Security & Privacy
How we protect your data, where it lives, and who can reach it — without the legalese.
Last updated: May 2026 · yorame.de · security@yorame.de
What data we store
We store three categories only: your conversations with Yora, your memories (facts you choose to save), and OAuth tokens for the integrations you connect. Everything lives in Supabase in the EU region (Frankfurt). We do not keep US backups. We do not cache Drive files locally — we read them on demand and discard them from memory.
Encryption — at rest and in transit
All data is encrypted with AES-256 at rest inside Supabase. Memories are stored as pgvector embeddings — the same table is encrypted. Every connection between your browser and Yora, and between Yora and AI providers, runs over TLS 1.3. OAuth tokens are protected by row-level security policies that prevent any account from reading another account’s data.
Google scopes we request
When you connect Google, we request only the scopes needed for the feature you asked for. Gmail: read recent messages on demand, send emails you compose, modify labels when you tell Yora to. Calendar: read upcoming events, create events when you ask. Drive: read files you name explicitly. Everything follows the least-privilege principle.
Scopes we do NOT request
We do not request full Gmail.metadata (read headers of every email). We do not request permission to delete email. We do not request contacts management. We do not request Calendar.acls (calendar sharing). We do not request Drive.file as a blanket scope — only files you explicitly name. We do not request YouTube, Photos, or any Google service unrelated to assisting you.
Google API Limited Use disclosure
Yora’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. The exact required Google policy sentence is reproduced verbatim below this section.
What Yora can access
Yora reads the most recent ~20 Gmail messages when you ask "what’s in my inbox today?". It reads upcoming Calendar events when you request a daily briefing. It reads a specific Drive file when you name it. It sends an email after you draft one with Yora and tell it to send. It creates a Calendar event when you ask Yora to schedule something. Every read or write is tied to an explicit action you took in that moment.
What Yora can NEVER access
We do not auto-read every email in your inbox. We do not monitor your messages in the background. We do not train any AI model on your data — not ours, not Anthropic’s, not OpenAI’s (we use their zero-retention API agreements). We do not sell your data to advertisers. We do not share your data with any third party not listed in the DPA. We do not analyze your content for advertising.
Retention
Conversations and memories are kept while your account is active. When you delete your account, all data is removed from Supabase and all backups within 30 days. OAuth tokens are deleted immediately when you disconnect an integration on /integrations. Integration cache entries live 30–60 minutes and auto-refresh.
Your controls
At any time you can: export everything as JSON from Settings, delete any memory from the Memory page, disconnect any integration instantly from /integrations (this revokes OAuth tokens and ends access), delete your full account from Settings or by emailing security@yorame.de, or revoke Yora’s Google access from myaccount.google.com/permissions directly.
Contact security
Vulnerability reports, scope questions, or urgent deletion requests — email security@yorame.de. We respond within 72 hours. For general privacy questions, use hello@yorame.de.