Privacy Policy
Effective Date: March 17, 2026 · Version 1.0.0
1. Introduction & Scope
YOUNIQC ("we," "us," or "our") operates the YOUNIQC web application ("The Studio"), the YOUNIQC mobile application ("The Journal"), and the U AI agent (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.
By accessing or using the Service, you consent to the data practices described in this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access or use the Service.
This Privacy Policy applies to all users of the Service regardless of geographic location. Where specific laws impose additional obligations (such as PIPEDA in Canada, GDPR in the European Union, CCPA in California, or Bill 96 in Quebec), we address those requirements in the applicable sections below.
2. Information We Collect
We collect information you provide directly and information generated through your use of the Service. Below is a detailed breakdown by category.
2.1 Account Data
When you create an account, we collect your name, email address, and password. Your password is hashed using bcrypt (cost factor 12) and is never stored in plaintext. You may also upload a profile photo, which is stored in our file storage system.
2.2 Brand Data
To personalize your experience, we collect brand-related information you provide, including your brand name, niche, target audience, voice configuration, banned phrases, and connected platforms.
2.3 Content Data
The Service generates and stores AI-generated content on your behalf, including content ideas, captions, shot lists, quality scores, and refinement history. This content is associated with your account and accessible only to you.
2.4 Preference & Learning Data
We collect preference data derived from your usage patterns, including which content variants you select, how you edit generated content, quality ratings you assign, and explicit settings you configure. Each learned preference carries a confidence score. You can disable the learning system at any time via your account preferences.
2.5 Chat Data
Conversations with U (our AI agent) are stored and associated with your account. This includes message text, conversation context, and mode classification (companion, operator, or expert). Chat transcripts are retained for 90 days and then automatically deleted.
2.6 Voice Data
If you use voice features (available on eligible plans), we process voice recordings for transcription purposes. Voice audio is transmitted to our AI processors (OpenAI Whisper for transcription, ElevenLabs for text-to-speech synthesis) and is not permanently stored on our servers after processing is complete.
2.7 Mobile Data
If you use The Journal (our mobile app), we collect ideas you capture, voice notes, and project tags. This data syncs with your main account and is accessible across all YOUNIQC surfaces.
2.8 Billing Data
Payment processing is handled entirely by Stripe, a PCI DSS-compliant payment processor. We transmit your name and email to Stripe for billing purposes. We never receive, process, or store your full credit card number, CVV, or other sensitive payment details. Stripe's own privacy policy governs the handling of your payment information.
2.9 Usage Data
We collect information about how you use the Service, including feature usage frequency, Spark consumption, session duration, and error logs. This data helps us improve the Service and monitor for abuse.
2.10 Feedback & Quality Data
We track which content variants you select, your editing patterns, and quality ratings you assign. This feedback data is used to improve content generation quality for your account specifically and, in anonymized aggregate form, for all users.
2.11 Collective Data
We generate anonymized, aggregated usage patterns organized by niche. This collective data contains no individually identifiable information and is used to improve our AI models and provide benchmarking insights.
3. How We Use Your Information
We use the information we collect for the following purposes:
- Service delivery: To provide, maintain, and improve the YOUNIQC platform, including AI content generation, personalized recommendations, and voice features.
- Personalization: To learn your content preferences and generate increasingly relevant ideas, captions, and creative suggestions tailored to your brand.
- Billing & account management: To process payments, manage subscriptions, and enforce usage limits based on your plan.
- Communication: To send transactional emails (receipts, account changes, security alerts) and, with your consent, product updates.
- Safety & moderation: To moderate AI-generated content for safety, detect abuse, and enforce our Terms of Service.
- Service improvement: To analyze anonymized aggregate usage patterns, fix bugs, and develop new features.
- Legal compliance: To comply with applicable laws, regulations, and legal processes.
4. AI Data Processing
YOUNIQC uses multiple third-party AI providers to power its features. When you interact with the Service, certain data may be transmitted to these providers for processing. Below is a detailed breakdown of each provider, the data they receive, and the purpose.
| Provider | Data Shared | Purpose |
|---|---|---|
| Anthropic (Claude) | User prompts, brand context, conversation history | AI content generation, creative ideation, chat with U |
| Google (Gemini) | Image generation prompts | Visual content creation |
| ElevenLabs | Text for speech synthesis, voice audio for transcription | Voice conversations, text-to-speech |
| OpenAI | Text for content moderation, audio for transcription (Whisper) | Content safety moderation, voice transcription |
Important: We do not use your content to train AI models. Your prompts and generated content are processed by these providers solely to deliver the Service to you. Each provider is contractually bound by their respective data processing terms.
You can review each provider's privacy practices at their respective websites. We select AI providers that commit to not using API-submitted data for model training.
5. Data Sharing & Third Parties
We do not sell your personal information. We share data only with the third-party service providers necessary to operate the Service. Each processor receives only the minimum data required for its function.
| Processor | Data Received | Purpose |
|---|---|---|
| Anthropic (Claude) | User prompts, brand context, conversation history | AI content generation |
| Google (Gemini) | Image generation prompts | Visual content creation |
| ElevenLabs | Text, voice audio | Speech synthesis, voice transcription |
| OpenAI | Text, audio recordings | Content moderation, voice transcription (Whisper) |
| Stripe | Name, email, payment method | Billing & payment processing (PCI compliant) |
| Supabase | All application data | Database hosting, authentication, file storage (US-based) |
| Sentry | Error logs, stack traces (no PII) | Error monitoring |
| Upstash | User ID hashes (rate limiting counters only) | Abuse prevention |
We may also disclose your information if required by law, in response to a valid legal process, or to protect the rights, property, or safety of YOUNIQC, our users, or the public.
6. Data Retention
We retain your data for the minimum period necessary to provide the Service and comply with our legal obligations. Specific retention periods are as follows:
| Data Type | Retention Period |
|---|---|
| Account data | Duration of account + 30 days after deletion request |
| Brand data | Duration of account (deleted with account) |
| Content data (Vault) | Duration of account (deleted with account) |
| Chat transcripts | 90 days, then automatically deleted |
| Voice recordings | Not stored — processed in real time and discarded |
| Preference & learning data | Duration of account (deleted with account) |
| Usage & error logs | 90 days |
| Billing records | As required by tax law (typically 7 years), managed by Stripe |
When you request account deletion, we initiate a 30-day processing window during which your data is marked for deletion but remains recoverable in case of accidental requests. After this period, your data is permanently and irreversibly deleted from our systems, except where retention is required by law.
7. Data Security
We implement industry-standard technical and organizational measures to protect your information, including:
- Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher.
- Encryption at rest: Sensitive data fields (including API tokens) are encrypted using AES-256-GCM before storage.
- Password hashing: User passwords are hashed using bcrypt with a cost factor of 12. We never store plaintext passwords.
- Access controls: Strict role-based access controls limit which team members can access user data, with audit logging.
- Rate limiting: Automated rate limiting and abuse detection protect against brute-force attacks and API abuse.
- Error monitoring: We use Sentry for error tracking with PII stripped from error payloads.
While we strive to use commercially acceptable means to protect your personal information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.
8. Your Privacy Rights
Depending on your jurisdiction, you may have specific rights regarding your personal information. We are committed to honoring these rights regardless of where you live, to the extent technically feasible.
8.1 Canada (PIPEDA)
Under the Personal Information Protection and Electronic Documents Act (PIPEDA), you have the right to:
- Access: Request access to the personal information we hold about you. You can view most of your data directly within the Service.
- Correction: Request correction of inaccurate or incomplete information. You can edit your Brand Identity and preferences directly in the app.
- Withdraw consent: Withdraw your consent for data processing at any time by deleting your account.
- Complain: File a complaint with the Office of the Privacy Commissioner of Canada if you believe your rights have been violated.
8.2 European Union (GDPR)
If you are located in the European Economic Area (EEA), you have additional rights under the General Data Protection Regulation (GDPR). Our lawful bases for processing your data are:
- Consent: You provide consent when creating your account and agreeing to this Privacy Policy.
- Contractual necessity: Processing necessary to deliver the Service you have subscribed to.
- Legitimate interest: Service improvement, security monitoring, and abuse prevention.
Your GDPR rights include:
- Right of access: Request a copy of your personal data.
- Right to rectification: Request correction of inaccurate data.
- Right to erasure: Request deletion of your personal data ("right to be forgotten"). Supported via account deletion.
- Right to restrict processing: You can disable the learning system via your account preferences to restrict how we process your usage patterns.
- Right to data portability: Request an export of your data in a machine-readable format. Our data export feature is coming soon via the GET /api/user/export endpoint.
- Right to object: Object to processing based on legitimate interest.
Note: We are in the process of establishing formal Data Processing Agreements (DPAs) with all third-party processors listed in Section 5. Until these are finalized, our data processing relationships are governed by each processor's standard terms of service and data processing addenda.
8.3 California (CCPA/CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to know: You can request information about the categories and specific pieces of personal data we have collected about you.
- Right to delete: You can request deletion of your personal data.
- Right to opt out of sale: We do not sell your personal information. We do not engage in the sale or sharing of personal information as defined by the CCPA/CPRA.
- Right to non-discrimination: We will not discriminate against you for exercising your privacy rights.
8.4 Quebec (Bill 96 / Law 25)
Users in Quebec have additional language rights. Under Bill 96, we are committed to making this Privacy Policy available in French with equal quality and completeness. French-language users in Quebec will be served the French version of this policy by default.
8.5 How to Exercise Your Rights
To exercise any of the rights described above, contact us at privacy@youniqc.com. We will respond to your request within 30 days (or within the timeframe required by applicable law). We may need to verify your identity before processing your request.
9. Cookies & Tracking Technologies
We use a minimal set of cookies, limited to what is strictly necessary for the Service to function:
- Authentication cookies: Supabase session cookies are required to keep you signed in. These are essential cookies and cannot be disabled without losing access to the Service.
- Language preference: A local storage entry records your preferred language (English, Spanish, or French).
What we do not use: We do not currently use any analytics cookies, advertising trackers, or third-party tracking pixels. We do not use Google Analytics, Mixpanel, or any similar analytics platform.
A cookie consent management system is being implemented and will be deployed before any non-essential cookies are introduced.
10. Children's Privacy
YOUNIQC is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children under 16. Age is self-declared at the time of account creation.
If we become aware that we have inadvertently collected personal information from a child under 16, we will take immediate steps to delete that information. If you believe a child under 16 has provided us with personal information, please contact us at privacy@youniqc.com.
11. International Data Transfers
YOUNIQC is operated from Canada. Our primary database is hosted by Supabase on servers located in the United States. Your data may also be processed by our third-party providers in various jurisdictions (including the United States).
If you are accessing the Service from outside the United States or Canada, please be aware that your information will be transferred to, stored, and processed in the United States. By using the Service, you consent to the transfer of your information to the United States.
Note for EU/EEA users: We do not currently maintain EU-specific data residency. We are evaluating appropriate transfer mechanisms (such as Standard Contractual Clauses) to ensure compliance with GDPR cross-border data transfer requirements. We will update this section as these mechanisms are implemented.
12. Data Breach Notification
In the event of a data breach that poses a real risk of significant harm to affected individuals, we will:
- Notify affected users via email as soon as reasonably possible and no later than 72 hours after becoming aware of the breach.
- Notify the Office of the Privacy Commissioner of Canada as required under PIPEDA (within 72 hours).
- Notify the relevant EU supervisory authority within 72 hours as required under GDPR, where applicable.
- Provide details about the nature of the breach, the data affected, the measures taken to address it, and steps you can take to protect yourself.
Transparency note: Our automated breach notification system is currently under development. In the interim, breach notifications will be handled manually by our team in compliance with applicable legal timelines.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes:
- We will update the "Effective Date" at the top of this page.
- We will notify you via email or an in-app notification at least 14 days before the changes take effect.
- For significant changes affecting your rights, we will request renewed consent where required by law.
We encourage you to review this Privacy Policy periodically. Your continued use of the Service after changes become effective constitutes your acceptance of the updated policy.
14. Contact & Data Protection Officer
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, you can reach us at:
For GDPR-related inquiries or to contact our Data Protection Officer, please email privacy@youniqc.com with the subject line "DPO Request."
If you are a Canadian resident and are not satisfied with our response, you may file a complaint with the Office of the Privacy Commissioner of Canada.
If you are an EU/EEA resident, you have the right to lodge a complaint with your local data protection supervisory authority.