete IP addresses, or complete User-Agent strings. Yrkie does not use a third-party advertising or cross-site analytics provider for this system.

Declining or withdrawing optional analytics stops new optional events and removes the browser's anonymous analytics identifier. Essential service records—such as account, security, billing, AI usage, import, preview, and export status—may still be processed where needed to provide and protect the requested service. Those records are not used for cross-site advertising.

The website and APIs may process request URL, timestamp, IP address, User-Agent, response status, error logs, performance information, and security events for operation and security. Yrkie does not currently implement advertising cookies, cross-site behavioral tracking, or marketing analytics. If this changes, we will update this Policy and provide consent or opt-out controls where required.

4. How We Use Information

PurposeInformation CategoriesLegal Basis or Processing Basis
Create and maintain accountsAccount, identity, verification, OAuth, and session dataPerformance of contract
Personalize onboarding and prioritize product improvementsRole, intended-use, discovery-source, optional Other details, and survey statusLegitimate interests and information you voluntarily provide
Login, password reset, and security verificationEmail, code hashes, sessions, IP, User-Agent, Turnstile, OAuth statePerformance of contract, legitimate interests
Provide AI presentation creation and editingPrompts, workspace content, uploads, slides, outlines, AI inputs and outputsPerformance of contract, user instructions
Import, preview, store, and export presentationsPPTX files, assets, parsed content, preview data, revisions, exportsPerformance of contract, user instructions
Provide Main Agent, Sub Agent, Workflow, and tool featuresConversations, context, tool inputs and outputs, model metadataPerformance of contract, user instructions
Process subscriptions, credits, payments, refunds, and disputesAccount, Waffo events, subscription, ledger, usage, costs, audit recordsPerformance of contract, legal obligations, legitimate interests
Prevent fraud, abuse, attacks, duplicate grants, and chargeback misuseIP, User-Agent, usage, payment, session, and audit dataLegitimate interests, legal obligations
Provide support and investigate errorsCommunications, account data, workspace data you authorize us to inspect, logsPerformance of contract, legitimate interests
Maintain availability, security, and service qualityError, performance, security, usage, and aggregated dataLegitimate interests
Improve product journeys and measure optional website or product usageApproved first-party event metadata and sampled Web Vitals after your choiceConsent
Comply with tax, accounting, payment, regulatory, and legal dutiesBilling, subscription, dispute, audit, account, and communication recordsLegal obligations
Send service noticesEmail, account, subscription, security, and service statusPerformance of contract, legitimate interests
Send marketing communicationsEmail and communication preferencesConsent or another lawful basis permitted by applicable law

We may aggregate, anonymize, or de-identify information for product operations, financial reporting, capacity planning, security monitoring, and service improvement. We will not treat data as anonymous if it can reasonably be linked back to an individual.

5. Payment Information and Waffo Pancake

When you pay, Waffo Pancake may collect and process card information, billing information, transaction information, tax information, risk signals, and verification information needed to complete and manage the subscription.

Yrkie receives or stores the identifiers and status information needed to create checkout, confirm successful charges, grant credits, update membership, process cancellations or refunds, resolve disputes, and maintain audits. We verify signed Waffo webhooks before applying billing events. We do not store complete card numbers or card security codes.

6. Cookies and Similar Technologies

TypePurposeCan It Be Disabled?
Strictly necessaryAuthentication, session continuity, protected API access, payment return flowUsually not without losing core functionality
FunctionalLanguage, theme, interface state, preview or workspace preferencesCan usually be cleared in browser settings
SecurityTurnstile, rate limiting, fraud and abuse preventionUsually not without affecting registration or login
AnalyticsOptional first-party product events used to improve journeys, reliability, and performanceYes. It remains off until allowed and can be withdrawn in Account Center under General settings
MarketingNot clearly implemented at presentConsent or opt-out will be provided if later introduced and required by law

You may clear cookies and browser storage through browser settings. Doing so may sign you out, reset preferences, or interrupt checkout and workspace state.

7. Information Sharing and Disclosure

We do not sell personal information. We do not sell or share personal information for cross-context behavioral advertising and have not knowingly done so in the preceding 12 months. We disclose information only as reasonably necessary in these circumstances:

  • Service providers: hosting, database, file storage, email, security, monitoring, support, payment, tax, accounting, and infrastructure providers.
  • Waffo Pancake: checkout, recurring payment, subscription status, refunds, taxes, risk controls, chargebacks, and payment notifications.
  • OpenRouter and model providers: prompts, context, User Content, parameters, and related request information required for AI inference, plus generation and cost metadata.
  • Cloudflare Turnstile: signals required for bot detection and security verification.
  • SendCloud or other email providers: recipient email, template or message content, and delivery metadata needed for verification, password reset, and service notices.
  • Google and GitHub: OAuth requests and identity information needed when you choose provider login.
  • External tools and websites: data needed when you enable or instruct search, fetch, workflow, plugin, skill, MCP, API, or other integration actions.
  • Legal and regulatory recipients: when required by law, court order, regulatory request, tax or accounting rules, sanctions, law enforcement, payment-network rules, or protection of rights and safety.
  • Business transactions: in a merger, acquisition, financing, asset sale, restructuring, or similar transaction, subject to reasonable continuing protection obligations.
  • With your consent or instruction: where you expressly consent or direct disclosure.

We require service providers acting on our behalf to process data under appropriate instructions or lawful authorization and to use reasonable safeguards. Independently controlled third parties may process data under their own terms.

8. Data Security Measures

We use reasonable technical and organizational safeguards, including:

  • HTTPS/TLS for production data in transit.
  • PBKDF2-HMAC-SHA256 password hashing under the current authentication implementation.
  • HMAC-SHA256 hashing for verification codes and SHA-256 hashing for random web session tokens.
  • HttpOnly, SameSite session cookies and server-side session expiry and revocation.
  • PKCE, short-lived OAuth state, and one-time login tickets for Google and GitHub login.
  • Waffo webhook signature verification and idempotent event processing.
  • Rate limits and Turnstile checks on sensitive authentication operations.
  • User-scoped database records, file roots, sessions, artifacts, outlines, slides, previews, billing records, and AI context.
  • Restricted administrative access and audit records for important account, content, billing, and security operations.
  • Reasonable backup, access-control, secret-management, and incident-response practices.

No system can guarantee absolute security. Use a strong password, protect your email and devices, review uploaded materials for secrets, and avoid submitting highly sensitive or regulated data unless you have confirmed the legal basis and safeguards.

If you believe your account or data is at risk, contact dreamyitman@proton.me. If a security incident may affect your rights, we will notify affected users and regulators as required by applicable law. Where GDPR applies and regulatory notification is required, the applicable 72-hour supervisory-authority timeline will be followed.

9. Data Retention

We retain data only as long as reasonably necessary to provide the service, perform contracts, comply with law, resolve disputes, enforce terms, prevent fraud, maintain security, and complete normal backup cycles.

Data TypeTypical RetentionHandling at Expiration
Account and provider identity informationWhile active; normally up to 90 days after verified deletion, unless law or disputes require longerDelete or anonymize
Password hashWhile password login remains active; replaced on reset and deleted or disabled with the accountDelete, replace, or disable
Email verification and reset-code recordsNormally up to 30 days after expiration or consumption; longer for a security investigation if neededDelete or anonymize
Web sessionsUp to 60 days from issuance, or earlier on logout, reset, revocation, or deletionDelete or mark revoked
OAuth state and login ticketsShort-lived; normally about 10 minutes for state and 2 minutes for a ticket, then retained only briefly for security/audit needsDelete, expire, or anonymize
Workspace, prompts, conversations, uploads, outlines, slides, previews, and artifactsWhile the account or project is active; normally removed from active systems within 90 days after verified deletion, subject to backup, security, and legal needsDelete, anonymize, or remove from active access
Exported or temporary generated files and cachesAs needed to provide downloads, previews, recovery, and performance; stale derived files may be removed earlierDelete or regenerate
Credit ledger, AI usage cost, subscription, payment, refund, tax, and Waffo event recordsNormally 7 years, or as required for tax, accounting, payment, chargeback, and legal obligationsSecure archive, anonymize where possible, or delete
Security, authentication, administrative, anti-fraud, and abuse logsNormally 12 to 24 months; longer for major attacks, disputes, chargebacks, or legal holdsDelete, anonymize, or archive
Support, refund, legal, and security communicationsNormally 3 years, or longer when disputes or law requireDelete or archive
Browser cookies and local functional storageUntil expiry, logout, revocation, browser clearing, or overwriteControlled by you and the browser
Optional first-party product-analytics eventsNormally up to 180 daysDelete or aggregate
Anonymous analytics identifierUp to 90 days, or earlier on withdrawal or browser clearingRemove from the browser; server-side keyed hashes expire under analytics retention rules
Analytics consent preferenceNormally up to 180 days before the browser asks again; an account preference may remain while the account is activeReplace, withdraw, or delete with the account, subject to lawful exceptions
Data processed by OpenRouter and model providersAccording to the model, endpoint, provider policy, OpenRouter settings, and applicable agreementsControlled by the relevant provider
Data sent to other third-party integrationsAccording to that service's terms, configuration, and your instructionsControlled by you and the third party

Deletion from backups may occur later through normal secure rotation. Legal holds, fraud prevention, tax, accounting, payment, chargeback, security, and disaster-recovery needs may extend retention.

10. Your Privacy Rights

Depending on applicable law, you may have rights to:

RightDescription
Know and be informedLearn what personal information we process, why, and with whom it is disclosed
AccessObtain a copy of personal information held about you
CorrectRequest correction of inaccurate or incomplete information
DeleteRequest deletion subject to legal and operational exceptions
RestrictRequest restricted processing in specified circumstances
PortReceive certain data in a structured, commonly used, machine-readable format
ObjectObject to processing based on legitimate interests or direct marketing
Withdraw consentWithdraw consent for future consent-based processing
Opt outOpt out of marketing or any sale or sharing if such practices are introduced
Non-discriminationNot receive unlawful discriminatory treatment for exercising privacy rights
ComplainSubmit a complaint to an applicable data-protection or consumer-protection authority

Submit requests to dreamyitman@proton.me. We may verify your identity and authority before acting. We normally respond without undue delay and within 30 calendar days, subject to lawful extensions and local requirements.

Some records cannot be deleted immediately, including payment, tax, accounting, chargeback, fraud, security, backup, and legal records. Deleting a Yrkie account does not automatically delete information already processed by Waffo Pancake, OpenRouter, model providers, Google, GitHub, Cloudflare, SendCloud, or external tools under their own policies, or copies you downloaded or shared.

11. Your Choices

You may:

  • Log out, clear browser cookies and local storage, or reset functional preferences.
  • Choose password login or an available Google or GitHub OAuth method.
  • Delete individual projects or request account and data deletion through the privacy contact.
  • Download presentations or other available exports before deletion.
  • Choose not to upload particular materials or use optional integrations, search, fetching, tools, or OAuth.
  • Cancel a paid subscription to prevent future renewals.
  • Unsubscribe from marketing email through an available unsubscribe method or by contacting dreamyitman@gmail.com.
  • Allow or close the one-time product-analytics message, and later withdraw optional product analytics in Account Center under General settings. Anonymous visitors may withdraw by clearing this site's browser storage. Withdrawal applies to future optional processing and removes the current browser analytics identifier; it does not rewrite essential operational records or analytics already lawfully processed.

Verification codes, password resets, payment notices, security alerts, subscription notices, service changes, and legal notices are necessary service communications and may still be sent after a marketing opt-out.

12. Children's Privacy

Yrkie is intended for users at least 18 years old. We do not knowingly collect personal information from anyone under 18. If you believe a minor has provided personal information, contact dreamyitman@proton.me. After reasonable verification, we will delete it unless law requires retention.

13. Cross-Border Data Transfers

Yrkie and its service providers, including Waffo Pancake, OpenRouter, model providers, Google, GitHub, Cloudflare, SendCloud, hosting, storage, and infrastructure providers, may be located outside your country or region. Information may be processed or stored in China, the United States, Singapore, the European Union, or other regions depending on the provider and model routing.

Where required by applicable law, we will use reasonable safeguards such as data-processing agreements, standard contractual clauses, access controls, encryption, minimization, and vendor review. The model, endpoint, provider, and external integration selected or triggered by your request may affect the actual processing location.

14. Third-Party Links and Content

Yrkie may contain or process links to payment pages, AI models, APIs, documentation, websites, open-source projects, Google, GitHub, or other services. We do not control their content, availability, security, or privacy practices. Review their terms and privacy policies before use.

If you instruct Yrkie to fetch a URL, search the web, call an API, or use an external tool, the recipient may record request time, network information, request content, User-Agent or service identifier, and accessed content.

15. Supplemental Notice for California, Europe, China, and Other Regions

Where the CCPA/CPRA, GDPR, UK GDPR, PIPL, or another privacy law applies, we provide the rights and protections required by that law.

We do not sell personal information and do not currently share it for cross-context behavioral advertising. We do not currently use sensitive personal information to infer characteristics for advertising. If these practices change, we will update this Policy and provide notices and choices required by law.

Our legal bases may include performance of contract, compliance with legal obligations, legitimate interests, consent, and protection of vital interests. You may ask about the basis for a particular processing activity through dreamyitman@proton.me.

Yrkie uses automated systems to calculate credits, check balances, detect abuse, verify payment events, and enforce security restrictions. These systems may automatically allow, limit, or block service access, but we do not intend to make solely automated decisions that produce legal or similarly significant effects on individuals without safeguards required by applicable law. Contact us if you believe an automated restriction is incorrect.

16. Changes to This Policy

We may update this Privacy Policy from time to time. We will announce material changes through the website, product notices, registered email, or other reasonable methods and update the date at the top. Unless law requires otherwise, material changes will usually be announced at least 14 days in advance.

Continuing to use Yrkie after an update takes effect means that you acknowledge the updated Policy. If you disagree, stop using Yrkie, cancel any subscription, and request account or data deletion as applicable.

17. Contact Us

For questions about privacy, data, security, or this Policy, contact:

  • Product usage, login, workspace, and feature issues: dreamyitman@gmail.com
  • Payment, billing, subscription cancellation, refund, chargeback, and other money-related issues: chumengitman@163.com
  • Privacy, data requests, account deletion, legal, security, and other issues: dreamyitman@proton.me
  • Operator: Wu Yujie
  • Mailing address: Hongyi Huacheng Phase 2, Huicheng District, Huizhou City, China
  • Phone: phone support is not currently provided. Please use the email addresses above.
  • Service hours: Monday to Friday, 09:00-21:00 (China Time, UTC+8), excluding statutory holidays.

Wu Yujie — Yrkie — Last Updated: 2026-07-12