Privacy policy

Last updated: 21 May 2026

The identification details of the data controller are provisional. They must be replaced with the actual details of the responsible entity before operating with real traffic.

This policy explains how Yireia.chat (hereinafter "Yireia") processes the personal data of people using the service. Processing is governed by Regulation (EU) 2016/679 (GDPR) and Spanish Organic Law 3/2018 (LOPDGDD).

1. Data controller

The controller of your personal data is the entity identified below. If you need to contact us about any data protection matter, you can do so in writing at the address provided.

  • Legal name: [LEGAL NAME]
  • Tax ID: [TAX ID]
  • Registered office: [POSTAL ADDRESS]
  • Privacy contact: soporte@yireia.chat

2. Data we collect

We only collect data strictly necessary to operate the service:

  • Email and password (stored as a non-reversible hash), required to create the account and authenticate access.
  • Self-declared date of birth, used exclusively to verify that you are at least 18 years old. It is not displayed on your profile and is not shared with third parties.
  • Preferred language and any optional profile information you choose to provide.
  • Operational logs: IP address, browser user agent, session identifiers and timestamps of actions performed in the companion.
  • Textual content of your chat with the companion.
  • If you subscribe to a paid plan, we store the customer identifier returned by the payment provider and the status of your subscription. Yireia NEVER stores bank or credit card details; those are handled directly by the payment provider.

3. Purposes and legal bases of processing

We process your personal data for the following purposes, on the legal bases of Article 6 GDPR:

  • Service provision (account, authentication, chat, conversation persistence) — performance of the contract.
  • Verification of legal age — compliance with a legal obligation applicable to the controller (Directive (EU) 2018/1808 on audiovisual media services).
  • Billing, subscription management and accounting obligations — performance of the contract and compliance with legal obligations.
  • Platform security, fraud and abuse prevention, and incident diagnostics — legitimate interest of the controller.
  • Operational communications strictly necessary for the service (security notices, contractual changes, password recovery) — performance of the contract.
  • We do not carry out automated individual decisions producing significant legal effects within the meaning of Article 22 GDPR, nor profiling for marketing purposes.

4. Recipients and processors

To operate Yireia we rely on the following technology providers, which act as processors under a contract pursuant to Article 28 GDPR:

  • Supabase Inc. (United States) — database, authentication and asset storage.
  • Railway Corp. (United States) — application hosting and frontend delivery.
  • Language model inference provider (presumably RunPod Inc., United States) — execution of the language models that generate the companion's responses, with no content retention by default.
  • CDN and anti-DDoS protection provider (presumably Cloudflare Inc., United States).
  • Adult-content-friendly payment provider (to be determined).
  • We do not sell, transfer or share your personal data with third parties for marketing, targeted advertising or commercial profiling purposes.

5. International data transfers

Some of the processors listed above are established outside the European Economic Area (mainly in the United States). Transfers are carried out under the standard contractual clauses approved by the European Commission (Implementing Decision (EU) 2021/914) and, where applicable, under the EU-U.S. Data Privacy Framework.

You can request a copy of the specific safeguards applicable to each transfer by writing to soporte@yireia.chat.

6. Retention periods

We retain your personal data for the following periods:

  • Account data (email, profile, date of birth, subscription status): for as long as the account remains active. After deletion, a 30-day grace period applies for potential recovery, after which the data is permanently deleted or irreversibly anonymised.
  • Operational logs and chat content: at most 180 days from generation, except where retention is justified by legal obligation or a documented abuse investigation.
  • Accounting and billing data: for the period required by applicable tax law (in Spain, up to 6 years from issuance of the document, under the Commercial Code).
  • Data subject to legal retention obligations: for the period required by the relevant regulation.

7. Your rights

As a data subject, you are entitled to the following rights over your personal data (Articles 15 to 22 GDPR):

  • Access to the personal data we process about you.
  • Rectification of inaccurate or incomplete data.
  • Erasure ("right to be forgotten"), under Article 17 GDPR.
  • Restriction of processing in the cases provided by law.
  • Portability of data in a structured, commonly used format.
  • Objection to processing based on the controller's legitimate interest.
  • Withdrawal of consent at any time, without affecting the lawfulness of processing based on consent prior to its withdrawal.
  • Not to be subject to automated individual decisions with significant legal effects.

8. How to exercise your rights

To exercise any of the rights above, write to soporte@yireia.chat indicating the right you are exercising and providing reasonable information that allows us to verify your identity and prevent unauthorised access to your data. We will respond without undue delay and, in any case, within one month of receipt, extendable by two further months when complexity or the number of requests justifies it, under Article 12.3 GDPR.

If you believe that your rights have not been properly handled, you have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD), at C/ Jorge Juan 6, 28001 Madrid, accessible at www.aepd.es, or with the supervisory authority competent in your country of residence.

9. Data security

We apply appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, alteration or destruction: encryption in transit (TLS) and at rest, role-based access control at row level (RLS) in the database, separation of development and production environments, audit logs and regular security reviews.

In the event of a security breach that may pose a risk to your rights and freedoms, we will notify the AEPD within a maximum of 72 hours from becoming aware of it (Article 33 GDPR) and, where appropriate, we will inform you directly as soon as reasonably possible (Article 34 GDPR).

10. Cookies and similar technologies

Yireia uses only strictly necessary cookies and local storage required for the operation of the service: keeping your session signed in (Supabase Auth) and remembering the age verification state. These technologies are exempt from prior consent under Article 22.2 of Spanish Law 34/2002 (LSSI-CE), as they are strictly necessary to provide a service expressly requested by the user.

We do not use analytics cookies, advertising cookies, or third-party tracking or profiling cookies. Should this change in the future, we will publish an update to this policy with adequate prior notice and, where required, we will request your prior consent through a cookie configuration panel before activating any non-exempt technologies.

11. Adult content and age verification

Yireia is a service exclusively for people aged 18 or over and contains explicit content intended for adult audiences. Before granting access to the service we ask for your date of birth and block access if you declare to be under 18, in compliance with Article 6a of Directive (EU) 2018/1808.

The date of birth is self-declared and is stored solely to compute and record the age verification status. This verification meets the general requirements of the AVMSD within the European Union, but does NOT replace the reinforced identity verification requirements imposed by some jurisdictions (for example, the United Kingdom under the Online Safety Act 2023, or certain U.S. states). For that reason, the service applies geographical restrictions in those jurisdictions.

12. Changes to this policy

We may update this policy to reflect legal, technical or service changes. The date of the latest revision appears at the top of the document. Where changes substantially affect your rights or the processing of your data, we will notify you prominently with reasonable advance notice before they take effect.