Privacy policy
1. Who we are
yatabase.gftd.ai ("Yatabase", "the service") is operated by etz hayim
(the operating entity), a religious organization / blockchain-registered entity. Gftd Japan株式会社
(Japan corporate ID T9007028460042, its qualified-invoice registration number) is the Japan-side vendor of record for tax-invoice
issuance only. This policy applies to the entire yatabase.gftd.ai domain and every
endpoint listed in /_app/meta.
2. What we collect
The service is opt-in and minimal. Concretely, when you use Yatabase we record the following:
| Field | Source | Where it lives |
|---|---|---|
| orgDid (e.g. did:web:t-xxxxx.yata-tenant.gftd.ai) | Generated server-side when you POST /auth/v1/signup. | vertex_api_key.owner_did |
| API key SHA-256 hash + first 13 chars (sk_live_yata_) | Mint side-effect of signup. The raw key is shown to you once and never persisted in plaintext. | vertex_api_key |
| Email + display name (optional) | Whatever you choose to send in the signup body. | vertex_email_outbox (recipient_email, recipient_name) |
| Billing events (per-API-call qty + metric) | Every authenticated request emits one row. | vertex_billing_event |
| Audit log (org_did, surface, method, path, status, latency, hashed IP, UA hint) | Recorded fire-and-forget after every authenticated call. | vertex_audit_log |
| Plan tier + Stripe customer/subscription IDs | Set when you complete Stripe Checkout. | vertex_org_plan |
| Object storage data | Whatever you PUT to /storage/v1/object/{bucket}/{key} or /s3/.... | Backblaze B2 (content-addressed, SHA-256 keyed) |
| Graph data | Whatever you write via Cypher / SPARQL / XRPC. | RisingWave Postgres on Vultr LAX (per-tenant schema yata_*) |
We do not collect: full IP addresses (we hash them with SHA-256 and keep only the first 16 hex chars
for abuse-correlation), browser fingerprints, third-party tracking pixels, advertising IDs, or location data beyond
Cloudflare's standard cf-iata hint. The service sets no first-party cookies. The Studio console uses
localStorage on your device only.
3. Why we collect it (lawful basis)
- Performance of contract (GDPR Art 6(1)(b)): orgDid, billing events, plan tier, audit log, your data.
- Legal obligation (GDPR Art 6(1)(c)): retention of vertex_billing_event for 7 years per Japan Corporate Tax Act (法人税法) §126 / IRS §6001.
- Legitimate interest (GDPR Art 6(1)(f)): hashed-IP audit log for abuse prevention, scoped to 90 days.
- Consent: optional email + name on signup; you can omit them entirely.
4. Retention
| Table | Retention | Why |
|---|---|---|
| vertex_billing_event | 7 years | Japan Corporate Tax Act (法人税法) §126 / IRS §6001 (US) |
| vertex_audit_log | 90 days | GDPR Art 30 records-of-processing minimum + abuse forensics |
| vertex_email_outbox | 1 year | Delivery troubleshooting; CAN-SPAM record-keeping |
| vertex_api_key | Until you revoke (POST /auth/v1/revoke) | Authentication state |
| vertex_org_plan | 3 years after last subscription | Stripe dispute window + tax |
| Tenant schema yata_* | Until you call /api/account/delete | Active account state |
| Studio localStorage (your API key, admin key) | Your device only; we never see it | n/a |
5. Your rights
Each right maps to an authenticated endpoint you already have access to with your sk_live_yata_* key.
| Right | Statute | Endpoint |
|---|---|---|
| Right to know / access / portability | CCPA §1798.100, GDPR Art 15+20, amended APPI (改正個人情報保護法) §33 | GET /api/export |
| Right to delete / erasure (irreversible) | CCPA §1798.105, GDPR Art 17, amended APPI (改正個人情報保護法) §34-36 | POST /api/account/delete with {confirm:"DELETE"} |
| Right to restrict processing | GDPR Art 18 | Revoke all keys via /auth/v1/revoke; account stays read-only until renewed. |
| Right to object to direct marketing | CCPA §1798.120, GDPR Art 21, amended APPI (改正個人情報保護法) §17 | We send no marketing unless you opt in by giving us an email at signup. Reply with "stop" to any operator email. |
| Right to lodge a complaint | GDPR Art 77 | Your local supervisory authority. We will cooperate. |
| Records-of-processing inspection | GDPR Art 30 | GET /api/audit returns the last 90 days for your org. |
Account deletion is irreversible. The endpoint immediately revokes all keys, marks the plan tier
deleted, and runs DROP SCHEMA "yata_<hash>" CASCADE on the tenant schema. The 7-year
billing-event retention is preserved (we are legally required to) but those rows are not associated with any active
account state and contain no PII beyond org_did.
6. Who else sees the data
We use the following sub-processors. None of them receive plaintext object-storage payloads or graph data beyond what their service technically requires:
| Sub-processor | Purpose | Region |
|---|---|---|
| Cloudflare Inc. (Workers, Hyperdrive, R2 cache) | Edge HTTP termination, regional cache, durable-object state. | Global anycast; data flows mostly via PoPs nearest the user. |
| Vultr Holdings, LLC (VKE LAX) | Primary RisingWave Postgres tenancy; runs the per-tenant yata_* schemas. | Los Angeles, USA. |
| Backblaze, Inc. (B2) | Content-addressed object storage. Files keyed by SHA-256 of payload. | USA (us-west / us-east). |
| Stripe, Inc. | Payment processing, subscription state, invoice generation. Card data is handled entirely by Stripe — we never see PAN or CVC. | USA (with EU/JP routing where applicable). |
| Resend, Inc. (when configured) | Transactional email delivery (signup-welcome, plan-upgrade, etc.). Operator-side wiring; until then, email rows queue locally and never leave Yatabase. | USA. |
| RunPod, Inc. (via LangGraph) | LLM inference for marketing graph, when active. Receives only the lead's domain + signal text — no tenant data. | USA. |
We sign data-processing agreements (DPA) with each sub-processor where the law requires it (GDPR Art 28). We do not sell, rent, or share your data with third-party data brokers. The service has no advertising surface.
7. International transfers
If you access the service from outside the United States, your data will be transferred to the United States for processing. We rely on Standard Contractual Clauses (EU 2021/914) for EU/EEA transfers and on the recipient's compliance with the JP-US APEC CBPR for transfers from Japan. The hashed-IP audit log uses an irreversible SHA-256 truncation, so it is not transferable PII under most regimes.
8. Security
- All HTTP traffic is TLS 1.3 (Cloudflare-managed certs, automatic rotation).
- API keys are stored as SHA-256 hashes; the raw sk_live_yata_* string is shown once at mint and never persisted.
- Stripe webhook signatures are verified by HMAC SHA-256 with constant-time compare.
- Inter-service trust uses x-internal-trust on a private mesh.
- Tenant isolation is enforced at the SQL layer: every tenant gets a unique RW schema yata_<sha256(orgDid)[:16]> with RLS by actor_did + org_did per ADR-0095.
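The derivations this section and section 2 describe (API key stored as SHA-256 hash plus its 13-char prefix, hashed-IP audit value, tenant schema name), written out as an added Python illustration; this is not Yatabase's own code, and the function names and the identifier check before DROP SCHEMA are assumptions of the example.

```python
import hashlib
import hmac
import re
import secrets

KEY_PREFIX = "sk_live_yata_"  # 13 chars, the part of the key the page says is kept


def mint_api_key():
    """Return the raw key (shown once) and the record that is persisted instead."""
    raw = KEY_PREFIX + secrets.token_urlsafe(32)
    record = {
        "prefix": raw[:13],  # "sk_live_yata_", useful for support lookups
        "key_hash": hashlib.sha256(raw.encode()).hexdigest(),
    }
    return raw, record


def verify_api_key(presented, record):
    """Constant-time check of a presented key against the stored hash."""
    digest = hashlib.sha256(presented.encode()).hexdigest()
    return presented.startswith(record["prefix"]) and hmac.compare_digest(
        digest, record["key_hash"]
    )


def hash_ip(ip):
    """Audit-log form of a client IP: first 16 hex chars of an unsalted SHA-256.
    Deterministic, so the same client correlates across rows; a pseudonym,
    not an anonymous value, since the IPv4 input space is only 2^32."""
    return hashlib.sha256(ip.encode()).hexdigest()[:16]


def tenant_schema(org_did):
    """Per-tenant schema name yata_<sha256(orgDid)[:16]>."""
    return "yata_" + hashlib.sha256(org_did.encode()).hexdigest()[:16]


SCHEMA_RE = re.compile(r"^yata_[0-9a-f]{16}$")


def drop_schema_sql(schema):
    """Build the deletion statement only for a name of the expected shape,
    so nothing but a derived schema name can reach the quoted identifier."""
    if not SCHEMA_RE.match(schema):
        raise ValueError("not a tenant schema name: %r" % schema)
    return 'DROP SCHEMA "%s" CASCADE' % schema
```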
9. Children
The service is not directed at children under 16. We do not knowingly collect data from children; if you believe a child has signed up, contact us and we will delete the account.
10. Changes to this policy
We will post material changes to this URL with a new "Last updated" date and a one-line note in the changelog. Material changes that expand the categories of data we collect will require renewed consent for paid plans.
11. Contact
Privacy requests, DPA requests, supervisory-authority cooperation: reach out to privacy@gftd.ai. We aim to respond within 30 calendar days, the GDPR Art 12(3) default.