Privacy Notice

Last updated: 29.11.2025

1. Introduction

This Privacy Policy explains how Yumi (“we”, “us”, “our”) collects, uses, stores, and protects personal data when users access our website, platform, services, communication channels, or any related features.
We process personal data in accordance with:

  • the EU General Data Protection Regulation (GDPR),

  • the UK GDPR and the UK Data Protection Act 2018,

  • the Swiss Federal Act on Data Protection (nDSG),

  • relevant U.S. state privacy laws (including the California Consumer Privacy Act CCPA/CPRA),

  • and applicable international data protection regulations.

This Privacy Policy applies to all users outside the DACH region (Germany, Austria, Switzerland).
For users in the DACH region, the German-language Privacy Policy applies.

2. Data Controller

Yumi (Business Unit of PP Path Provider)
Owner: Mina Massoudy
Goebenstrasse 10
50672 Cologne
Germany

Email: support@yumi.com
Website: yumiassistant.com

A Data Protection Officer has not been appointed as it is not legally required.

Processing on Behalf of Business Customers (Data Processing Agreement)

Where Yumi processes personal data on behalf of its business customers, in particular when configuring and operating communication channels (including WhatsApp, messaging, or voice systems) used by such customers to contact their own end customers (“clients’ customers”), Yumi acts as a data processor within the meaning of Art. 28 GDPR (or equivalent international standards).

In these cases, the respective business customer remains the data controller and is solely responsible for determining the purposes and means of processing, including the legal basis for contacting end customers and compliance with applicable marketing and communications laws.

Yumi processes such data strictly in accordance with documented instructions from the business customer and based on a data processing agreement.

3. Personal Data We Collect

Depending on how you interact with our services, we may process the following categories of personal data:

  • Identity data: name, company affiliation (if applicable)

  • Contact data: email address, phone number

  • Account data: login credentials (hashed password), role assignments

  • Transaction data: subscription details, billing information (processed by Stripe)

  • Communication data: messages sent via email, WhatsApp, phone or forms

  • Usage data: logins, accessed features, system interactions

  • Technical data: IP address, device information, browser data, server logs

  • Voice interaction data: audio content and call metadata for inbound calls (voice AI processing)

We do not sell personal data.

4. How We Use Personal Data

We process personal data for the following purposes:

  • Operating and maintaining our website and platform

  • Creating and managing user accounts

  • Providing contractual services and subscriptions

  • Processing payments

  • Responding to inquiries and providing customer support

  • Onboarding and service configuration

  • Handling inbound calls, including automated voice functionality

  • Conducting internal process automation

  • Ensuring system security and stability

  • Fulfilling legal or regulatory obligations

5. Legal Bases for Processing

We rely on the following legal bases, depending on the processing activity:

  • Contractual necessity (Art. 6(1)(b) GDPR / equivalent international standards)

  • Legitimate interests (Art. 6(1)(f) GDPR)

  • Consent (Art. 6(1)(a) GDPR where applicable)

  • Legal obligation (Art. 6(1)(c) GDPR)

For users in the UK, Switzerland, and the U.S., corresponding national legal bases apply.

6. Hosting & Website Operation

Our website is hosted by a professional hosting provider. Technical data such as IP addresses, device information, and access logs may be processed to ensure secure and stable operation.

Legal basis: legitimate interests (security and functionality).

7. Log Files

When visiting our website, the system processes:

  • IP address

  • date and time of access

  • browser and operating system

  • referrer information

  • device and system metadata

Legal basis: legitimate interests.

8. Cookies and Tracking

We currently use:

  • no cookies requiring consent,

  • no analytics or tracking tools,

  • only technically necessary processing to operate the website.

9. Forms (Contact, Onboarding)

When submitting forms, we process:

  • identity and contact data

  • onboarding-related information

  • technical metadata

Purpose: communication, onboarding, responding to inquiries.
Legal bases: contract, legitimate interest.

Forms are processed via an external service provider acting as a data processor.

10. User Accounts

To access certain functions, you may create a user account.

Data processed includes:

  • name

  • email address

  • company affiliation (if applicable)

  • login credentials (hashed password)

  • onboarding details

  • usage data related to account activity

Purposes include:

  • authentication and login

  • managing roles and access rights

  • providing contracted services

  • supporting onboarding and configuration

  • communication regarding the account

Legal basis: contractual necessity.

11. Subscriptions & Payments (Stripe)

Payments are handled via:

Stripe Payments Europe Ltd., Dublin, Ireland

Stripe processes:

  • payment information

  • technical identifiers

  • IP addresses

Stripe acts as an independent data controller.
Legal basis: contractual necessity.

12. CRM & Communication System (anonymized)

We use a professional CRM and communication platform for:

  • customer management

  • email, SMS, and WhatsApp communication

  • scheduling appointments

  • form processing

  • internal automations

  • processing inbound calls (including AI-assisted functions)

Data categories:

  • identity and contact data

  • communication data

  • interaction data

  • contract and usage data

Legal bases:

  • contractual necessity

  • legitimate interests

  • consent (for optional marketing, currently not used)

The provider acts as a data processor.
International transfers (incl. USA) are safeguarded by Standard Contractual Clauses (SCC).

12.1 Communication with Clients’ End Customers

Where business customers use the platform to communicate with their own customers or prospects via messaging channels such as WhatsApp, Yumi provides the technical infrastructure only.

In these scenarios, Yumi processes personal data solely as a data processor on behalf of the business customer.

The business customer remains the data controller and is responsible for:

·       obtaining and documenting valid opt-ins or other legal bases,

·       compliance with applicable marketing, consumer protection, and telecommunications laws,

·       the content, timing, and recipients of communications.

Yumi does not independently decide on communication purposes, target groups, or message content.

13. WhatsApp Business API (Meta)

If you contact us via WhatsApp, we process:

  • phone number

  • message content

  • communication timestamps

Provider: Meta Platforms Ireland Ltd.
Data may be transferred to the U.S. under SCC.

Legal bases: contractual necessity, legitimate interests, and—where required—consent, in particular for marketing, promotional, newsletter-like, or proactive WhatsApp messaging.

13.1 WhatsApp Opt-In and Consent Verification

WhatsApp communication for marketing, promotional, newsletter-like, or proactive messaging purposes is carried out only where a prior, explicit, and verifiable opt-in has been obtained from the data subject, or where messaging is strictly necessary to provide a requested service (e.g. transactional/service messages), as permitted by applicable law.

The opt-in may be obtained, depending on the use case, through:

·       the data subject actively initiating communication via WhatsApp (e.g. sending the first message or keyword),

·       an explicit opt-in outside of WhatsApp (e.g. checkbox or form submission clearly referring to WhatsApp communication),

·       or a confirmation step within WhatsApp (e.g. replying “YES” or confirming a code), where used for verification purposes.

To demonstrate consent, Yumi may process and store consent-related metadata, including:

·       phone number,

·       date and time of opt-in and (where applicable) confirmation,

·       source of opt-in (e.g. form, QR code, chat initiation),

·       version and language of the consent text,

·       opt-out or stop events.

The legal basis for such processing is consent (Art. 6(1)(a) GDPR or equivalent international provisions). Consent may be withdrawn at any time with future effect (e.g. by sending “STOP”).

14. Voice AI for Inbound Calls

We use an automated telephone system (voice AI) to handle inbound calls. During a call, the spoken audio is processed in real time to understand and handle the request. We do not record calls or store audio files, and we do not create verbatim transcripts.

Data processed may include:

·       caller phone number

·       call metadata (e.g., date/time, duration, routing/transfer events)

·       conversation notes / outcome data (e.g., appointment request, requested time window, topic of inquiry, callback request, booking status)

Purposes: handling inbound calls, appointment scheduling, responding to inquiries, routing/escalation to our team, and ensuring the security and stability of our phone systems.

Legal bases: contractual necessity and legitimate interests (customer service efficiency and reliable operations).

Retention: call-related notes/outcome data are stored only as long as necessary for the purposes above and in line with the retention periods described in Section 19.

Wenn ihr Dienstleister/Unterauftragsverarbeiter nennt, fügt 1 Satz an:
“Service providers processing such data act as processors under applicable law; international transfers, where applicable, are addressed in Section 18.”

15. Internal Process Automation

We use an automation platform to support internal workflows.
Only data required for each process is transferred.

Legal basis: contract, legitimate interests.

16. Employee Accounts (B2B Clients)

Business customers may create employee accounts.

Processed data:

  • name

  • email address

  • assigned role

  • usage data

Legal basis: contractual necessity.

17. Mandatory Data Provision

Certain data is required to use specific services (e.g., account creation, billing).
Without this data, some features cannot be provided.

18. International Data Transfers

When using external processors or communication services, data may be transferred to countries outside your jurisdiction, including the United States.

We use:

  • Standard Contractual Clauses (SCC)

  • additional organisational and technical safeguards

to ensure an adequate level of protection.

19. Data Retention

We retain personal data only as long as necessary for the purposes described or as required by law.
Typical retention periods:

  • contractual and billing data: 6–10 years

  • account-related data: until deletion

  • communication and support data: based on necessity

20. Your Rights

Depending on your location, you may have rights including:

  • right to access

  • right to rectification

  • right to deletion

  • right to restrict processing

  • right to data portability

  • right to object

  • right to withdraw consent

  • right to lodge a complaint with an authority

Additional rights for California residents (CCPA/CPRA):

  • right to know

  • right to delete

  • right to correct

  • right to opt-out of the sale or sharing of personal information (not applicable; we do not sell or share personal information as defined under the CCPA/CPRA)We do not use automated decision-making or profiling.

We do not “sell” or “share” personal information as those terms are defined under the CCPA/CPRA, including for cross-context behavioral advertising.

If Yumi processes your personal data as a processor on behalf of a business customer, requests to exercise your rights should generally be directed to that business customer as the controller. Yumi will support the controller as required by applicable law and our contractual arrangements.

You can withdraw consent at any time, for example by sending “STOP” (or an equivalent opt-out message).

21. Security Measures

We implement technical and organisational measures such as:

  • SSL/TLS encryption

  • access controls

  • firewalls and monitoring

  • continuous system updates

  • secure storage environments

22. Changes to This Privacy Policy

We may update this Privacy Policy if legal, technical, or operational requirements change.

Updates may occur due to:

  • new legal requirements,

  • introduction or modification of features or services,

  • adjustments to internal processes,

  • changes in service providers or international data transfers.

The latest version is always available on our website.
If changes significantly affect your rights, we may provide additional notice (e.g., via email or platform message).
The updated version becomes effective upon publication.
Where consent is the legal basis and the purpose changes materially, we will request renewed consent where required.