Legal
Privacy Policy
Last updated July 2026
This policy explains what personal data yothere processes, why, and the rights you have under the EU General Data Protection Regulation (GDPR / DSGVO). yothere is an invite-only beta; this policy will be updated as the product matures.
1. Controller
The controllers responsible for data processing are Philipp Wenger Lebron and Oscar Sanchez (see the Impressum for contact details). For any privacy request, contact[email protected].
2. Scope
This policy covers two surfaces:
- The marketing site at
yothere.ai(this website). - The hosted app at
app.yothere.ai, the control plane for your agent fleet.
3. Data we process on the marketing site
- Waitlist / access requests. If you submit the waitlist form, we store the email address you provide, your optional note, and, where present, session attribution (campaign/UTM parameters and the referring page) in Cloudflare Workers KV, solely to contact you about beta access and to understand how people find yothere. We do not use it for unrelated marketing.
- Server logs. Our host (Cloudflare Pages) processes standard request metadata (IP address, user agent, timestamp) transiently to serve the site and prevent abuse.
- Privacy-preserving analytics. We measure page views and a small set of explicit interactions (for example, submitting the waitlist form) with PostHog, hosted in the EU (Frankfurt) and configured cookieless: no cookies, no persistent identifiers, no session recording, and the client IP address is discarded. To understand where visitors come from, we keep campaign (UTM) parameters and the referring page in your browser's sessionStorage for the current session only; it is deleted when you close the tab. We use no advertising cookies and no cross-site trackers.
4. Data we process in the app
- Account. Your email, an invite code, and a password stored only as a cryptographic hash (never in plaintext).
- Task data. The instructions you dispatch and their results. The AI compute runs on your own machine, with your own model credentials; our control plane stores your thread and task state so you can see your fleet.
- Device pairing. Tokens that link your laptop to your account, stored as hashes.
- Voice. When you use voice, audio is processed in real time to run the conversation. We store call metadata and, where enabled, transcripts so you can review them in the cockpit. Voice uses Google Gemini via short-lived tokens minted per call; cross-network audio may be routed through a Cloudflare TURN relay.
5. Legal bases (Art. 6 GDPR)
- Performance of a contract (Art. 6(1)(b)): to provide the app and its features to you.
- Consent (Art. 6(1)(a)): for the waitlist; you can withdraw it at any time.
- Legitimate interests (Art. 6(1)(f)): security, abuse prevention, keeping the service running, and understanding aggregate site usage through privacy-preserving analytics.
6. Processors and sub-processors
We share data only with the providers needed to run the service:
- Cloudflare. Website hosting, CDN, the waitlist store, and the voice TURN relay.
- Fly.io. Hosting for the app control plane and its database (EU region, Amsterdam).
- Google. The Gemini model that powers voice conversations.
- PostHog (EU). Cookieless website and product analytics, hosted in Frankfurt.
- Resend. Transactional email (for example, sign-up confirmation, password reset, and invites).
- Backblaze B2. Encrypted off-site backups of app data.
Your task compute runs on your own machine via Claude Code (Anthropic); we do not send your task contents to a model of our own.
7. International transfers
Some processors (e.g. Google, Resend) may process data outside the EU/EEA. Where that happens, transfers are covered by the EU Standard Contractual Clauses or an equivalent safeguard.
8. Retention
We keep app data while your account is active and delete it on request. Waitlist emails are kept until the beta ends or you ask us to remove them.
9. Your rights
You have the right to access, rectify, erase, restrict, and port your data, to object to processing, and to withdraw consent at any time. You may also lodge a complaint with a data protection supervisory authority. To exercise any right, email[email protected].