Privacy Policy

Last updated: February 21, 2026

This Privacy Policy explains how YaraCircle collects, uses, discloses, and safeguards your information when you use our platform and services.

INTERNATIONAL USERS

This Privacy Policy applies to users worldwide, including users in India, the European Economic Area (EEA), United Kingdom (UK), United States (including California), and all other jurisdictions. By using YaraCircle, you acknowledge that your information may be collected, transferred, processed, and stored in India and other countries where we or our service providers operate, which may have different data protection laws than your country of residence. We implement appropriate safeguards for all cross-border data transfers as described in Section 11.

AI-POWERED FEATURES

YaraCircle includes an AI companion called "Yara" powered by Anthropic's Claude AI. Your conversations with Yara are processed by a third-party artificial intelligence provider. We also use OpenAI's moderation systems for automated content safety screening. Please read Sections 8 and 9 for full details on how your data is handled in connection with AI features.

AGE REQUIREMENTS

YaraCircle requires a minimum age of 13 for registered accounts and 18 for guest access. Users under 13 are blocked entirely. Users aged 13–17 have restricted access to certain features. See Section 6 for our complete tiered age model.

1. Introduction and Scope

Welcome to YaraCircle, operated by Sitocrats ("Company," "we," "us," or "our"). We operate the website at yaracircle.com, the YaraCircle mobile applications for iOS and Android, and all related services, features, and content (collectively, the "Service" or "Platform"). YaraCircle is a social communication platform that enables users to connect through anonymous stranger matching, friend messaging, group communities, voice and video calls, anonymous posting (Whispers), daily community prompts (Daily Pulse), personality-driven icebreakers (Sparks), an AI companion (Yara), content discovery, and more.

This Privacy Policy describes how we collect, use, process, store, and disclose your personal information when you access or use the Service. It applies to all users of the Service globally, regardless of how you access the Platform (web browser, mobile app, API, or any other means).

This Privacy Policy should be read alongside our Terms of Service, Community Guidelines, and Cookie Policy, which are incorporated by reference.

This Privacy Policy is governed by the laws of the Republic of India and is compliant with the Information Technology Act, 2000, the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, and the Digital Personal Data Protection Act, 2023 (DPDPA). For users in the European Economic Area, it also complies with the General Data Protection Regulation (GDPR). For users in California, it complies with the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA). For users in the United States, it complies with the Children's Online Privacy Protection Act (COPPA).

BY ACCESSING OR USING THE SERVICE, YOU ACKNOWLEDGE THAT YOU HAVE READ, UNDERSTOOD, AND AGREE TO THE COLLECTION, STORAGE, USE, AND DISCLOSURE OF YOUR INFORMATION AS DESCRIBED IN THIS PRIVACY POLICY. IF YOU DO NOT AGREE, PLEASE DO NOT USE THE SERVICE.

2. Who We Are

YaraCircle is operated by Sitocrats, a company based in India. Sitocrats is the data controller (under GDPR) and Data Fiduciary (under DPDPA) responsible for your personal data when you use the Service.

Legal Entity: Sitocrats
Operating As: YaraCircle
Website: yaracircle.com
Governing Law: Republic of India
Privacy Contact: privacy@yaracircle.com
General Support: support@yaracircle.com

3. Information We Collect

We collect information in several ways: information you provide directly at registration, information you provide during use, information collected automatically, and information generated through AI features.

3.1 Information You Provide at Registration

When you create a registered account, we collect:

  • Email address (required)
  • Password (required; hashed with bcrypt using 12 salt rounds before storage — we never store plaintext passwords)
  • Date of birth (required; used for age verification and content filtering)
  • Gender (required; options: male, female, non-binary, other, prefer not to say)
  • Display name (optional; 2–50 characters)
  • YaraID / username (optional; auto-generated if left empty)
  • Referral code (optional; captured from URL parameter if present)

If you sign in with Google OAuth, we receive your Google account email address, display name, and profile picture URL as permitted by your Google account settings. We do not receive your Google password.

3.2 Information Collected for Guest Users

Guest access is available only to users aged 18 and older. When you use guest mode, we collect:

  • Date of birth (required; must confirm you are 18 or older)
  • Gender (required; options: male, female, other)
  • Display name (optional; maximum 20 characters)

Guest sessions expire automatically after 2 hours and all associated session data is deleted from our servers upon expiry.

3.3 Information You Provide During Use

  • Profile data: Profile picture, cover image, tagline, bio, occupation, education, interests (up to 15 tags), conversation starters, pronouns, languages, country, and city.
  • Chat messages: Messages and content you send through stranger chats, friend conversations, and group chats. Messages are encrypted at rest with different encryption contexts for each chat type.
  • Whisper data: Content, title, category, maturity rating, target audience, hashtags, reactions, and bookmarks you create on Whispers.
  • Pulse data: Your answers to daily community prompts (Daily Pulse), challenge participation, and streak information.
  • Yara AI conversations: Messages you send to and receive from the Yara AI companion.
  • Group information: Group names, descriptions, topics, settings, membership, and participation data.
  • Reviews and feedback: Rating, title, content, category, and platform information when you submit a review.
  • Media uploads: Profile pictures, cover images, and other images you upload to the Service.
  • Reports and blocks: When you report or block another user, we collect your user ID, the reported/blocked user ID, the reason, and any description you provide.
  • Payment information: When you subscribe, your payment details are collected and processed directly by Stripe (our PCI-compliant payment processor). We store only your Stripe customer ID, subscription plan, subscription status, and subscription dates. We never store your full card number or CVV.

Date of Birth Information

We collect your date of birth for the following specific purposes:

  • To verify you meet our minimum age requirements (13 for registered accounts, 18 for guest access)
  • To determine which content maturity levels you may access (EVERYONE, TEEN, or MATURE)
  • To restrict access to age-gated features such as stranger chat (18+ only)
  • To comply with child protection laws including COPPA (USA), GDPR (EU/UK), and DPDPA (India)

Your exact date of birth is stored securely and is never displayed to other users. You can choose to display your age, an age range, or hide your age entirely in your privacy settings.

3.4 Information Collected Automatically

  • Session data: IP address (extracted from request headers), user agent string, browser type, operating system, and device type.
  • Geolocation: City and country derived from your IP address. We do not collect precise GPS location data.
  • Connection data: Real-time online/offline status, last active timestamps, and Socket.IO session identifiers for live features.
  • Call metadata: Call ID, caller and receiver IDs, call type (audio or video), start and end timestamps, duration, and end reason. We do not record call audio or video — calls are peer-to-peer via WebRTC and our server handles only signaling.
  • Push notification tokens: Web push subscription data (VAPID keys, endpoint) and mobile push data (FCM token, platform, device ID, device name, app version) required to deliver notifications via Firebase Cloud Messaging.
  • Review metadata: IP address and user agent collected when you submit reviews or feedback.

3.5 Client-Side Data Storage

We store certain data locally on your device to enable the Service to function:

  • Web (Frontend): Encrypted localStorage stores your access token and user object using the Web Crypto API with a device-derived key. Plain localStorage stores cookie consent preferences and UI state flags. We do not use persistent cookies beyond session management.
  • Mobile (Flutter): FlutterSecureStorage (platform keychain/keystore) stores access tokens, refresh tokens, and session IDs with encryption. SharedPreferences stores user ID, user profile data, theme preference, language setting, FCM token, and chat filter preferences (not encrypted). Hive local database caches API responses with time-to-live (TTL) expiration for offline access.

4. How We Use Your Information

We use the information we collect for the following purposes:

4.1 Service Provision and Core Features

  • Create and manage your account (including guest sessions)
  • Match you with other users for anonymous stranger chat sessions based on your interests and preferences
  • Enable friend messaging, group chat, and real-time communication features
  • Facilitate voice and video calls between users via WebRTC
  • Publish and display your Whispers to other users based on maturity rating and audience settings
  • Deliver Daily Pulse prompts and display community responses
  • Provide Sparks icebreakers and personality challenges
  • Power the Yara AI companion for conversational interactions and support
  • Curate the Discover feed with trending and relevant content
  • Process subscription payments and manage premium feature access
  • Deliver push notifications for messages, calls, and platform activity
  • Display user profiles, badges, and interests to other users as configured in privacy settings

4.2 Safety, Security, and Moderation

  • Detect, investigate, and prevent fraud, abuse, harassment, and security incidents
  • Enforce our Terms of Service and Community Guidelines
  • Process user reports and block requests
  • Perform automated and manual content moderation (see Section 7)
  • Verify user age and enforce age-based feature restrictions
  • Administer warning and ban systems for policy violations
  • Detect crisis situations (e.g., self-harm indicators) and deliver safety resources

4.3 Communication

  • Send technical notices, service updates, security alerts, and support messages
  • Respond to your inquiries and customer service requests
  • Send promotional communications (only with your consent where required by applicable law)
  • Notify you about changes to our policies or Service

4.4 Analytics, Improvement, and Personalization

  • Analyze usage trends, feature adoption, and user behavior patterns
  • Conduct internal research and development to improve the Service
  • Personalize your experience including content recommendations in the Discover feed
  • Monitor application performance and resolve technical issues via error tracking
  • Generate aggregated, de-identified analytics and reports

4.5 Legal Compliance

  • Comply with applicable laws, regulations, and legal processes
  • Respond to lawful requests from government authorities and law enforcement
  • Establish, exercise, or defend legal claims
  • Protect our legal rights and interests

5. Legal Bases for Processing (GDPR Art. 6)

For users in the European Economic Area, United Kingdom, and Switzerland, we process your personal data based on the following legal grounds under GDPR Article 6. The applicable legal basis depends on the specific processing activity:

Processing Activity | Legal Basis
Account creation and service delivery | Contract performance (Art. 6(1)(b))
Stranger chat matching, friend messaging, group chat | Contract performance (Art. 6(1)(b))
Voice and video calls | Contract performance (Art. 6(1)(b))
Yara AI conversations (third-party AI processing) | Contract performance (Art. 6(1)(b)); Consent (Art. 6(1)(a))
Payment processing via Stripe | Contract performance (Art. 6(1)(b))
Safety, fraud prevention, content moderation | Legitimate interests (Art. 6(1)(f))
Age verification and content filtering | Legal obligation (Art. 6(1)(c)); Legitimate interests (Art. 6(1)(f))
Push notifications | Consent (Art. 6(1)(a))
Analytics cookies (Google Analytics) | Consent (Art. 6(1)(a))
Session replay (Microsoft Clarity) | Consent (Art. 6(1)(a))
Marketing communications | Consent (Art. 6(1)(a))
Error tracking and bug fixing (Sentry) | Legitimate interests (Art. 6(1)(f))
Responding to legal requests | Legal obligation (Art. 6(1)(c))
Automated matching algorithms | Contract performance (Art. 6(1)(b)); Legitimate interests (Art. 6(1)(f))

Where we rely on legitimate interests, we have conducted a balancing test to ensure our interests do not override your fundamental rights and freedoms. You may contact us to obtain information about our balancing assessments. Where we rely on consent, you may withdraw your consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.

6. Age Requirements and Children's Privacy

CRITICAL: YaraCircle operates a tiered age model with different access levels based on user age.

6.1 Tiered Age Model

YaraCircle enforces the following age-based access restrictions. Your date of birth, provided at registration, determines which features are available to you:

Age Group | Platform Access | Feature Restrictions
Under 13 | BLOCKED | All features blocked. Account creation is prevented. No data is collected.
13–15 | Registered account only | No stranger chat. No guest mode. Whispers: EVERYONE content only. Calls: friend audio and video only. Groups, Yara AI (friend mode only), and subscriptions available.
16–17 | Registered account only | No stranger chat. No guest mode. Whispers: EVERYONE and TEEN content. Calls: friend audio and video only. Groups, Yara AI (friend mode only), and subscriptions available.
18+ | Full access (registered account) | All features: stranger chat, all Whisper maturity levels (EVERYONE, TEEN, MATURE), all call types (stranger: audio only; friend: audio and video), groups, Yara AI (both friend and companion modes), subscriptions.
Guest (18+ only) | Limited access | Stranger chat only. Whispers: view only (no posting or interactions). No calls, groups, subscriptions, or Yara AI (unless via stranger chat fallback). Session expires after 2 hours.

6.2 Content Maturity Rating System

User-generated content on Whispers uses a three-tier maturity rating system that determines visibility based on the viewer's age:

  • EVERYONE: Visible to all users aged 13 and older
  • TEEN: Visible to users aged 16 and older
  • MATURE: Visible to users aged 18 and older only

6.3 Children Under 13 (COPPA Compliance)

YaraCircle does not knowingly collect, use, or disclose personal information from children under 13 years of age. Users under 13 are blocked from the platform entirely at registration. We do not offer a parental consent mechanism for users under 13. If we discover that an account belongs to a user under 13, we will immediately terminate the account and permanently delete all associated data. This is in compliance with the Children's Online Privacy Protection Act (COPPA).

6.4 Minors Aged 13–17

Users aged 13–17 are considered minors on the platform and have restricted access as detailed in the tiered model above. Specifically, minors cannot access stranger chat, guest mode, or mature content. The platform restricts features that involve interaction with unknown adults.

6.5 Age Verification

We use date of birth verification during account registration to enforce age restrictions. Providing false age information is a violation of our Terms of Service and may result in immediate account termination. We reserve the right to implement additional age verification measures as required by applicable law.

6.6 Reporting Underage Users

Parents, legal guardians, and any users may contact us at support@yaracircle.com to:

  • Report suspected underage users (under 13)
  • Request immediate deletion of an underage person's account and personal information
  • Ask questions about our age verification and safety measures

7. Content Moderation and Safety

We employ a multi-layered content moderation pipeline to keep the platform safe for all users. This section explains how content is reviewed and how violations are handled.

7.1 Moderation Pipeline

Content posted on YaraCircle goes through the following moderation stages:

  • Synchronous pre-publish check: Before content is published, it is screened for PII patterns (phone numbers, email addresses, social media handles), critical blocklist items (slurs, violence threats, CSAM-related keywords), and other prohibited content. Content that fails this check is blocked from publishing.
  • Asynchronous AI moderation: Published content is sent to OpenAI's Moderation API for automated classification of harmful content categories.
  • Report handling: User reports are processed through a two-layer system: first through OpenAI's Moderation API, then through contextual analysis using Anthropic's Claude AI. Reports are never auto-dismissed.

7.2 Warning and Ban System

Policy violations result in warning points assigned by severity:

  • Minor violation: 1 point
  • Moderate violation: 2 points
  • Severe violation: 3 points

Consequences based on accumulated points:

  • 5 points: 24-hour suspension from the platform
  • 10 points: Permanent ban from the platform

Warning points expire after 90 days. Ban status is checked on every authenticated request. Users may appeal warnings and bans through our support channels.

7.3 Crisis Detection

The Yara AI companion includes crisis detection capabilities. When messages contain keywords indicating potential self-harm or suicidal ideation (e.g., "kill myself," "suicide," "self-harm"), the system triggers a pre-written crisis response that includes local and international helpline numbers and support resources. This is designed to prioritize user safety, not to diagnose or treat mental health conditions.

8. AI-Powered Features

Transparency Notice: YaraCircle uses artificial intelligence in several features. We believe you have the right to know when you are interacting with AI and how your data is used in connection with AI systems.

8.1 Yara AI Companion

Yara is an AI-powered conversational companion powered by Anthropic's Claude Haiku 4.5 model. When you interact with Yara, the following data is sent to Anthropic's servers for processing:

  • Profile context: Your display name, username, interests, country, premium status, friend count, and days since you joined the platform
  • Memory context: Facts Yara has remembered from previous conversations, your favorite topics, and mood trends
  • Conversation messages: The last 15 messages from your conversation history with Yara

Yara uses this data to generate conversational responses, perform mood analysis, and detect crisis situations. Under our data processing agreement with Anthropic, your conversations are not used to train Anthropic's AI models. Yara is not a substitute for professional medical, legal, financial, or mental health advice. Responses are generated by AI and may contain errors or inaccuracies.

8.2 Content Moderation AI (OpenAI)

We use OpenAI's Moderation API for automated content safety screening. The following data is sent to OpenAI:

  • Whisper content text (for moderation classification)
  • Reported content text (for policy violation assessment)

This data is used solely for content safety purposes. Under our agreement with OpenAI, this data is not used to train OpenAI's models.

8.3 Automated Matching

Our stranger chat matching system uses automated algorithms to pair users based on shared interests, preferences, and availability. This matching is performed by our own systems and does not involve third-party AI processing.

8.4 Your Rights Regarding Automated Processing

Under GDPR Article 22 and similar laws, you have the right not to be subject to a decision based solely on automated processing that produces legal effects or similarly significantly affects you. Our automated processing (matching, content moderation) does not produce legal effects. However, if you believe an automated decision has significantly affected you, you may contact us to request human review.

9. Third-Party Service Providers

We use the following third-party service providers (sub-processors). Each provider processes your data only as necessary to perform their designated function and is bound by data processing agreements:

Anthropic (AI Processing)

Purpose: Powers the Yara AI companion and contextual report analysis using Claude Haiku 4.5.
Data Shared: User profile context (display name, username, interests, country, premium status, friend count, days since joined), memory context (remembered facts, favorite topics, mood trend), and the last 15 conversation messages with Yara.
Training: Under our data processing agreement, Anthropic does not use your data to train its AI models.
Location: United States

OpenAI (Content Moderation)

Purpose: Automated content safety screening for Whispers and reported content.
Data Shared: Whisper content text and report content text (for classification only).
Training: Under our agreement, OpenAI does not use this data to train its models.
Location: United States

Stripe (Payment Processing)

Purpose: Processes subscription payments for YaraCircle Premium.
Data Shared: Email address, subscription plan, and payment method information (collected directly by Stripe's PCI-compliant infrastructure). We never receive or store full card numbers.
Location: United States (PCI DSS Level 1 certified)

Cloudflare R2 (Media Storage)

Purpose: CDN and object storage for user-uploaded media (profile pictures, cover images, uploaded media).
Data Shared: Uploaded media files.
Location: Global (nearest Cloudflare data center)

Firebase Cloud Messaging / Google (Push Notifications)

Purpose: Delivers push notifications to mobile devices.
Data Shared: FCM token, platform (iOS/Android), device ID, device name, and app version.
Location: United States

Google Analytics (Website Analytics)

Purpose: Understanding website usage patterns and performance.
Default Consent: DENIED for all analytics categories. Google Analytics is only activated when you explicitly grant analytics cookie consent through our cookie banner.
IP Anonymization: Enabled (anonymize_ip: true).
Location: United States

Microsoft Clarity (Session Replay and Heatmaps)

Purpose: Understanding user interaction patterns through session replays and heatmaps.
Default Mode: Cookieless mode by default. Cookies are only activated after you provide explicit consent through our cookie banner.
Location: United States

Sentry (Error Tracking)

Purpose: Monitors application errors and performance issues to maintain service reliability and fix bugs.
Data Shared: Error stack traces, device information, app version. Sentry does not receive message content, profile information, or other personal data.
Location: United States

10. Data Sharing and Disclosure

We do not sell your personal information. We may share your information in the following circumstances:

10.1 With Other Users

When you use the Service, certain information is visible to other users depending on the feature and your privacy settings:

  • Profile: Your display name, profile picture, bio, interests, badges, and age (as configured in your settings: exact age, age range, or hidden) are visible based on your profile visibility setting (public, discoverable, or private).
  • Stranger Chat: Your age, gender, interests, and country may be visible to facilitate matching. You can use incognito mode to limit visibility.
  • Friend Conversations: Messages are visible only to you and the specific friend.
  • Group Chat: Messages are visible to all members of the group.
  • Whispers: Your Whispers are anonymous by design. Other users see the content, hashtags, and reactions but not your identity.
  • Daily Pulse: Your responses to daily prompts may be visible to other users.

Your email address, date of birth, password, and other private account information are never shared with other users.

10.2 With Service Providers

We share information with the third-party service providers listed in Section 9, who process your data only as necessary to perform their designated function under data processing agreements.

10.3 For Legal Reasons

We may disclose your information if we believe in good faith that such disclosure is necessary to:

  • Comply with applicable laws, regulations, legal processes, or enforceable governmental requests (including under Indian IT Act, GDPR, or other applicable laws)
  • Enforce our Terms of Service and other agreements
  • Protect our rights, property, or safety, or that of our users or the public
  • Detect, prevent, or address fraud, security, or technical issues
  • Respond to an emergency involving danger of death or serious physical injury to any person
  • Cooperate with law enforcement in child safety investigations

10.4 Business Transfers

If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, receivership, dissolution, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will provide notice before your personal information is transferred and becomes subject to a different privacy policy. Where required by law, we will seek your consent prior to such transfer.

10.5 Aggregated or De-identified Data

We may share aggregated, de-identified, or anonymized information that cannot reasonably be used to identify you. This includes aggregate usage statistics, trend data, and anonymized analytics. Such data is not considered personal information under applicable law.

11. International Data Transfers

Important: Your information may be transferred to, stored, and processed in India, the United States, and other countries where we or our service providers operate. These countries may have data protection laws that differ from the laws of your country of residence.

Our primary operations are in India. When we transfer personal data outside India, the EEA, UK, or Switzerland, or across other jurisdictional borders, we implement appropriate safeguards, including:

  • Standard Contractual Clauses (SCCs): We use European Commission-approved SCCs and UK International Data Transfer Agreements with our service providers.
  • Adequacy Decisions: Where applicable, we rely on adequacy decisions by the European Commission or UK Secretary of State recognizing that a country provides an adequate level of data protection.
  • Data Processing Agreements: All service providers are bound by data processing agreements that include obligations for data security, confidentiality, and data subject rights.
  • Supplementary Measures: We implement technical measures (encryption in transit and at rest) and organizational measures (access controls, security policies) to protect transferred data.

You may request a copy of the safeguards we use for international data transfers by contacting us at privacy@yaracircle.com.

12. Data Retention and Deletion

We retain your information only for as long as necessary to fulfill the purposes described in this Privacy Policy, after which it is securely deleted or anonymized.

12.1 Retention Periods

Data Category | Retention Period
Active user account data | Retained while the account is active
Guest session data | Automatically deleted after 2 hours (Redis TTL)
Friend chat messages | Until deleted by user or account deletion
Group chat messages | Duration of group existence
Whispers | Until deleted by author or removed by moderation
Yara AI conversation history | Until deleted by user or account deletion
Warning points | Expire after 90 days
Session records | Auto-deleted on expiry (TTL index)
Push notification tokens | Until user revokes permission or account deletion
Data export requests | 30-day cooldown between requests

12.2 Account Deletion

You have two options for deleting your account:

  • Soft delete with 30-day grace period: Your account is deactivated and scheduled for permanent deletion after 30 days. During this period, you may cancel the deletion and restore your account.
  • Immediate permanent deletion: Your account and all associated data are permanently deleted immediately. This requires email confirmation and cannot be undone.

Upon permanent deletion, the following data is removed: your user record, friend chat messages, friend requests, reports filed by you, block records, and support tickets. Your reference is also removed from other users' friend lists.

In some cases, we may retain anonymized or aggregated data indefinitely for statistical purposes, provided it cannot be used to identify you. Legal holds or pending litigation may require extended retention of specific data.

13. Your Rights by Jurisdiction

Regardless of your location, we provide the following rights to all YaraCircle users:

13.1 Universal Rights (All Users)

  • Access and Data Export: Request a full JSON download of all your personal data (profile, chats, friends, reports, blocks, tickets) via the in-app data export feature. A 30-day cooldown applies between export requests.
  • Correction: Update or correct your personal information at any time through your account settings.
  • Deletion: Delete your account (soft delete with 30-day grace period or immediate permanent deletion). See Section 12.2.
  • Privacy Controls: Configure profile visibility (public, discoverable, or private), age display (exact, range, or hidden), online status visibility, incognito mode, searchability, and friend request permissions.
  • Notification Preferences: Control which push notifications you receive through your device settings and in-app preferences.
  • AI Interaction: Delete your Yara AI conversation history at any time.
  • Block and Report: Block other users and report content or behavior that violates our guidelines.

13.2 GDPR Rights (EEA, UK, and Switzerland)

If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following additional rights under the General Data Protection Regulation:

  • Right of Access (Art. 15): Request a copy of your personal data and information about how it is processed.
  • Right to Rectification (Art. 16): Request correction of inaccurate or incomplete personal data.
  • Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten"). We will process erasure requests within 30 days.
  • Right to Restriction (Art. 18): Request restriction of processing in certain circumstances.
  • Right to Data Portability (Art. 20): Receive your personal data in a structured, commonly used, machine-readable format (JSON).
  • Right to Object (Art. 21): Object to processing based on legitimate interests, including profiling.
  • Right Related to Automated Decision-Making (Art. 22): Not be subject to decisions based solely on automated processing that produce legal effects. See Section 8.4.
  • Right to Withdraw Consent: Withdraw consent at any time without affecting the lawfulness of prior processing.
  • Right to Lodge a Complaint: Lodge a complaint with your local Data Protection Authority (list available at edpb.europa.eu).

To exercise your GDPR rights, contact us at privacy@yaracircle.com. We will respond within one month (extendable by two additional months for complex requests with notice to you).

13.3 CCPA/CPRA Rights (California Residents)

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) provides you with the following rights:

  • Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected, the sources of collection, the business purposes for collection, and the categories of third parties with whom we share it.
  • Right to Delete: Request that we delete personal information we have collected from you, subject to certain legal exceptions.
  • Right to Correct: Request correction of inaccurate personal information.
  • Right to Opt-Out of Sale/Sharing: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.
  • Right to Limit Use of Sensitive Information: Request that we limit use and disclosure of sensitive personal information to what is necessary.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

Categories of personal information collected in the preceding 12 months:

  • Identifiers: Name, email address, IP address, device identifiers, account ID
  • Protected Classifications: Age/date of birth, gender
  • Commercial Information: Subscription and transaction history
  • Internet/Electronic Activity: Usage data, interaction data, device information
  • Geolocation: Approximate location based on IP address (country/city level)
  • Inferences: Interest preferences, content recommendations

To exercise your California rights, email privacy@yaracircle.com with the subject line "CCPA Request." We will respond within 45 days (extendable by an additional 45 days with notice).

13.4 DPDPA Rights (India Residents)

If you are located in India, the Digital Personal Data Protection Act, 2023 (DPDPA) provides you with the following rights:

  • Right to Information: Obtain a summary of your personal data being processed and the processing activities undertaken.
  • Right to Correction and Erasure: Request correction of inaccurate or misleading personal data and erasure of data no longer necessary for the purpose for which it was collected.
  • Right to Grievance Redressal: Have your grievances addressed. See Section 18 for Grievance Officer details.
  • Right to Nominate: Nominate another individual to exercise your rights in the event of your death or incapacity.

Consent: Where we process your personal data based on consent under the DPDPA, we will obtain your consent through a clear and specific notice. You may withdraw your consent at any time by contacting us, and we will cease processing within a reasonable period, subject to any legal retention obligations.

Data Fiduciary Obligations: As a Data Fiduciary under the DPDPA, Sitocrats implements reasonable security safeguards to protect your personal data and will notify you and the Data Protection Board of India in the event of a personal data breach.

14. Cookie Policy Summary

We use cookies and similar technologies to operate and improve the Service. This section provides a summary; please refer to our full Cookie Policy for complete details.

14.1 Cookie Categories

| Category | Default | Description |
|---|---|---|
| Necessary | Always on | Session management, authentication, CSRF protection. Cannot be disabled. |
| Analytics | Opt-in | Google Analytics (consent denied by default, IP anonymization enabled). Only activated with explicit consent. |
| Marketing | Opt-in | Currently minimal. Only activated with explicit consent. |

14.2 Cookie Consent

When you first visit our website, you will see a cookie consent banner with three options:

  • Accept All: Enables all cookie categories including analytics and marketing
  • Necessary Only: Enables only strictly necessary cookies
  • Customize: Opens a panel where you can toggle individual cookie categories on or off

Microsoft Clarity runs in cookieless mode by default and only activates cookies after you provide explicit consent. Your cookie preferences are stored in localStorage on your device.

14.3 Managing Cookies

You can update your cookie preferences at any time through the cookie settings available in the website footer. You can also manage cookies through your browser settings. Note that disabling strictly necessary cookies may prevent you from using the Service. For our full cookie details, see our Cookie Policy.

15. Data Security Measures

We implement appropriate technical and organizational security measures designed to protect your information against unauthorized access, alteration, disclosure, or destruction:

  • Encryption in Transit: All data transmitted between your device and our servers is encrypted using HTTPS (TLS/SSL).
  • Encryption at Rest: Chat messages are encrypted at rest with different encryption contexts for stranger, friend, and group chats. Uploaded media files are encrypted on Cloudflare R2.
  • Password Security: Passwords are hashed using bcrypt with 12 salt rounds. We never store plaintext passwords.
  • Token Security: Web tokens are encrypted in localStorage via Web Crypto API with a device-derived key. Mobile tokens are stored in platform-level secure storage (iOS Keychain, Android Keystore). JWT access tokens use short expiration periods with automatic refresh.
  • Access Controls: Role-based access controls and authentication requirements for all internal systems.
  • Rate Limiting: API rate limiting to prevent abuse and brute-force attacks.
  • Call Security: Voice and video calls use WebRTC for peer-to-peer connections. Our servers handle only signaling — no audio or video is recorded or stored.

Important Disclaimer: While we implement commercially reasonable security measures, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee the absolute security of your data. You are responsible for maintaining the confidentiality of your account credentials and should notify us immediately at support@yaracircle.com if you suspect unauthorized access to your account.

16. Data Breach Notification

Our Commitment: In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users and relevant authorities promptly and in accordance with applicable law.

16.1 Notification to Authorities

  • GDPR (EEA/UK): We will notify the relevant supervisory authority within 72 hours of becoming aware of a breach that poses a risk to individuals' rights and freedoms, as required by GDPR Article 33.
  • DPDPA (India): We will notify the Data Protection Board of India and affected Data Principals as prescribed under the DPDPA and associated rules.
  • CCPA (California): We will notify affected California residents in the most expedient time possible and without unreasonable delay.
  • Other Jurisdictions: We will comply with data breach notification requirements in all applicable jurisdictions.

16.2 Notification to Users

Where a breach is likely to result in a high risk to your rights and freedoms, we will notify you directly via email and/or in-app notification. Our notification will include:

  • The nature of the breach and the categories of data affected
  • The likely consequences of the breach
  • The measures we have taken or propose to take to address the breach
  • Recommendations for steps you can take to protect yourself
  • Contact details for our privacy team

17. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, applicable law, or for other operational, legal, or regulatory reasons.

How we notify you of changes:

  • We will post the revised Privacy Policy on this page with an updated "Last updated" date.
  • For material changes, we will provide prominent notice through email notification, in-app notification, or a banner on the Service before the changes take effect.
  • Where required by applicable law (including GDPR and DPDPA), we will obtain your consent to material changes before they become effective.

Your continued use of the Service after the effective date of any modified Privacy Policy constitutes your acceptance of the updated policy. If you do not agree with the changes, you should discontinue use of the Service and may request deletion of your account. We encourage you to review this Privacy Policy periodically.

18. Grievance Officer (India IT Act)

In accordance with the Information Technology Act, 2000, the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, and the Digital Personal Data Protection Act, 2023, we have appointed a Grievance Officer to address your concerns regarding the processing of your personal data.

Grievance Officer
Organization: Sitocrats (operating as YaraCircle)
Email: privacy@yaracircle.com
Subject line: "Grievance" or "DPDPA Grievance"
Response time: We will acknowledge your grievance within 24 hours and provide a resolution within 30 days of receipt.

If you are not satisfied with our response, you may escalate your complaint to the Data Protection Board of India (once constituted under the DPDPA) or other applicable regulatory authority.

19. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy, our privacy practices, or how we handle your personal information, please contact us:

Privacy Inquiries

Email: privacy@yaracircle.com
For all GDPR, CCPA, DPDPA, data rights requests, and privacy questions.
Please include "Privacy Request" in the subject line.

General Support

Email: support@yaracircle.com
For general inquiries, account assistance, and customer service.

Grievance Officer (India / DPDPA / IT Act)

Email: privacy@yaracircle.com
Subject: "Grievance" or "DPDPA Grievance"
Response: Acknowledgment within 24 hours, resolution within 30 days

We will acknowledge receipt of your request within 48 hours and provide a substantive response within the timeframe required by applicable law (generally 30 days for GDPR/DPDPA, 45 days for CCPA/CPRA). Complex requests may require additional time with prior notice to you.

Effective Date: February 21, 2026
Last Updated: February 21, 2026

This Privacy Policy is governed by and construed in accordance with the laws of the Republic of India. If any provision of this Privacy Policy is found to be unenforceable, the remaining provisions will continue in full force and effect.