Legal

Privacy Policy

Last updated July 13, 2026

Draft — needs review. This is a starting template for Yoata and has not been reviewed by a lawyer. Have it reviewed and adapted to your business, and replace every [bracketed] placeholder, before you rely on it.

This Privacy Policy explains how [Legal Entity Name] (“Yoata”, “we”), based at [Registered Address], Kathmandu, Nepal, collects and processes personal data. For the purposes of the EU/UK GDPR, Yoata is the data controller of the personal data described here. Contact us at contact@yoata.ai [appoint a Data Protection Officer / EU representative if required and add their details].

1. Personal data we collect

  • Account data — name, email address, company, job title, and a hashed password (we never store passwords in plain text).
  • Sign-in data — if you use Google sign-in, your basic Google profile (name, email) via OAuth.
  • Order & communication data — quote requests, order details, and messages you send us.
  • Technical data — strictly-necessary session/auth cookies and standard server logs (see our Cookie Policy).

2. How we use it, and our legal bases

PurposeGDPR legal basis
Create and secure your account; sign you inPerformance of a contract; legitimate interests (security)
Respond to quote requests, deliver orders, provide supportPerformance of a contract / pre-contract steps
Send transactional emails (order, quote, delivery, messages)Performance of a contract; legitimate interests
Comply with legal obligations; prevent fraud/abuseLegal obligation; legitimate interests

We do not sell your personal data, and we do not use it for third-party advertising.

3. Who we share data with (sub-processors)

We share personal data with service providers who process it on our behalf under contract:

ProviderPurpose
VercelWebsite hosting & delivery
[Database host — e.g. Neon / Supabase / AWS RDS]Application database
Google (OAuth)Optional sign-in
ResendTransactional email delivery
Amazon Web Services (AWS)Dataset file storage & delivery

[Keep this list current — GDPR requires you to disclose recipients/categories of recipients, and to have a data-processing agreement with each processor.]

4. International data transfers

We operate from Nepal and use providers located in other countries, including the United States. Nepal is not the subject of an EU “adequacy decision”. Where we transfer personal data of individuals in the EU/UK to a country without an adequacy decision, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses (SCCs) under GDPR Article 46. [Put SCCs / an International Data Transfer Agreement in place with each relevant provider and with any EU customers, and run a transfer risk assessment — confirm with a lawyer.]

5. Data retention

We keep account and order data for as long as your account is active and as needed to provide the service, then for the period required to meet legal, tax, and accounting obligations, after which we delete or anonymise it. [Set specific retention periods.]

6. Your rights

If you are in the EU/UK (GDPR)

You have the right to access, rectify, erase, restrict, or object to processing of your personal data; to data portability; to withdraw consent where processing is based on consent; and to lodge a complaint with your data-protection supervisory authority.

If you are a California resident (CCPA/CPRA)

Where the CCPA applies, you have the rights to know, delete, correct, opt-out of the sale/sharing of personal information, limit the use of sensitive personal information, and not be discriminated against for exercising your rights. We do not sell or share personal information as defined by the CCPA. [The CCPA only applies above certain thresholds ($25M+ revenue, or the personal information of 100,000+ California residents, or 50%+ of revenue from selling it) — confirm whether it applies to you.]

To exercise any right, email contact@yoata.ai. You do not need an account to make a request, and we will not discriminate against you for making one.

7. Privacy of individuals recorded in our datasets

This is separate from the account data above and important: our datasets are recorded in real environments, including homes, and may contain identifiable people, their likenesses, voices, and private property. Footage that can identify a person is personal data, and some of it may constitute special-category / biometric data under GDPR Article 9 or biometric-privacy laws such as the Illinois Biometric Information Privacy Act (BIPA).

  • We obtain written consent / releases from individuals who participate in or appear in recordings, covering the recording, its use as training data, and its licensing to our customers. [Ensure a signed release/consent is collected for every recording — this is essential.]
  • Where required, we minimise, blur, or remove third parties who did not consent, and we honour requests from recorded individuals to access or delete data about them, subject to legal limits.
  • Customers are contractually prohibited from re-identifying or contacting individuals in the data (see our Terms of Service).

If you believe you appear in our data and wish to exercise your rights, contact contact@yoata.ai. [Biometric and special-category processing carries strict consent and, in some US states, statutory-damages exposure — have your release forms and data-handling reviewed by a lawyer.]

8. Security

We use technical and organisational measures appropriate to the risk, including hashed passwords, HTTPS, access controls, and reputable infrastructure providers. No method of transmission or storage is completely secure.

9. Children

The service is not directed to children and is intended for business users. We do not knowingly collect personal data from children.

10. Changes

We may update this policy; material changes will be posted here with a new “Last updated” date.

11. Contact

Privacy questions or requests: contact@yoata.ai.