Privacy Policy

Last updated: March 19, 2026

1. Who We Are

YEDANYAGAMI ("we", "us") provides AI-powered financial governance tools and MCP server APIs.
Representative: CHEN CHIH TENG
Address: No. 2-4-1, Jiujie Rd., Dali Dist., Taichung City, Taiwan (R.O.C.)
Phone: +886-987-750-904
Contact: yedanyagamiai@gmail.com

2. Data We Collect

Account data: Email address, API tokens (hashed).
Usage data: API call logs, capability usage, error rates.
Financial data: Case metadata, payment intents (processed by Stripe — we do not store card numbers).
Audit data: Five-layer audit events (Identity/Input/Reasoning/Action/Outcome) with SHA256 hash chain.

3. How We Use Data

• Provide and improve our services
• Process payments via Stripe
• Maintain immutable audit trails for compliance
• Detect and prevent abuse, fraud, and injection attacks
• Communicate service updates

4. Data Retention

Audit events: Minimum 180 days (EU AI Act), maximum 7 years (SOX compliance).
Chainlog (hash chain): 180 days minimum, immutable — cannot be deleted within retention period.
Case data: 1-7 years depending on case type.
Account data: Retained until account deletion, then purged within 30 days (except legally required records).

5. Data Security

We implement multiple security layers:

• TLS encryption in transit
• Timing-safe token comparison (anti-timing-attack)
• OAuth 2.1 + PKCE authentication (via Scalekit)
• 37-pattern injection blocklist (OWASP ASI06 aligned)
• L1-L5 trust level stamping on all knowledge graph entities
• Sensitivity classification with automatic redaction for L4/L5 data

6. Third-Party Services

Stripe: Payment processing. Subject to Stripe's Privacy Policy.
Cloudflare: CDN and edge computing. Subject to Cloudflare's Privacy Policy.
Scalekit: OAuth 2.1 authentication. Subject to Scalekit's Privacy Policy.

7. Your Rights

You have the right to:

• Access your personal data
• Request correction of inaccurate data
• Request deletion of your account and associated data
• Export your audit data (JSONL format via audit_export capability)
• Object to processing for direct marketing

To exercise these rights, contact yedanyagamiai@gmail.com.

8. Cookies

Our website uses only essential cookies for session management. We do not use tracking cookies or third-party analytics.

9. Changes

We may update this policy. Material changes will be communicated via email. The "last updated" date at the top reflects the most recent revision.