§ Privacy
What Yelt sees, stores, and never touches.
Last updated · 2026-05-04
This is the contract for what Yelt does with your data. If anything below is unclear, email legal@yelt.ai.
What we collect
- Account data. Email, username, OAuth subject id from your sign-in provider (Google or GitHub), org membership and role.
- Policy authoring. The plain-English sentences you type, the parsed IR, version history.
- Audit metadata. Each agent action's type, decision outcome, fired policies, evidence-chain references, timestamp, hash-chain links, redacted parameter set.
- Operational telemetry. Error reports (Sentry), product analytics (PostHog), webhook delivery state.
What we don't store
- Raw tool-call payloads. Yelt's gateway sees them in flight to evaluate against policy; only redacted metadata is persisted to the audit ledger.
- Customer PII inside agent outputs. The PII-block policy is on by default — outbound messages with PII get redacted before logging.
- Wallet keys, OAuth bearer tokens, or any signing material. We don't hold authentication credentials for downstream systems; the agent host does.
- Anything we don't need. If you can't see why we'd need a field, we don't collect it.
Subprocessors
We use the following third parties to operate Yelt. Each is contractually bound to handle your data per this policy.
- Supabase (US) — Postgres, authentication, file storage. Audit ledger lives here.
- Vercel (US) — application hosting and edge compute for the dashboard, marketing site, and API.
- Stripe (US) — subscription billing. We never see card numbers.
- Resend (US) — transactional email (invitations, digests, magic links).
- Anthropic (US) — large language model used for policy compilation and weekly digest generation. Only the policy text and the audit metadata used to generate digests are sent. Customer financial data does not leave Yelt's environment to Anthropic.
- Sentry (US) — error tracking. Stack traces only; no customer payload is captured.
- PostHog (EU/US dual-region) — product analytics on the marketing and dashboard surfaces. Customer-data tables are not sent to PostHog.
The audit ledger
Yelt's audit ledger is the most sensitive store we run. Three properties hold:
- Append-only. Postgres triggers reject UPDATE and DELETE on the audit_events table. Even Yelt's engineers can't silently amend history.
- Hash-chained. Every row contains a SHA-256 of the previous row's canonical payload. Tampering breaks every downstream link.
- Redacted at write. The redaction layer in our audit ingestion path strips PII and tool-call payload bodies before insert.
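How the hash chain described above exposes an in-place edit, shown as an added example that is not Yelt's code. The field names (seq, prev_hash, action_type, decision), the sorted-key JSON canonical form, and the all-zero genesis value are assumptions, not Yelt's actual schema or export format.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed link value stored in the first row


def canonical(row):
    # Assumed canonical form: JSON with sorted keys and no extra whitespace.
    return json.dumps(row, sort_keys=True, separators=(",", ":")).encode()


def link_for(prev_row):
    # SHA-256 of the previous row's canonical payload (which includes its own prev_hash).
    return hashlib.sha256(canonical(prev_row)).hexdigest()


def append(ledger, event):
    prev = link_for(ledger[-1]) if ledger else GENESIS
    ledger.append({**event, "seq": len(ledger), "prev_hash": prev})


def first_broken_link(ledger):
    """Return the seq of the first row whose prev_hash does not match, else None."""
    expected = GENESIS
    for row in ledger:
        if row["prev_hash"] != expected:
            return row["seq"]
        expected = link_for(row)
    return None


def build_sample():
    # Constructed sample rows (redacted metadata only), not real ledger data.
    ledger = []
    for action, decision in [("send_email", "allow"), ("wire_transfer", "deny"),
                             ("read_file", "allow"), ("send_email", "allow")]:
        append(ledger, {"action_type": action, "decision": decision})
    return ledger


if __name__ == "__main__":
    ledger = build_sample()
    print("intact:", first_broken_link(ledger))          # None
    ledger[1]["decision"] = "allow"                      # amend history in place
    print("after edit:", first_broken_link(ledger))      # 2
    ledger[2]["prev_hash"] = link_for(ledger[1])         # re-link row 2 to hide the edit
    print("after re-link:", first_broken_link(ledger))   # 3
```

Because each row's payload includes its own prev_hash, repairing one link only moves the break to the next row. The last row has no successor, so a verifier also needs the current head hash recorded somewhere outside the ledger to detect a change to it.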
Your rights
- Access. Export your audit ledger from the Audit tab (PDF, CSV, JSON). Your full account record is available on request.
- Correction. Account data is editable from Settings. Audit ledger is immutable by contract; corrections take the form of new events, never edits.
- Deletion. You can delete your org from Settings. Account data is hard-deleted within 30 days; audit ledger is retained per your tier's retention rule before purging.
- Portability. Audit exports are in standard formats. No vendor lock-in.
Contact
Privacy questions: legal@yelt.ai. We'll respond within 5 business days.