YAYIKA ·

Comprehensive Privacy Notice

Last updated: June 3, 2026 · Compliant with LFPDPPP 2025 (Mexico) · GDPR Art. 9 (EU) · CCPA/CPRA (California) · Washington MHMDA and state health laws (USA) · LGPD (Brazil) · DPA (Philippines)

1. Data Controller

Edgar Apolonio Aguilera, operating under the brand Yayika.
Website: yayika.com
Privacy contact / Data Controller: privacidad@yayika.com

For European Union data protection matters, you may contact the same email, which serves as the privacy point of contact (Data Protection Officer / representative for GDPR purposes). If we appoint a formal EU representative under Art. 27 GDPR in the future, we will indicate it here.

2. Personal data we collect

⚠️ Sensitive reproductive health data: Yayika collects information about your menstrual cycle, physical symptoms and emotional state. This data receives the highest legal protection in all jurisdictions:

México (LFPDPPP 2025): sensitive personal data requiring your express and written consent.
Unión Europea (GDPR Art. 9): "special category" data whose processing is prohibited except with explicit consent [Art. 9(2)(a)].
EE.UU. — Washington (My Health My Data Act): "consumer health data" and "reproductive health information", requiring separate opt-in consent to collect and an additional consent to share.
Brasil (LGPD Art. 11): sensitive personal data requiring specific and prominent consent.

We collect this data only with your explicit and separate consent, given through a specific checkbox at registration and reaffirmed when using the tracker or My Confessional. You can withdraw this consent at any time from your profile or by writing to privacidad@yayika.com, without affecting the rest of your account.

Category	Specific data	Sensitive
Identification	Name, email address	No
Account	Password (encrypted), membership plan	No
Payment	Stripe customer ID, payment history (we do not store card data)	No
Menstrual cycle	Last period date, active phase, cycle days	Yes
Symptoms	Energy, mood, pain, productivity (daily tracker)	Yes
Confessional	Private journal entries, anonymous posts in The Circle	Yes
Progress	Completed modules, XP, badges, streaks	No
Technical	IP address, device type, browser, session cookies	No

3. Purposes of processing

Primary purposes (necessary for the service):

Create and manage your membership account
Process payments and manage subscriptions
Give you access to the portal, modules and personalized features
Personalize content according to your cycle phase
Send you service-related notifications

Secondary purposes (require your consent):

Send you retention emails and motivational reminders
Aggregated and anonymous analytics to improve the service
Send you information about new products or features

4. Legal basis for processing

Data	Legal basis (Mexico/GDPR)
Account and payments	Performance of contract
Health data (cycle, symptoms)	Explicit consent
My Confessional	Explicit consent
Retention emails	Legitimate interest / consent
Technical data / cookies	Legitimate interest

5. Transfers to third parties

Provider	Country	Purpose	Safeguards
Supabase	EU (AWS)	Database and authentication	GDPR compliant, SCCs
Stripe	EU / Global	Payment processing	PCI-DSS, GDPR
Resend	EU	Email delivery	GDPR compliant
GitHub Pages	EU / Global	Site hosting	GDPR compliant

Yayika does not sell, rent or share your personal data with third parties for advertising purposes. Ever.

6. Data retention

Data	Retention period
Active account	For the duration of membership + 12 months
Health and cycle data	For the duration of membership. Deleted upon cancellation if you request it.
My Confessional (private)	Stored locally on your device. In Supabase: until you delete it or cancel.
Payment history	7 years (tax obligation)
Technical logs	90 days

7. Your rights

ARCO rights (Mexico — LFPDPPP 2025):

Access: Know what data we have about you
Rectification: Correct incorrect data
Cancellation: Request deletion of your data
Objection: Object to certain uses of your data

Additional rights under GDPR (European Union):

Data portability — receive your data in machine-readable format
Restriction of processing
Withdraw consent at any time
Lodge a complaint with your country’s supervisory authority

Rights under CCPA (California, USA):

Know what personal information we collect and why
Request deletion of your personal information
Non-discrimination for exercising your rights
Yayika does not sell personal information — the opt-out right applies but there is nothing to opt out of

Rights under LGPD (Brazil):

Confirmation and access to processing
Correction of incomplete or inaccurate data
Anonymization, blocking or deletion
Portability to another provider
Revocation of consent

Rights under DPA (Philippines):

Access, rectification, deletion and data portability
Right to be informed about security breaches
Lodge a complaint with the National Privacy Commission

    To exercise any of these rights, write to: privacidad@yayika.com

    We will respond within a maximum of 20 business days per LFPDPPP. For GDPR requests, within a maximum of 30 calendar days.

7-bis. Specific reproductive health rights (USA)

If you reside in the United States, in addition to the above, reinforced protections apply to your health data:

Washington — My Health My Data Act (MHMDA):

We collect your consumer health data only with your opt-in consent, and only share data with separate and additional consent (which we currently do not request because we do not share health data with anyone).
You have the right to confirm what health data we collect, access it, know which third parties it has been shared with, withdraw your consent and request its deletion. We will respond within a maximum of 45 days.
Yayika never sells your health data. Selling health data would require a valid, independent authorization that we will never request from you.
We do not use geofencing around clinics, hospitals or reproductive health centers to track you, collect data or send you messages.

Other states (California CCPA/CPRA, Nevada, Virginia, Colorado, Connecticut, Texas, Oregon and other state privacy laws): we treat reproductive health information as "sensitive data" subject to opt-in and, where applicable, we offer you the rights of access, correction, deletion, portability and limitation of the use of sensitive data. To exercise them: privacidad@yayika.com.

HIPAA: Yayika is not a "covered entity" or "business associate" under HIPAA, so your data is not regulated by HIPAA; precisely for this reason we voluntarily apply the standards of the strictest state health privacy laws.

8. Security

Passwords encrypted with bcrypt — Yayika cannot read your password
Communications protected with TLS/HTTPS
Database with Row Level Security — only you access your data
Private My Confessional: stored on your device, never in plain text on the server
Payments processed directly by Stripe — Yayika does not store card data

In the event of a security breach affecting your data, we will notify affected users within a maximum of 72 hours in accordance with GDPR.

9. Cookies

Yayika uses strictly necessary cookies for the portal to function (session, authentication). We do not use advertising tracking cookies or share data with advertising networks. See our Cookie Policy.

10. Minors

Yayika is a service exclusively for users over 18. We do not intentionally collect data from minors. If we detect a minor’s account, we will cancel it immediately and delete the associated data.

11. Changes to this Notice

Material changes to this Notice will be notified by email at least 15 days in advance. Continued use implies acceptance.

12. Contact and supervisory authority

Privacy contact: privacidad@yayika.com

Supervisory authorities:

Mexico: Secretaría Anticorrupción y Buen Gobierno (former INAI)
European Union: Data protection authority of your member country
Spain: Spanish Data Protection Agency (aepd.es)
Brazil: Autoridade Nacional de Proteção de Dados (anpd.gov.br)
Philippines: National Privacy Commission (privacy.gov.ph)
California: California Privacy Protection Agency (cppa.ca.gov)