
Privacy policy

Last modified: August 21, 2025
  • Claudio Berther, Legal Counsel & Data Protection Officer, Yokoy

Overview

Scope

This Privacy Policy and the Cookie Policy (can be found here) apply to all entities of Yokoy (see A. 8) ("Yokoy" or "we"). You can use our Cookiebot to granularly determine which optional cookies you want to allow and which you do not.

Security and compliance

Data protection is of utmost importance to Yokoy. We ensure through various technical and organizational measures (TOMs) as well as contractual measures that your data is always kept up to date, stored securely and processed in accordance with Swiss (Federal Data Protection Act; FADP) and European data protection regulations (in particular the General Data Protection Regulation, GDPR). This applies both in our company and in the cooperation with our partners and suppliers as outlined in our Partner Code of Conduct. Yokoy has also established an Information Security Management System (ISMS) in accordance with the requirements of the ISO 27001:2013 standard, which has been certified by TÜV Rheinland since November 2022. The processing of card data is certified according to PCI-DSS 4.0 (Payment Card Industry Data Security Standard) by PGI (Protection Group International). Penetration testing through an independent third party is conducted on an annual basis.

Yokoy is further certified by the Spanish State Tax Administration Agency (AEAT), enabling our customers to safely utilize digitized receipts and invoices, and remove the burden of collecting and storing physical copies as it is confirmed here. As part of this certification, we use Q-Seal provided by D-Trust which is an electronic token and therefore cannot be shared publicly for security reasons.

Our legal, security and compliance hub provides a quick overview of our efforts so that our stakeholders are up to date with the most relevant documents. Yokoy runs in high-availability mode on the Google Cloud Platform. The cloud data is stored in Zurich, Frankfurt and St. Ghislain, Belgium. An overview of the certifications can be found at Google Cloud security or specifically for data centers at data center security.

International transfers

Despite our best efforts to work with Swiss or EU partners wherever we can, international data transfers cannot always be avoided. We make sure that the transfer of data is in line with the mechanisms in Chapter V of the GDPR and Art. 16 ff. FADP.

Storage and deletion

We store the data only as long as it is necessary for the fulfillment of the contract or the statutory retention periods upon customers’ request. This is subject to your right to deletion in accordance with Art. 17 GDPR, provided that the requirements for this are met.

Third parties

We are aware of our responsibility towards third parties. Therefore, we conduct a rigorous screening before engaging with third parties. Such screening includes data protection, security, utility and finance review. Besides the Partner Code of Conduct, we follow legal developments closely and make sure our partners do the same, staying up to date with legal and security developments.

Your rights

The FADP and the GDPR grant the person whose data is processed (data subject) several rights with which the person can influence the data processing. For an overview of the rights and how you can exercise them please see section G of this Privacy Policy.

Responsibility and review

This Privacy Policy is reviewed at least once a year and signed off by our internal Data Protection Officer. The date of the last update is shown in the versioning under the title.

How to reach us?

Our Data Protection Officer is available to answer your questions for all Yokoy entities:

Contact Data Protection Officer:
Dpo@yokoy.ai.

Yokoy Switzerland Ltd (Headquarter)

Förrlibuckstrasse 181

8005 Zurich

info@yokoy.ai

Tel: +41 (0)43 508 15 77

CHE-172.979.264

Managing Director: Philippe Sahli, Thomas Inhelder

Yokoy Deutschland GmbH - Munich

Yokoy Deutschland GmbH

Unicorn Workspaces

Isartor Isartorplatz 8

80331 Munich

info@yokoy.ai

Tel: +49 151 42 04 31 22

Germany Commercial Register Number: HRB 267689

VAT Nr. DE346829209

Managing Director: Philippe Sahli, Thomas Inhelder

Yokoy GmbH Austria - Vienna  

Yokoy GmbH Hamerlingplatz 8/17

1080 Vienna  

info@yokoy.ai

Tel: +43 1 417 01 15  

Industry: Software

Managing Director: Mag. (FH) Stephan Hebenstreit, LL.M.

Commercial register court: Vienna Commercial Court

Number of the company register: FN 534254

UID: ATU75770818

Place of jurisdiction: Vienna Commercial Court Chamber of Commerce

Yokoy Netherlands B.V. - Amsterdam

Yokoy (Netherlands) B.V.  

Singel 542

1017 AZ Amsterdam

info@yokoy.ai

Tel: +31 20 241 0606

KVK number: 84480742

VAT-registration number

NL 863227806B01

Managing Director: Philippe Sahli, Thomas Inhelder

Yokoy LTD United Kingdom - London

7-12 Noel Street, 7th Floor, C/O Travelperk, London, England, W1F 8GQ

England

info@yokoy.ai

Tel: +44 1274 015979

Company number 15337919

Registered in England and Wales

Managing Director: Philippe Sahli and Thomas Inhelder

 

Categories of personal data

The personal data as defined in Art. 5 FADP and Art. 4 GDPR we process are divided into the following categories:

  • Basic data (e.g. last name, first name)
  • Contact details (e.g. telephone, email, postal address)
  • Browser and device data, meta or boundary data and usage data, content data that you submit to us (e.g., through the contact form, registration for newsletters, webinars, and protected content or applications as well as spend management receipts).
  • Location data for trip reports
  • Contact, sales, contract and payment data in our customer relationship management system.
  • Customer and prospect point of contact

Categories of data subjects

Situation: Category of data subjects
Yokoy Expense and Yokoy Pay modules: Employees of the customer who have received access to Yokoy
Yokoy Invoice: Supplier of the customers who are included in the invoices
Visiting our website or social media links: Website or social media visitors

Use cases of data processing

Data Processing When Using Yokoy

The data processed when using our software depends on the Yokoy modules in use. Further information on how we use artificial intelligence can be found in our AI Policy. A list of actual subprocessors is published in our legal, security and compliance section of the website. A Data Processing Addendum is part of the SaaS contract concluded between Yokoy and the customer.

In this context Yokoy is the processor and the customer is the controller.

Yokoy Package (as applicable): Processed Data Categories

Yokoy Expense

- Last name, first name, business e-mail address, cost center and content data uploaded by Customer into Yokoy, which may contain Personal Data.
- Additional data fields can be added at the Customer's request and may contain Personal Data.
- Google location data (geocoding), e.g., for calculating mileage allowances or displaying business trips in Yokoy. Data entered by the customer or extracted from travel provider via API, SFTP or custom file.

For further information see

https://developers.google.com/maps/documentation/javascript/examples/geocoding-simple

Yokoy Invoice

- Supplier name and supplier ID as well as content data uploaded by Customer (invoices).
- Additional data fields can be added by the Customer and may contain Personal Data.

Yokoy Pay

- Cardholder data: Last name, first name, address, phone number, email (for 3DS or tokenization).
- Account data: Account number and account information.
- Card data: Partial PAN, expiration date, CVV, service code.
- Authentication data: validation codes/values, full card data (magnetic stripe/chip), PIN, sensitive authentication data, PIN locks.
- Transaction data related to electronic card payments.

Custom files

Data processing according to the Customer's specifications.

Apple Pay (optional)

When a user makes a purchase, Apple Pay uses a device-specific number together with a unique transaction code. This means that the credit card number is never stored on the user's device or on Apple servers. Apple never shares card numbers with merchants when the user pays. When the user pays with a debit or credit card, Apple Pay does not store any data about the transaction that could be traced back to the user. And with Apple Pay, data is only stored for troubleshooting, fraud prevention and legal purposes. (from https://www.apple.com/chde/privacy)

Google Pay (optional)

When the user pays, Google Pay sends a virtual account number to the merchant instead of the actual card number - so the user's payment information is always well protected. (from https://safety.google/pay/). Here you can find the setting options for Google Pay: Google Pay privacy settings.

Data You Give Us

When You Contact Us

By Phone: Aircall

Data storage location

Germany

Purpose of processing

Managing customer enquiries via phone

Transfer mechanism

EU-US Privacy Framework certified company

Security measures

Aircall security

Legal basis

Legitimate interest in managing enquiries (Art. 6 Para. 1 lit. f GDPR)

Address & Privacy contact

11 Rue Saint Georges, 75009 Paris, France

privacy@aircall.io

By Email: Microsoft Outlook

Data storage location

Switzerland

Purpose of processing

Managing customer enquiries via email

Transfer mechanism

EU-US Privacy Framework certified company

Security measures

Microsoft security

Regarding Microsoft’s Switzerland data center

Microsoft Swiss data center

Legal basis

Legitimate interest (Art. 6 Para. 1 lit. f GDPR)

Address & Privacy contact

The Circle 02,

8058 Zürich-Flughafen,

Switzerland
https://www.microsoft.com/en-us/concern/privacy

By Chat: Intercom

Data storage location

Ireland

Purpose of processing

Managing customer enquiries via chat function

Transfer mechanism

EU-US Privacy Framework certified company

Security measures

Intercom security

Legal basis

Legitimate interest (Art. 6 Para. 1 lit. f GDPR)

Address & Privacy contact

Stephen Court, 18-21 Saint Stephen's Green, Dublin 2, Ireland

dataprotection@intercom.io

When you sign up for the newsletter/gated content

Data storage location

Germany

Purpose of processing

Sending out newsletters

Transfer mechanism

EU-US Privacy Framework certified company

Security measures

HubSpot trust center

Legal basis

Consent according to Art. 6 Para. 1 lit. a GDPR. Double opt-in is implemented; with every newsletter there is an option to opt out in the e-mail footer.

When you apply for a job at Yokoy

We use Lever, Inc. to manage the application process. Lever allows us to cooperate seamlessly between the different departments, leave comments and personal hiring recommendations. Aside from that, Lever gives us the necessary functions to comply with GDPR and has a strong security posture in place, which is crucial given the data stored in this application.

 

Provider

Lever, Inc.

Data storage location

Germany

Purpose of processing

Managing incoming job applications

Transfer mechanism

EU-US Privacy Framework certified company

Security measures

Lever security exhibit, Lever privacy center

Legal basis

Consent (Art. 6 Para. 1 lit. a GDPR). Data stored up to 2 years with consent; otherwise deleted after process.

Address & Privacy contact

Lever, Inc. 1125 Mission Street, San Francisco, CA 94103 privacy@lever.co

Data We Process on Our Own Behalf

While in the general set-up we are a SaaS company acting as data processors on behalf of our customers, there are also situations where we act as data controllers and process data on our own behalf, at times using third-party companies. Here is a brief overview of the situations in which we process data on our own behalf.

CRM

We are using Salesforce as our customer relationship management tool.

Data storage location

Ireland

Purpose of processing

Managing customer and contractual relationships.

Transfer mechanism

EU-US Data Privacy Framework certified company

Security measures 

https://compliance.salesforce.com/

Legal basis

Legitimate interest in managing customer relationships according to Art. 6 Para. 1 lit. f GDPR

Address and privacy contact

SFDC Ireland Limited 3rd and 4th Floor 1 Central

Park, Block G, Central Park, Leopardstown 18

Dublin, Ireland

privacy@salesforce.com

Our Website

Our website www.yokoy.io and its subdomains are hosted by WP engine, which is a trusted, globally active provider for website hosting for companies of all sizes including some of the largest corporations. Regarding the cookie-usage of our website please see our Cookie Policy.

Data storage location

USA

Purpose of processing

Presenting the company, product and services by running yokoy.io and all its subdomains.

Transfer mechanism

SCC 4.6.2021

Security measures 

WP engine security

Legal basis

Legitimate interest in presenting the company, product and services by running yokoy.io and all its subdomains according to Art. 6 para. 1 lit f. GDPR.

Address and privacy contact

WPEngine, Inc.

504 Lavaca Street, Suite 1000

Austin, TX 78701

legal@wpengine.com

Our Marketing

Engaging with existing and potential clients is a key part of our sales process. Therefore, this section lays out how the marketing team is interacting with all stakeholders.

Hubspot

A central part of our marketing activities is processed through HubSpot (see the table in the data you give us section for more information on HubSpot).

Data storage location

Germany

Purpose of processing

Managing our marketing activities.

Transfer mechanism

EU-US Data Privacy Framework certified company

Security measures

HubSpot Trust Center

Legal basis

Legitimate interest in managing our marketing activities according to Art. 6 Para. 1 lit. f GDPR.

Address and privacy contact

Hub Spot Germany GmbH Am Postbahnhof 17

10243 Berlin, Germany

privacy@hubspot.com

HubSpot uses web beacons and cookies to analyze your use of our website and to cover various aspects of online marketing. This includes email marketing, contact management (e.g. performance segmentation & CRM), landing pages and contact forms on our website and in the app. This information as well as parts of our website are stored on servers of our software partner HubSpot. It is used by us to contact visitors to our website and determine which of our company's services are of interest to them. The information collected is subject to this Privacy Policy. We use all collected information exclusively to optimize our marketing measures and to communicate with users and improve user experience.

Intercom

Another central tool is our chat function provided by Intercom, Inc. To find out more about Intercom, see the data you give us section.

Data storage location

Ireland

Purpose of processing

Providing a chat function, fast customer support and providing product updates directly to the user.

Transfer mechanism

EU-US Data Privacy Framework certified company

Security measures

Intercom security

Legal basis

Legitimate interest in providing a Chat function, fast customer support and product updates directly to the user according to Art. 6 Para. 1 lit. f GDPR.

Address and privacy contact

Intercom R&D Unlimited Company

Stephen Court, 18-21 Saint Stephen's Green, Dublin 2,

Dublin, Ireland

dataprotection@intercom.io

Google Tag Manager

Google Tag Manager is a solution that allows website tags to be managed via an interface. The Tag Manager tool (which implements the tags) is a cookieless domain and does not collect any personal data. The tool takes care of forwarding data and triggering other tags, which in turn may collect data. Yokoy does not have access to this data. If a deactivation has been made at the domain or cookie level, it will remain in place for all tracking tags implemented with Google Tag Manager, but the tracking is disabled.

Data storage location

USA

Purpose of processing

Managing cookie execution on our website.

Transfer mechanism

EU-US Data Privacy Framework certified company

Security measures

https://developers.google.com/tag-platform/security

Legal basis

Legitimate interest in managing cookie execution on our website according to Art. 6 Para. 1 lit f. GDPR

Address and privacy contact

Gordon House Barrow Street

Dublin 4, D04E5W5 Ireland

Data protection contact

Google ReCAPTCHA

ReCAPTCHA is a free service from Google that helps protect websites from spam and abuse. A “CAPTCHA” is a Turing test to tell humans and bots apart. It is easy for humans to solve, but hard for “bots” and other malicious software to figure out.

Data storage location

USA

Purpose of processing

Making sure that data is entered (e.g. in a form) by humans, thereby preventing automated bots from overflowing the system.

Transfer mechanism

EU-US Data Privacy Framework certified company

Security measures

Google ReCAPTCHA security

Legal basis

Legitimate interest in making sure that data is entered (e.g. in a form) by humans, thereby preventing automated bots from overflowing the system, according to Art. 6 para. 1 lit f. GDPR.

Address and privacy contact

Gordon House Barrow Street

Dublin 4, D04E5W5 Ireland

Data protection contact

Google Web Fonts

When you call up a page, your browser loads the required web fonts into the browser cache to display texts and fonts correctly. For this purpose, the browser must establish a connection to Google's servers. In this way, Google learns that our website was accessed via your IP address.

Data storage location

USA

Purpose of processing

Making sure that fonts are displayed correctly on our website.

Transfer mechanism

EU-US Data Privacy Framework certified company

Security measures

Google Fonts security and privacy.

Legal basis

Legitimate interest in making sure that fonts are displayed correctly on our website according to Art. 6 Para. 1 lit f. GDPR

Address and privacy contact

Gordon House Barrow Street

Dublin 4, D04E5W5 Ireland

Data protection contact

Google Analytics

We use Google Analytics to track activities on the website. Such activities include page views, clicks and dwell time. We are using Google Analytics 4, which has improved privacy credentials. More details can be found here. We as Yokoy do not have access to the IP addresses. A further option to control the ads shown is available through the Ads Preferences Manager.

Data storage location

USA or EU, when accessed via devices in the EU

Purpose of processing

Website traffic and interaction measurement

Transfer mechanism

EU-US Data Privacy Framework certified company

Security measures

Google Analytics data controls

Legal basis

Legitimate interest in website traffic and interaction measurement according to Art. 6 Para. 1 lit f. GDPR.

Address and privacy contact

Gordon House Barrow Street

Dublin 4, D04E5W5 Ireland

Data protection contact

jsDelivr CDN

A CDN is a network of regionally distributed servers connected via the Internet. To use the service, it is possible that your browser sends personal data to jsDelivr. This may allow jsDelivr to collect and store data such as browser type/version, date and time of access or IP address. To avoid this, you can install a JavaScript blocker e.g. No Script.

Processing Location

Poland

Purpose of processing

Enabling faster website loading times

Transfer mechanism

SCC 4.6.2021

Security measures

JsDelivr TOMs

Legal basis

Legitimate interest in faster website performance according to Art. 6 Para. 1 lit f. GDPR.

Address and privacy contact

Krolewska 65a 30-081 Krakow

Legal@jsdelivr.com

Videoask

Videoask is an interactive video-tool used in webforms.

Processing Location

USA

Purpose of processing

Interactive video software.

Transfer mechanism

EU-US Data Privacy Framework certified company

Security measures

Typeform security

Legal basis

Legitimate interest in interactive video software according to Art. 6 Para. 1 lit f. GDPR

Address and privacy contact

Carrer de Bac de Roda, 163, Barcelona, Spain

gdpr@typeform.com

Navattic

Navattic allows us to improve your customer experience by taking tours of key components of our product or integrations with third parties. The tours can be found here.

Data storage location

USA

Purpose of processing

Enabling video-product tours on our website.

Transfer mechanism

SCC of 4.6.2021

Security measures

https://trust.navattic.com/

Legal basis

Legitimate interest in displaying demo videos on our website.

Address and privacy contact

2261 Market Street #4301 San Francisco, CA 94114, USA.

Marketing tools that use cookies

Certain marketing tools use cookies. To learn what cookies are, what they do, and how you can disable them, visit our Cookie Policy or the Cookie Manager on our website. This allows you to fine-tune your consent to the use of cookies that are not strictly necessary to provide the website. Our management tool Cookiebot is provided by the German company Usercentrics.

Data storage location

Germany/Belgium

Purpose of processing

Managing cookie consent.

Transfer mechanism

SCC of 4.6.2021

Security measures

https://usercentrics.com/de/trust-center/

Legal basis

Legal obligation of accountability according to Art. 5 Para. 2 GDPR.

Address and privacy contact

Usercentrics GmbH Sendlinger Straße 7

80331 Munich

datenschutz@usercentrics.com

Social Media activities

We have various presences on social networks to communicate with users active there and to inform them about our services. For example, we use icons that lead to the pages of YouTube, LinkedIn, Meta and X. For more information about this and about the use of cookies, please see our Cookie Policy. The processing of data in this context is covered by the legitimate interest of interacting with customers and prospects alike according to Art. 6 Para. 1 lit. f GDPR.

Technical data

When you use our website, information that your browser transmits to us is automatically collected and stored.

  • Browser type and version
  • The operating system
  • IP address (anonymized for geolocation)
  • Referrer URL
  • Host name of the computer
  • Request date

The data is needed, for example, to deliver the content of our website correctly, to ensure the functionality of our website according to Art. 6 Para. 1 lit. f GDPR or to provide law enforcement authorities with the appropriate information in the event of a cyber-attack based on Art. 6 Para. 1 lit. c GDPR. The anonymous data of the server log files are stored separately from your personal data.

Login data

When you log in to Yokoy via the website, the following data will be stored:

  • Login information
  • Browser type
  • Amount of sent data in bytes
  • Date and time of access
  • IP address
  • Language setting

This data is stored to provide the portal and ensure its security and functionality, based on legitimate interests according to Art. 6 Para. 1 lit. f GDPR.

Sales

Identifying and connecting with potential clients and helping them optimize their spend management process is an important part of the sales process. To achieve this goal Yokoy is using different software products as outlined below.

Cognism

Data storage location

UK

Purpose of processing

Prospecting

Transfer mechanism

Adequacy decision

Security measures

https://www.cognism.com/security

Legal basis

Legitimate interest in prospecting according to Art. 6 Para. 1 lit. f GDPR

Address and privacy contact

Cognism Ltd

C/O Worldwide Corporate Advisors 150 Minories London

EC3N 1LS

Opt-out

If you wish to opt-out of the database of Cognism this can easily be done by using this opt-out link.

LinkedIn Sales Navigator

Data storage location

USA

Purpose of processing

Prospecting

Transfer mechanism

EU-US Data Privacy Framework certified company

Security measures

LinkedIn security

Legal basis

Legitimate interest in prospecting according to Art. 6 Para. 1 lit. f GDPR

Address and privacy contact

LinkedIn Ireland Unlimited Company

Attn: Legal Dept. (Privacy Policy and User Agreement) Wilton Plaza

Wilton Place, Dublin 2 Ireland

DPO contact

6sense

Data storage location

USA

Purpose of Processing

Prospecting

Transfer mechanism

EU-US Data Privacy Framework certified company

Security measures

https://trust.6sense.com/

Legal basis

Legitimate interest in prospecting according to Art. 6 Para. 1 lit. f GDPR. The tool mostly reflects buying intentions of customers based on a proprietary system. With that, our outbound efforts can be more targeted to customers who are really interested in our products.

Address and privacy contact

450 Mission Street, Suite 201 San Francisco, CA, 94105 privacy@6sense.com

Opt-out

If you wish to opt-out of the 6sense database, you can e-mail datasubjectrequests@6sense.com and ask for a removal.

Salesloft

Data storage location

Germany

Purpose of processing

Prospecting

Transfer mechanism

EU-US Data Privacy Framework certified company

Security measures

Salesloft security and compliance

Legal basis

Legitimate interest in prospecting according to Art. 6 Para. 1 lit. f GDPR to ensure we only contact potential customers who have an interest in our services.

Address and privacy contact

Atlanta Office

1180 W Peachtree St NW Suite 2400,

Atlanta, GA 30309

Opt-out

If you wish to opt out of the Salesloft database, you can do so by clicking on the e-mail footer or by contacting dpo@yokoy.ai. Salesloft offers granular opt-out options available at Salesloft opt-out.

Yokoy Analytics

Legitimate interest of analyzing usage of Yokoy according to Art. 6 Para. 1 lit. f GDPR. Yokoy wants its tool to be as close to the customers’ needs as possible. Amplitude gives us an insight into how our customers use Yokoy which will in return allow us to prioritize the product roadmap and product development. Since individual users are pseudonymized, it is not possible for Yokoy to track down individual users or expenses with Amplitude.

  • Geographical location
  • Browser
  • The operating system
  • IP address
  • Duration of the visit
  • Reference URL
  • Information about how often the website is visited
  • Newsletter subscription data
  • Pages called

Data storage location

Germany

Purpose of processing

Usage analytics of Yokoy platform (web and mobile).

Transfer mechanism

EU-US Data Privacy Framework certified company

Security measures

Amplitude trust center

Legal basis

Legitimate interest of analyzing usage of Yokoy according to Art. 6 Para. 1 lit. f GDPR.

Address and privacy contact

Amplitude, Inc.

Personio

After your successful application via Lever, your data will be transferred to Personio, our HR tool.

Data storage location

Germany

Purpose of processing

Managing internal HR data

Transfer mechanism

N/A EU provider, no data leaves EU

Security measures

Data security Personio

Legal basis

Legitimate interest in managing internal HR data.

Address and privacy contact

Personio SE & Co. KG

Seidlstraße 3,

80335 Munich, Germany

datenschutz@bitkom-consult.de

Partner

As outlined in more detail in the SaaS Agreement Yokoy uses Partners to distribute and implement Yokoy. Some partners are also delivering parts of our service to us that we are connecting Yokoy to. Examples thereof are our VAT-Reclaim partners, our travel partners or our e-invoicing partners. An overview of our partner landscape can be found in the partner section of our website. Individual exceptional cases excluded, the customer has individual contracts with those partners and the data necessary to provide the services will be shared with those partners. This happens on a need-to-know basis and is contractually agreed upon with the individual customer.

To manage these partnerships, we are using the partner tool Reveal. Reveal allows us to synchronize opportunities with our distribution partners to look for cooperation opportunities of mutual partners with potential customers. Aside from limiting the data shared, Reveal has a comprehensive security posture. Yokoy remains in full control of what is shared with Reveal. An internal policy is shared and enforced to ensure that only company names are shared, and NDAs are respected. If your company shall not be mentioned, please reach out to dpo@yokoy.ai.

Data storage location

Belgium

Purpose of processing

Partner management tool.

Transfer mechanism

SCC of 4.6.2021

Security measures

https://reveal.co/security

Legal basis

Legitimate interest of partner management according to Art. 6

Address and privacy contact

Reveal SAS

14 avenue de l'Opera,

75001 Paris, France

team@reveal.co

DocuSign

Data storage location

Germany

Purpose of processing

Germany, Netherlands and France (multi-tenant to ensure availability of the contract data)

Transfer mechanism

Binding Corporate Rules according to Art. 47 GDPR BCR DocuSign

Security measures

https://www.docusign.com/trust/security

Legal basis

Execution of contracts by e-signature according to Art. 6 Para. 1 lit. b GDPR. The parties contractually agree to use DocuSign to sign their contracts.

Address and privacy contact

DocuSign Inc.,

Attention: Privacy Team

221 Main Street, Suite 1550, San Francisco, CA 94105.

privacy@docusign.com

DocuSign is a widely recognized supplier of e-signatures. By using DocuSign, we do not only speed up the signing process by making contracts signable from wherever there is an internet connection, but we also contribute positively to the environment by not having to unnecessarily print out documents and use resources. If you want to know more about our environmental efforts visit here.

Slack

Data storage location

Germany

Purpose of processing

Internal instant messaging tool.

Transfer mechanism

EU-US Data Privacy Framework certified company

Security measures

Slack security.

Legal basis

Legitimate interest in an internal instant messaging tool according to Art. 6 Para. 1 lit. f GDPR.

Address and privacy contact

Slack Technologies Limited

Salesforce Tower

60R801, North Dock

Dublin, Ireland

privacy@slack.com

Holycode / HolyERP

Holycode is a Swiss company supplying development resources based out of Serbia for a wide variety of Swiss companies (https://www.holycode.com/clients/). Holycode supports our engineering team with coding (Holycode) and connector tasks (HolyERP). No one at Holycode / HolyERP performs any work without a written statement of work from Yokoy. Yokoy remains responsible for any development executed by Holycode/HolyERP.

Data storage location

Serbia

Purpose of processing

Development support.

Transfer mechanism

Individually signed Standard Contractual Clauses

Security measures

ISO 27001, ISO 9001 certified

Legal basis

Data processing agreement in place Art. 28 GDPR.

Address and privacy contact

Holycode AG, Im Gerstenacker 8, 4102 Binningen,

Switzerland /

Holycode d.o.o.

Jurija Gagarina 12, Beograd, Serbia

intro@holycode.com

International Data transfers

We are aware that transferring data abroad requires us to take precautions. Where possible we strive to store the data within Switzerland and the EU. Since Yokoy’s headquarters are in Switzerland, it is important to point out that Switzerland is recognized as a country with adequate protection of personal data, just like the United Kingdom, where we have another subsidiary. If we work with US providers, we choose EU storage wherever it is offered. In addition, most of our US processors are certified according to the EU-US Privacy Framework, the newest transfer framework that is recognized by the EU Commission as providing adequate protection of your data. Additionally, Standard Contractual Clauses are either part of the contract or signed separately. On top of that we have conducted a data transfer impact assessment in which we concluded that the risk is minimal and, together with the security measures we and our partners have taken to protect the data, the risk of a government intervention is minimal. Should we ever get a request from a government entity, the internal procedures for how to react to such a request are in place. That said, we are aware that this is a dynamic field of law that requires continuous attention. Should action become necessary, we will act accordingly. As of the date of publication of this Privacy Policy no US request has ever been raised to any Yokoy entity.

Data storage and deletion

We store data during the contractual relationship with the customer. The data storage locations of our cloud provider are Zurich, Switzerland; Frankfurt, Germany; and St. Ghislain, Belgium.

The default data storage is defined by the contract with the customer. Upon customer request we can also store data for as long as the legal requirement for data retention in the specific customer country requires. Yokoy offers read-only access allowing auditors to access the spend management records for their specific purpose. The data can be provided in .JSON or .CSV format to the customer. The right to erasure according to Art. 17 GDPR remains unaffected and will be granted if the requirements set out in this provision are met. Data is encrypted at rest and in transit with 256-bit AES encryption and the keys are with Yokoy.

Your data protection rights

Right to confirmation Art. 25 Para. 1 FADP and Art. 15 GDPR

Art. 25 Para. 1 FADP and Art. 15 GDPR give you the right to request confirmation from us as to whether personal data relating to you is being processed. To do so, please contact us at dpo@yokoy.ai.

Right to information Art. 25 Para 2 FADP and Art. 15 GDPR

In accordance with Art. 15 GDPR and Art. 25 Para. 2 FADP, you also have the right to receive from us at any time and free of charge information about the data stored about you and a copy of this data in accordance with the legal provisions. To do so, please contact us via dpo@yokoy.ai. This data will be provided in JSON or .csv format within 30 days according to Art. 25 Para. 7 FADP.

Right to rectification Art. 32 FADP and Art. 16 GDPR

You have the right to request the rectification of inaccurate personal data concerning you. You also have the right to request that incomplete personal data be completed, considering the purpose of the processing. The obligation to keep the employee user master data up to date lies with the customer, as we receive this data from the customer and are not able to verify it.

Right to erasure Art. 6 Para. 4 FADP and Art. 17 GDPR

You have the right to demand that we delete the personal data concerning you without delay, provided that one of the reasons provided for by law applies and as far as the processing or storage is not necessary. To do so, please contact us via dpo@yokoy.ai. The FADP does not specifically grant a right to erasure, but Art. 6 Para. 4 FADP requires the destruction or anonymization of data that is no longer necessary to fulfill the purpose.

Restriction of processing Art. 18 GDPR

You have the right to request that we restrict processing if one of the legal requirements is met. To do so, please contact us via dpo@yokoy.ai. This right is not explicitly granted in the FADP, but it is covered by the purpose limitation stipulated in Art. 6 Para. 3 FADP.

Obligation to notify Art. 9 Para. 3 FADP and Art. 19 GDPR

Yokoy will communicate changes, deletions and restrictions of data processing to third parties, unless this proves impossible or involves a disproportionate effort. Art. 9 Para. 3 FADP requires this in the specific case of the engagement of a new subprocessor. If we do so, customers will be informed of a notice period of 14 days as stipulated in the Data Processing Agreement.

Data portability Art. 28 FADP and Art. 20 GDPR

You have the right to receive the personal data concerning you that you have provided to us in a structured, common and machine-readable format. We provide the data in .csv or JSON format. You also have the right to transfer this data to another controller without hindrance from us, to whom the personal data has been provided, provided that the processing is based on consent pursuant to Art. 6 Para. 1 lit. a GDPR or Art. 9 Para. 2 lit. a GDPR or on a contract pursuant to Art. 6 Para. 1 lit. b GDPR and the processing is carried out with the aid of automated procedures, unless the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.

Furthermore, when exercising your right to data portability pursuant to Article 20 Para. 1 GDPR, you have the right that the personal data be transferred directly from one controller to another controller, to the extent technically feasible and if this does not adversely affect the rights and freedoms of other individuals. For this purpose, the data may be provided in .CSV or .JSON format. To do so, please contact us via dpo@yokoy.ai. The right to data portability is also granted in Art. 28 FADP, but restrictions apply on feasibility and proportionality.

Objection Art. 30 Para. 2 lit. b FADP and Art. 21 GDPR

You have the right to object at any time, on grounds relating to your situation, to the processing of personal data concerning you that is carried out based on Art. 6 Para. 1 lit. e or lit. f GDPR. This also applies to profiling based on these provisions within the meaning of Art. 4 No. 4 GDPR. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is necessary for the establishment, exercise or defense of legal claims. In individual cases, we process personal data to conduct direct advertising. You may object to the processing of personal data for the purpose of such advertising at any time. This also applies to profiling, as far as it is associated with such direct advertising. If you object to the processing for direct marketing purposes, we will no longer process the personal data for these purposes. You also have the right to object, on grounds relating to your situation, to the processing of personal data concerning you which is carried out by us for scientific or historical research purposes or for statistical purposes pursuant to Art. 89 Para. 1 GDPR, unless such processing is necessary for the performance of a task carried out in the public interest.

Notwithstanding Directive 2002/58/EC, you are free to exercise your right to object to the use of information society services by automated means using technical specifications. To do so, please contact us via dpo@yokoy.ai.

Revocation of consent in Art. 7 Para. 3 GDPR

You have the right to revoke your consent to the processing of personal data in accordance with Art. 7 Para. 3 GDPR at any time with effect for the future. To do so, please contact us via dpo@yokoy.ai.

Complaint to a supervisory authority

You have the right to lodge a complaint about the processing of personal data by us with a supervisory authority responsible for data protection in accordance

Country | Supervisory Authority | Contact
Switzerland | FDPIC – Federal Commissioner for Data Protection and Freedom of Information | Feldeggweg 1, CH-3003 Berne; Phone: +41 (0)58 462 43 95
Germany | BayLDA – Bayerisches Landesamt für Datenschutzaufsicht | Promenade 18, 91522 Ansbach; Phone: +49 981 1800930; Fax: +49 981 180093-800
Austria | Österreichische Datenschutzbehörde | Barichgasse 40-42, 1030 Vienna; Phone: +43 1 52 152-0; Email: dsb@dsb.gv.at
Netherlands | Dutch Personal Data Authority | PO BOX 93374, 2509 AJ The Hague; Phone: +31 (0)88 1805 250
United Kingdom | ICO – Information Commissioner’s Office | Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF; Phone: +44 (0)303 123 1113; Email: icocasework@ico.org.uk

Updates

We can adapt and supplement this data protection declaration at any time. We will inform you about such adjustments and additions in an appropriate form, by publishing the respective current Privacy Policy on our website.
