
Privacy and Data Protection Policy

Last updated: March 2026

Table of Contents

  1. Purpose and Scope
  2. Definitions
  3. Data Processing Principles
  4. Data Controller and Data Processor Roles
  5. Categories of Personal Data
  6. Special Categories of Personal Data
  7. Data Security Measures
  8. Sub-Processors
  9. International Data Transfers
  10. Data Breach Notification
  11. Data Retention and Deletion
  12. Data Subject Request Assistance and Audits
  13. Your Rights as a Data Subject
  14. Cookies

Purpose and Scope

This Privacy and Data Protection Policy ("Policy") describes how Yonetior ("Yonetior", "we", "us", "our"), operating the Yonetior platform at yonetior.com, collects, processes, stores, and protects personal data of its users ("you", "your", "Data Subject").

This Policy applies to all personal data processed through the Yonetior web application, mobile-responsive interfaces, APIs, and related services (collectively, the "Services"). We are committed to processing personal data in compliance with the General Data Protection Regulation (GDPR) and all applicable data protection laws in the jurisdictions where we operate.

By creating an account or using our Services, you acknowledge that you have read and understood this Policy. Where processing relies on consent, we will obtain your explicit consent separately.

Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person (Data Subject), such as name, email address, IP address, or any other identifier.
  • Data Controller: The natural or legal person that determines the purposes and means of processing personal data. For account and platform data, Yonetior acts as the Data Controller.
  • Data Processor: The natural or legal person that processes personal data on behalf of the Data Controller. For content uploaded by tenant administrators, Yonetior acts as the Data Processor.
  • Data Subject: The natural person whose personal data is processed.
  • Processing: Any operation performed on personal data, including collection, recording, storage, alteration, retrieval, use, disclosure, restriction, erasure, or destruction.
  • Explicit Consent: Freely given, specific, informed, and unambiguous indication of the Data Subject's wishes, relating to a particular processing activity.
  • Sub-Processor: A third party engaged by the Data Processor to process personal data on behalf of the Data Controller.

Data Processing Principles

Yonetior processes personal data in accordance with the following principles, as required by GDPR:

  • Lawfulness, fairness, and transparency: Data is processed lawfully, fairly, and in a transparent manner.
  • Purpose limitation: Data is collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
  • Data minimization: Only data that is adequate, relevant, and limited to what is necessary is collected.
  • Accuracy: Personal data is kept accurate and, where necessary, kept up to date.
  • Storage limitation: Data is kept in a form that permits identification of Data Subjects for no longer than is necessary.
  • Integrity and confidentiality: Data is processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage.
  • Accountability: We are responsible for, and able to demonstrate compliance with, these principles.

Data Controller and Data Processor Roles

Yonetior operates in a dual capacity depending on the type of data:

  • As Data Controller: For account registration data (name, email, organization), billing information, usage analytics, cookie data, and support communications. Yonetior determines the purposes and means of processing this data.
  • As Data Processor: For content uploaded by tenant administrators and users within their workspace (client records, project data, documents, expense receipts, notes, financial records). In this capacity, the tenant organization is the Data Controller, and Yonetior processes the data solely on their instructions and in accordance with our Data Processing Agreement (DPA).

Each tenant administrator is responsible for ensuring that data entered into the platform by their team complies with applicable data protection laws, and for providing any necessary privacy notices to their own clients and contacts.

Categories of Personal Data

  • Account and User Data: Full name, email address, phone number (optional), organization name, role within organization, Keycloak authentication identifiers, IP address, browser and device information.
  • Billing and Transaction Data: Credit card details (processed and stored by our payment processor iyzico; we do not store full card numbers), billing address, invoice records, subscription plan and payment history.
  • Usage Data: Login timestamps, feature usage patterns, page views, API request logs, session duration, preferred language and timezone settings.
  • Content and Business Data (processed as Data Processor): Client information entered by users, project details, task descriptions, expense records, uploaded documents, receipt images processed by AI OCR, calendar events, notes, time tracking entries, financial transaction records, and any other data entered by users within their tenant workspace.

Special Categories of Personal Data

Yonetior does not intentionally collect or process special categories of personal data as defined in Article 9 of the GDPR (e.g., racial or ethnic origin, political opinions, religious beliefs, health data, biometric data, or data concerning sex life or sexual orientation).

If you are a tenant administrator, please ensure that your team does not upload special category data to the platform unless you have a lawful basis and have implemented appropriate safeguards. If special category data is inadvertently uploaded, please contact us immediately so we can assist with its secure deletion.

Data Security Measures

We implement comprehensive technical and organizational measures to protect your personal data:

  • Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2+ (HTTPS).
  • Encryption at rest: Data stored on our servers is encrypted using AES-256 encryption.
  • Access controls: Role-based access control (RBAC) ensures that users can only access data relevant to their role. Administrative access to infrastructure is restricted and logged.
  • Authentication: Keycloak-based identity management with RS256 JWT tokens, password policies, and account lockout protection.
  • Network security: Firewall rules, intrusion detection, and DDoS protection are in place.
  • Backups: Regular automated backups with point-in-time recovery capabilities.
  • Multi-tenant isolation: Strict data isolation between tenant organizations at the database level.
  • Hosting: Our infrastructure is hosted on secure servers within the European Union.
  • Security audits: Regular security assessments and vulnerability scanning of our platform.

Sub-Processors

We engage the following sub-processors to provide our Services. Each sub-processor is bound by contractual obligations to protect personal data:

  • Google Cloud Platform (EU region): Infrastructure hosting, AI services (Gemini Flash-Lite for receipt OCR and document classification). Data processed within EU data centers.
  • iyzico (Iyzipay): Payment processing for subscription billing. iyzico is PCI DSS compliant and processes credit card data securely. We do not store full credit card numbers on our servers.
  • Keycloak (self-hosted): Identity and access management, authentication services. Hosted within our own infrastructure.
  • SendGrid: Transactional email delivery (password reset, notifications). Only email addresses and message content are shared.
  • Redis (self-hosted): Caching layer for performance optimization. Hosted within our own infrastructure.

We will notify you of any changes to sub-processors that may affect the processing of your personal data. You may object to a new sub-processor within 30 days of notification.

International Data Transfers

Your personal data is primarily stored and processed within the European Union (EU). Where data needs to be transferred outside the EU/EEA, we ensure that appropriate safeguards are in place in compliance with Articles 46-49 of the GDPR:

  • Standard Contractual Clauses (SCCs): We use EU-approved Standard Contractual Clauses with sub-processors located outside the EU/EEA.
  • Adequacy decisions: Where applicable, we rely on European Commission adequacy decisions confirming that the recipient country ensures an adequate level of data protection.
  • Additional safeguards: We conduct transfer impact assessments and implement supplementary measures (such as encryption) where necessary.

You may request information about the specific safeguards applied to international transfers of your data by contacting us.

Data Breach Notification

In the event of a personal data breach, we follow the procedures set out in Articles 33-34 of the GDPR:

  • Supervisory authority notification: We will notify the relevant data protection authority within 72 hours of becoming aware of a breach that is likely to result in a risk to the rights and freedoms of natural persons.
  • Data Subject notification: If the breach is likely to result in a high risk to your rights and freedoms, we will inform you without undue delay, describing the nature of the breach, likely consequences, and measures taken or proposed.
  • Tenant notification: For breaches affecting data processed in our capacity as Data Processor, we will notify the affected tenant administrators promptly so they can fulfill their own notification obligations.
  • Documentation: We maintain a breach register documenting all breaches, their effects, and remedial actions taken.

Data Retention and Deletion

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected:

  • Active accounts: Data is retained for the duration of your active subscription and use of the Services.
  • After cancellation: Account data is retained for 30 days following cancellation to allow for reactivation. After this period, data is permanently deleted or anonymized.
  • Billing records: Transaction and invoice records are retained for 10 years as required by applicable tax and commercial law.
  • Usage logs: Server access logs and usage analytics are retained for 12 months for security and performance monitoring.
  • Backup retention: Data may persist in encrypted backups for up to 90 days after deletion from active systems.

You may request early deletion of your data at any time, subject to our legal retention obligations. We will confirm deletion within 30 days of your request.

Data Subject Request Assistance and Audits

Yonetior supports tenant organizations in responding to Data Subject requests:

  • Request assistance: We provide tools and processes to help tenant administrators fulfill data access, rectification, portability, and erasure requests from their users and clients.
  • Data export: Tenant administrators can export their workspace data in standard formats.
  • Audit rights: Tenant organizations may request information about our processing activities and security measures. We will cooperate with reasonable audit requests and provide relevant documentation.
  • DPA availability: A Data Processing Agreement (DPA) is available for enterprise customers upon request.

Your Rights as a Data Subject

Under the GDPR (Articles 15-22), you have the following rights regarding your personal data:

  • Right of access (Article 15): You have the right to obtain confirmation of whether your personal data is being processed and to access a copy of that data.
  • Right to rectification (Article 16): You have the right to request correction of inaccurate personal data and completion of incomplete data.
  • Right to erasure (Article 17): You have the right to request deletion of your personal data where there is no compelling reason for its continued processing ("right to be forgotten").
  • Right to restriction (Article 18): You have the right to request restriction of processing in certain circumstances.
  • Right to data portability (Article 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller.
  • Right to object (Article 21): You have the right to object to processing based on legitimate interests or for direct marketing purposes.
  • Right not to be subject to automated decision-making (Article 22): You have the right not to be subject to a decision based solely on automated processing that produces legal effects or similarly significantly affects you.
  • Right to withdraw consent: Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, please contact us at info@yonetior.com. We will respond to your request within 30 days. If your request is particularly complex, we may extend this period by an additional 60 days, and we will inform you of any such extension.

If you believe your rights have been infringed, you have the right to lodge a complaint with the relevant data protection authority.

Cookies

Yonetior uses cookies and similar technologies to operate and improve the Services. For detailed information about the cookies we use, their purposes, and how to manage your preferences, please refer to our Cookie Policy.

© 2026 Yonetior. All rights reserved.
