Security & Data

How we protect your data

Last updated: May 1, 2026 · v1.0

1. Encryption

All data is encrypted at two layers:

  • In transit: TLS 1.2 or higher on every communication between the app, our servers, and partners. Plain HTTP is not accepted.
  • At rest: AES-256 in our database (including your face's mathematical representation) and in our media storage.

2. Authentication

Access to Yaz uses email and password. Passwords are stored as a secure hash, never in plain text.

Sessions use tokens with rotating refresh. The access token expires after 1 hour; the refresh token is invalidated on logout.

3. Facial data security

Facial data is treated as the most sensitive asset in the app. Three protection layers:

  • We never store the original image. The selfie is processed in memory and discarded immediately after the mathematical representation is extracted.
  • The representation is not a photo. It is a sequence of numbers describing only mathematical features of your face. It is not possible to reconstruct the face from it — the inverse operation is mathematically infeasible.
  • Restricted access. Only you can read or delete your facial registration; no other user has access. Our staff only sees audit and log data. The comparison is performed by PhotoShared through a secure API, with no data retention by the partner.

4. Infrastructure providers

We work only with partners certified to recognized standards:

  • Database and authentication provider — SOC 2 Type II, ISO 27001.
  • Media storage provider — SOC 2, ISO 27001, ISO 27018, PCI-DSS.
  • Apple Push Notification Service — native Apple ecosystem security.
  • PhotoShared — partner company responsible for processing and comparing the mathematical representations of faces. Meets the security requirements applicable to biometric data processing and does not store the data it receives.

5. Incident response

In the event of a security incident that may affect users' personal data, we will notify the affected users and the Brazilian Data Protection Authority (ANPD) within 72 hours, as required by LGPD (art. 48). The notification will detail the nature of the data involved, measures taken, and recommendations to users.

6. Reporting vulnerabilities

If you discover a security vulnerability, please email contato@yazexperience.com.br with the subject [security]. We ask that you not disclose it publicly before we have a chance to fix it (responsible disclosure). We will acknowledge your contribution publicly if you wish.