Version: 1.2
Effective Date: 2026-07-12
Last Updated: 2026-07-14
1. Scope of This Policy
This Privacy Policy explains how Wu Yujie, as the individual developer / operator of Yrkie, collects, uses, stores, shares, and protects information related to Yrkie. It applies to:
- The official Yrkie website, registration, login, password recovery, account workspace, and payment entry points.
- Yrkie's AI presentation creation, editing, upload, import, preview, storage, and export features.
- The Main Agent, Sub Agents, workflows, tools, web search or fetching, and other AI-assisted functions.
- Optional Google or GitHub OAuth login and other integrations made available by Yrkie.
- Customer support, billing, subscriptions, credits, refunds, security, and related communications.
This Policy does not govern services independently controlled by third parties, including Waffo Pancake, OpenRouter, underlying AI model providers, Cloudflare, SendCloud, Google, GitHub, banks, card issuers, browsers, operating systems, websites, APIs, MCP servers, or tools you access. Their processing is governed by their own terms and privacy policies.
2. Data Controller
The data controller for Yrkie is:
- Operator: Wu Yujie
- Business status: individual developer / sole operator
- Business address or mailing address: Hongyi Huacheng Phase 2, Huicheng District, Huizhou City, China
- Privacy and security contact: dreamyitman@proton.me
- Customer support contact: dreamyitman@gmail.com
- Payment, billing, subscription, and refund contact: chumengitman@163.com
- Data Protection Officer: not currently appointed. Privacy requests are handled through dreamyitman@proton.me unless applicable law requires a separate appointment.
- Service hours: Monday to Friday, 09:00-21:00 (China Time, UTC+8), excluding statutory holidays.
3. Information We Collect
We process information only to the extent reasonably necessary to provide, protect, bill for, maintain, and improve Yrkie; follow your instructions; and comply with legal obligations. The categories depend on the features you use.
3.1 Account and Identity Information
- Email address and display name.
- User ID, account status, creation time, update time, email-verification time, and last-login time.
- Password hash for password-based accounts. We do not store plaintext passwords.
- Google or GitHub provider name, provider user ID, verified-email status, provider display name or login, and avatar URL when you use OAuth.
- New-user onboarding answers you choose to provide, including role, intended presentation uses, discovery source, optional bounded “Other” details, completion or skip status, and response timestamps.
- Name, contact information, screenshots, files, logs, issue descriptions, and other content you provide in support, refund, security, or feedback communications.
3.2 Verification, OAuth, Session, and Security Information
- Email verification-code hash, purpose, attempt count, expiration time, consumption time, and request IP.
- Web session token hash, account ID, creation time, update time, expiration time, revocation time, request IP, and User-Agent.
- OAuth state hash, PKCE verifier, provider, safe return parameters, request IP, User-Agent, expiration, and consumption time.
- One-time OAuth login-ticket hash, provider, request IP, User-Agent, expiration, and consumption time.
- Request URLs, timestamps, response status, error information, rate-limit records, abuse signals, and security audit records.
- Turnstile token, verification result, hostname or action metadata, and other necessary security-verification signals returned by Cloudflare.
3.3 Billing, Subscription, Credit, and AI Usage Information
We may store or receive:
- Selected plan, subscription status, billing-cycle information, activation, renewal, cancellation, past-due, termination, and refund status.
- Waffo product ID, checkout session ID, order ID, payment ID, event ID, delivery ID, store ID, environment, amount, currency, payment status, checkout URL, expiration time, webhook payload, and processing result.
- Credit balance, welcome grant, subscription grants, adjustments, debit entries, unique ledger references, and transaction timestamps.
- AI generation ID, session, source such as Main Agent, Sub Agent, or Workflow, model or provider metadata, cost lookup status, OpenRouter-reported cost, charged credits, and reconciliation records.
- Refund, chargeback, duplicate charge, billing error, fraud, dispute, and support records.
We do not store complete bank-card numbers, card security codes, or complete payment credentials on our servers. Waffo Pancake or its payment infrastructure processes that information.
3.4 Workspace, Presentation, Upload, and Export Information
Depending on your use, we may process and store:
- Project and session identifiers, titles, timestamps, messages, conversation history, current status, and project metadata.
- Prompts, requirements, instructions, selected text, responses, and feedback.
- Uploaded PPTX files, documents, images, media, fonts, attachments, filenames, file sizes, MIME types, hashes, storage paths, and upload metadata.
- Extracted slide text, shapes, relationships, layouts, media, speaker-note or document data when supported, and other content parsed from uploaded files.
- Presentation outlines, page counts, slide titles, slide content, HTML fragments, semantic presentation data, revisions, shape identifiers, edit history, and Sub Agent source metadata.
- Preview status, compiler metadata, cached presentation data, rendered thumbnails, and error information.
- Export requests, exported PPTX files, download metadata, and temporary or content-addressed assets.
- Workflows, tool calls, Sub Agent calls, generated artifacts, file-action records, and related audit data.
- Memory or context data used to continue a session and keep project work consistent.
Uploaded and generated content is stored in Yrkie's hosted environment and is not merely local browser data. Authorized administrators or service personnel may access workspace data when reasonably necessary for support, security, abuse investigation, system maintenance, legal compliance, or operation of explicitly available administrative review features, subject to access controls and confidentiality obligations.
3.5 AI Agent and Model Information
When you use Yrkie AI features, we may process and transmit to OpenRouter and underlying model providers:
- Prompts, conversation history, system instructions, and relevant prior messages.
- Uploaded or extracted material, images, document or slide fragments, current outlines, presentation content, and relevant metadata.
- Tool-call inputs and results, web-search queries, fetched URLs or page content, workflow context, and Sub Agent instructions.
- Model name, provider, request parameters, generation ID, token or cost metadata, latency, status, and errors.
- AI replies, generated outlines, slide content, tool plans, and other outputs.
OpenRouter routes requests to underlying model providers. Provider retention and training practices depend on the chosen model, endpoint, and provider policy. Yrkie does not guarantee zero data retention for every request. OpenRouter or a model provider may retain, review, or use inputs and outputs as described in its own policies and applicable settings.
Yrkie stores AI conversations and related project context to provide session continuity, editing, billing, support, security, and troubleshooting. We do not use this content to train AI models unless you expressly consent or receive a separate clear notice and lawful choice.
3.6 Google and GitHub OAuth Information
When you use OAuth login, Yrkie may receive:
- Google subject ID, verified email, name, and profile image information.
- GitHub numeric user ID, verified email, login, display name, and avatar information.
- OAuth authorization code, short-lived provider token used during callback processing, and provider response metadata.
The current OAuth flow does not retain Google or GitHub provider access tokens after authentication. We store the resulting provider identity binding and verified profile fields needed to maintain your Yrkie account.
3.7 Optional Integrations, Search, and External Tools
If you import, configure, enable, or invoke a workflow, skill, plugin, MCP server, web search, URL fetch, or other external tool, Yrkie may process:
- Integration name, type, URL, configuration, permissions, and non-secret metadata.
- Requests, queries, headers or credentials you provide where technically required, tool inputs, results, errors, timestamps, and audit information.
- User Content or project context you direct the tool to process.
The external service may receive your IP address through our infrastructure, request content, credentials, User Content, or other data needed to perform the action. Review the external service's policies and do not connect services or provide secrets without authorization.
3.8 Website, Product Analytics, Browser Storage, and Logs
Yrkie uses a server-issued HttpOnly session cookie for authenticated web access. The cookie contains or references a random session token; the server stores a hash rather than the raw token. A newly issued session currently has a maximum lifetime of 60 days and may be revoked earlier by logout, password reset, security action, or account changes.
The browser may also store non-sensitive interface information such as language, theme, current route, dismissed notices, preview caches, or other functional preferences. Legacy local authentication state may be cleared when the server returns an unauthorized response.
Yrkie offers optional, first-party product analytics. It is off until you choose “Allow analytics.” The consent message is shown once for the browser or device. That browser choice remains active after signing in and when accounts are switched on the same browser, and it is synchronized to the currently signed-in account. An account preference initializes a browser only when that browser has no local choice. Closing the message records that analytics is not allowed. Before permission, Yrkie does not create an anonymous analytics identifier, queue optional events, or retroactively join earlier activity. If you allow it, the browser may create a random anonymous identifier with a maximum lifetime of 90 days and store a versioned consent preference. For an authenticated account, Yrkie may also associate accepted events with the internal account ID and synchronize the analytics choice to that account. The server stores a keyed hash of the anonymous identifier rather than its raw value.
Optional product-analytics events are limited to approved metadata such as page type and route template, language, referring domain, allowlisted campaign tags, selected call-to-action identifier, presentation mode, non-content action type, slide or save counts, duration and completion buckets, success or failure status, coarse error code or stage, plan snapshot, and sampled LCP, INP, or CLS performance measurements. These events do not include prompt text, conversation text, slide or outline content, uploaded or exported files, filenames, project titles, email addresses, complete URLs or query strings, clipboard or keystroke content, raw error messages, complete IP addresses, or complete User-Agent strings. Yrkie does not use a third-party advertising or cross-site analytics provider for this system.
Declining or withdrawing optional analytics stops new optional events and removes the browser's anonymous analytics identifier. Essential service records—such as account, security, billing, AI usage, import, preview, and export status—may still be processed where needed to provide and protect the requested service. Those records are not used for cross-site advertising.
The website and APIs may process request URL, timestamp, IP address, User-Agent, response status, error logs, performance information, and security events for operation and security. Yrkie does not currently implement advertising cookies, cross-site behavioral tracking, or marketing analytics. If this changes, we will update this Policy and provide consent or opt-out controls where required.
4. How We Use Information
| Purpose | Information Categories | Legal Basis or Processing Basis |
|---|---|---|
| Create and maintain accounts | Account, identity, verification, OAuth, and session data | Performance of contract |
| Personalize onboarding and prioritize product improvements | Role, intended-use, discovery-source, optional Other details, and survey status | Legitimate interests and information you voluntarily provide |
| Login, password reset, and security verification | Email, code hashes, sessions, IP, User-Agent, Turnstile, OAuth state | Performance of contract, legitimate interests |
| Provide AI presentation creation and editing | Prompts, workspace content, uploads, slides, outlines, AI inputs and outputs | Performance of contract, user instructions |
| Import, preview, store, and export presentations | PPTX files, assets, parsed content, preview data, revisions, exports | Performance of contract, user instructions |
| Provide Main Agent, Sub Agent, Workflow, and tool features | Conversations, context, tool inputs and outputs, model metadata | Performance of contract, user instructions |
| Process subscriptions, credits, payments, refunds, and disputes | Account, Waffo events, subscription, ledger, usage, costs, audit records | Performance of contract, legal obligations, legitimate interests |
| Prevent fraud, abuse, attacks, duplicate grants, and chargeback misuse | IP, User-Agent, usage, payment, session, and audit data | Legitimate interests, legal obligations |
| Provide support and investigate errors | Communications, account data, workspace data you authorize us to inspect, logs | Performance of contract, legitimate interests |
| Maintain availability, security, and service quality | Error, performance, security, usage, and aggregated data | Legitimate interests |
| Improve product journeys and measure optional website or product usage | Approved first-party event metadata and sampled Web Vitals after your choice | Consent |
| Comply with tax, accounting, payment, regulatory, and legal duties | Billing, subscription, dispute, audit, account, and communication records | Legal obligations |
| Send service notices | Email, account, subscription, security, and service status | Performance of contract, legitimate interests |
| Send marketing communications | Email and communication preferences | Consent or another lawful basis permitted by applicable law |
We may aggregate, anonymize, or de-identify information for product operations, financial reporting, capacity planning, security monitoring, and service improvement. We will not treat data as anonymous if it can reasonably be linked back to an individual.
5. Payment Information and Waffo Pancake
When you pay, Waffo Pancake may collect and process card information, billing information, transaction information, tax information, risk signals, and verification information needed to complete and manage the subscription.
Yrkie receives or stores the identifiers and status information needed to create checkout, confirm successful charges, grant credits, update membership, process cancellations or refunds, resolve disputes, and maintain audits. We verify signed Waffo webhooks before applying billing events. We do not store complete card numbers or card security codes.
6. Cookies and Similar Technologies
| Type | Purpose | Can It Be Disabled? |
|---|---|---|
| Strictly necessary | Authentication, session continuity, protected API access, payment return flow | Usually not without losing core functionality |
| Functional | Language, theme, interface state, preview or workspace preferences | Can usually be cleared in browser settings |
| Security | Turnstile, rate limiting, fraud and abuse prevention | Usually not without affecting registration or login |
| Analytics | Optional first-party product events used to improve journeys, reliability, and performance | Yes. It remains off until allowed and can be withdrawn in Account Center under General settings |
| Marketing | Not clearly implemented at present | Consent or opt-out will be provided if later introduced and required by law |
You may clear cookies and browser storage through browser settings. Doing so may sign you out, reset preferences, or interrupt checkout and workspace state.
7. Information Sharing and Disclosure
We do not sell personal information. We do not sell or share personal information for cross-context behavioral advertising and have not knowingly done so in the preceding 12 months. We disclose information only as reasonably necessary in these circumstances:
- Service providers: hosting, database, file storage, email, security, monitoring, support, payment, tax, accounting, and infrastructure providers.
- Waffo Pancake: checkout, recurring payment, subscription status, refunds, taxes, risk controls, chargebacks, and payment notifications.
- OpenRouter and model providers: prompts, context, User Content, parameters, and related request information required for AI inference, plus generation and cost metadata.
- Cloudflare Turnstile: signals required for bot detection and security verification.
- SendCloud or other email providers: recipient email, template or message content, and delivery metadata needed for verification, password reset, and service notices.
- Google and GitHub: OAuth requests and identity information needed when you choose provider login.
- External tools and websites: data needed when you enable or instruct search, fetch, workflow, plugin, skill, MCP, API, or other integration actions.
- Legal and regulatory recipients: when required by law, court order, regulatory request, tax or accounting rules, sanctions, law enforcement, payment-network rules, or protection of rights and safety.
- Business transactions: in a merger, acquisition, financing, asset sale, restructuring, or similar transaction, subject to reasonable continuing protection obligations.
- With your consent or instruction: where you expressly consent or direct disclosure.
We require service providers acting on our behalf to process data under appropriate instructions or lawful authorization and to use reasonable safeguards. Independently controlled third parties may process data under their own terms.
8. Data Security Measures
We use reasonable technical and organizational safeguards, including:
- HTTPS/TLS for production data in transit.
- PBKDF2-HMAC-SHA256 password hashing under the current authentication implementation.
- HMAC-SHA256 hashing for verification codes and SHA-256 hashing for random web session tokens.
- HttpOnly, SameSite session cookies and server-side session expiry and revocation.
- PKCE, short-lived OAuth state, and one-time login tickets for Google and GitHub login.
- Waffo webhook signature verification and idempotent event processing.
- Rate limits and Turnstile checks on sensitive authentication operations.
- User-scoped database records, file roots, sessions, artifacts, outlines, slides, previews, billing records, and AI context.
- Restricted administrative access and audit records for important account, content, billing, and security operations.
- Reasonable backup, access-control, secret-management, and incident-response practices.
No system can guarantee absolute security. Use a strong password, protect your email and devices, review uploaded materials for secrets, and avoid submitting highly sensitive or regulated data unless you have confirmed the legal basis and safeguards.
If you believe your account or data is at risk, contact dreamyitman@proton.me. If a security incident may affect your rights, we will notify affected users and regulators as required by applicable law. Where GDPR applies and regulatory notification is required, the applicable 72-hour supervisory-authority timeline will be followed.
9. Data Retention
We retain data only as long as reasonably necessary to provide the service, perform contracts, comply with law, resolve disputes, enforce terms, prevent fraud, maintain security, and complete normal backup cycles.
| Data Type | Typical Retention | Handling at Expiration |
|---|---|---|
| Account and provider identity information | While active; normally up to 90 days after verified deletion, unless law or disputes require longer | Delete or anonymize |
| Password hash | While password login remains active; replaced on reset and deleted or disabled with the account | Delete, replace, or disable |
| Email verification and reset-code records | Normally up to 30 days after expiration or consumption; longer for a security investigation if needed | Delete or anonymize |
| Web sessions | Up to 60 days from issuance, or earlier on logout, reset, revocation, or deletion | Delete or mark revoked |
| OAuth state and login tickets | Short-lived; normally about 10 minutes for state and 2 minutes for a ticket, then retained only briefly for security/audit needs | Delete, expire, or anonymize |
| Workspace, prompts, conversations, uploads, outlines, slides, previews, and artifacts | While the account or project is active; normally removed from active systems within 90 days after verified deletion, subject to backup, security, and legal needs | Delete, anonymize, or remove from active access |
| Exported or temporary generated files and caches | As needed to provide downloads, previews, recovery, and performance; stale derived files may be removed earlier | Delete or regenerate |
| Credit ledger, AI usage cost, subscription, payment, refund, tax, and Waffo event records | Normally 7 years, or as required for tax, accounting, payment, chargeback, and legal obligations | Secure archive, anonymize where possible, or delete |
| Security, authentication, administrative, anti-fraud, and abuse logs | Normally 12 to 24 months; longer for major attacks, disputes, chargebacks, or legal holds | Delete, anonymize, or archive |
| Support, refund, legal, and security communications | Normally 3 years, or longer when disputes or law require | Delete or archive |
| Browser cookies and local functional storage | Until expiry, logout, revocation, browser clearing, or overwrite | Controlled by you and the browser |
| Optional first-party product-analytics events | Normally up to 180 days | Delete or aggregate |
| Anonymous analytics identifier | Up to 90 days, or earlier on withdrawal or browser clearing | Remove from the browser; server-side keyed hashes expire under analytics retention rules |
| Analytics consent preference | Normally up to 180 days before the browser asks again; an account preference may remain while the account is active | Replace, withdraw, or delete with the account, subject to lawful exceptions |
| Data processed by OpenRouter and model providers | According to the model, endpoint, provider policy, OpenRouter settings, and applicable agreements | Controlled by the relevant provider |
| Data sent to other third-party integrations | According to that service's terms, configuration, and your instructions | Controlled by you and the third party |
Deletion from backups may occur later through normal secure rotation. Legal holds, fraud prevention, tax, accounting, payment, chargeback, security, and disaster-recovery needs may extend retention.
10. Your Privacy Rights
Depending on applicable law, you may have rights to:
| Right | Description |
|---|---|
| Know and be informed | Learn what personal information we process, why, and with whom it is disclosed |
| Access | Obtain a copy of personal information held about you |
| Correct | Request correction of inaccurate or incomplete information |
| Delete | Request deletion subject to legal and operational exceptions |
| Restrict | Request restricted processing in specified circumstances |
| Port | Receive certain data in a structured, commonly used, machine-readable format |
| Object | Object to processing based on legitimate interests or direct marketing |
| Withdraw consent | Withdraw consent for future consent-based processing |
| Opt out | Opt out of marketing or any sale or sharing if such practices are introduced |
| Non-discrimination | Not receive unlawful discriminatory treatment for exercising privacy rights |
| Complain | Submit a complaint to an applicable data-protection or consumer-protection authority |
Submit requests to dreamyitman@proton.me. We may verify your identity and authority before acting. We normally respond without undue delay and within 30 calendar days, subject to lawful extensions and local requirements.
Some records cannot be deleted immediately, including payment, tax, accounting, chargeback, fraud, security, backup, and legal records. Deleting a Yrkie account does not automatically delete information already processed by Waffo Pancake, OpenRouter, model providers, Google, GitHub, Cloudflare, SendCloud, or external tools under their own policies, or copies you downloaded or shared.
11. Your Choices
You may:
- Log out, clear browser cookies and local storage, or reset functional preferences.
- Choose password login or an available Google or GitHub OAuth method.
- Delete individual projects or request account and data deletion through the privacy contact.
- Download presentations or other available exports before deletion.
- Choose not to upload particular materials or use optional integrations, search, fetching, tools, or OAuth.
- Cancel a paid subscription to prevent future renewals.
- Unsubscribe from marketing email through an available unsubscribe method or by contacting dreamyitman@gmail.com.
- Allow or close the one-time product-analytics message, and later withdraw optional product analytics in Account Center under General settings. Anonymous visitors may withdraw by clearing this site's browser storage. Withdrawal applies to future optional processing and removes the current browser analytics identifier; it does not rewrite essential operational records or analytics already lawfully processed.
Verification codes, password resets, payment notices, security alerts, subscription notices, service changes, and legal notices are necessary service communications and may still be sent after a marketing opt-out.
12. Children's Privacy
Yrkie is intended for users at least 18 years old. We do not knowingly collect personal information from anyone under 18. If you believe a minor has provided personal information, contact dreamyitman@proton.me. After reasonable verification, we will delete it unless law requires retention.
13. Cross-Border Data Transfers
Yrkie and its service providers, including Waffo Pancake, OpenRouter, model providers, Google, GitHub, Cloudflare, SendCloud, hosting, storage, and infrastructure providers, may be located outside your country or region. Information may be processed or stored in China, the United States, Singapore, the European Union, or other regions depending on the provider and model routing.
Where required by applicable law, we will use reasonable safeguards such as data-processing agreements, standard contractual clauses, access controls, encryption, minimization, and vendor review. The model, endpoint, provider, and external integration selected or triggered by your request may affect the actual processing location.
14. Third-Party Links and Content
Yrkie may contain or process links to payment pages, AI models, APIs, documentation, websites, open-source projects, Google, GitHub, or other services. We do not control their content, availability, security, or privacy practices. Review their terms and privacy policies before use.
If you instruct Yrkie to fetch a URL, search the web, call an API, or use an external tool, the recipient may record request time, network information, request content, User-Agent or service identifier, and accessed content.
15. Supplemental Notice for California, Europe, China, and Other Regions
Where the CCPA/CPRA, GDPR, UK GDPR, PIPL, or another privacy law applies, we provide the rights and protections required by that law.
We do not sell personal information and do not currently share it for cross-context behavioral advertising. We do not currently use sensitive personal information to infer characteristics for advertising. If these practices change, we will update this Policy and provide notices and choices required by law.
Our legal bases may include performance of contract, compliance with legal obligations, legitimate interests, consent, and protection of vital interests. You may ask about the basis for a particular processing activity through dreamyitman@proton.me.
Yrkie uses automated systems to calculate credits, check balances, detect abuse, verify payment events, and enforce security restrictions. These systems may automatically allow, limit, or block service access, but we do not intend to make solely automated decisions that produce legal or similarly significant effects on individuals without safeguards required by applicable law. Contact us if you believe an automated restriction is incorrect.
16. Changes to This Policy
We may update this Privacy Policy from time to time. We will announce material changes through the website, product notices, registered email, or other reasonable methods and update the date at the top. Unless law requires otherwise, material changes will usually be announced at least 14 days in advance.
Continuing to use Yrkie after an update takes effect means that you acknowledge the updated Policy. If you disagree, stop using Yrkie, cancel any subscription, and request account or data deletion as applicable.
17. Contact Us
For questions about privacy, data, security, or this Policy, contact:
- Product usage, login, workspace, and feature issues: dreamyitman@gmail.com
- Payment, billing, subscription cancellation, refund, chargeback, and other money-related issues: chumengitman@163.com
- Privacy, data requests, account deletion, legal, security, and other issues: dreamyitman@proton.me
- Operator: Wu Yujie
- Mailing address: Hongyi Huacheng Phase 2, Huicheng District, Huizhou City, China
- Phone: phone support is not currently provided. Please use the email addresses above.
- Service hours: Monday to Friday, 09:00-21:00 (China Time, UTC+8), excluding statutory holidays.
Wu Yujie — Yrkie — Last Updated: 2026-07-12