SERENITY DECODED
PRIVACY, DATA & COOKIE POLICY
1. INTRODUCTION
Yellow Tail Investment Enterprise, LLC and its affiliated entities (collectively, “Company”) are committed to protecting your personal data. This Policy explains what we collect, why, how we use and share it, and your rights. It applies to all users of the Serenity Decoded website (serenitydecoded.com), the Serenity Aligned™ application, and the Aarav The Serenity Genie™ AI System, regardless of location.
2. DATA CONTROLLER
Yellow Tail Investment Enterprise, LLC
30 N Gould St, Ste R, Sheridan, WY 82801, United States of America
Website: serenitydecoded.com
EU/EEA and UK representative: contact through serenitydecoded.com.
3. DATA CONTROLLER
3.1 Data You Provide
- Identity: first name, last name, username, date of birth (age verification);
- Contact: email address, postal address, telephone number;
- Account: credentials, subscription details, preferences;
- Payment: billing name, billing address, and limited transaction confirmation data received from our third-party payment processor. We do not receive or store full card numbers, CVV codes, or bank account details;
- AI Interaction: all Inputs submitted to Aarav The Serenity Genie™ and all Outputs generated;
- SMS and push notification consent records;
- Communications: messages, feedback, support requests, complaints.
3.2 Data Collected Automatically
- Technical: IP address, browser, OS, device identifiers, mobile advertising IDs (IDFA/GAID);
- Usage: pages viewed, session duration, navigation paths, feature interactions;
- Geolocation: approximate location from IP address;
- App: device model, app version, crash reports, performance data.
3.3 Sensitive Data
We do not intentionally collect sensitive personal data. Do not submit sensitive data to the AI System.
4. DATA CONTROLLER
| Purpose | Data | Legal Basis |
| Account creation and management | Identity, Contact, Account | Performance of contract |
| Age verification | Date of birth, Identity | Legal obligation / Contract |
| Delivering AI sessions via Aarav The Serenity Genie™ | AI Interaction, Account | Performance of contract |
| Personalising AI responses | AI Interaction, Usage | Contract / Consent |
| Improving AI (anonymised) | Anonymised AI Inputs | Legitimate interests |
| Processing subscription payments through our third-party payment processor | Billing name, billing address, transaction confirmation data | Performance of contract |
| Transactional notices | Contact, Account | Contract / Legal obligation |
| Marketing (opt-in only) | Identity, Contact | Consent |
| SMS/push (specific consent) | Phone, Device ID | Consent |
| Analytics and performance | Usage, Technical | Legitimate interests |
| Security and fraud prevention | Technical, Usage, Account | Legitimate interests / Legal obligation |
| Legal and regulatory compliance | Any relevant data | Legal obligation |
5. AI SYSTEM — DATA TRANSPARENCY
- Inputs sent to Aarav The Serenity Genie™ are transmitted to OpenAI’s infrastructure. OpenAI’s API terms prohibit training on API inputs without opt-in.
- AI Inputs and Outputs are stored within your account for session continuity. Anonymised data may be used for Platform improvement.
- We do not use identifiable personal AI Inputs to train publicly available AI models.
- AI Interaction data may be reviewed by Company personnel for safety, compliance, or dispute resolution under confidentiality obligations.
- The AI System uses automated processing to personalise responses. Contact us through serenitydecoded.com to request human review of any automated processing.
6. DATA SHARING
We do not sell personal data. We share only as follows: (a) service providers bound by data processing agreements including OpenAI, hosting providers, our third-party payment processor, email and SMS providers, analytics providers, and support tools; (b) legal and regulatory disclosure where required by law; (c) business transfers with advance notice; (d) safety disclosures to prevent harm; (e) with your explicit consent.
6.1 Third-Party Payment Processing
Subscription purchases made directly through the Platform are processed by a third-party payment processor engaged by the Company (“Payment Processor”). The following disclosures apply specifically to your payment data:
| Third-Party Payment Processing — Data Disclosure |  |
| What the Payment Processor receives from you | When you complete a subscription purchase, your payment card details are submitted directly to the Payment Processor. The Company does not receive, store, process, or transmit your full card number, CVV, card expiry date, or bank account details at any stage. All card data is processed exclusively by the Payment Processor. |
| What the Company receives from the Payment Processor | Upon confirmation of a successful payment, the Company receives only: (a) payment success confirmation; (b) the last four digits of your card for account identification; (c) card type (e.g., Visa, Mastercard); (d) your billing name and billing address; and (e) a unique transaction reference identifier. |
| PCI-DSS compliance | The Payment Processor is PCI-DSS compliant. The Company’s integration is designed to achieve the lowest possible PCI-DSS scope, meaning card data processing responsibility rests entirely with the Payment Processor. |
| Payment Processor’s own privacy policy | The Payment Processor collects and processes your payment data under its own privacy policy, which applies independently of this Policy. We encourage you to review the Payment Processor’s privacy policy before completing a purchase. Contact us through serenitydecoded.com for current Payment Processor details. |
| Data sharing purpose and legal basis | Data shared with the Payment Processor is used solely to process your subscription payment and manage recurring billing. Legal basis: performance of contract. The Payment Processor is bound by a data processing agreement with the Company. |
| Subscriptions through Apple or Google | Subscriptions purchased through the Apple App Store or Google Play are processed by Apple and Google respectively under their own payment terms and privacy policies. The Company does not receive card data for app store purchases. Contact Apple or Google directly for those transactions. |
7. INTERNATIONAL DATA TRANSFERS
Data may be processed in the US and other countries. We use Standard Contractual Clauses for EU/EEA transfers, the UK IDTA for UK transfers, and equivalent mechanisms for other jurisdictions. Our Payment Processor may process payment data in jurisdictions outside your country of residence; their privacy policy describes the safeguards they apply to international transfers.
8. DATA RETENTION
| Category | Retention | Basis |
| Account and identity data | Duration + 7 years post-closure | Contractual and regulatory |
| AI Interaction data (personal) | Duration + 3 years post-closure | Service delivery; dispute resolution |
| AI Interaction data (anonymised) | Indefinitely | Platform improvement |
| Payment records | 7 years from transaction | Tax and financial regulatory |
| Consent records | Duration + 7 years | Proof of lawful processing; legal defence |
| Complaint and dispute records | 7 years from resolution | Legal defence; compliance |
| Security and fraud logs | 2 years from creation | Security and fraud prevention |
9. SECURITY
- Encryption in transit (TLS 1.2+) and at rest (AES-256 or equivalent);
- Need-to-know access controls and multi-factor authentication for administrative access;
- Regular security assessments, penetration testing, and staff training;
- Payment card data is never stored on Company systems. PCI-DSS compliance for card processing is the exclusive responsibility of our third-party payment processor.
10. DATA BREACH NOTIFICATION
- Regulatory authority notification within applicable timeframes: 72 hours under GDPR; 30 days under Florida FIPA; as required under other applicable laws;
- Affected user notification without undue delay where high risk to their rights exists;
- Notification will include: breach description; affected data categories; consequences; and remediation measures.
Note: A breach of payment card data held by the Payment Processor is the Payment Processor’s responsibility to notify and remediate under their own contractual and regulatory obligations. The Company will cooperate fully with any such notification process.
11. COOKIES AND TRACKING
| Category | Purpose | Disable? |
| Strictly Necessary | Authentication, security, session management | No |
| Functional | Settings, preferences, personalisation | Yes |
| Analytics | Usage analysis, error tracking | Yes |
| Marketing | Advertising where applicable | Yes |
| Third-Party Tools | Payment widgets, support tools | Partially |
We request consent before placing non-essential cookies. We honour GPC opt-out signals as Do Not Sell or Share requests under CPRA. On iOS, we request ATT permission before accessing IDFA. Manage preferences through the cookie banner or Cookie Settings in the footer at any time.
12. SMS AND PUSH NOTIFICATIONS
- Marketing SMS: sent only with express written TCPA-compliant consent, documented separately.
- Transactional SMS: account and billing notices sent as necessary for account management.
- Opt-out: reply STOP to any marketing message, processed within 10 business days.
- Push: managed through device notification settings; ATT permission requested on iOS.
13. CHILDREN’S PRIVACY
The Platform is for users 18 and older. We do not knowingly collect data from anyone under 18. If discovered: access is restricted immediately; data is deleted within 30 days; parent/guardian notified where feasible.
14. YOUR RIGHTS
Depending on your location: access; rectification; erasure; restriction; portability; objection; withdrawal of consent; human review of automated decisions; and complaint to a supervisory authority. Exercise rights through serenitydecoded.com. We do not discriminate for exercising rights.
15. JURISDICTION-SPECIFIC PROVISIONS
15.1 EU / EEA (GDPR)
Legal bases per §4. Complaints to your local DPA (edpb.europa.eu). DPIAs conducted for high-risk processing.
15.2 UK (UK GDPR / DPA 2018)
Equivalent rights. Complaints to the ICO (ico.org.uk).
15.3 Canada (PIPEDA / Quebec Law 25)
Canadian rights under PIPEDA. Quebec users: additional rights including portability and opt-out from automated profiling under Law 25. Breach notification as required.
15.4 California (CCPA / CPRA)
Know, delete, correct, opt-out of sale/sharing, limit sensitive data use, no discrimination. We do not sell data. GPC signals honoured.
15.5 Florida (Digital Bill of Rights / FIPA)
Access, correction, deletion, portability, opt-out rights. Breach notification within 30 days under FIPA.
15.6 Other US States
Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and other states with privacy laws: rights consistent with §14.
15.7 India (DPDPA 2023)
Access, correction, erasure, grievance redressal. Lawful basis: consent.
15.8 Singapore, Malaysia, Philippines, Japan, South Korea, Hong Kong, Thailand, Australia
We comply with: Singapore PDPA; Malaysia PDPA 2010; Philippines DPA 2012; Japan APPI (2022); South Korea PIPA; Hong Kong PDPO; Thailand PDPA; Australia Privacy Act 1988 (APPs). Contact us through serenitydecoded.com to exercise jurisdiction-specific rights.
16. CHANGES AND CONTACT
Material changes will be communicated in advance and re-consent obtained where required. Prior versions archived on request.
Yellow Tail Investment Enterprise, LLC
30 N Gould St, Ste R, Sheridan, WY 82801, United States of America
Website: serenitydecoded.com