Privacy Policy

Privacy Policy

Effective Date: March 30th, 2026

Yaffa Grace & Co.  |  Effective April 1, 2026  |  Last Revised March 2026

Yaffa Grace & Co. ("YGC," "we," "us," or "our") is committed to protecting the privacy of everyone who uses our website, engages our services, or purchases our digital products. This Privacy Policy explains what information we collect, how we use it, with whom we share it, and what rights you have.

By using www.yaffagraceco.com (the "Site") or engaging YGC's services, you agree to the practices described in this Privacy Policy. This Policy applies to Individual Clients and Organizational Clients alike.

1. Information We Collect

1.1 Information You Provide Directly

• Name and contact information (email address, phone number, mailing address where applicable)

• Payment information processed through Stripe. YGC does not store, access, or retain full payment card details. Stripe handles all payment data under its own PCI DSS-compliant security infrastructure.

• Booking details entered through Acuity Scheduling, including appointment preferences, intake form responses, and scheduling history

• Inquiry and contact form submissions received through the Site

• Communications you share with YGC, including emails, session correspondence, document submissions, and asynchronous support exchanges

• For Organizational Clients: company name, contact names, role titles, engagement scope, and any talent or team information shared in the context of an organizational engagement

• Newsletter subscription data, including your email address and any preferences you indicate

1.2 Information Collected Automatically

When you visit the Site, our website host (Squarespace) automatically collects certain data including your IP address, browser type, device type, referring URL, pages visited, and session duration. This data is collected in aggregate and is used to understand how visitors use the Site and to improve the Site experience.

YGC may also use analytics tools to understand visitor behavior in aggregate. YGC does not use advertising networks or behavioral tracking cookies.

2. How We Use Your Information

YGC uses the information we collect to:

• Provide career strategy, advisory, and talent consulting services you have purchased or engaged

• Schedule sessions and send reminders through Acuity Scheduling

• Process payments through Stripe

• Deliver Digital Products following purchase

• Respond to inquiries, support requests, and client communications

• Send service-related communications such as booking confirmations, session follow-up notes, and deliverable delivery

• Send the YGC newsletter and marketing communications to subscribers who have opted in. You may opt out at any time.

• Fulfill Organizational Client engagements, including outplacement support and talent advisory services

• Improve the Site and understand how visitors engage with our content

• Comply with applicable legal obligations, including tax and accounting record-keeping

YGC does not use your personal information for any purpose that is materially incompatible with the purposes for which it was collected.

3. AI Tools and Your Information

3.1 How YGC Uses AI Tools

YGC uses AI tools to assist with operational tasks including content research, drafting session preparation materials, market intelligence research, and similar work. All AI-assisted outputs are reviewed and approved by Yaffa Grace before delivery to any client.

YGC's practice is not to input personally identifiable client information into third-party AI systems. Session notes, client-specific strategy, and personal identifying details are handled directly within YGC's internal systems.

3.2 AI Tool Disclosure for Clients

Clients should be aware that any information voluntarily shared in emails, documents submitted to YGC, or session correspondence exists within YGC's operational environment. YGC does not use this information to train AI systems and does not share client information with AI vendors for training purposes.

YGC strongly recommends that clients avoid sharing highly sensitive personal information through our services, including Social Security numbers, financial account details, detailed medical information, or legally privileged information, unless specifically required for the engagement.

3.3 Client Use of AI Tools

If a client uses AI tools in connection with their own engagement (such as using AI tools to draft materials they then share with YGC), the client is responsible for ensuring that their use of such tools complies with applicable terms of service and does not misrepresent their professional background. See the Terms & Conditions for YGC's full AI misrepresentation policy.

4. Cookies and Tracking Technologies

The Site uses cookies and similar technologies operated by Squarespace to support basic site functionality, analyze traffic, and improve the user experience. These are functional and analytical cookies only. YGC does not use advertising cookies, retargeting cookies, or third-party ad network cookies.

You may adjust your browser settings to refuse cookies. Some features of the Site may not function properly without cookies enabled. Most browsers allow you to review and delete stored cookies through browser settings.

5. Third-Party Services and Data Sharing

YGC works with a limited number of trusted third-party service providers to operate the business. Each provider has its own privacy policy, which YGC encourages you to review. YGC shares only the minimum information necessary to fulfill each service function:

• Squarespace: Website hosting, analytics, and email campaign delivery. squarespace.com/privacy

• Stripe: Payment processing and transaction records. stripe.com/privacy

• Acuity Scheduling: Appointment booking and scheduling management. acuityscheduling.com/privacy

• Google Workspace (Gmail): Email communications. policies.google.com/privacy

• Notion: Internal project management. Notion is used for internal operational purposes only and does not store client personal information. notion.so/privacy

• PandaDoc: Statement of work and agreement delivery for Organizational Clients only. pandadoc.com/privacy

YGC does not sell, rent, trade, or license your personal information to any third party for their own marketing purposes. YGC may disclose personal information when required by law, court order, or lawful governmental request, or to protect the rights, safety, or property of YGC, its clients, or the public.

6. Email Communications and Newsletter

YGC sends a newsletter (the YGC BioPharma Career Intelligence Brief) to subscribers who have opted in through the Site. Subscriber email addresses are stored in Squarespace Email Campaigns and are used solely to send YGC communications.

You may unsubscribe from marketing communications at any time using the unsubscribe link in any YGC email or by emailing yaffa@yaffagraceco.com. Unsubscribing from marketing emails does not affect receipt of transactional communications (such as booking confirmations or service delivery notices) associated with an active engagement.

YGC does not share subscriber email lists with any third party for marketing purposes.

7. Data Retention

YGC retains personal information for as long as reasonably necessary to provide services, comply with legal obligations, resolve disputes, and enforce agreements. In practice:

• Client session notes and correspondence are retained for a reasonable period following the conclusion of an engagement.

• Payment records are retained as required by applicable tax, accounting, and financial reporting law (generally 7 years under Washington State and federal requirements).

• Marketing opt-in records are retained until you opt out and for a reasonable period thereafter to demonstrate consent.

• Organizational Client engagement records are retained as required by the applicable service agreement or applicable law.

Upon request, YGC will delete personal information to the extent permitted by applicable law. See Section 9 for how to submit a deletion request.

8. Data Security

YGC takes reasonable technical and organizational measures to protect your personal information from unauthorized access, disclosure, alteration, or loss. The Site is hosted on Squarespace, which maintains industry-standard security practices. Payments are processed by Stripe, which is PCI DSS compliant.

No method of internet transmission or electronic storage is completely secure. YGC cannot guarantee absolute security of any information transmitted through or stored in connection with our services. If you have concerns about the security of your information, contact yaffa@yaffagraceco.com promptly.

In the event of a data breach that requires notification under Washington State law (RCW 19.255.010) or other applicable law, YGC will provide required notices to affected individuals and applicable authorities within the timeframes required by law.

9. Your Rights — All Clients

Regardless of your location, you have the following rights with respect to your personal information held by YGC:

• Access: Request a copy of the personal information YGC holds about you.

• Correction: Request correction of inaccurate or incomplete personal information.

• Deletion: Request deletion of your personal information, subject to any legal obligations requiring retention.

• Opt-Out of Marketing: Opt out of marketing communications at any time.

To exercise any of these rights, email yaffa@yaffagraceco.com with the subject line "Privacy Rights Request." YGC will respond within 30 days, or notify you if additional time is required.

10. Washington State Residents — Additional Rights

10.1 Washington Consumer Protection Act (WCPA)

Washington State residents have rights under the Washington Consumer Protection Act (RCW 19.86) and other applicable state privacy laws. YGC's practices are designed to comply with these requirements.

10.2 Washington My Health MY Data Act (MHMDA)

The Washington My Health MY Data Act (effective 2023 for entities of YGC's size and nature) governs the collection and use of consumer health data by certain entities. YGC does not deliberately collect consumer health data as defined under the MHMDA. To the extent any health-related information is incidentally shared by a client in the course of an engagement (for example, in the context of a personal background narrative), YGC treats such information as strictly confidential and does not share, sell, or use it for any purpose beyond the direct delivery of the engaged service.

Washington State residents may submit a privacy rights request under applicable state law by emailing yaffa@yaffagraceco.com with the subject line "Washington Privacy Rights Request." YGC will respond within 45 days or notify you if additional time is required.

11. Children's Privacy

YGC's services are intended exclusively for adults 18 years of age and older. YGC does not knowingly collect personal information from any individual under 18. If you believe a minor has submitted personal information through the Site, contact yaffa@yaffagraceco.com immediately and YGC will promptly delete it.

12. Changes to This Privacy Policy

YGC may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or operational changes. When we do, we will update the "Last Revised" date at the top of this document. We encourage you to review this Policy periodically. Continued use of the Site or engagement of YGC services after changes are posted constitutes your acceptance of the updated Policy.

13. Contact — Privacy Questions

For any privacy-related questions, requests, or concerns, contact:

Yaffa Grace & Co.

yaffa@yaffagraceco.com

www.yaffagraceco.com

Mercer Island, Washington State, United States

Recruiter intelligence. Career strategy. Built for BioPharma.