Overview

Scope

This Privacy Policy and the Cookie Policy (can be found here) applies to all entities of Yokoy (see A. 8 ("Yokoy" or "we"). You can use our Cookiebot to granularly determine which optional cookies you want to allow and which you do not.

Security and compliance

Data protection is of utmost importance to Yokoy. We ensure through various technical and organizational measures (TOMs) as well as contractual measures that your data is always kept up to date, stored securely and processed in accordance with Swiss (Federal Data Protection Act; FADP) and European data protection regulations (in particular the General Data Protection RegulationGDPR). This applies both in our company and in the cooperation with our partners and suppliers as outlined in our Partner Code of Conduct. Yokoy has also established an Information SecurityManagement System (ISMS) in accordance with the requirements of the ISO 27001:2013 standard, which has been certified by TÜV Rheinland since November 2022. The processing of card data is certified according to PCI-DSS 4.0 Payment Card Industry Data Security Standard by PGI (ProtectionGroup International). Penetration testing through an independent third party is conducted on an annual basis.

Yokoy is further certified by the Spanish State Tax Administration Agency (AEAT), enabling our customers to safely utilize digitized receipts and invoices, and remove the burden of collecting and storing physical copies as it is confirmed here. As part of this certification, we use Q-Seal provided by D-Trust which is an electronic token and therefore cannot be shared publicly for security reasons.

Our legal security and compliance hub shall provide a quick overview of our efforts so that our stakeholders are up to date with the most relevant documents.  Yokoy runs on high-availability mode on the Google Cloud Platform. The cloud data is stored in Zurich, Frankfurt and St. Ghislain, Belgium. An overview of the certifications can be found at Google Cloud security or specifically for data centers at data center security.

International transfers

Despite our best try to work with Swiss or EU Partners wherever we can, international data transfers cannot always be avoided. We make sure that the transfer of data is in line with the mechanisms in chapter V of GDPR and Art. 16 ff. FADP.

Storage and deletion

We store the data only as long as it is necessary for the fulfillment of the contract or the statutory retention periods upon customers’ request. This is subject to your right to deletion in accordance with Art. 17 GDPR, provided that the requirements for this are met.

Third parties

We are aware of our responsibility towards third parties. Therefore, we conduct a rigorous screening before engaging with third parties. Such screening includes data protection, security, utility and finance review. Besides the Partner Code of conduct we are following legal developments closely and make sure our partners are doing the same, being up to date with legal and security developments.

Your rights

The FADP and the GDPR grant the person whose data is processed (data subject) several rights with which the person can influence the data processing. For an overview of the rights and how you can exercise them please see section G of this Privacy Policy.

Responsibility and review

This Privacy Policy is reviewed at least once a year and signed off by our internal Data ProtectionOfficer. The last update results from the versioning under the title.

How to reach us?

Our Data Protection Officer is available to answer your questions for all Yokoy entities:

Contact Data Protection Officer:
Dpo@yokoy.ai.

Categories of personal data

The personal data as defined in Art. 5 FADP and Art. 4 GDPR we process are divided into the following categories:

• Basic data (e.g. last name, first name)
• Contact details (e.g. telephone, email, postal address)
• Browser and device data, meta or boundary data and usage data, content data that you submit to us (e.g., through the contact form, registration for newsletters, webinars, and protected content or applications as well as spend management receipts).
• Location data for trip reports
• Contact, sales, contract and payment data in our customer relationship management system.
• Customer and prospect point of contact

Categories of data subjects

Use cases of data processing

Data Processing When Using Yokoy

The data processed when using our software depends on the Yokoy modules in use. Further information on how we use artificial intelligence can be found in our AI Policy. A list of actual subprocessors is published in our legal, security and compliance section of the website. A Data Processing Addendum is part of the SaaS contract concluded between Yokoy and the customer.

In this context Yokoy is the processor and the customer is the controller.

Data You Give Us

When You Contact Us

By Phone: Aircall

By Email: Microsoft Outlook

By Chat: Intercom

When you sign up for the newsletter/gated content

Data We Process on Our Own Behalf

While in the general set-up we are a SaaS company acting as data processors on behalf of our customers, there are also situations where we act as data controllers and process data on our own behalf, at times using third-party companies. Here is a brief overview of the situations we process data on our own behalf.

CRM

We are using Salesforce as our customer relationship management tool.

Our Website

Our website www.yokoy.io and its subdomains are hosted by WP engine, which is a trusted, globally active provider for website hosting for companies of all sizes including some of the largest corporations. Regarding the cookie-usage of our website please see our Cookie Policy.

Our Marketing

Engaging with existing and potential clients is a key part of our sales process. Therefore, this section lays out how the marketing team is interacting with all stakeholders.

Hubspot

A central part of our marketing activities is processed through HubSpot (see the table in the data you give us section for more information on HubSpot).

HubSpot uses web beacons and cookies to analyze your use of our website and to cover various aspects of online marketing. This includes email marketing, contact management (e.g. performance segmentation & CRM), landing pages and contact forms on our website and in the app. This information as well as parts of our website are stored on servers of our software partner HubSpot. It is used by us to contact visitors to our website and determine which of our company's services are of interest to them. The information collected is subject to this Privacy Policy. We use all collected information exclusively to optimize our marketing measures and to communicate with users and improve user experience.

Intercom

Another central tool is our Chat function provided by Intercom, inc. To find out more about intercomsee the data you give us section for more details.

Google Tag Manager

Google Tag Manager is a solution that allows website tags to be managed via an interface. The Tag Manager tool (which implements the tags) is a cookieless domain and does not collect any personal data. The tool takes care of forwarding data and triggering other tags, which in turn may collect data. Yokoy does not have access to this data. If a deactivation has been made at the domain or cookie level, it will remain in place for all tracking tags implemented with Google Tag Manager, but the tracking is disabled.

Google ReCAPTCHA

ReCAPTCHA is a free service from Google that helps protect websites from spam and abuse. A “CAPTCHA” is a Turing test to tell human and bots apart. It is easy for humans to solve, but hard for “bots” and other malicious software to figure out.

Google Web Fonts

When you call up a page, your browser loads the required web fonts into the browser cache to display texts and fonts correctly. For this purpose, the browser must establish a connection to Google's servers. In this way, Google learns that our website was accessed via your IP address.

Google Analytics

We use google Analytics to track activities on the website. Such activities include page view, clicks and dwell time. We are using Google Analytics 4 that has improved privacy credentials. More details can be found here. We as Yokoy do not have access to the IP-addresses. A further option to control the ads shown is possible by the Ads Preferences Manager.

jsDelivr CDN

A CDN is a network of regionally distributed servers connected via the Internet. To use the service, it is possible that your browser sends personal data to jsDelivr. This may allow jsDelivr to collect and store data such as browser type/version, date and time of access or IP address. To avoid this, you can install a JavaScript blocker e.g. No Script.

Videoask

Videoask is an interactive video-tool used in webforms.

Navattic

Navattic allows us to improve your customer experience by taking tours of key components of our product or integrations with third parties. The tours can be found here.

Marketing tools that use cookies

Certain marketing tools use cookies. To learn what cookies are, what they do, and how you can disable them, visit our Cookie Policy or the Cookie Manager on our website. This allows you to fine- tune your consent to the use of cookies that are not strictly necessary to provide the website. Our management tool Cookiebot is provided by the German company Usercentrics.

Social Media activities

We have various presences on social networks to communicate with users active there and to inform them about our services. For example, we use icons that lead to the pages of YouTube, LinkedIn, Meta and X. For more information about this and about the use of cookies, please see our Cookie Policy . The processing of data in this context is covered by the legitimate interest of interacting with customers and prospects alike according to Art. 6 Para. 1 lit. F GDPR.

Technical data

When you use our website, information that your browser transmits to us is automatically collected and stored.

• Browser type and version
• The operating system
• IP address (anonymized for geolocation)
• Referrer URL
• Host name of the computer
• Request date

The data is needed, for example, to deliver the content of our website correctly, to ensure the functionality of our website according to Art. 6 Para. 1 lit. f GDPR or to provide law enforcement authorities with the appropriate information in the event of a cyber-attack based on Art. 6 Para. 1 lit. c GDPR. The anonymous data of the server log files are stored separately from your personal data.

Login data

When you are logging in to Yokoy via the website the following data will be stored.

• Login information
• Browser type
• Amount of sent data in bytes
• Date and time of access
• IP address
• Language setting

This data is stored to provide the portal, its security and functionality, legitimate interests according to Art. 6 Para. 1 lit. f GDPR.

Sales

Identifying and connecting with potential clients and helping them optimize their spend management process is an important part of the sales process. To achieve this goal Yokoy is using different software products as outlined below.

Cognism

LinkedIn Sales Navigator

6sense

Salesloft

Yokoy Analytics

Legitimate interest of analyzing usage of Yokoy according to Art. 6 Para. 1 lit. f GDPR. Yokoy wants its tool to be as close to the customers’ needs as possible. Amplitude gives us an insight into how our customers use Yokoy which will in return allow us to prioritize the product roadmap and product development. Since individual users are pseudonymized, it is not possible for Yokoy to track down individual users or expenses with Amplitude.

• Geographical location
• Browser
• The operating system
• IP address
• Duration of the visit
• Reference URL
• Information about how often the website is visited
• Newsletter subscription data
• Pages called

Personio

After your successful application via Lever, your data will be transferred to Personio our HR tool.

Partner

As outlined in more detail in the SaaS Agreement Yokoy uses Partners to distribute and implement Yokoy. Some partners are also delivering parts of our service to us that we are connecting Yokoy to. Examples thereof are our VAT-Reclaim partners, our travel partners or our e-invoicing partners. An overview of our partner landscape can be found in the partner section of our website. Individual exceptional cases excluded, the customer has individual contracts with those partners and the data necessary to provide the services will be shared with those partners. This happens on a need-to-know basis and is contractually agreed upon with the individual customer.

To manage these partnerships, we are using the partner tool Reveal. Reveal allows us to synchronize opportunities with our distribution partners to look for cooperation opportunities of mutual partners with potential customers. Aside from limiting the data shared, Reveal has a comprehensive security posture. Yokoy remains in full control of what is shared with Reveal. An internal policy is shared and enforced to ensure that only company names are shared, and NDAs are respected. If your company shall not be mentioned, please reach out to dpo@yokoy.ai.

DocuSign

DocuSign is a widely recognized supplier of e-signatures. By using DocuSign, we do not only speed up the signing process by making contracts signable from wherever there is an internet connection, but we also contribute positively to the environment by not having to unnecessarily print out documents and use resources. If you want to know more about our environmental efforts visit here.

Slack

Holycode / HolyERP

Holycode is a Swiss company supplying development resources based out of Serbia for a wide variety of Swiss companies https://www.holycode.com/clients/ Holycode supports our engineering team with coding (Holycode) and connector tasks (HolyERP). No one at Holycode / HolyERP performs any work without a written statement of work from Yokoy. Yokoy remains responsible for any development executed by Holycode/HolyERP.

International Data transfers

We are aware that transferring data abroad requires us to take precautions. Where possible we strive to store the data within Switzerland and the EU. Since Yokoy’s headquarters are in Switzerland, it is important to point out that Switzerland is recognized as a country with adequate protection of personal data just like the United Kingdom is, where we have another subsidiary. If we work withUS providers, we choose EU storage wherever it is offered. In addition, most of our US processors are certified according to the EU-US Privacy Framework, the newest transfer framework that is recognized by the EU Commission as providing adequate protection of your data. Additionally, Standard Contractual Clauses are either part of the contract or signed separately. On top of that we have conducted a data transfer impact assessment in which we concluded that the risk is minimal and together with the security measures we and our partners have taken to protect the data the risk of a government intervention is minimal. Should we ever get a request from a government entity the internal procedures for how to react to such a request are in place. That said, we are aware that this is a dynamic field of law that requires continuous attention. Should action become necessary, we will act accordingly. As of the date of publication of this Privacy Policy no US request has ever been raised to any Yokoy entity.

Data storage and deletion

We store data during the contractual relationship with the customer. The data storage locationsof our cloud provider are Zurich, Switzerland Frankfurt, Germany and St. Ghislain, Belgium.

The default data storage is defined by the contract with the customer. Upon customer request we can also store data for as long as the legal requirement for data retention in the specific customer country requires. Yokoy offers read-only access allowing auditors to access the spend management records for their specific purpose. The data can be provided in a. JSON or .CSV format to the customer. The right to erasure according to Art. 17 GDPR remains unaffected and will be granted if the requirements set out in this provision are met. Data is encrypted at rest and in transit with a 256Bit-AES encryption and the keys are with Yokoy.

Your data protection rights

Right to confirmation Art. 25 Para 1 FADP Art. 15 GDPR

Art. 25 Para 1 FADP and 15 GDPR give you the right to request confirmation from us as to whether personal data relating to you is being processed. To do so, please contact us at dpo@yokoy.ai.

Right to information Art. 25 Para 2 FADP and Art. 15 GDPR

In accordance with Art. 15 GDPR and Art. 25 Para. 2 FADP, you also have the right to receive from us at any time and free of charge information about the data stored about you and a copy of this data in accordance with the legal provisions. To do so, please contact us via dpo@yokoy.ai This data will be provided in JSON or .csv format within 30 days according to Art. 25 Para. 7 FADP.

Right to rectification Art. 32 FADP and Art. 16 GDPR

You have the right to request the rectification of inaccurate personal data concerning you. You also have the right to request that incomplete personal data be completed, considering the purpose of the processing. The obligation to keep the employee user master data up to date lies with the customer, as we receive this data from the customer and are not able to verify it.

Right to erasure Art. 6 Para. 4 FADP and Art. 17 GDPR

You have the right to demand that we delete the personal data concerning you without delay, provided that one of the reasons provided for by law applies and as far as the processing or storage is not necessary. To do so, please contact us via dpo@yokoy.ai. The FADP does not specifically grant a right to erasure, but Art. 6 Para. 4 FADP is requesting the destruction or anonymization of data which are no longer necessary to fulfill the purpose.

Restriction of processing Art. 18 GDPR

You have the right to request that we restrict processing if one of the legal requirements is met. To do so, please contact us via dpo@yokoy.ai. This right is not explicitly granted in the FADP, but it is covered by the purpose limitation stipulated in Art. 6 Para. 3 FADP.

Obligation to notify Art. 9 Para. 3 FADP and Art 19 GDPR

Yokoy will communicate changes, deletions and restrictions of data processing to third parties, unless this proves impossible or involves a disproportionate effort. Art. 9 Para. 3 FADP require this in specific case of the engagement of a new subprocessor. If we do so, customers will be informed of a notice period of 14 days as stipulated in the Data Processing Agreement.

Data portability Art. 28 FADP and Art. 20 GDPR

You have the right to receive the personal data concerning you that you have provided to us in a structured, common and machine-readable format. We provide the data in .csv or JSON format. You also have the right to transfer this data to another controller without hindrance from us, to whom the personal data has been provided, provided that the processing is based on consent pursuant to Art. 6 Para. 1 lit. a GDPR or Art. 9 Para 2 lit. a GDPR or on a contract pursuant to Art. 6 Para. 1 lit. b GDPR and the processing is carried out with the aid of automated procedures, unless the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.

Furthermore, when exercising your right to data portability pursuant to Article 20 Para I GDPR, you have the right that the personal data be transferred directly from one controller to another controller, to the extent technically feasible and if this does not adversely affect the rights and freedoms of other individuals. For this purpose, the data may be provided in .CSV or. JSON format. To do so, please contact us via dpo@yokoy.ai. The right to data portability is also granted in Art. 28 FADP, but restrictions apply on feasibility and proportionality.

Objection Art. 30 Para. 2 lit. b FADP and Art. 21 GDPR

You have the right to object at any time, on grounds relating to your situation, to the processing of personal data concerning you that is carried out based on Art. 6 Para. 1 lit. e or lit. f GDPR. This also applies to profiling based on these provisions within the meaning of Art. 4 No. 4 GDPR. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is necessary for the establishment, exercise or defense of legal claims. In individual cases, we process personal data to conduct direct advertising. You may object to the processing of personal data for the purpose of such advertising at any time. This also applies to profiling, as far as it is associated with such direct advertising. If you object to the processing for direct marketing purposes, we will no longer process the personal data for these purposes. You also have the right to object, on grounds relating to your situation, to the processing of personal data concerning you which is carried out by us for scientific or historical research purposes or for statistical purposes pursuant to Art. 89 Para. 1 GDPR, unless such processing is necessary for the performance of a task carried out in the public interest.

Notwithstanding Directive 2002/58/EC, you are free to exercise your right to object to the use of information society services by automated means using technical specifications. To do so, please contact us via dpo@yokoy.ai.

Revocation of consent in Art. 7 Para. 3 GDPR

You have the right to revoke your consent to the processing of personal data in accordance withArt. 7 Para. 3 GDPR at any time with effect for the future. To do so, please contact us via dpo@yokoy.ai.

Complaint to a supervisory authority

You have the right to lodge a complaint about the processing of personal data by us with a supervisory authority responsible for data protection in accordance

Updates

We can adapt and supplement this data protection declaration at any time. We will inform you about such adjustments and additions in an appropriate form, by publishing the respective current Privacy Policy on our website.