Privacy Policy

Last updated: 2026-05-12 · Effective: 2026-05-12

This Privacy Policy explains how Yolt Cloud OÜ ("we", "us", "yolt.cloud") collects, uses, stores, and discloses personal data when you use the yolt.cloud analytics service (the "Service"). We follow the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK Data Protection Act 2018, and applicable Ukrainian data protection law.

Plain-language summary. We process the business data you connect (CRM orders, ad spend, website analytics) only to deliver the analytics you signed up for. We do not sell your data. We do not share it across tenants. You can request deletion at any time and we will complete it within 30 days.

Data controller
Categories of data
Legal basis
Recipients & processors
International transfers
Retention
Your rights
Automated decisions
Cookies & tracking
Security
Children
Changes to this policy
Contact

1. Data controller

The data controller responsible for personal data processed in connection with the Service is:

Yolt Cloud OÜ
Registered office: Tallinn, Estonia
EU representative inquiries: [email protected]
Data Protection contact: [email protected]

For users in the European Union, you may also contact our representative under Article 27 GDPR using the email address above. We respond to data subject requests within 30 days of receipt.

2. Categories of data we process

The Service is a business-to-business analytics platform. The data we process falls into the following categories:

Category	Examples	Source
Account data	Email, hashed password, workspace name, role, language preference	Provided by user during sign-up
CRM order data	Order ID, order amount, currency, line items, product SKU, order status, hashed customer identifiers	Imported from your CRM (Shopify, WooCommerce, KeyCRM, CSV)
Web analytics data	Session ID, page views, referrer, UTM parameters, anonymous device identifier	Read from your connected Google Analytics 4 property
Ad spend data	Campaign name, ad set, daily spend, impressions, clicks, conversions reported by ad platform	Read from Google Ads and Meta Ads APIs you connect
Usage data	Pages viewed inside the Service, time spent, feature interactions, audit log entries	Collected automatically when you use the Service
Support data	Messages you send to support, attachments, chat transcripts	Provided by user when contacting support

We do not knowingly collect special category data (Article 9 GDPR). If you upload data that contains health, biometric, religious, or other special category information, please do not — the Service is not designed to handle it.

Customer identifiers from your CRM (phone numbers, emails of your end customers) are hashed at ingestion using a one-way function before they reach our analytical storage. We do not store the raw values of your end customers' identifiers.

3. Legal basis for processing

We rely on the following legal bases under Article 6 GDPR:

Performance of a contract (Article 6(1)(b)) — to deliver the analytics service you subscribed to, including ingesting your CRM and ad data, computing metrics, generating reports, and providing access to your workspace.
Legitimate interests (Article 6(1)(f)) — to operate, secure, and improve the Service: aggregated usage analytics, anomaly detection, fraud prevention, billing, and dispute resolution. Our balancing test concluded these interests do not override your rights given the limited scope of processing.
Consent (Article 6(1)(a)) — for optional features such as marketing emails about new features or product newsletters. You may withdraw consent at any time without affecting the lawfulness of prior processing.
Legal obligation (Article 6(1)(c)) — to retain invoices and accounting records for the period required by Estonian and EU tax law (7 years for accounting records).

4. Recipients and processors

We engage a small set of subprocessors to deliver the Service. Each subprocessor is bound by a written data processing agreement and processes data only on our documented instructions.

Subprocessor	Purpose	Location
Supabase Inc.	Database hosting, authentication, file storage	European Union (eu-central-1)
Cloudflare Inc.	CDN, DNS, DDoS protection, edge caching	Global edge network
Anthropic PBC	LLM-powered narrative summaries (optional feature)	United States
Stripe Inc. / Paddle / Dodo	Payment processing for subscriptions	European Union, United States
Resend / Postmark	Transactional email delivery	European Union / United States

Google LLC and Meta Platforms Inc. are not our subprocessors — they are the upstream sources of data you choose to connect via OAuth. When you connect a Google Ads or Meta Ads account, you authorise us to read data on your behalf. The data flow is one way: from these platforms into your workspace.

We do not share your data across tenants. Tenant isolation is enforced at the database row level using PostgreSQL Row Level Security and per-tenant subdomain binding. We do not sell your data, and we do not use your data to train any general-purpose AI model.

5. International transfers

Some of our subprocessors are based in the United States. When we transfer personal data outside the European Economic Area, we rely on:

The European Commission's Standard Contractual Clauses (Module 2 — Controller to Processor) as adopted by Decision 2021/914, with supplementary measures including encryption in transit (TLS 1.3) and at rest (AES-256).
The EU–US Data Privacy Framework where the relevant subprocessor is certified.
Documented Transfer Impact Assessments updated at least annually.

You may request a copy of the SCC documentation by emailing [email protected]. We will provide redacted versions where necessary to protect commercial confidentiality.

6. Retention

We retain personal data only for as long as necessary for the purposes for which it was collected:

Active subscription data — for the duration of your subscription plus 30 days after termination to allow account recovery.
Data after cancellation — automatically purged 30 days after subscription cancellation, except for invoicing records (see next item) and audit log entries required for security investigations.
Invoices and accounting records — 7 years from the date of issue, as required by Estonian Accounting Act §12. These records are pseudonymised and stored separately from the operational database.
Support tickets — 2 years from ticket closure for quality assurance and recurring-issue analysis.
Marketing consent records — 3 years after consent is withdrawn (to demonstrate compliance with the original consent).

You may request earlier deletion at any time via our data deletion form. Subject to the legal retention exceptions above, we will complete deletion within 30 days.

7. Your rights

Under GDPR you have the following rights:

Right of access — request a copy of the personal data we hold about you.
Right to rectification — correct inaccurate or incomplete data.
Right to erasure ("right to be forgotten") — request deletion of your data, subject to retention exceptions above. Use our data deletion form.
Right to restriction of processing — pause processing while you contest accuracy or pursue an objection.
Right to data portability — receive your data in a structured, commonly-used, machine-readable format (CSV or JSON export from your workspace settings).
Right to object — object to processing based on legitimate interests, including profiling.
Right to withdraw consent — where consent is the legal basis, withdraw at any time without affecting prior lawful processing.
Right to lodge a complaint — with a supervisory authority. In Ukraine: the Ukrainian Parliament Commissioner for Human Rights (Ombudsman). In the EU: the European Data Protection Board or your national authority. In Estonia: the Estonian Data Protection Inspectorate.

To exercise any of these rights, email [email protected]. We will verify your identity (to prevent abusive requests) and respond within 30 days. We do not charge a fee for routine requests.

8. Automated decision-making

The Service includes anomaly detection on your business metrics — for example, flagging a sudden drop in conversion rate or a spike in ad cost. These detections are not automated decisions that produce legal effects or similarly significant effects within the meaning of Article 22 GDPR. They are advisory signals displayed in your workspace; you decide what action to take.

Every anomaly flag is accompanied by an explanation: the metric, the threshold, the comparison window, and the underlying values. You can always see why something was flagged. There is no opaque scoring or profiling that classifies you or your business.

Where we use language-model features (for example, a written summary of your week), the output is generated from your aggregated workspace data, is reviewable, and can be turned off in workspace settings.

9. Cookies and tracking

The marketing site at yolt.cloud uses a minimal set of strictly necessary cookies (session, CSRF protection) and one analytics cookie for aggregated visit measurement. We do not use third-party advertising cookies or cross-site tracking pixels on our marketing site.

Inside the authenticated application we use:

Session cookie (strictly necessary) — keeps you signed in.
CSRF token cookie (strictly necessary) — protects against cross-site request forgery.
UI preferences (functional) — stores theme, language, last-viewed page.

No third-party advertising or tracking cookies are set inside the application. You can clear cookies at any time via your browser settings.

10. Security

We implement appropriate technical and organisational measures, including:

Encryption in transit (TLS 1.3) and at rest (AES-256).
PostgreSQL Row Level Security enforcing tenant isolation at the database layer.
Per-tenant subdomain binding to prevent cross-tenant token replay.
Hashing of customer identifiers at ingestion (CRM phone numbers, emails of your end customers).
Quarterly internal security reviews and annual third-party penetration testing.
Audit logs for all administrative actions, retained for at least 12 months.
Documented incident response plan with notification to affected users within 72 hours of confirmed breach, as required by Article 33 GDPR.

11. Children

The Service is intended for use by businesses and is not directed at individuals under 16. We do not knowingly collect personal data from children. If you believe we hold data about a child, contact us and we will delete it.

12. Changes to this policy

We may update this Privacy Policy from time to time. Material changes (those that expand processing or reduce your rights) will be announced by email to workspace owners and via an in-app banner at least 30 days before they take effect. Non-material changes (clarifications, typo fixes) take effect on publication. The "Last updated" date at the top of this page always reflects the current version.

13. Contact

Email: [email protected]
Postal: Yolt Cloud OÜ, Tallinn, Estonia
Data deletion: /data-deletion.html
Terms of Service: /terms.html