Privacy Policy

Yerba provides a hosted chat experience that creators use in place of a traditional link-in-bio. A creator configures a page that responds to visitors in the creator's voice and surfaces the creator's links, offers, and content destinations within the conversation. The legal entity that operates Yerba and is responsible for the information described here (the "controller" for data-protection purposes) is identified in Section 15.

This Policy covers two groups. "Creators" are the people who register accounts and operate Yerba pages. "Visitors" are the people who view or chat with a creator's page. Where a practice applies to only one group, we say so; otherwise it applies to both.

Yerba is an adults-only service. We host the conversational layer and the analytics around it, not the destination content. The explicit or other content that may live on a creator's own destinations is hosted and governed by those destinations and their own policies, not by Yerba and not by this Policy. We describe the service this way for accuracy, not to disclaim the adult-oriented nature of the audiences many creators serve, and our age requirement in Section 12 is a real control, not a formality.

Account information. When a creator registers, we collect information needed to create and maintain the account, such as a username or handle, an email address, authentication credentials, and any profile details the creator chooses to provide (for example, a display name, photo, or bio). We also collect billing-related details necessary to manage a paid plan; full payment card data is handled directly by our payment processor and is never stored by us.

Page content. We collect and store the content a creator supplies to build and run a page: the creator's voice and persona settings, links and destinations, descriptions, uploaded reference material, and any documents or knowledge a creator adds to inform how the page answers questions. Conversations on a page, including messages exchanged between visitors and the page, are processed and may be stored to operate, secure, and support the service. As described in Section 7, conversation content is sent to third-party AI infrastructure and model providers so that a reply can be generated, which means a visitor's chat messages leave our systems and are processed by those outside providers.

Visitor analytics and signals. When a visitor interacts with a page, we collect technical and behavioral information described here in general terms: device and connection signals, which we hash or truncate to reduce their identifiability, used to recognize returning visitors and to detect automated traffic; approximate, coarse location derived from network information (not precise GPS); click, view, and engagement events; and conversation metadata such as timestamps, message counts, session length, referral source, and which links or offers were surfaced or followed. We favor pseudonymized and aggregated signals over directly identifying details. We are candid that hashing or truncation reduces, but does not eliminate, the identifiability of these signals: a hashed device or network identifier can still be linked back to a visitor, so we continue to treat such signals as personal information.

Log and device information. We collect standard log and diagnostic information generated when you use the service, including request data, error reports, browser and device characteristics, and cookie or similar-technology identifiers used for sessions, preferences, security, and measurement.

Information from third parties. If a creator connects an external destination or service, or if a payment, infrastructure, or model provider returns status information to us, we may receive related information necessary to operate that connection.

To provide the service: to create and authenticate accounts, render creator pages, power conversational responses in the creator's voice, surface and route links, and maintain sessions.

To operate analytics and reporting: to give creators insight into visitor activity, engagement, click-to-conversion behavior, conversation patterns, and the share of automated versus genuine traffic, and to produce the dashboards and summaries that are part of the product, including the accurate, real-click counts used to bill fairly.

To secure and protect the service: to detect, investigate, and deflect bots, scraping, fraud, abuse, and other harmful or unauthorized activity, and to enforce our terms. Some of this protection is automated, as described in Section 8.

To improve and develop the service: to debug, measure performance, and build new and improved features. This purpose does not include training AI models on creator or visitor content. As stated in Section 7, we do not use the content of creator pages, visitor conversations, or visitor messages to train, fine-tune, or otherwise develop AI models, whether our own or a provider's.

To communicate: to send account, transactional, security, and service messages, and, where permitted, product updates.

To meet legal and compliance obligations: to satisfy applicable law, respond to lawful requests, and establish, exercise, or defend legal claims.

We process information using automated systems, including third-party AI infrastructure and model providers, to generate conversational responses and to analyze engagement. The legal bases on which we rely for these uses are set out in Section 11.

We do not sell or share your personal information, or your visitors' personal information, as those terms are defined under the California Consumer Privacy Act and similar laws. We do not disclose personal information to third parties for money or other valuable consideration, and we do not share it for cross-context behavioral advertising. We do not build advertising profiles and we do not use advertising cookies. To make this enforceable rather than a slogan, we honor the opt-out mechanisms described in Section 11, including recognized browser opt-out signals.

Service providers and processors. We share information with third-party processors that operate parts of our infrastructure strictly to provide the service on our behalf and under our written instructions. We describe these providers generically and intentionally: our database provider, third-party infrastructure and model providers (including the AI infrastructure and model providers that generate conversational replies), and providers that support payment, communications, security, and measurement. These providers may process information only as needed to perform their functions for us. We bind them by contract to protect the information and not to use it for their own purposes, and we will identify the specific categories of sub-processors, or name them, on request through the contact channel in Section 15.

Aggregated and de-identified information. We may create and use aggregated or de-identified information that does not identify, and cannot reasonably be linked to, any individual creator or visitor (for example, total counts, rates, and trends). Where we treat information as de-identified, we take reasonable measures to ensure it cannot be re-associated with a person, we publicly commit not to attempt to re-identify it except to test that de-identification, and we contractually require any recipient to make the same commitment. Pseudonymized or merely hashed signals are not de-identified for this purpose and remain personal information. We do not characterize this practice as a license to monetize personal information. If in the future we offer any product that surfaces market-level or category-level insight, any use of personal information for that purpose beyond what is described in this Policy will be introduced under a separate, clearly labeled, opt-in notice with its own consent, and will not be enabled by this Policy or by continued use of the service.

Business transfers. If Yerba is involved in a merger, acquisition, financing, reorganization, or sale of assets, information may be transferred as part of that transaction, subject to this Policy or a successor policy that provides equivalent protection.

Legal and safety. We may disclose information when we believe in good faith that disclosure is required by law or legal process, or is reasonably necessary to protect the rights, property, or safety of Yerba, our creators, visitors, or the public.

With direction or consent. We share information at a creator's direction, or with your consent, including when a creator connects an external destination or chooses to make information public.

We use cookies and similar technologies for essential functions (such as keeping you signed in and securing the service), for preferences, and for analytics and measurement, including counting unique real click-throughs so you can see how your page performs. We keep non-essential cookies to a minimum and do not run advertising cookies.

Essential technologies are necessary for the service to work and are used on that basis. For non-essential analytics and measurement technologies, and where the law requires opt-in consent (including in the EU, the UK, and similar jurisdictions), we ask for your affirmative, specific consent before setting or reading them, and we do not treat continued browsing or the mere presence of a banner as consent for those categories. You may decline, and you may withdraw consent at any time, through our consent control or your browser settings.

You can adjust browser controls to limit certain technologies, and some features may not function correctly if essential technologies are blocked. We recognize browser-based opt-out signals, including Global Privacy Control, as a valid request to opt out where applicable law gives them that effect.

Yerba is built on top of services operated by third parties. We rely on our database provider to store account and operational data, on third-party infrastructure and model providers to host the application and to generate conversational replies, and on additional providers for payments, communications, security, and measurement.

We describe these providers generically in the body of this Policy rather than as a fixed list, because the specific providers can change. We select providers using reasonable diligence and engage them by contract to handle information consistently with this Policy and applicable law, including obligations not to use the information for their own purposes. Because some readers and some regulators reasonably expect to know who processes their information, we maintain an up-to-date, identifiable record of our sub-processors and the general categories they fall into, and we will provide it on request through the contact channel in Section 15. Those providers remain responsible for their own systems, and their handling of information is also governed by their own terms.

To generate a reply in a creator's voice, we transmit the relevant conversation content (which can include the visitor's messages and the creator's persona and reference material) to third-party AI infrastructure and model providers. This processing chain can involve more than one provider, such as a gateway or routing layer and a separate model host, which may operate in different countries. We send this content only to produce the reply and to operate, secure, and support the service.

We do not use the content of creator pages, visitor conversations, or visitor messages to train, fine-tune, or otherwise develop AI models, whether our own or a provider's, and we instruct our AI providers not to use that content to train their models. This commitment is intentional and is not overridden by the "improve and develop" purpose in Section 3.

Conversational replies are produced by automated systems and may be imperfect or inaccurate. Creators are responsible for the persona and material they configure, and visitors should not treat a reply as a statement of fact verified by Yerba.

To protect creators and the integrity of analytics and billing, we use automated methods to distinguish genuine visitors from bots, scrapers, and other automated or abusive traffic. These methods evaluate signals such as the hashed or truncated device and connection signals and request characteristics described in Section 2, and they can run an invisible check that assesses a device without requiring any visible challenge.

Where this assessment indicates automated or abusive traffic, it can result in an automated decision that limits or blocks access to a link or to the page, without a person reviewing each decision. If you believe a decision wrongly affected you, you can contact us using the details in Section 15 to ask us to review it and to explain or reconsider the outcome, to the extent applicable law gives you that right.

We take the protection of information seriously and use reasonable administrative, technical, and organizational measures designed to protect information against unauthorized access, loss, misuse, and alteration. These measures include access controls, encryption of data in transit and, where supported by our providers, encryption of data at rest, the hashing or truncation of certain visitor signals to reduce their identifiability, and monitoring for abuse. We describe these measures honestly: hashing or truncation reduces identifiability but does not render a signal anonymous, and we do not claim to hold any particular security certification.

No method of transmission or storage is perfectly secure. While we work in good faith to protect your information, we cannot and do not guarantee absolute security, and you provide information at your own risk.

If we become aware of a security incident affecting personal information, we will investigate, take reasonable steps to mitigate it, and notify affected users and the relevant authorities where and within the timeframes that applicable law requires, including, where the law so provides, notifying the appropriate supervisory authority without undue delay.

Yerba links to and interoperates with destinations and platforms that we do not control. Those third parties set their own rules and may restrict, suspend, ban, remove, or refuse traffic, links, accounts, or content at their discretion.

We are not responsible or liable for the actions of those third parties, including any decision by an external platform to limit, deactivate, ban, or remove a creator, a link, a destination, or related access, and no such decision gives rise to liability on our part. Creators are responsible for complying with the rules of the destinations they connect.

Legal bases (EEA/UK and similar regimes). Where data-protection law requires a legal basis, we rely on: performance of our contract with you, to create accounts, run pages, and generate replies; our legitimate interests, to secure the service, deflect bots, prevent abuse, produce product analytics, and improve features, balanced against your rights; your consent, for non-essential cookies and any optional processing, which you may withdraw at any time; and compliance with legal obligations, where the law requires us to process information.

Your rights. Depending on where you live, you may have rights to know what we collect, to access a copy, to correct, delete, port, or restrict processing, to object to certain processing, to withdraw consent, and to opt out of any "sale" or "sharing" of personal information (we do not sell or share it, as stated in Section 4). You also have the right to lodge a complaint with your local data protection authority or, in the United States, the relevant Attorney General. We will not discriminate or retaliate against you for exercising any of these rights, and our plan pricing does not condition service on giving up a privacy right.

CCPA categories. In the past twelve months we have collected the following categories of personal information: identifiers (such as handle, email, and online and device identifiers); commercial information (such as plan and billing-related details); internet or network activity (such as click, view, engagement, and conversation metadata); approximate (coarse) geolocation; and the content creators and visitors provide. We collect these for the business purposes described in Section 3 and disclose them only to the service providers described in Section 4. We do not sell or share these categories.

How to exercise rights, and our response time. You can make a request, or ask a question, by emailing the privacy contact in Section 15, and creators can also access, edit, export, or delete much of their information, and close their account, directly in the product. These are our designated request methods, which is appropriate for an online service. We may need to verify your identity, typically by confirming control of the account email or details associated with the relevant activity, before we act. We will respond within the time your local law allows, generally within 45 days under United States state laws (extendable where permitted) and within one month under EEA/UK law (extendable for complex requests). You may use an authorized agent where the law permits.

Cookie and communication choices. You can manage cookie and analytics choices through the consent control and your browser settings described in Section 5, including recognized opt-out signals, and you can opt out of non-essential communications by following the instructions in those messages.

Yerba is intended only for adults. You must be at least 18 years old, or the age of majority in your jurisdiction if higher, to create an account or use the service. Creators represent that they are adults and that the audiences and destinations they operate are run consistently with that requirement.

Because we are an adults-only service, age is not treated as a formality. At sign-up we require an affirmative attestation of adult age as a condition of creating an account, we may decline or close accounts that we have reason to believe are operated by minors, and we reserve the right to apply additional verification where we deem it appropriate or where the law requires it. We do not knowingly collect information from anyone under 18. If we learn that an account belongs to, or that we have collected information from, a person under 18, we will close the account and take reasonable steps to delete the information. If you believe a minor has provided us information, please contact us using the details in Section 15.

We retain information for as long as it is needed to provide the service, maintain accounts, operate analytics, secure the platform, and comply with our legal obligations. Retention periods vary by the type of information and the purpose for which it is held.

Account and page content is generally retained while an account is active and for a reasonable period afterward. Visitor analytics, conversation metadata, and security-related signals are retained for the periods needed for accurate reporting, fair billing, and abuse prevention. We may retain genuinely de-identified information, which no longer reasonably identifies a person, for as long as it remains non-identifying; pseudonymized or hashed signals are not treated this way and are retained only as personal information under the periods above. When personal information is no longer needed, we take reasonable steps to delete, de-identify, or restrict it, subject to legal and operational requirements and to backups that age out on a routine cycle.

Yerba operates with infrastructure and providers that may be located in multiple countries, and Yerba itself is operated from the United States. As a result, your information may be processed and stored in countries other than the one in which you live, and those countries may have data protection laws that differ from yours. As noted in Section 7, generating a reply can involve providers in more than one country.

Where we transfer personal information across borders, we take steps intended to keep it protected consistently with this Policy and applicable law, which may include relying on recognized transfer mechanisms or other appropriate safeguards. Information about the safeguards we use is available on request through the contact in Section 15. By using the service, you understand that your information may be transferred and processed in this way.

We may update this Policy from time to time to reflect changes in our practices, technology, or legal requirements, and we will revise the effective date when we do. For routine changes, posting the updated Policy is sufficient. For material changes, in particular any expansion of how we use or share personal information, we will provide advance notice through the service or by email and, where the change requires it or the law so demands, we will obtain your fresh, affirmative consent before the new use applies to you rather than relying on continued use alone.

This Policy is published with an effective date of June 16, 2026. Yerba is operated by the legal entity identified on our website's legal or contact page, which is the controller responsible for your information and the point of contact for any required representative.

If you have questions, requests, or concerns about this Policy or your information, you can reach us at support@yerba.chat, the designated channel for the privacy requests described in Section 11. For general inquiries, you can also reach us at hello@yerba.chat.