Privacy Policy

Last Updated: November 21, 2025
Version: 1.0.0
Effective Date: November 21, 2025


1. Introduction

YAPL Project Management Ltd. ("YAPL", "we", "our", or "us") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, and protect your information when you use our project management platform and related services ("Service").

This Privacy Policy applies to all users of our Service and complies with:

  • General Data Protection Regulation (GDPR) - EU Regulation 2016/679
  • California Consumer Privacy Act (CCPA) - California Civil Code Section 1798.100 et seq.
  • Other applicable data protection laws and regulations

By using our Service, you agree to the collection and use of information in accordance with this Privacy Policy.


2. Data Controller

The data controller responsible for your personal data is:

YAPL Project Management Ltd.
Email: privacy@yapl.com
Legal Contact: legal@yapl.com
Data Protection Officer: dpo@yapl.com
Address: [Company Address - To Be Updated]

If you have any questions about how we handle your data or wish to exercise your data protection rights, please contact us using the details above.


3. Legal Basis for Processing

We process your personal data under the following legal bases (GDPR Article 6):

3.1 Contractual Necessity (Article 6(1)(b))

Processing necessary to perform our contract with you (Terms of Service), including:

  • Account creation and management
  • Service delivery and support
  • Billing and subscription management

3.2 Legitimate Interests (Article 6(1)(f))

Processing necessary for our legitimate business interests, including:

  • Service improvement and analytics
  • Security and fraud prevention
  • Marketing to existing customers (with opt-out rights)

3.3 Legal Obligation (Article 6(1)(c))

Processing necessary to comply with legal obligations, including:

  • Tax and accounting requirements
  • Regulatory compliance
  • Response to lawful requests from authorities

3.4 Consent (Article 6(1)(a))

Processing based on your explicit consent, including:

  • Optional marketing communications
  • Non-essential cookies
  • Third-party integrations

You may withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.


4. Data We Collect

4.1 Information You Provide (Account Data)

During Registration:

  • Full name
  • Email address
  • Company name
  • Workspace name
  • Password (encrypted and hashed)

During Service Use:

  • Project information (names, descriptions, dates)
  • Task and milestone data
  • Team member information
  • Documents and files uploaded
  • Comments and communications
  • Settings and preferences

4.2 Information We Collect Automatically

Usage Data:

  • IP address
  • Browser type and version
  • Device information (type, operating system)
  • Pages visited and features used
  • Time and date of access
  • Time spent on pages
  • Referring website addresses

Authentication and Security Data:

  • Login timestamps
  • Session information
  • Device fingerprints (for security purposes)
  • Two-factor authentication data

Cookies and Tracking Technologies:

  • Essential cookies (authentication, security)
  • Preference cookies (language, settings)
  • Analytics cookies (with consent)

4.3 Information from Third Parties

Payment Processors:

  • Payment method information (tokenized)
  • Billing address
  • Transaction history

OAuth/SSO Providers (if you use social login):

  • Profile information
  • Email address
  • Authentication tokens

5. How We Use Your Data

We use your personal data for the following purposes:

5.1 Service Provision

  • Create and manage your account
  • Provide access to the platform
  • Process and fulfill service requests
  • Facilitate team collaboration
  • Store and manage your project data

5.2 Communication

  • Send transactional emails (account notifications, password resets)
  • Respond to your inquiries and support requests
  • Send service updates and announcements
  • Marketing communications (with consent or opt-out rights)

5.3 Service Improvement

  • Analyze usage patterns and trends (aggregated data)
  • Identify and fix bugs
  • Develop new features
  • Improve user experience

5.4 Security and Fraud Prevention

  • Detect and prevent unauthorized access
  • Monitor for suspicious activities
  • Enforce our Terms of Service
  • Protect against fraud and abuse

5.5 Legal Compliance

  • Comply with legal obligations
  • Respond to lawful requests from authorities
  • Enforce our legal rights
  • Resolve disputes

6. Data Sharing and Disclosure

6.1 We Do NOT Sell Your Data

We do not sell, rent, or trade your personal data to third parties for marketing purposes.

6.2 Service Providers

We share data with trusted service providers who assist us in operating our Service:

Infrastructure Providers:

Payment Processors:

Email Services:

All service providers are contractually obligated to:

  • Process data only as instructed by us
  • Implement appropriate security measures
  • Comply with GDPR and applicable data protection laws

6.3 Legal Requirements

We may disclose your data when required by law or to:

  • Comply with legal processes (subpoenas, court orders)
  • Respond to government requests
  • Enforce our Terms of Service
  • Protect our rights, property, or safety
  • Prevent fraud or illegal activities

6.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity. We will notify you of any such change and your options regarding your data.

6.5 With Your Consent

We may share your data with third parties when you explicitly consent, such as:

  • Integrations you enable (Google Drive, Dropbox, etc.)
  • Sharing project data with external collaborators
  • Public features you choose to use

7. Data Retention

7.1 Active Accounts

We retain your data for as long as your account is active and you continue to use our Service.

7.2 Inactive Accounts

If your account is inactive for 12 months, we may:

  • Send reminders about account status
  • Archive your data
  • Delete your account after 90 days' notice

7.3 Account Deletion

When you delete your account:

  • Your data is retained for 30 days for recovery purposes
  • After 30 days, your data is permanently deleted
  • Backup copies are deleted within 90 days

7.4 Legal Retention

We may retain certain data longer when required by law:

  • Financial records: 7 years (tax compliance)
  • Legal proceedings: Duration of proceedings plus 1 year
  • Consent records: 7 years (GDPR compliance)

7.5 Anonymized Data

We may retain anonymized, aggregated data indefinitely for analytics and service improvement. This data cannot be used to identify you personally.


8. Data Security

We implement industry-standard security measures to protect your data:

8.1 Technical Measures

  • Encryption in Transit: TLS 1.3 for all connections
  • Encryption at Rest: AES-256 encryption for stored data
  • Password Security: Bcrypt hashing with salt
  • Two-Factor Authentication: Optional MFA for enhanced security

8.2 Organizational Measures

  • Access Control: Role-based access with principle of least privilege
  • Employee Training: Regular security awareness training
  • Security Audits: Periodic security assessments and penetration testing
  • Incident Response: Documented procedures for breach notification

8.3 Multi-Tenancy Security

  • Row-Level Security (RLS): Database-level isolation between workspaces
  • Data Segregation: Each workspace's data is logically separated
  • Access Validation: Every request validates workspace membership

8.4 Limitations

While we implement robust security measures, no system is 100% secure. We cannot guarantee absolute security but will:

  • Notify you of breaches within 72 hours (GDPR requirement)
  • Take immediate action to mitigate risks
  • Provide guidance on protective measures

9. Your Data Protection Rights (GDPR)

Under the GDPR, you have the following rights:

9.1 Right to Access (Article 15)

You can request:

  • Confirmation of whether we process your data
  • A copy of your personal data
  • Information about how we use your data

How to exercise: Contact privacy@yapl.com or use the account settings page.

9.2 Right to Rectification (Article 16)

You can request correction of inaccurate or incomplete data.

How to exercise: Update your profile in account settings or contact us.

9.3 Right to Erasure / "Right to be Forgotten" (Article 17)

You can request deletion of your data when:

  • Data is no longer necessary for the purposes collected
  • You withdraw consent (for consent-based processing)
  • You object to processing (for legitimate interest processing)
  • Data was unlawfully processed

How to exercise: Delete your account or contact privacy@yapl.com.

Exceptions: We may retain data when required by law or for legal claims.

9.4 Right to Restriction of Processing (Article 18)

You can request we limit processing when:

  • You contest the accuracy of data
  • Processing is unlawful but you don't want deletion
  • We no longer need the data but you need it for legal claims
  • You object to processing pending verification

How to exercise: Contact privacy@yapl.com.

9.5 Right to Data Portability (Article 20)

You can request your data in a structured, machine-readable format (CSV, JSON).

How to exercise: Use the data export feature in account settings or contact us.

9.6 Right to Object (Article 21)

You can object to:

  • Processing based on legitimate interests
  • Direct marketing (including profiling)
  • Processing for scientific/historical research

How to exercise: Adjust settings or contact privacy@yapl.com.

9.7 Right to Withdraw Consent (Article 7(3))

For consent-based processing, you can withdraw consent at any time.

How to exercise: Adjust settings or contact privacy@yapl.com.

9.8 Right to Lodge a Complaint

You can file a complaint with your local data protection authority if you believe we violated your rights.

EU Supervisory Authorities: List of EU DPAs


10. International Data Transfers

10.1 Data Location

Your data is primarily stored in:

  • Primary Region: [To Be Specified - e.g., EU/US]
  • Backup Region: [To Be Specified]

10.2 GDPR Compliance for Transfers

When we transfer data outside the EEA, we ensure adequate protection through:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy Decisions for countries with equivalent protection
  • Service Provider Certifications (e.g., SOC 2, ISO 27001)

10.3 Your Control

Enterprise customers can request data residency in specific regions (subject to availability).


11. Cookies and Tracking Technologies

11.1 Essential Cookies (No Consent Required)

We use essential cookies for:

  • Authentication and session management
  • Security features
  • Service functionality
  • Load balancing

Duration: Session cookies (deleted when you close browser) or up to 30 days.

11.2 Analytics Cookies (Consent Required)

With your consent, we may use analytics cookies to:

  • Understand how you use our Service
  • Identify popular features
  • Improve user experience

Analytics Provider: We do not currently use third-party analytics. If implemented, we will use privacy-friendly solutions (e.g., Plausible, Fathom).

11.3 Marketing Cookies (Consent Required)

We do not currently use marketing or advertising cookies. If we implement them, we will:

  • Request explicit consent
  • Provide granular control
  • Respect Do Not Track signals

11.4 Cookie Management

You can control cookies through:

  • Browser Settings: Block or delete cookies
  • Our Cookie Banner: Manage preferences on first visit
  • Account Settings: Update cookie preferences anytime

Note: Blocking essential cookies may affect Service functionality.


12. Children's Privacy

Our Service is not intended for children under 18 years of age. We do not knowingly collect personal data from children.

If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately at privacy@yapl.com. We will promptly delete such data.


13. Changes to This Privacy Policy

13.1 Notification of Changes

We may update this Privacy Policy to reflect:

  • Changes in our practices
  • Legal or regulatory requirements
  • New features or services

We will notify you of material changes by:

  • Email notification to your registered address
  • In-app notifications
  • Prominent notice on our website

13.2 Effective Date

Changes take effect 30 days after notification unless:

  • Required by law to take effect immediately
  • Changes are favorable to you (effective immediately)

13.3 Version History

We maintain a version history of this Privacy Policy. Previous versions are available upon request.


14. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the CCPA:

14.1 Right to Know

You can request:

  • Categories of personal information collected
  • Sources of personal information
  • Business purposes for collection
  • Categories of third parties we share data with
  • Specific pieces of personal information we collected

14.2 Right to Delete

You can request deletion of your personal information, subject to legal exceptions.

14.3 Right to Opt-Out of Sale

We do not sell personal information. If this changes, we will provide an opt-out mechanism.

14.4 Right to Non-Discrimination

We will not discriminate against you for exercising your CCPA rights.

14.5 Authorized Agent

You may designate an authorized agent to make requests on your behalf.

How to exercise CCPA rights: Contact privacy@yapl.com or call [phone number to be added].


15. Contact Us

For privacy-related questions, concerns, or to exercise your rights, contact us:

Privacy Team:
Email: privacy@yapl.com
Subject: "Privacy Inquiry - [Your Concern]"

Data Protection Officer:
Email: dpo@yapl.com

Legal Department:
Email: legal@yapl.com

Mailing Address:
YAPL Project Management Ltd.
[Address to be updated]

Response Time: We aim to respond to all inquiries within 30 days.


16. Supervisory Authority

If you are in the EU/EEA and believe we have not addressed your concerns, you have the right to lodge a complaint with your local supervisory authority.

Find your supervisory authority: EDPB Member List


By using YAPL Project Management, you acknowledge that you have read, understood, and agree to this Privacy Policy.