Yew

Privacy Policy

Last updated: May 18, 2026 · Effective immediately

Yew is a service operated by Deep Forest AI, LLC ("we", "us", "Yew"). We exist to remove your personal information from data brokers. We can't do that without first holding some of your personal information — so this page explains exactly what we collect, why we collect it, where it goes, and how long we keep it.

Where this policy is silent, we default to the most protective option a reasonable customer would want. If we ever change that posture, we will say so plainly and update this page with a new effective date.

1. What we collect, and why

When you sign up, you provide us with the information we need in order to identify and remove you from broker records:

For the Concierge tier, we additionally request a redacted photo ID and partial Social Security number for FCRA-governed brokers (LexisNexis, TransUnion TLOxp, ChexSystems, Innovis) that legally require identity verification before honoring a suppression request. These are stored encrypted, used only for the specific FCRA letter, and deleted within 30 days of the broker's response.

2. Where your information goes

Your information is shared with three categories of recipient, and only these three:

(a) The data brokers we are removing you from.

This is the entire point of the service. We submit your identifiers to each broker's opt-out endpoint with your explicit authorization. The broker uses them to locate and suppress your record, and then — under their own privacy policies — should not retain them beyond what's required for the suppression. We have no control over what brokers actually do.

(b) Stripe (payment processing).

Stripe holds your billing details under Stripe's privacy policy. We receive only your customer ID and the metadata necessary to associate your account with your payment.

(c) Resend and Lob (operational infrastructure).

Resend sends our transactional email. Lob prints and mails physical opt-out letters to brokers who require mail (about 7 of the 56 we cover). Both are bound by their own published security commitments and may not use your data for any purpose other than completing the service we instructed.

We do not sell or rent your information. We do not share it with advertisers, analytics vendors, or any party not strictly required to deliver the removal service. There are no embedded trackers on this site.

3. How long we keep it

You can request immediate deletion of all your data at any time by emailing [email protected]. We will confirm within 7 days.

4. Your rights

Wherever you live, you have the right to:

If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Delete Act (SB 362) apply to you and grant additional rights — specifically the Right to Know, Right to Delete, Right to Correct, Right to Limit Use of Sensitive Personal Information, and Right to Opt-Out of Sale or Sharing. Yew does not sell or share your personal information. When the California Privacy Protection Agency opens Authorized Agent registration under SB 362, Yew will register as an Authorized Agent and will note its registration number here. If you are in the European Economic Area, the United Kingdom, or Switzerland, the GDPR applies. In all cases, the rights above already satisfy or exceed the statutory minimum. Email [email protected] to exercise any right; we respond within the legally required window (45 days under CCPA, 30 days under GDPR) and usually much faster.

5. How we protect it

Your information is stored in Cloudflare D1, an SQLite-based database encrypted at rest using AES-256 and accessible only to Yew application code running on Cloudflare Workers. All connections between you and Yew, and between Yew and its service providers, use TLS 1.3. We do not host any of your information on employee laptops, in shared drives, or in third-party SaaS we have not enumerated in §2.

Access to the production database is limited to authorized Yew engineering personnel and is gated by two-factor authentication on the Cloudflare account. Database queries are performed exclusively through application code; there is no direct human SQL access in the normal course of operations. Application secrets (API keys for Stripe, Resend, Lob, and similar) are stored in Cloudflare's encrypted secret store and rotated quarterly.

We do not write application logs that contain your personal information. Logs reference internal identifiers (UUIDs) only. We retain operational logs for 90 days and audit logs (which contain only timestamps, event types, and internal IDs) for 7 years.

We are a small company. We do not pretend to operate at the maturity of a Fortune 500 security program. If something goes wrong, we will tell you directly, plainly, and within 72 hours of confirming the breach where reasonably possible, and in any event within the time required by applicable state law.

6. Children

Yew is not available to anyone under 18, and we do not knowingly collect information about children. If you are a parent and you believe we have inadvertently received data about a minor, email [email protected] and we will delete it on receipt.

7. Changes to this policy

If we materially change how we handle your data, we will (a) update the effective date at the top of this page, (b) email every active customer at least 14 days before the change takes effect, and (c) preserve a copy of the prior version at /privacy/v1/ for reference.

8. If Yew shuts down

This is the question every careful buyer asks about a new service. The honest answer:

This commitment is binding on Deep Forest AI, LLC and any successor or assignee.

9. Contact

Privacy questions, requests, or complaints: [email protected]
General questions: [email protected]

Deep Forest AI, LLC
Operating as Yew
26 Poinciana Cove Rd
Saint Augustine, FL 32084
United States