# Yoto Guardian — Privacy Policy Last Updated: March 13, 2026 Yoto Guardian is operated by Coe Code LLC ("Coe Code", "we", "us"). Yoto Guardian is an independent product and is not made by, endorsed by, or affiliated with Yoto Ltd. We provide parental controls and a library manager for Yoto audio players. --- ## Who We Are Yoto Guardian is operated by Coe Code LLC ("Coe Code", "we", "us"). Yoto Guardian is an independent product and is not made by, endorsed by, or affiliated with Yoto Ltd. --- ## Information We Collect ### Account Information When you create a Yoto Guardian account, we collect your email address and a hashed password. We use this information solely to authenticate you and provide the service. ### Yoto Account Credentials When you link your Yoto account, we use OAuth (the same authentication method used by the official Yoto app) to obtain access tokens. These tokens are encrypted using AES-256-GCM before storage and are used exclusively to communicate with Yoto's API on your behalf. We never store your Yoto username or password. ### Device and Playback Data To provide parental controls and the live dashboard, we store: - Device names and identifiers from your Yoto account - Playback events (what card is playing, track changes, play/pause events) - Daily listening time totals - Device configuration (quiet time schedules, daily limits, playback rules) This data is necessary to enforce quiet time, daily limits, and playback rules, and to display listening history on your dashboard. ### AI API Keys (Optional) If you use the library manager's AI features (automatic title and description generation), you may provide your own Anthropic or OpenAI API key. These keys are encrypted using AES-256-GCM and stored in our database so they persist across sessions. You can delete your stored API keys at any time from Settings. When available, Yoto Guardian may also provide shared AI access so a personal key is not required. --- ## How We Use Your Information - To provide and operate Yoto Guardian's features (quiet time, daily limits, playback rules, live dashboard, library management) - To authenticate you and protect your account - To communicate with Yoto's cloud API on your behalf using your encrypted OAuth tokens - To send you service-related emails if necessary --- ## Children's Privacy Yoto Guardian is designed for parents and caregivers to manage children's Yoto players. The service does not collect personal information directly from children. All data collection and account management is performed by the parent or caregiver who creates the Yoto Guardian account. We do not knowingly collect personal information from children under 13. --- ## Data Sharing We do not sell, rent, or trade your personal information. We share data only in these limited circumstances: - **With Yoto's API:** To operate the service, we send commands to and receive data from Yoto's cloud infrastructure using your OAuth tokens. - **With AI providers (optional):** If you use AI-powered library features, audiobook metadata may be sent to Anthropic or OpenAI using your configured API key, or via Yoto Guardian-provided access when available. - **Legal requirements:** When required by law, legal process, or to protect our rights. --- ## Data Security - Yoto OAuth tokens are encrypted with AES-256-GCM before database storage - Passwords are hashed using industry-standard algorithms - All communication uses HTTPS/TLS encryption - JWT access tokens expire after 15 minutes; refresh tokens after 7 days with rotation - CSRF protection is enforced on all state-changing requests --- ## Data Retention We retain your data for as long as your account is active. Playback history is retained to provide listening statistics and weekly charts. To request account closure and permanent deletion of associated data, contact privacy@yotoguardian.com. We process deletion requests manually. --- ## Your Rights - **Access:** You can view all data we store about you through the dashboard and settings. - **Deletion:** You can request account and data deletion by contacting privacy@yotoguardian.com. - **Yoto connection:** You can re-link your Yoto account from Settings. For account disconnection or data-removal requests, contact support@yotoguardian.com. - **Export:** Contact us to request a copy of your data. --- ## Cookies Yoto Guardian itself uses essential first-party cookies only: an authentication token (httpOnly, secure) and a CSRF token. We do not use first-party tracking or advertising cookies. Marketing pages also embed a Ko-fi donation widget, and that third-party service may set cookies under its own domain and privacy policy. --- ## Contact For questions about this privacy policy or your data: - privacy@yotoguardian.com - support@yotoguardian.com - Coe Code LLC, Missoula, Montana, USA