Privacy Policy
Last updated on the 29th April 2026
If you're an end user visiting a site protected by yaan, see the End User Privacy notice instead.
For privacy questions or to exercise your data subject rights, email support@yaan.ch.
Introduction
Yaan is built and operated by Zenith Hosting KLG ("we," "us," "our," "yaan"), a company incorporated at Saegebachweg 16a, 3052 Zollikofen, Switzerland.
We're committed to processing personal data securely and respecting the privacy of the individuals concerned. This Privacy Policy describes how we collect, use, share, and protect your personal data when you use our services.
This policy is designed to comply with both:
- The Swiss Federal Act on Data Protection (nFADP / revDSG)
- The EU General Data Protection Regulation (GDPR), Regulation (EU)
Competent Supervisory Authority
The Federal Data Protection and Information Commissioner (FDPIC) is the Swiss supervisory authority responsible for data protection compliance with respect to yaan's activities. For GDPR matters, the competent lead supervisory authority may vary depending on the nature of the processing.
Data Protection Officer
Our Data Protection Officer is:
Luis Staeheli Quednau
Saegebachweg 16a, 3052 Zollikofen, Switzerland
DPO@yaan.ch
Data Processing Agreement
We offer a Data Processing Agreement (DPA) to customers who require one under Art. 28 GDPR. To request a DPA, email support@yaan.ch. When yaan acts as a data processor for customers, the terms of the DPA govern that processing relationship.
1. Scope and Definitions
This policy describes yaan's rules for personal data processing and protection. It applies to Zenith Hosting KLG and all employees and contractors. Management ensures adequate procedures for implementation and monitoring.
Key Definitions
Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed.
Data Controller: The natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data. For data collected through yaan.ch, Zenith Hosting KLG is the data controller.
Data Processor: A natural or legal person which processes personal data on behalf of the data controller.
Data Protection Laws: The Swiss Federal Act on Data Protection (nFADP), the EU General Data Protection Regulation (GDPR), and any other applicable data protection laws.
Data Subject: A natural person whose personal data we process. Data subjects include but are not limited to yaan users, website visitors, employees, contractors, and partners.
Personal Data: Any information relating to an identified or identifiable natural person. An identifiable person is one who can be identified by reference to an identifier such as a name, identification number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.
Processing: Any operation performed on personal data, such as collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, restriction, erasure, or destruction.
Sensitive Personal Data: Special categories of personal data as defined under Art. 9 GDPR and the nFADP, including data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic or biometric data, health data, or data concerning sexual orientation.
Standard Contractual Clauses (SCCs): Standard data protection clauses adopted by the European Commission for the transfer of personal data to processors or controllers established in third countries.
Third Party: A natural or legal person who accesses personal data for further processing and is not an employee, member, or corporate affiliate of yaan.
User: A data subject who uses our services provided on the yaan website, dashboard, or API.
2. Data Processing Principles
Yaan's processing activities follow the data protection principles required by both the nFADP and GDPR. We process personal data in accordance with the following principles:
Lawfulness, Fairness, and Transparency: We always have a legal ground for processing (described in Section 3), collect only data adequate to the purpose, and make sure data subjects are informed about the processing.
Purpose Limitation: Personal data is collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
Data Minimization: We always make sure the data we collect is adequate, relevant, and limited to what is strictly necessary for the purposes for which it is processed.
Accuracy: We maintain accurate and up-to-date data. Data subjects can ask us to correct inaccurate personal data at any time.
Storage Limitation: Personal data is kept in a form permitting identification for no longer than necessary for the processing purposes. Storage periods are defined in Section 8.
Integrity and Confidentiality: Personal data is processed in a manner ensuring appropriate security, including protection against unauthorized or unlawful processing and accidental loss, destruction, or damage, using appropriate technical and organizational measures.
Privacy by Design and by Default: We integrate data protection considerations from the planning phase of any system or process. Default settings are privacy-friendly, minimizing unnecessary data collection and processing.
Accountability: We document our compliance with data protection laws, including maintaining records of processing activities, conducting data protection impact assessments when required, training staff, and implementing technical and organizational measures.
3. Legal Grounds and Purposes
Each processing activity must have one of the lawful grounds specified below. If we do not have a valid legal ground, we cannot collect or process the personal data.
Performance of a Contract
Where we have a contract with the data subject (e.g., our Terms of Service), and the contract requires the provision of personal data, the applicable legal ground is the performance of the contract. This includes:
- Account creation and management
- Providing our bot protection services
- Processing payments and managing subscriptions
- Customer support
Legitimate Interests
We may process personal data based on our legitimate interests, where those interests are not overridden by the data subject's rights and freedoms. Our legitimate interests include:
- Analyzing website traffic and usage patterns to improve our services
- Ensuring the security and integrity of our platform
- Detecting and preventing fraud, abuse, and unauthorized access
- Developing and improving our bot detection technology
- Responding to inquiries and support requests
When relying on legitimate interests, we carefully balance our interests against data subjects' rights and provide an opt-out mechanism where appropriate.
Consent
Where we rely on consent as a legal basis, we obtain clear, freely given, specific, informed, and unambiguous consent before processing. Consent requests are not bundled with other terms, and consent can be withdrawn at any time.
Express consent is required for processing sensitive personal data and for any high-risk profiling activities.
Legal Obligation
We may process personal data to comply with legal obligations under Swiss law, including:
- Tax and accounting requirements (Swiss Code of Obligations Art. 958f)
- Legal proceedings or regulatory requests
Purposes and Legal Bases Summary
| Purpose | Data Categories | Legal Basis |
|---|---|---|
| Account setup and management | Email, name | Contract performance |
| Providing bot protection services | API keys, usage data, verification logs | Contract performance |
| Processing payments and billing | Email, payment method, billing address, transaction data | Contract performance; Legal obligation |
| Customer support | Email, communication content | Contract performance; Legitimate interest |
| Analytics and service improvement | Usage data, technical data (self-hosted, no third-party sharing) | Legitimate interest; Consent (where required) |
| Security and fraud prevention | IP address, access logs, usage patterns | Legitimate interest; Legal obligation |
| Marketing communications (if subscribed) | | Consent |
4. What Data We Collect
Directly From You
- Email address — required for account creation and authentication (magic-link login)
- Support messages — content you send us when contacting support
- Payment information — handled entirely by Stripe; we receive only transaction metadata (last 4 digits, expiry date, billing country)
Automatically Collected
- IP address — hashed and processed for security purposes; not stored in raw form
- Browser and device information — user agent, operating system, screen dimensions
- Usage data — pages visited on yaan.ch, features used in the dashboard, API call timestamps
- Analytics data — page views, referrers, device type, and country-level location (via our self-hosted Umami instance; no cookies, no cross-site tracking)
What We DO NOT Collect
- We do not set cookies on end users visiting sites protected by yaan
- We do not collect or store full credit card numbers
- We do not engage in automated decision-making, including profiling, that produces legal effects or similarly significant effects on data subjects. Automated security decisions (e.g., bot vs. human traffic classification) are operational measures that do not produce such effects.
- We do not sell personal data to third parties
5. Third Parties and Sub-Processors
Before sharing personal data with any person outside yaan, we ensure that the third party provides an adequate level of data protection through appropriate safeguards in accordance with data protection laws, including processor agreements (Art. 28 GDPR) and international transfer compliance.
Our Sub-Processors
We maintain a complete list of sub-processors, which we keep up to date.
Each sub-processor is contractually bound by data processing agreements that meet the requirements of Art. 28 GDPR and equivalent nFADP provisions.
If we are required to delete, change, or stop processing personal data, we ensure that sub-processors with whom we shared the data fulfill these obligations accordingly.
When Yaan Is a Data Processor
When yaan's bot protection code runs on a customer's website, yaan acts as a data processor on behalf of the website operator (the data controller). Processing in this capacity is governed by our End User Privacy notice and is limited to what is strictly necessary to detect and block automated traffic.
6. International Data Transfers
Yaan is based in Switzerland, which the European Commission has recognized as providing an adequate level of data protection (Adequacy Decision 2000/518/EC, renewed in 2024). Personal data transferred from the EU/EEA to Switzerland benefits from this adequacy decision.
When we transfer personal data to countries without an adequacy decision (e.g., the United States for Stripe), we implement appropriate safeguards:
- Standard Contractual Clauses (SCCs) — we use the European Commission's standard contractual clauses for transfers to third countries
- Technical safeguards — data is encrypted in transit and at rest; where possible, data is pseudonymized or anonymized before transfer
- Data Processing Agreements — all international sub-processors are bound by DPAs that meet EU and Swiss standards
For the full list of adequate countries, see the FDPIC's list of adequate jurisdictions.
In the absence of an adequacy decision or standard safeguards, we may transfer personal data only as a last resort, based on compelling legitimate interests or other derogations strictly permitted under applicable law. Explicit consent for such transfers, where relied upon, will be obtained separately with specific information about the risks involved.
7. Your Rights (Data Subject Rights)
Under the nFADP and GDPR, you have the following rights regarding your personal data. To exercise any of these rights, email support@yaan.ch.
We respond to all data subject requests within one month. If more time is needed (e.g., complex requests), we'll inform you and may extend the response period by up to two additional months. We verify your identity before processing any request to protect your data.
Right to Information and Access
You have the right to:
- Know whether we process your personal data
- Obtain details about the purposes of processing, categories of data, recipients, retention periods, and your rights
- Receive a copy of the personal data undergoing processing
Right to Rectification
If your personal data is inaccurate or incomplete, you can request correction or completion. We'll update your data promptly upon verification.
Right to Erasure (Right to Be Forgotten)
You can request deletion of your personal data when:
- The data is no longer necessary for the purposes for which it was collected
- You withdraw consent and there is no other legal ground for processing
- You object to processing and there are no overriding legitimate grounds
- Processing is unlawful
- Erasure is required by law
We may refuse erasure when processing is necessary for:
- Exercising the right of freedom of expression and information
- Compliance with a legal obligation (e.g., tax retention requirements)
- The establishment, exercise, or defense of legal claims
Right to Restriction of Processing
You can request restriction of processing when:
- You contest the accuracy of the data (restriction for a period enabling us to verify accuracy)
- The processing is unlawful and you oppose erasure, requesting restriction instead
- We no longer need the data, but you need it for legal claims
- You have objected to processing pending verification of overriding grounds
During restriction, we only store the data or use it with your consent or for legal claims.
Right to Data Portability
You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit it to another controller, where:
- Processing is based on consent or a contract, AND
- Processing is carried out by automated means
Right to Object
You have the right to object to processing of your personal data based on:
- Legitimate interests — including direct marketing. We'll stop processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms
- Scientific or historical research or statistical purposes — unless the processing is necessary for the performance of a task carried out for reasons of public interest
You can object to direct marketing at any time without providing a reason.
Right to Withdraw Consent
Where processing is based on your consent, you can withdraw it at any time. Withdrawal does not affect the lawfulness of processing before the withdrawal.
Rights Related to Automated Individual Decision-Making
We do not engage in automated decision-making that produces legal effects or similarly significant effects on data subjects.
Right to Lodge a Complaint
If you believe our processing of your personal data violates data protection laws, you have the right to lodge a complaint with:
- Swiss FDPIC: Federal Data Protection and Information Commissioner (for nFADP matters)
- Your local EU supervisory authority: A list is available on the European Data Protection Board website (for GDPR matters)
8. Data Retention
We define clear data storage periods for each processing activity. After storage periods end, data is removed or destroyed completely, including from backups.
| Data Type | Retention Period | Legal Basis |
|---|---|---|
| Account data | Duration of account activity + 30 days after deletion | Contract performance |
| Payment / transaction data | 10 years | Swiss Code of Obligations Art. 958f |
| Support communications | 3 years after last interaction | Legitimate interest |
Exceptions to Retention Periods
- Legal holds: Data subject to litigation or regulatory investigation is retained until the matter is resolved
- Technical impossibility: In rare cases where immediate deletion is technically impossible (e.g., backup systems), data is restricted from further processing and deleted at the earliest opportunity
- Anonymized data: Data fully anonymized (all identifiers irreversibly removed) may be retained indefinitely
9. Security
We implement appropriate technical and organizational security measures to protect personal data against unauthorized access, modification, disclosure, or destruction.
10. Data Breach Response
Upon discovering a data breach, we form a response team to:
- Contain and mitigate the breach
- Assess the risk to data subjects' rights and freedoms
- Notify the relevant supervisory authority within the required timeframe
- Notify affected data subjects when the breach is likely to result in a high risk to their rights and freedoms
- Document the breach and our response
Notification Timeframes
- GDPR (EU): We notify the competent supervisory authority within 72 hours of becoming aware of a breach likely to risk data subjects' rights and freedoms
- nFADP (Switzerland): We notify the FDPIC as soon as possible (generally within 72 hours) when a breach is likely to pose a high risk to data subjects' personality or fundamental rights
Notifications include:
- Nature of the breach, including categories and approximate number of affected data subjects and records
- Name and contact details of our data protection contact point
- Likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate adverse effects
For high-risk breaches, we notify affected data subjects directly without undue delay, providing:
- A description of the breach in clear, plain language
- Recommended steps to mitigate potential adverse effects
- Contact information for further questions
Exceptions to data subject notification may apply when:
- Data was encrypted or otherwise rendered unintelligible
- Subsequent measures ensure the high risk is no longer likely to materialize
- Individual notification would involve disproportionate effort (in which case we'll issue a public communication)
11. Cookies and Tracking
Essential cookies (required for the site to function):
- Authentication / session cookies — expire after 7 days
- Security cookies — used by our CDN (Bunny.net) for DDoS protection
Analytics:
We use a self-hosted instance of Umami for website analytics on yaan.ch. Umami is deployed on our own infrastructure and does not share data with any third party. All analytics data remains under our exclusive control.
Umami collects the following anonymized data when you visit yaan.ch:
- Page views (URL and page title)
- Referrer (the site that linked you to yaan.ch)
- Browser and operating system information
- Device type (desktop, mobile, tablet)
- Country-level location (derived from anonymized IP address — raw IPs are never stored)
Umami does not use cookies, does not track users across sites, and does not build individual user profiles. All collected data is aggregated and used solely to understand how visitors interact with our website so we can improve it.
Payment:
- Stripe: sets cookies required for fraud prevention and payment processing
12. Privacy by Design and Default
We adhere to the principles of Privacy by Design and Privacy by Default as required by both the nFADP and GDPR:
- Data minimization by default: Our systems are configured to collect only the minimum data necessary for each processing purpose. No optional data collection is enabled by default.
- Privacy-first architecture: Bot detection works without cookies, without storing raw IP addresses, and without building user profiles. Browser signals are hashed and discarded within 30 seconds.
- Design-phase privacy review: All new features and processing activities undergo privacy review before implementation.
- Default security settings: Encryption, access controls, and data retention limits are enabled by default, not as opt-in features.
13. Record of Processing Activities
Yaan maintains a record of processing activities as required by Art. 30 GDPR and the nFADP. This record includes:
- Name and contact details of the data controller (Zenith Hosting KLG)
- Purposes of each processing activity
- Categories of data subjects and personal data
- Categories of recipients
- Data retention periods for each category
- General description of technical and organizational security measures
- International transfer safeguards, where applicable
The record is maintained by our data protection contact point and is available to supervisory authorities upon request.
14. Children's Privacy
We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately at support@yaan.ch. We will take steps to delete such information promptly. Side Note: If your kid decides to use yaan under 16, make sure they can pursue this hobby. SWEs make more than doctors :) (Written before the AI takeover)
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons.
For material changes affecting how we collect, use, store, or share your personal information:
- We will provide at least 30 days' advance notice via email to registered users and a prominent notice on our website
- We will clearly explain what changes are being made and how they may affect you
- Your continued use of the service after the notice period constitutes acceptance of the changes
- If you do not agree with the changes, you may terminate your account before they take effect
Minor, non-material updates (e.g., wording clarifications, updated contact details) may be made without advance notice. The date at the top of this page indicates when this policy was last revised.
Previous versions of this Privacy Policy are available upon request by emailing support@yaan.ch.
Questions?
If you have any questions or concerns about yaan's privacy policy or data protection practices, please don't hesitate to reach out.
Send an email to support@yaan.ch.