Privacy Policy

Yoonle (the “Service”, “we”, “us”, “our”) is operated by Yoonle AI. This Privacy Policy describes how we handle personal data when you visit yoonle.com or use the application at app.yoonle.com.

For privacy questions, contact us at support@yoonle.com. For data-protection requests specifically, you may also write to privacy@yoonle.com.

We collect data in three categories.

2.1 Data you give us directly

• Account data— email address, display name, locale preference, and (if you sign up via Google) the public profile fields Google returns: name, profile picture URL, and Google account ID.
• Trail content— the topics you ask the AI to teach you, the audience and duration you specify, your goals, and (on the Pro plan) the files you upload as study materials.
• Progress data— modules you complete, quiz answers, exercise submissions, XP earned, current streak, achievements unlocked.
• Billing data (Pro plan only)— we do not store your payment card. Card data is handled by our payment processor Stripe; we receive only a subscription identifier, plan tier, billing cycle, and current status.
• Support correspondence— the content of any emails you send us.

2.2 Data we collect automatically

• Authentication tokens stored in HTTP-only cookies on.yoonle.com so we can keep you signed in.
• Telemetry essential to the product: which paywalls you saw, which trails you created, anonymous error reports. We do not use third-party ad-tracking or behavioural-advertising cookies.
• Server logs retained for up to 30 days containing IP address, user-agent, and request path. Used for security investigations and debugging.

2.3 Data we do NOT collect

• We do not collect or store payment-card details.
• We do not use third-party advertising or analytics SDKs that profile you across the web (no Google Analytics, no Facebook Pixel, no LinkedIn Insight Tag).
• We do not access your contacts, calendar, microphone, or camera.

We use your data only for the purposes listed below, and only when we have a lawful basis.

We do not use your trail content, materials, or progress data to market other products to you. We do not profile you for behavioural advertising.

Generating a trail involves sending the topic, audience, duration, and any materials you upload to a Large Language Model (“LLM”) running on Microsoft Azure AI Foundry in EU data centres.

• No model training on your data. Per our Azure agreement, your inputs and outputs are not used by Microsoft, OpenAI, or any third party to train or improve models.
• Transient processing. Azure may briefly retain your prompts for abuse monitoring (up to 30 days, EU region). After that, content is discarded by Azure. We retain the generated trail in our database so you can resume learning.
• Your prompts and materials are tied to your account. Other users cannot see your trail content or uploaded materials.
• Quality evaluation. We may sample anonymised, aggregated metadata about generation runs (token counts, latency, error rates) to improve quality. We do not read your trail content for this purpose.

We use the following sub-processors. Each is contractually bound to handle your data only on our behalf and to apply security safeguards equivalent to ours.

Where a sub-processor operates outside the EEA, transfers are protected by Standard Contractual Clauses (SCCs) and supplementary measures consistent with the EDPB’s post-Schrems II guidance. The current sub-processor list will be kept up to date on this page.

• Account data— for as long as your account is active. After account deletion, we permanently erase it within 30 days (with a 90-day backup-rotation grace period).
• Trails & progress— same as account data; deleted with the account.
• Billing records— retained for 7 years to comply with tax law.
• Server logs— up to 30 days, then auto-deleted.
• Support emails— up to 2 years, then auto-deleted.

If you live in the EEA, the UK, or Switzerland, GDPR gives you the following rights. Even outside those regions, we honour these rights for all users as a matter of policy.

• Access— ask for a copy of the data we hold about you.
• Rectification— correct inaccurate data.
• Erasure (“right to be forgotten”)— ask us to delete your account and associated data.
• Portability— receive your trail data in a structured, machine-readable format (JSON).
• Restriction & objection— ask us to pause certain processing or object to processing based on legitimate interest.
• Withdraw consent— where processing relies on consent, you can withdraw it at any time without affecting prior processing.
• Lodge a complaint with your local supervisory authority. EU users can find theirs at the EDPB members page.

How to exercise your rights: email privacy@yoonle.com from the address on your account. We respond within 30 days as required by GDPR Art. 12(3).

California residents (CCPA/CPRA):you have rights to know what we collect, to delete it, to correct it, and to opt out of any “sale” or “sharing” of personal information. We do not sell or share personal information for cross-context behavioural advertising. Submit requests to the same address above.

We use a small number of cookies and browser-storage entries, all strictly necessary or functional. Under the EU ePrivacy Directive (Article 5(3)), localStorage and cookies are treated the same way; both are listed below for transparency.

We do not use any third-party advertising or analytics cookies. Because all cookies we set are strictly necessary or functional, no consent banner is shown under EU ePrivacy rules.

Your data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Database access is restricted by Postgres Row Level Security so each user can only read their own rows. We use OAuth and one-time email codes for authentication; we never store passwords. Internal access to production data is limited to a small number of employees, audit-logged, and used only to investigate user-reported issues with the user’s consent.

No system is perfectly secure. If you notice anything suspicious about your account or believe there has been a security incident, please email security@yoonle.com immediately. We commit to notifying affected users within 72 hours of becoming aware of a personal-data breach, in line with GDPR Art. 33.

Yoonle is intended for users aged 16 and over. We do not knowingly collect personal data from anyone under 16. If you become aware that a child has provided us personal data without parental consent, please contact us so we can delete it.

We may update this Privacy Policy from time to time. When we do, we update the “Last updated” date at the top of the page. For material changes that affect your rights, we will notify you by email at least 30 days before they take effect.

For any questions about this policy or our handling of your data, contact us at privacy@yoonle.com. For general support, use support@yoonle.com.