Privacy Policy

Last updated: April 23, 2026

Who we are

Yuki Capital is an AI product studio operating yukicapital.com and a portfolio of SaaS products including Humanizer AI and Melies. This policy explains what data we collect on yukicapital.com and the Yuki Affiliates program. Each product SaaS has its own privacy policy linked from its site.

What we collect

When you browse yukicapital.com

  • Page views and basic device info via Plausible Analytics (stats.yukicapital.com). No cookies, no personal identifiers.

When you apply to the Yuki Affiliates program

  • If you sign up with Google: your name, email, profile picture, and a Google user ID.
  • If you sign up with email: email, a bcrypt-hashed password, display name.
  • Information you provide: where you plan to promote, audience description, payout details (Wise email, PayPal email, or bank info), and optional tax info (legal name, address, country, VAT number) so we can pay you.

Referral and conversion tracking

  • When a visitor clicks an affiliate link on a Yuki product site, a ref cookie is set on that product's domain (scoped to that domain, 60-day expiry).
  • We log the referral click: short code, timestamp, landing URL, referrer, user-agent, UTM parameters, a hashed IP (SHA-256, salted — never the raw IP), and an anonymous cookie ID.
  • On successful purchase, we record the conversion: Stripe customer ID, customer email, invoice amount, commission computed.

What we don't collect

  • We never store raw IP addresses. They are hashed with a salt and truncated.
  • We don't share referral data across products in ways that identify individuals outside their own product account.
  • We don't sell personal data.

How we use it

  • Operate the Yuki Affiliates program: attribute conversions, compute commissions, send payouts.
  • Send transactional email (signup received, approval, commission attributed, payout sent) via Postmark.
  • Detect fraud (e.g. same-IP self-referral, abnormal refund rates).

Google Sign-In — data accessed, used, stored, shared

Scopes we request

We request only these OAuth scopes from Google, all of which are non-sensitive:

  • openid — to identify you between sessions.
  • email — to receive your primary Google email address and its verified status.
  • profile — to receive your basic profile info (name, profile picture, Google account ID).

We do not request and do not access any other Google API, scope, or service — including Gmail, Calendar, Drive, Contacts, YouTube, Photos, or any Workspace API. We do not request offline access and we do not store refresh tokens.

Data we access from your Google Account

When you click "Sign in with Google", Google returns an authorization code. We exchange the code for a short-lived access token, call the Google userinfo endpoint once, then discard the access token. From that single call we receive:

  • Your Google account ID (an opaque identifier, e.g. 1082...47).
  • Your primary email address.
  • A flag indicating whether Google has verified that email address.
  • Your display name as set in your Google profile.
  • The URL of your Google profile picture.

How we use that data

  • Account creation and authentication — the Google account ID is the primary key that identifies you on future logins; the email and verified flag let us match a Google login to an existing Yuki Affiliates account.
  • Personalization in the portal — your name and profile picture are displayed in your own affiliate dashboard so you see who you're signed in as. They are not shown to other affiliates or to the public.
  • Transactional email — we may email you at the address Google provided about your application, approvals, commissions, and payouts. We do not send marketing email without a separate opt-in.
  • Fraud prevention — we compare your email to the customer email on Stripe transactions to detect self-referral attempts.

We do not use Google user data to train or improve AI or machine-learning models. We do not sell it, rent it, or use it for advertising.

How we store that data

The five fields above are written to the affiliates collection of our MongoDB database, hosted on Hetzner in the European Union (Germany). Connections are TLS-encrypted and credentials are scoped to the application only. We do not store any Google access token or refresh token.

How we share that data

We do not share, sell, rent, or disclose Google user data to any third party for their own use. Google user data is processed only by the small number of infrastructure sub-processors strictly needed to run the service: our hosting provider (Hetzner) which stores the data at rest, and Postmark which transmits transactional email to the address you registered with. Both act under written data processing agreements and never reuse the data for their own purposes.

How long we keep it

We keep your Google-derived profile fields for as long as your Yuki Affiliates account is active. If you delete your account or email [email protected] asking for deletion, we remove them within 30 days (records tied to paid commissions may be retained in an anonymized accounting form for legal/tax compliance as described below).

Revocation

You can revoke our access to your Google account at any time at myaccount.google.com/permissions. Revoking at Google does not automatically delete your Yuki Affiliates account; email us to also delete the account.

Limited Use compliance

Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We use Google user data only to provide the user-facing feature that the user requested (signing in to Yuki Affiliates) and for the limited operational purposes described above; we do not transfer it except as necessary to provide or improve that feature, comply with applicable law, or as part of a merger or sale in which Google user data remains subject to this policy; we do not use it for advertising; and we do not let humans read it except with the user's explicit consent, for security purposes, to comply with applicable law, or as strictly necessary for operations (and in that case only in aggregated and anonymized form).

Third-party services

  • Google — authentication.
  • Stripe — payment processing and webhook ingestion for conversion tracking. Stripe's privacy policy: stripe.com/privacy.
  • Postmark — transactional email.
  • Wise — payouts. We export a CSV of amounts and recipient emails; we don't share payout data back with Wise outside of the transfer itself.
  • Plausible Analytics — privacy-respecting website analytics, no cookies, self-hosted on stats.yukicapital.com.

How long we keep it

  • Affiliate account: as long as your account is active. You can request deletion at any time — we'll remove your account and personal data within 30 days.
  • Click logs with no conversion: 90 days.
  • Conversion records: kept for at least 7 years for tax and accounting compliance.

Your rights

You have the right to access, correct, export, or delete your personal data. Email [email protected] and we'll respond within 30 days.

Under GDPR, you also have the right to lodge a complaint with your local data protection authority. Yuki Capital is operated from France; the competent authority is the CNIL (cnil.fr).

Security

Passwords are hashed with bcrypt (work factor 11). Session cookies are HMAC-signed with SHA-256, HttpOnly, Secure, SameSite=Lax. Data is transmitted over TLS. Databases are hosted on Hetzner (Germany/Finland).

Changes to this policy

We'll update the "Last updated" date above when we change this policy materially, and email affiliates when the changes affect them.

Contact

Yuki Capital — [email protected]