YBA Privacy Policy
Your privacy is important to us. It is Yesboss Assistant (YBA)'s policy to respect your privacy and comply with any applicable law and regulation regarding any personal information we may collect about you.
This Privacy Policy explains how YBA collects, uses, and protects personal information in two distinct capacities:
Part A — YBA as Data Controller: When we collect and process personal information directly from individuals who visit our website, create an account, or interact with us outside of a contractual B2B relationship.
Part B — YBA as Data Processor: When we process personal data on behalf of our business clients ("Customers") through the YBA Cloud Service, as governed by our Data Processing Agreement (DPA).
Personal information is any information about you which can be used to identify you. This includes information about you as a person (such as name, address, and date of birth), your devices, payment details, and even information about how you use an app or online service.
In the event our website or app contains links to third-party sites and services, please be aware that those sites and services have their own privacy policies. After following a link to any third-party content, you should read their posted privacy policy. This Privacy Policy does not apply to any of your activities after you leave our website or app.
PART A — YBA AS DATA CONTROLLER
This section applies to personal information we collect directly from individuals who visit our website (yba.ai), create an account, contact us, or otherwise interact with us for our own business purposes. In this context, YBA determines the purposes and means of processing and acts as a Data Controller under applicable data protection laws.
A.1 Information We Collect
Information we collect falls into two categories: "voluntarily provided" information and "automatically collected" information.
Voluntarily provided information refers to any information you knowingly and actively provide us when using our website, app, or associated services. We may ask for personal information — for example, when you register an account or when you contact us — which may include one or more of the following: name, email address, phone or mobile number, home or mailing address, and time zone.
Automatically collected information refers to any information automatically sent by your device in the course of accessing our website or app.
Log Data. When you access our servers, we may automatically log the standard data provided by your device. It may include your device's Internet Protocol (IP) address, your device type and version, your activity within the app, time and date, and other details about your usage. Additionally, when you encounter certain errors, we automatically collect data about the error and the circumstances surrounding its occurrence. Please be aware that while this information may not be personally identifying by itself, it may be possible to combine it with other data to personally identify individual persons.
A.2 Purposes and Legal Bases for Processing
We only collect and use your personal information when we have a legitimate reason for doing so. Our lawful bases depend on the services you use and how you use them:
Consent. Where you give us consent to collect and use your personal information for a specific purpose. You may withdraw your consent at any time using the facilities we provide; however, this will not affect any use of your information that has already taken place.
Performance of a Contract or Transaction. Where you have entered into a contract or transaction with us, or in order to take preparatory steps prior to entering into a contract or transaction with you. For example, we need technical information about your device in order to provide the essential features of our app.
Our Legitimate Interests. Where we assess it is necessary for our legitimate interests, such as for us to provide, operate, improve, and communicate our services. We consider our legitimate interests to include research and development, understanding our audience, marketing and promoting our services, measures taken to operate our services efficiently, marketing analysis, and measures taken to protect our legal rights and interests.
Compliance with Law. In some cases, we may have a legal obligation to use or keep your personal information. Such cases may include (but are not limited to) court orders, criminal investigations, government requests, and regulatory obligations.
We may collect, hold, use, and disclose information for the following purposes, and personal information will not be further processed in a manner that is incompatible with these purposes: to provide you with our platform's core features and services; to enable you to customize or personalize your experience; to contact and communicate with you; for analytics, market research, and business development; for advertising and marketing, including to send you promotional information about our products and services; to enable you to access and use our app and associated platforms; for internal record keeping and administrative purposes; to comply with our legal obligations and resolve any disputes; and for technical assessment, including to operate and improve our app and associated platforms.
A.3 AI Development and Data Privacy
Confidentiality is our top priority at YBA. We do not use any personal data collected in our capacity as Controller to develop, improve, or train generalized AI or ML models. For added clarity, Google Workspace APIs and Microsoft APIs are strictly not used for the development, improvement, or training of any generalized AI or ML models. We partner with technology providers for whom confidentiality is a top priority and who do not use data for training purposes (such as Azure AI Foundry).
A.4 Security of Your Personal Information
When we collect and process personal information, and while we retain this information, we will protect it within commercially acceptable means to prevent loss and theft, as well as unauthorized access, disclosure, copying, use, or modification.
Although we will do our best to protect the personal information you provide to us, we advise that no method of electronic transmission or storage is 100% secure and no one can guarantee absolute data security.
You are responsible for selecting any password and its overall security strength, ensuring the security of your own information within the bounds of our services.
A.5 How Long We Keep Your Personal Information
We keep your personal information only for as long as we need to. This time period may depend on what we are using your information for, in accordance with this Privacy Policy. For example, if you have provided us with personal information as part of creating an account with us, we may retain this information for the duration your account exists on our system. If your personal information is no longer required for this purpose, we will delete it or make it anonymous by removing all details that identify you.
However, if necessary, we may retain your personal information for our compliance with a legal, accounting, or reporting obligation or for archiving purposes in the public interest, scientific, or historical research purposes, or statistical purposes.
A.6 International Transfers of Personal Information
The personal information we collect in our capacity as Controller is stored and processed within the European Union, primarily in data centers located in France, Ireland, Sweden, Germany, and Belgium operated by our infrastructure providers (Amazon Web Services, Microsoft Azure, and Google Cloud). Our infrastructure providers maintain ISO 27001 and SOC 2 certifications.
If we transfer your personal information to third parties in other countries: (i) we will perform those transfers in accordance with the requirements of applicable law; and (ii) we will protect the transferred personal information in accordance with this Privacy Policy, including through the use of Standard Contractual Clauses (SCCs) approved by the European Commission where required.
A.7 Children's Privacy
We do not aim any of our products or services directly at children under the age of 13 and we do not knowingly collect personal information about children under 13. We never directly market to any person(s) under 18 years of age.
A.8 Use of Cookies
Our Privacy Policy covers the use of cookies between your device and our servers. A cookie is a small piece of data that an app may store on your device, typically containing a unique identifier that allows the app servers to recognise your device when you use the app.
We use cookies to give your device access to core features of our app, to track app usage and performance on your device, to tailor your experience based on your preferences, and to serve advertising to your device. Any communication of cookie data between your device and our servers occurs within a secure environment.
At all times, you may decline cookies from our site if your browser permits. Most browsers allow you to activate settings on your browser to refuse the setting of all or some cookies.
Please refer to our Cookie Policy for more information.
A.9 Business Transfers
If we or our assets are acquired, or in the unlikely event that we go out of business or enter bankruptcy, we would include data, including your personal information, among the assets transferred to any parties who acquire us. You acknowledge that such transfers may occur, and that any parties who acquire us may, to the extent permitted by applicable law, continue to use your personal information according to this Privacy Policy.
PART B — YBA AS DATA PROCESSOR
This section applies to personal data that our business clients ("Customers") submit to the YBA Cloud Service. In this context, the Customer is the Data Controller (or a Processor acting on behalf of its own Controller), and YBA acts as a Data Processor (or Sub-processor) processing personal data solely on the Customer's documented instructions.
B.1 Scope and Governing Documents
The processing of Customer Personal Data is governed by our Data Processing Agreement (DPA), available at https://yba.ai/legal/dpa, and our Cloud Service Agreement (CSA), available at https://yba.ai/legal/csa. In the event of any conflict between this Privacy Policy and the DPA or CSA, the DPA and CSA shall prevail with respect to the processing of Customer Personal Data.
B.2 Categories of Data Processed
As described in Annex I of the DPA, YBA may process the following categories of personal data on behalf of Customers: names; contact information such as email, phone number, or address; user activity and analysis such as device information or IP address; and any personal data contained within the Customer Content or prompts submitted by users to the AI Service for processing.
Categories of Data Subjects include: Customer's end users or customers, and Customer's employees.
No special category data (as defined in Article 9 of the GDPR) is intentionally processed.
B.3 No AI Training Commitment
YBA is strictly prohibited from using Customer Personal Data to train, improve, or fine-tune any foundational or generalized AI or ML models. This prohibition is contractually binding under both the DPA (Processing Instructions section) and the CSA (Section 1.6 — No AI Training). All processing of Customer Content by AI sub-processors is performed transitionally and is not used for foundational or generalized model improvement.
In accordance with our contractual agreements with our infrastructure providers (Microsoft Azure, Amazon Web Services, and Google Cloud), we guarantee that no Customer Content is used by YBA or its sub-processors to train, improve, or fine-tune any foundational or generalized AI models. Data submitted for inference is processed transitionally or stored in logically isolated environments dedicated to YBA.
B.4 Sub-processors
To provide its Cloud Service and AI capabilities, YBA relies on trusted technology partners. The current list of approved sub-processors is maintained at https://yba.ai/legal/subprocessors. Our primary sub-processors include:
Microsoft Ireland Operations Ltd — Cloud infrastructure hosting, database management, and AI model inference (Azure OpenAI Service). Location: European Union (France, Ireland).
Amazon Data Services Ireland Ltd — Cloud infrastructure hosting and AI model inference (AWS Bedrock). Location: European Union (Sweden, Germany).
Google Cloud France SARL — Cloud infrastructure hosting and AI model inference (Vertex AI). Location: European Union (Belgium, France).
All sub-processors undergo a rigorous selection and audit process and maintain ISO 27001, ISO 27017, ISO 27018, and SOC 2 Type II certifications.
Customers are notified at least 10 business days in advance of any changes to the approved sub-processor list, in accordance with the DPA.
B.5 Security Measures
YBA maintains a comprehensive security program as described at https://yba.ai/security-matters, including: universal encryption using AES-256 for data at rest and TLS 1.2+ for all data in transit; multi-cloud infrastructure deployed across multiple Availability Zones for high availability; identity management via Keycloak (OIDC/OAuth 2.0) with mandatory Multi-Factor Authentication (MFA) and strict Role-Based Access Control (RBAC); immutable audit logs via AWS CloudTrail and Azure Monitor; and continuous vulnerability scanning via Trivy integrated into CI/CD pipelines.
YBA has successfully completed the CASA Tier 2 assessment with a score of 9.7/10.
B.6 Data Retention and Deletion
The YBA platform operates on a "fetch-on-demand" model. Agent execution history is retained for a maximum rolling period of 90 days during the active Subscription Period. Upon expiration or termination of the Agreement, all Customer Content, including agent execution logs, is deleted within the 60-day period set forth in Section 5.5 of the Cloud Service Agreement.
Right to Erasure requests related to Customer Personal Data are fulfilled within 30 days.
B.7 Data Subject Rights
If you are an end user of a YBA Customer and wish to exercise your data protection rights (access, rectification, erasure, restriction, portability, or objection), please direct your request to the relevant YBA Customer (the Data Controller). YBA will assist the Customer in fulfilling such requests in accordance with the DPA and applicable data protection laws.
B.8 Security Incident Response
Upon becoming aware of any Security Incident (as defined in the DPA), YBA will notify the affected Customer without undue delay and no later than 72 hours after becoming aware of the incident, provide timely information as it becomes known, and promptly take reasonable steps to contain and investigate the incident.
YOUR RIGHTS AND CONTROLLING YOUR PERSONAL INFORMATION
This section applies to personal information we process in our capacity as Data Controller (Part A). For rights related to data we process as a Data Processor on behalf of our Customers, please see Section B.7 above.
Your choice. By providing personal information to us, you understand we will collect, hold, use, and disclose your personal information in accordance with this Privacy Policy. You do not have to provide personal information to us; however, if you do not, it may affect your use of our app or the products and services offered through it.
Information from third parties. If we receive personal information about you from a third party, we will protect it as set out in this Privacy Policy. If you are a third party providing personal information about somebody else, you represent and warrant that you have such person's consent to provide the personal information to us.
Marketing permission. If you have previously agreed to us using your personal information for direct marketing purposes, you may change your mind at any time by contacting us using the details below.
Access. You may request details of the personal information that we hold about you.
Correction. If you believe that any information we hold about you is inaccurate, out of date, incomplete, irrelevant, or misleading, please contact us. We will take reasonable steps to correct any information found to be inaccurate, incomplete, misleading, or out of date.
Deletion. You may request that we delete the personal information we hold about you at any time, and we will take reasonable steps to delete your personal information from our current records. If you terminate or delete your account, we will delete your personal information within 30 days of the deletion of your account.
Non-discrimination. We will not discriminate against you for exercising any of your rights over your personal information.
Notification of data breaches. We will comply with laws applicable to us in respect of any data breach.
Complaints. If you believe that we have breached a relevant data protection law and wish to make a complaint, please contact us using the details below and provide us with full details of the alleged breach. We will promptly investigate your complaint and respond to you in writing. You also have the right to contact a regulatory body or data protection authority in relation to your complaint.
Unsubscribe. To unsubscribe from our email database or opt out of communications (including marketing communications), please contact us using the details provided below, or opt out using the opt-out facilities provided in the communication.
ADDITIONAL DISCLOSURES FOR GDPR COMPLIANCE (EU)
The following additional disclosures apply when the General Data Protection Regulation (EU) 2016/679 ("GDPR") governs the processing of your personal information.
Roles. With respect to personal information collected directly through our website or app (Part A), YBA acts as a Data Controller. With respect to personal data processed on behalf of our business Customers through the YBA Cloud Service (Part B), YBA acts as a Data Processor, as governed by our Data Processing Agreement.
International Transfers Outside the EEA. We ensure that any transfer of personal information from countries in the European Economic Area (EEA) to countries outside the EEA will be protected by appropriate safeguards, including Standard Contractual Clauses (SCCs) approved by the European Commission or other legally accepted means.
Your Additional Rights Under GDPR:
Restrict. You have the right to request that we restrict the processing of your personal information if (i) you are concerned about the accuracy of your personal information; (ii) you believe your personal information has been unlawfully processed; (iii) you need us to maintain the personal information solely for the purpose of a legal claim; or (iv) we are in the process of considering your objection in relation to processing on the basis of legitimate interests.
Objecting to processing. You have the right to object to processing of your personal information that is based on our legitimate interests or public interest.
Data portability. You may have the right to request a copy of the personal information we hold about you in a machine-readable format and to request that we transfer this personal information to a third party.
Deletion. You may have a right to request that we delete the personal information we hold about you at any time, subject to specific legal exceptions.
Competent Supervisory Authority. The competent supervisory authority for YBA is the Commission Nationale de l'Informatique et des Libertés (CNIL), 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France. Website: www.cnil.fr.
ADDITIONAL DISCLOSURES FOR UK GDPR COMPLIANCE (UK)
The following additional disclosures apply when the UK General Data Protection Regulation ("UK GDPR") governs the processing of your personal information.
Roles. With respect to personal information collected directly through our website or app (Part A), YBA acts as a Data Controller. With respect to personal data processed on behalf of our business Customers through the YBA Cloud Service (Part B), YBA acts as a Data Processor, as governed by our Data Processing Agreement and the UK Addendum to the EEA SCCs.
International Transfers. Where we transfer personal data outside the United Kingdom, we adopt appropriate safeguards in accordance with the UK GDPR (Article 45) and Data Protection Act 2018, including Standard Contractual Clauses (SCCs) or binding corporate rules.
Your Data Subject Rights. In addition to the rights described above (access, correction, deletion, non-discrimination), you have the following rights under UK GDPR: right to restrict processing, right to object, right to be informed, right of access (DSAR fulfilled within 30 calendar days), right to erasure, right to portability, and right to rectification.
Notification of data breaches. Upon discovery of a data breach, we will investigate the incident and report it to the UK's data protection regulator and to you, if we deem it appropriate to do so.
Complaints. You have the right, at any time, to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues. We would, however, appreciate the chance to deal with your concerns before you approach the ICO.
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Tel: 0303 123 1113 (local rate)
Website: www.ico.org.uk
ADDITIONAL DISCLOSURES FOR AUSTRALIAN PRIVACY ACT COMPLIANCE (AU)
Where the disclosure of your personal information is solely subject to Australian privacy laws, you acknowledge that some third parties may not be regulated by the Privacy Act and the Australian Privacy Principles. You acknowledge that if any such third party engages in any act or practice that contravenes the Australian Privacy Principles, it would not be accountable under the Privacy Act, and you will not be able to seek redress under the Privacy Act.
ADDITIONAL DISCLOSURES FOR U.S. STATES PRIVACY LAW COMPLIANCE
The following section includes provisions that comply with the privacy laws of California, Colorado, Delaware, Florida, Virginia, and Utah and is applicable only to the residents of those states.
Do Not Track. Some browsers have a "Do Not Track" feature that lets you tell websites that you do not want to have your online activities tracked. At this time, we do not respond to browser "Do Not Track" signals. We adhere to the standards outlined in this Privacy Policy, ensuring we collect and process personal information lawfully, fairly, transparently, and with legitimate legal reasons for doing so.
Cookies and Pixels. At all times, you may decline cookies from our site if your browser permits. Please refer to the Cookies section of this Privacy Policy for more information.
California Privacy Laws (CCPA/CPRA)
Under California Civil Code Section 1798.83, if you live in California and your business relationship with us is mainly for personal, family, or household purposes, you may ask us about the information we release to other organizations for their marketing purposes.
In accordance with your right to non-discrimination, we may offer you certain financial incentives permitted by the California Consumer Privacy Act and the California Privacy Rights Act (collectively, "CCPA") that can result in different prices, rates, or quality levels for the goods or services we provide. Any CCPA-permitted financial incentive we offer will reasonably relate to the value of your personal information, and we will provide written terms that describe clearly the nature of such an offer. Participation in a financial incentive program requires your prior opt-in consent, which you may revoke at any time.
California Notice of Collection. In the past 12 months, we have collected the following categories of personal information enumerated in the CCPA: identifiers (such as name, email address, phone number, account name, IP address, and an ID or number assigned to your account) and customer records (such as billing and shipping address, and credit or debit card data).
Right to Know and Delete. You have the right to delete the personal information we collected and to know certain information about our data practices in the preceding 12 months, including: the categories of personal information collected; the sources from which it was collected; the categories disclosed for a business purpose; the categories of third parties to whom it was disclosed; the business or commercial purpose for collecting it; and the specific pieces of personal information collected. To exercise any of these rights, please contact us using the details provided below.
Shine the Light. You have the right to request information from us regarding the manner in which we share certain personal information with third parties for their own direct marketing purposes. Requests must include "Privacy Rights Request" in the first line and include your name, street address, city, state, and ZIP code.
Service Provider Relationship. To the extent the CCPA applies to the relationship between YBA and its business Customers, YBA is a service provider receiving personal data from Customers to provide the YBA Cloud Service. YBA will not sell or share any personal data provided by Customers and will not retain, use, or disclose any personal data except as necessary for providing the Service or as permitted by applicable data protection laws. YBA certifies that it understands the restrictions of this paragraph and will comply with them.
ADDITIONAL DISCLOSURES FOR PIPEDA COMPLIANCE (CANADA)
Additional Scope of Personal Information
In accordance with PIPEDA, we broaden our definition of personal information to include any information about an individual, such as financial information, information about your appearance, your views and opinions, opinions held about you by others, and any personal correspondence you may have with us. As PIPEDA refers to personal information using the term Personally Identifying Information (PII), any references to personal information and PII in this Privacy Policy are intended as equivalent.
Valid Consent
Where you give us consent to collect and use your personal information for a specific purpose, you may withdraw your consent at any time. Under PIPEDA, consent is only valid if it is reasonable to expect that an individual would understand the nature, purpose, and consequences of the collection, use, or disclosure of the personal information to which they are consenting.
International Transfers
While YBA endeavors to keep, store, and handle data within the European Union, it may use agents or service providers located in the European Economic Area (EEA) or United Kingdom (UK) to collect, use, retain, and process personal information as part of providing services. While we use all reasonable efforts to ensure that personal information receives the same level of security in any jurisdiction, please be aware that privacy protections may vary.
Customer Data Rights Under PIPEDA
PIPEDA grants consumers the right to: access the personal information organizations hold about them; correct any inaccurate or outdated personal information; and withdraw consent for any activities for which they have consented (e.g., direct marketing or cookies).
Right to Withdraw Consent
You can, at any time, refuse to consent or continue to consent to the collection, use, or disclosure of your personal information by notifying us using the contact details below. Withdrawal of consent may impact our ability to provide or continue to provide services.
You cannot refuse collection, use, and disclosure of personal information if such information is required to: be collected, used, or disclosed as required by any law; fulfill the terms of any contractual agreement; or be collected, used, or disclosed as required by any regulators including self-regulatory organizations.
Right of Access Under PIPEDA
Under PIPEDA, you need to make your access request in writing and pay a minimal fee of $30.00. We will take all necessary measures to fulfill your request within 30 days of receipt.
We may extend the time limit if meeting the time limit would unreasonably interfere with our business activities or the time required for consultations would make it impractical. In these circumstances, we will advise you of the delay within the first 30 days and explain the reason for it.
Right of Rectification Under PIPEDA
You may request a correction to any factual errors or omissions within your PII. Under PIPEDA, an organization must amend the information if you successfully demonstrate that it is incomplete or inaccurate. If we cannot agree on changing the information, you have the right to have your concerns recorded with the Office of the Privacy Commissioner of Canada.
Compliance with PIPEDA's Ten Principles of Privacy
This Privacy Policy complies with PIPEDA's requirements and ten principles of privacy:
Accountability. YBA is responsible for the PII under its control and has designated one or more persons to ensure organizational accountability for compliance with the ten principles of privacy under PIPEDA. All personnel are accountable for the protection of customers' personal information.
Identifying purposes. YBA identifies the purposes for which personal information is collected at or before the time the information is collected.
Consent. Consent is required for YBA's collection, use, or disclosure of personal information, except where required or permitted by PIPEDA or other law. Express consent may be obtained verbally, in writing, or through electronic means. Alternatively, consent may be implied through the actions of customers or continued use of a product or service following YBA's notification of changes.
Limiting collection. Personal information collected will be limited to that which is necessary for the purposes identified by YBA.
Limiting use, disclosure, and retention. We will not use or disclose personal information for purposes other than those for which the information was collected, except with your consent or as required by law. We will retain personal information only for as long as is necessary to fulfill the purposes for collecting such information.
Accuracy. Personal information will be maintained in an accurate, complete, and up-to-date format as is necessary for the purpose(s) for which it was collected.
Safeguards. We will protect personal information with security safeguards appropriate to the sensitivity of such information.
Openness. We will make our policies and practices relating to the collection and management of personal information readily available upon request.
Customer access. We will inform customers of the existence, use, and disclosure of their personal information and will provide access, subject to any legal restrictions. Customers may verify the accuracy and completeness of their personal information and may request correction or update.
Challenging compliance. Customers are welcome to direct any questions or inquiries concerning our compliance using the contact information provided below.
Cookie Compliance
Our email interactions with our customers are compliant with Canadian Anti-Spam Legislation. We do not send unsolicited email to persons with whom we have no relationship. We will not sell personal information, such as email addresses, to unrelated third parties.
Please refer to our Cookie Policy for more information.
Enquiries, Reports, and Escalation (Canada)
If we fail to resolve your concern to your satisfaction, you may also contact the Office of the Privacy Commissioner of Canada:
30 Victoria Street, Gatineau, QC K1A 1H3
Toll Free: 1.800.282.1376
Website: www.priv.gc.ca
LIMITS OF OUR POLICY
Our website or app may link to external sites that are not operated by us. Please be aware that we have no control over the content and policies of those sites, and cannot accept responsibility or liability for their respective privacy practices.
CHANGES TO THIS POLICY
At our discretion, we may change our Privacy Policy to reflect updates to our business processes, current acceptable practices, or legislative or regulatory changes. If we decide to change this Privacy Policy, we will post the changes here and update the "Last Updated" date.
If the changes are significant, or if required by applicable law, we will contact you (based on your selected preferences for communications from us) and all our registered users with the new details and links to the updated or changed policy.
If required by law, we will get your permission or give you the opportunity to opt in to or opt out of, as applicable, any new uses of your personal information.
CONTACT US
For any questions or concerns regarding your privacy, or to exercise your data protection rights, you may contact us using the following details:
Yesboss Assistant (YBA)
8 Rue De La Chabottière
27250 Neaufles-Auvergny, France
Privacy and Security Contact: privacyandsecurity@yba.ai
General inquiries: yba@yba.ai
Phone: +33 6 50 00 11 46
For enquiries about YBA's privacy practices, to report violations of user privacy, or to exercise your data subject rights, please contact our Privacy and Security team at privacyandsecurity@yba.ai.
Last Updated: April 2026
Version: 2.0
