VERSION 3.0 July 2022
Data protection is of the utmost importance to Yokoy. We use various technical, organizational and contractual measures to ensure that your data is always kept up to date, stored securely and processed in accordance with Swiss (Federal Act on Data Protection; FADP and the associated Ordinance) and European data protection regulations (in particular the General Data Protection Regulation GDPR). This applies both in our company and in the cooperation with our partners and suppliers.
i. Contact person Yokoy Group AG
ii. Categories of personal data
iii. What data we process
iv. International data transmission
v. Directory of data processing
vi. Data security
vii. Storage and deletion of data
viii. Your rights
3. Responsibility and review
I. Contact Yokoy Group AG Zurich
Our Legal and Data Protection Officer is available to answer any questions you may have about data protection.
1. Headquarters Yokoy Group AG – Zurich
Yokoy Group AG
MLaw Claudio Berther, LL.M (University of California, Berkeley)
Legal Counsel and Data Protection Officer
Tel: +41 (0)43 508 15 77
2. Yokoy Germany GmbH – Munich
Yokoy Germany GmbH
Design Offices Munich Macherei
Weihenstephaner Str. 12 (Building M6)
Tel: +49 151 42 04 31 22
Germany Company register number: HRB 267689
3. Yokoy GmbH Austria – Vienna
Tel: +43 1 417 01 15
Managing Director: Mag.(FH) Stephan Hebenstreit, LL.M.
Commercial register court: Vienna Commercial Court
Number of the company register: FN 534254
Place of jurisdiction: Vienna Commercial Court
Chamber affiliation: Vienna Chamber of Commerce
II. Categories of personal data
The personal data we process are divided into the following categories:
1. Basic data (e.g. last name, first name)
2. Contact data (e.g. telephone, e-mail, postal address)
3. Browser and Device Data, Meta or Marginal and Usage Data, Content Data that you submit to us (e.g., through the contact form, registration for newsletters, webinars and gated content or applications)
4. Location data
5. Contact, sales, contract and payment data in our Customer Relationship Management System
III. What data we process
1. Data you give us
You voluntarily provide us with data in various situations, for example when you contact us, subscribe to our newsletter, register in the customer portal, apply for a job, register for a webinar or download protected content. If you want to know more about how we process this data, for what purpose and on what legal basis, read “A. Data you give us” or click here.
2. Data we process
In order to provide our services, maintain our infrastructure and provide the best possible experience to all stakeholders, we also process personal data. If you would like to know more about the purposes and legal basis for this, read “B. Data we process” or click here.
3. Data processed by our partners
IV. International data transmission
Even though we make every effort to work with Swiss or European providers and make European storage of data a requirement for onboarding new subprocessors wherever possible, the outflow of data abroad cannot be fully prevented. You can find out how this is legally implemented by Yokoy and how your data is also transferred in a legally secure manner in connection with foreign transfers under “D. International data transmission” or click here. Yokoy will always keep an eye on this sensitive and ever-changing topic.
V. Data processing Directory
Yokoy maintains an internal data processing directory according to Art. 30 GDPR and Art. 11a FADP.
VI. Data security
Data shared with us is treated confidentially and protected against unauthorized access, damage or loss by technical and organizational measures. If you would like to learn more about how we protect your data technically, see “F. Data security” or click here.
VII. Storage and deletion
We store the data only as long as it is necessary for the fulfillment of the contract. The legal retention periods and your right to deletion according to article 17 GDPR remain reserved, provided that the requirements for this are met. If you want to know more about this topic, see “VII. Data storage and data deletion” or click here.
VIII. Your rights
The GDPR grants the person whose data is processed various rights with which the person can influence the data processing. For an overview of the rights and how you can exercise them, see “VIII. Your rights” or click here.
A. Data you give us
1. Contacting us
You can contact us through a variety of channels, including phone, email, contact form, chat, social media, webinar registration, and “gated content” registration. We collect your contact details and information from the inquiry. This may be stored in our CRM (customer relationship management) system. This data is stored for internal use only.
1.1 Purpose of the processing
We store personal data in order to be able to respond to your inquiry or contact. Furthermore, this storage enables us to carry out the contract or pre-contractual measures in case of questions on an existing contractual relationship. In addition, Yokoy may conduct analyses about possible future contractual relationships, e.g. the size of the company, where the company is present and through which channels you have heard about Yokoy.
1.2 Legal basis
The basis for the data processing is Art. 6 I b GDPR, which allows us to process data for the performance of a contract or pre-contractual measures. The analysis purposes are based on the legal basis of legitimate interests according to Art. 6 para. 1 lit. f GDPR to find out whether you fit into our customer portfolio in terms of size and geographical presence. The data processing is carried out in accordance with the data protection principles according to Art. 6 FADP. We use the Hubspot and Salesforce software to enable this service. You can find a link to the data protection principles here https://legal.hubspot.com/privacy-policy or here https://www.salesforce.com/company/privacy/full_privacy/ respectively.
2. Registration for the newsletter
2.1 Purpose of the processing
Creation and dispatch of our newsletter.
2.2 Legal basis
If you subscribe to the newsletter, you give us permission to use your data for sending the newsletter. You also agree to the information described below. On the basis of article 7 para. 3 GDPR, you can revoke your consent at any time for the future; for this purpose, you will find an unsubscribe link in every email sent. For sending our newsletter, we use the software HubSpot. An overview of all partners with whom we cooperate for internal and external purposes as well as links to their data protection statements can be found under “D. International data Transmission” or click here.
2.3 Double-Opt-In-Procedure for the purpose of verifiability
An important principle of the General Data Protection Regulation is accountability. Article 5 para. 2 GDPR requires not only compliance with data protection regulations, but also proof thereof. For this reason, registration takes place in a double opt-in process. After your registration, you will receive an email in which you must confirm your email address. This prevents misuse with registrations from other email addresses. Registrations are stored in our CRM system so that we can legally prove the registration process. This includes the following data: Sign-up and confirmation time, type of newsletter, IP address and your contact details. The legal basis for this is the fulfilment of a legal obligation according to Art. 6 para. 1 c GDPR.
2.4 National specifics
Germany: The dispatch and performance measurement of the newsletter is based on the consent of the recipients pursuant to Art. 6 para. 1 lit. a, Art. 7 GDPR in conjunction with Section 7 (2) No. 3 UWG or on the basis of the legal permission pursuant to Section 7 (3) UWG.
Austria: The dispatch of the newsletter and the associated measurement of success is based on the consent of the recipients in accordance with Art. 6 para. 1 lit. a, Art. 7 GDPR in conjunction with Section 107 (2) TKG or on the basis of the legal permission pursuant to Section 107 (2) TKG.
§ 107 para. 2 and 3 TKG. The logging of the registration process is based on our legitimate interests pursuant to Art. 6 para. 1 lit. f GDPR. Our interest is directed towards the use of a user-friendly and secure newsletter software. In addition, there is a legal obligation to provide proof of registration. This obligation also results from the accountability according to article 5 III GDPR.
Switzerland: Data processing is carried out in accordance with the data protection principles set out in article 4 of the FADP.
3. Webinar registrations
You can also register for webinars via the Hubspot tool to get to know our products better. We store the data you provide so that we can contact you if necessary, e.g. if it becomes necessary to cancel the event. We base our data processing on your consent according to Art. 6 para. 1 a GDPR. This consent can also be revoked for the future. To do so, contact us via a channel described in the contact section above. The data processing is carried out in accordance with the data protection principles pursuant to Art. 4 FADP.
4. Gated content downloads
Gated content is about sharing knowledge that is valuable to the user in exchange for contact information of the user that is valuable to us. In Yokoy’s case, this could be, for example, events on topics such as digitalization, artificial intelligence or data protection.
4.1 Purpose of the processing
4.2 Legal basis
We base our data processing on your consent pursuant to article 6 para. 1 a GDPR. This consent can also be revoked for the future in accordance with Art. 7 para. 3 GDPR. Contact us by any channel in the contact section above. The data processing is carried out in compliance with the data protection principles in Art. 4 FADP.
5. Job applications
For job applications we use the service of Lever. Lever is GDPR and SOC 2 compliant. Employees and subprocessors are obliged to keep the data strictly confidential. Further information can be found here https://www.lever.co/agreements/dpa/.
5.1 Purpose of the processing
We process the personal data provided to us in order to take pre-contractual measures for the possible conclusion of an employment contract with you. If your application is unsuccessful or you withdraw your application, the data will be deleted within 30 days. If your application is successful, the data will be retained until the purpose is fulfilled, usually for the duration of the contractual relationship, plus a period as required by applicable law.
5.2 Legal basis
The data is stored on the basis of article 6 para. I b GDPR or the consent of the person in accordance with article 6 para. 1 a GDPR. This consent can also be revoked for the future on the basis of article 7 para. 3 GDPR. To do so, contact us via the contact section above. The data processing is carried out in accordance with the data protection principles pursuant to Art. 4 FADP.
B. Data processed by us
1. Server log files
When you use our website, information that your browser transmits to us is automatically collected and stored. These are:
• Browser type and browser version
• The operating system
• IP address
• Referrer URL
• Host name of the computer
• Date of request
We do not draw any conclusions about your person when using this data. Logging is done in accordance with our internal logging and monitoring policy.
1.1 Purpose of the processing
The data is required, for example, to deliver the content of our website correctly, to ensure the functionality of our website or to provide law enforcement authorities with the relevant information in the event of a cyber attack. The anonymous data of the server log files are stored separately from your personal data.
1.2 Legal basis
We base the collection of this anonymised data in the legitimate interest of a functioning website in accordance with article 6 para. 1 f GDPR.
2. Customer login/customer portal
The data protection provisions are agreed and signed with each customer upon conclusion of the contract. The processing of customer data in our CRM system is carried out in accordance with point 3.
In addition, our system automatically records the following log data for each call:
• Browser type
• Amount of data sent in bytes
• Date and time of access
• IP address
• Setting the language
2.1 Purpose of the processing
This data is collected for the purpose of providing the portal. In addition, this data is processed and stored to ensure the functionality of the portal and security.
2.2 Legal basis
Customer portal data is processed in accordance with article 6 para. 1 b and f GDPR. The data is only stored as long as it is necessary for the fulfillment of the purpose. To provide the portal, data is also passed on to technically necessary partners, e.g. the website hoster and the cloud provider. An overview of all partners, their services, the legal basis of processing and contact options can be found here. An internal logging and monitoring policy regulates the details.
3. Customer data (CRM Customer Relationship Management)
3.1 Purpose of the processing
In order to perform our contractual services, we need to process data about our customers. In doing so, we process inventory data (e.g. customer master data, such as names or addresses), contact data (e.g. email, telephone numbers), content data (e.g. charts of accounts), contract data (e.g. subject matter of the contract, term), payment data (e.g. bank details, payment history). This mainly concerns customers, employees and suppliers. The purpose of the processing is the provision of contractual services, billing and our customer service.
3.2 Legal basis
The legal basis for the processing results from article 6 para. I b GDPR. We process data that is necessary for the establishment and performance of the contractual services. We process the data only for the contractual purpose and act in accordance with the legal requirements of commissioned processing pursuant to article 28 GDPR. We delete the data after expiry of the contract or statutory warranty and comparable obligations. In the case of legal archiving obligations, deletion takes place after their expiry (6 years, according to § 257 para. 1 HGB, 10 years, according to § 147 para. 1 AO). In the case of data provided to us by the client as part of an order, we delete the data in accordance with the specifications of the order. Personal data is only collected, processed and used to the extent that it is necessary for the establishment, content or amendment of the legal relationship (inventory data). The data processing is carried out in compliance with the data protection principles according to Art. 4 FADP. We use the services of Salesforce for our CRM. You can find out more about data protection at https://www.salesforce.com/company/privacy/full_privacy/
C. Data collected from our partners
When we involve partners, this is done in accordance with the requirements of Art. 10a FADP and article 5 GDPR. There are data processing contracts that include the requirements of article 28 (3) of the GDPR.
1. When visiting the website
In order to be able to operate a website technically, certain technical requirements are necessary, for which we depend on partners.
1.1.1 Purpose of the processing
Our hosting provider provides us with infrastructure and platform services, database services, computing capacity, security services and storage space as well as technical maintenance services, which we use for the purpose of operating our online offer.
1.1.2 Legal basis
The basis for data processing is article 6 (1) lit. b GDPR, which allows us to process data for the performance of a contract or pre-contractual measures. Our website is hosted by Inpsyde GmbH, a German company that stores the data in Frankfurt. https://inpsyde.com/en/privacy-policy/
1.2 Content Delivery Network (CDN)
1.2.1 Purpose of the processing
We use the open source services of jsDelivr as a CDN to deliver the website quickly. jsDelivr is a service of ProspectOne, Królewska 65A/1, 30-081, Krakow, Poland.
1.2.2 Legal basis
1.3 Google Web Fonts
1.3.1 Purpose of the processing
This website uses so-called web fonts provided by Google to display fonts. The provider is Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. This is a service of the American Google LLC. For users in the European Economic Area (EEA) and Switzerland, the Irish company Google Ireland Limited is responsible. When you call up a page, your browser loads the required web fonts into the browser cache in order to display texts and fonts correctly. For this purpose, the browser you are using must establish a connection to Google’s servers. In this way, Google learns that our website was accessed via your IP address.
1.3.2 Legal basis
1.4.1 Purpose of the processing
1.4.2 Legal basis
2. When using the Yokoy app
The Yokoy app is hosted on the Google Cloud Platform. Google Cloud Platform is a service provided by Google Ireland LLC Google Building Gordon House, Barrow St, Dublin 4, Ireland. Specific privacy information about the Google Cloud can be found here https://cloud.google.com/terms/cloud-privacy-notice. Specific information about the data security of the Google Cloud and our products can be found in the Data Security section or will be provided upon request.
Customers can download a mobile app to their device. The information required for this process is transmitted to the app store without our intervention. The information includes, for example, the email address, your App Store account customer number or the time of the download. We are not responsible for this data collection and have no influence on it.
When using the Yokoy app, we process the following data to ensure the security and usability of the functions offered:
• Date and time of access
• IP address
• Access to the site
• The operating system
• Personal data as agreed in the data protection regulations with the respective company. Name, first name, e-mail and personnel number or cost center for publication.
To use the app in connection with the expense tool, the following categories are processed by the app: Last name, first name, email address and personnel or vendor number (for posting in the client’s system). For the invoice module, only the supplier name and ID are required. Additional data can be provided by the user, but is not mandatory. For the Yokoy Pay module it is first name, last name, address, birthday and phone number. More detailed information is provided to our customers in the Data Processing Addendum that is part of the contract signed with Yokoy. A specific appendix deals with the data processed within our Yokoy Pay module as well as the partners we work with to put this module in place.
The data is stored in an encrypted private cloud and the transfer to the Google Cloud is also secured with 256-bit AES encryption. By using the app, no employee data of the users is stored in our CRM.
2.1 Purpose of the data processing
This data is only processed for the provision of the Yokoy app.
2.2 Legal basis
This is done on the basis of article 6 I a, b and f GDPR.
3. Our marketing activities
On our website, we use the software HubSpot for various purposes. Our Partner is Hubspot Germany GmbH Am Postbahnhof 17, 10243 Berlin.
3.1.1 Purpose of the processing
Hubspot uses web beacons and cookies to analyze your use of our website and to cover various aspects of online marketing. This
In the context of optimizing our marketing measures, the following data, among others, may be collected and processed via HubSpot:
• Geographical location
• The operating system
• IP address
• Duration of the visit
• Reference URL
• Information about how often the website is visited
• Newsletter registration data
• Pages accessed
We also use HubSpot to provide contact forms.
3.1.2 Legal basis
The chat function on our website is provided by Intercom, 2nd Floor, Stephen Court, 18-21 Saint Stephen’s Green, Dublin 2.
3.2.1 Purpose of the processing
Chat Function on our website.
3.2.2 Legal basis
3.3 Google Tag Manager
3.3.1 Purpose of the processing
Our website uses the Google Tag Manager. The provider is Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Google Tag Manager is a solution that allows website tags to be managed via an interface. The Tag Manager tool (which implements the tags) is a cookieless domain and does not collect any personal data. The tool takes care of forwarding data and triggering other tags, which in turn may collect data. Google Tag Manager does not have access to this data. If a deactivation has been made at the domain or cookie level, this remains in place for all tracking tags implemented with Google Tag Manager.
3.3.2 Legal basis
The legal basis for the use of the Google Tag Manager is your consent according to Art. 6 para. I lit. a GDPR. This can be revoked at any time with effect for the future. To do so, contact us on a channel according to point I.
3.4 Google reCaptcha
3.4.1 Purpose of the processing
The purpose of reCAPTCHA is to check whether the data entry on our website (e.g. in a contact form) is made by a human or an automated program. The reCAPTCHA analyses run completely in the background. Visitors to the website are not made aware that an analysis is being carried out.
3.4.2 Legal basis
4. Social media activities
D. International data transmission
Whenever possible and commercially reasonable, Yokoy endeavors to work with providers from Switzerland, the EEA or the EU, or with countries for which the EU Commission has recognized an adequate level of data protection pursuant to article 45 of the GDPR.
Alternatively, the data transfer takes place on the basis of standard contractual clauses pursuant to Art. 46 of the General Data Protection Regulation. We are aware that the judgment of the European Court of Justice C-118-311 of 16.7.2021 has annulled the Privacy Shield and requires our subprocessors to implement the new Standard Contractual Clauses published by the EU Commission on June 4th 2021.
If available at the partner, we base the data transfer on Binding Corporate Rules according to Art. 47 GDPR.
We work exclusively with major international partners who share our conviction regarding the importance of data protection. The guarantee of data protection is further secured by data processing contracts with our suppliers.
Below is an overview of our foreign partners, in which country they are located and for what purpose they process Yokoy data. In addition, an internal policy states that we support any international sanctions against states, territories or persons and do not have business relationships with such states, territories or persons.
|Sub-Processor||Location||Basis of data transmission||Purpose of the processing||Address|
|Google LLC, Ireland||EU||SCCs||Use of cloud services for data storage (Google Cloud) in Europe, hosting of Yokoy software (Google Cloud Web Hosting), email communication (Gmail) and document management (G Suite), and data management (BigQuery).||Google Ireland LLC, Gordon House, Barrow Street, Dublin 4, D04E5W5 Ireland|
|Inpsyde GmbH||Germany||Adequacy decision Switzerland-EU||Hosting of the website https://www.yokoy.io on the basis of Art. 6 para. 1 lit. b and f GDPR||Mutzer Heide 3, 51467 Bergisch Gladbach|
|Hubspot Germany GmbH||EU||SCC||Yokoy’s internal CRM is also used for marketing and communication purposes based on your consent pursuant to Art. 6 para. 1 lit. a GDPR or Art. 6 para. 1 lit. b for the performance or preparation of a contract and Art. 6 para. 1 lit. f GDPR for our legitimate interests (in particular marketing).||HubSpot Germany GmbH, Am Postbahnhof 17, 10243 Berlin|
|Sendgrid LLC, Denver||USA||SCC||Sending platform emails (optional) – the employee’s email is shared with Sendgrid.||1801 California Street Suite 500, Denver, CO 80202 USA; Twilio, Inc. 375 Beale Street Suite 300 San Francisco, CA 94105 USA (Binding Corporate Rules applicable to Sendgrid, Inc.)|
|Slack Technologies, Inc.||USA||SCCs||Web-based instant messaging for internal corporate communication||Slack Technologies, Inc, 500 Howard Street, San Francisco, CA 94105, USA.|
|Prospect One||Poland||Adequacy Decision according to Art. 45 GDPR||For the provision of a CDN (Content Delivery Network). No personal data is requested and also not stored.||jsDelivr, ProspectOne, Królewska 65A/1, 30-081, Kraków, Poland.|
|Microsoft Company||USA||SCCs||Use of cloud services for customer communication (Microsoft Teams Microsoft Azure internal Access Management)||Microsoft Corp., One Microsoft Way, Redmond, WA 98052-6399, USA|
|DocuSign Germany GmbH||Germany||Binding corporate rules according to Art. 47 GDPR.||Electronic signing of contracts on the basis of Art. 6 I. 1 b GDPR||DocuSign Germany GmbH, New Rothofstraße 13-19|
|Aircall, Inc.||France||SCCs||Cloud-based call centre software on the basis of Art. 6 I. b and f||Aircall, Inc., 11 Rue Saint-Georges, 75009 Paris|
| ||Switzerland||Data transmission only within the EU (to CleverReach GmbH und CO KG for newsletter dispatch, otherwise no transmission) For further information, please refer to the legal notices of Hypothekarbank Lenzburg.||Establishment and management of the billing account and thus necessary fulfillment of legal requirements (in accordance with article 6 I b, c, f) GDPR). In addition, for the purpose of issuing the Yokoy Card and the associated legal requirements (pursuant to article 6 I b, c and f) GDPR).||5600 Lenzburg, Switzerland|
|Exceet Card Group||Germany||SCC||Processing and authorisation of transactions for the Swiss Yokoy company card. Legal basis: Art. 6 Ib) and f) GDPR||Exceet Card Group, Edison Strasse 3, 85716 Unterschleissheim|
|Cookiebot||Denmark||SCC||Cookie management tool on our website.||Havnegade 39, 1058 Copenhagen, Denmark|
|Salesforce Ireland Ltd.||Ireland||BCR||CRM||One Central Park|
|Atlassian||Netherlands||SCC||Development and ticketing tool||Atlassian B.V., Singel 236, 1016 AB Amsterdam|
E. Directory of data processing
For more information, please see our Directory of Data Processing pursuant to article 30 of the General Data Protection Regulation and article 12 of the FADP.
F. Data security
1. Physical security
Access to the offices is only granted by a badge system, which is handed in personally by the supervisor. Entrances and exits to the engineering offices are also logged for better traceability. There is an internal physical security policy which is included in regular staff training.
Access to our online offer takes place via transport encryption (SSL / TLS, in particular with the Hypertext Transfer Protocol Secure, abbreviated HTTPS). Most browsers indicate the transport encryption by a padlock in the address bar.
Even when the data is with us, it is in good hands. We chose Google as our cloud provider because Google has always evolved in terms of data security and offers us a reliable service. Google’s collaboration with SAP ensures high data availability. The security and data protection of Google products are independently audited on a regular basis (ISO/IEC 27001, 27017, 27018, SOC 1/2/3, GDPR).
Data in the cloud is encrypted with 256-bit AES (Advanced Encryption Standard) and all data is also encrypted in transit. Yokoy is currently in the process of obtaining ISO 27001 certification. ISO 9001 and 14001 are planned for the end of 2022.
3. Access management
Access is based on the need-to-know principle and is role-based. All activities are logged in order to be able to verify and prove access to the data. In addition, all access management issues are documented in an internal policy.
4. Availability of data
Data is provided on demand and there are automatic backups every 24 hours in an encrypted cloud (storage period 30 days) to ensure data availability at all times.
5. External review
In addition to the internal measures, we have our data security checked annually by an external partner using so-called penetration tests. The results of these tests also include improvement measures, which we subsequently implement in accordance with the internal penetration test governance policy.
6. Emergency plan
Should a data incident occur despite all measures, we are prepared for it and will put our internal emergency plan into action to minimize the damage.
G. Data storage and data deletion
We respect your data and only store it for as long as is absolutely necessary for the intended purpose (principle of data minimization according to article 5 c GDPR and article 4 para. 2 FADP). We delete the data at the latest after termination of the contractual relationship. This is subject to legal warranty and comparable obligations. In the case of statutory archiving obligations, deletion takes place after their expiry according to country specific legal requirements. In the case of data provided to us by the client as part of an order, we delete the data in accordance with the specifications of the order. Personal data is only collected, processed and used to the extent that it is necessary for the establishment, content or amendment of the legal relationship (inventory data). This is done on the basis of article 6 para. 1 b GDPR, which allows us to process data to fulfill a contract or pre-contractual measures. The right to deletion in accordance with article 17 GDPR is always reserved, provided that the legal requirements for this right are met. In addition, we store daily backups of our data in order to comply with the principle of data availability. The backup data is automatically deleted after 30 days. The data deletion procedure is documented in an internal policy.
H. Your rights
1. Right to confirmation Art. 15 GDPR and 4 para. 3 FADP
On the basis of article 15 GDPR and article 4 para. 3 of the FADP, you have the right to request confirmation from us as to whether personal data concerning you is being processed. To do so, contact us via the contact section above.
2. Right to information Art. 15 GDPR and 8 para. 1 FADP
Pursuant to article 15 GDPR and article 8 para. 1 FADP, you also have the right to obtain from us, at any time and free of charge, information about the data stored about you, as well as a copy of this data in accordance with the legal provisions, by contacting us through the contact section above.
3. Right of rectification article 16 GDPR and 5 para. 2 FADP
You have the right to request the rectification of inaccurate personal data concerning you. You also have the right to request the completion of incomplete personal data, taking into account the purpose of the processing. This obligation to correct data also arises under Swiss law from article 6 of the Data Protection Act, if the legal requirements are met.
4. Right to erasure Article 17 GDPR
You have the right to demand from us the immediate deletion of the personal data concerning you, provided that one of the reasons provided for by law exists and insofar as the processing or storage is not necessary.
5. Restriction of processing Article 18 GDPR
You have the right to request that we restrict processing if one of the legal requirements is met.
6. Data portability Article 20 GDPR
You have the right to receive the personal data concerning you that you have provided to us in a structured, common and machine-readable format. You also have the right to transfer this data to another controller without hindrance from us to whom the personal data has been provided, provided that the processing is based on consent pursuant to article 6 I a GDPR or article 9 II a GDPR or on a contract pursuant to article 6 I b GDPR and the processing is carried out with the aid of automated procedures, unless the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.
Furthermore, when exercising your right to data portability pursuant to article 20 I DPA, you have the right to obtain that the personal data be transferred directly from one controller to another controller where technically feasible and provided that this does not adversely affect the rights and freedoms of other individuals. The right to data portability has also been included in article 28 of the DPA.
For this purpose, data can be made available in .CSV or .JSON format.
7. Objection Article 21 GDPR
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Art. 6 I e or f GDPR.
This also applies to profiling based on these provisions within the meaning of Art. 4 No. 4 GDPR.
If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is for the establishment, exercise or defense of legal claims.
In individual cases, we process personal data in order to conduct direct advertising. You may object to the processing of personal data for the purpose of such advertising at any time. This also applies to profiling, insofar as it is associated with such direct advertising. If you object to the processing for direct marketing purposes, we will no longer process the personal data for these purposes.
You also have the right to object, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out by us for scientific or historical research purposes or for statistical purposes pursuant to article 89 I GDPR, unless such processing is necessary for the performance of a task carried out in the public interest.
You are free to exercise your right to object in relation to the use of information society services by automated means using technical specifications, notwithstanding Directive 2002/58/EC.
8. Revocation of consent under data protection law
You have the right to revoke your consent to the processing of personal data in accordance with article 7 para. III GDPR at any time with effect for the future.
9. Complaint to a supervisory authority
You have the right to lodge a complaint about our processing of personal data with a supervisory authority responsible for data protection in accordance with article 77 of the GDPR. In Switzerland, our supervisory authority is the Federal Data Protection and Information Commissioner (FDPIC):
Federal Commissioner for Data Protection and Freedom of Information
CH – 3003 Bern
Telephone: +41 (0)58 462 43 95 (Mon. to Fri., 10.00 to 12.00)
Fax: +41 (0)58 465 99 96
For data subjects from the EU area, our lead supervisory authority is:
Bavarian State Office for Data Protection Supervision (BayLDA)
Phone: +49 (0) 981 180093-0
We can adapt and supplement this data protection declaration at any time. We will inform you about such adjustments and additions in an appropriate form, in particular by publishing the respective current data protection declaration on our website.
In December 2021, Yokoy launched the Yokoy corporate Visa Card. This allows card expenses to be processed as easily as expense receipts in Yokoy. In order to provide this service we rely on various partners.
With this appendix, we want to make the data flows transparent. Yokoy has concluded a data processing agreement with all partners in accordance with Art. 28 GDPR.
Modulr provides Yokoy customers with the account that is linked to the card. Modulr is an e-money institution regulated by the Central Bank of Ireland.
Processed data: Name, surname, account information, transaction data, information related to the KYB process.
Purpose of processing: to provide the Modulr account.
Contact address: 77 Sir John Rogerson’s Quay, Dublin 2, D02 NP08, Ireland.
Further information can be found at www.modulrfinance.com or in our Terms and Conditions on our website www.yokoy.io.
2. Transact Payments Malta Ltd. BIN Sponsor
Transact Payments Malta Ltd. is our card issuer and BIN sponsor. They provide us with the Visa license.
Processed data: Name, surname, birthday, address, e-mail address, telephone number, transaction and payment data.
Purpose of processing: issuing the card, licensor for Visa.
Contact address: Transact Payments Malta Ltd., Vault 13-15, Valletta Waterfront, Pinto Wharf, Valletta, Malta, FRN 1913.
Further information can be found at www.transactpaymentsltd.com or in our Terms and Conditions on our website www.yokoy.io.
3. Marqeta, Inc. Processor
Marqeta is our Processor. Marqeta guarantees the correct flow of card transactions.
Processed Data: Cardholder Data, i.e., the primary account number (“PAN”) identifying the particular cardholder account, the cardholder’s name, expiration dates and/or service code (a three or four digit value in the magnetic stripe following the payment card expiration date in the card data), and sensitive authentication data such as card validation codes/values, full card data (from the magnetic stripe or an equivalent chip), personal identification number (“PIN”) and PIN locks.
Transaction data, i.e., data related to the electronic payment card transaction.
Account Data, which consists of Cardholder Data and/or Sensitive Authentication Data and may include a unique representation of data such as name and address (if we provide this information to a card manufacturer) or cell phone number and/or email (if we send SMS or email for 3DS or tokenization).
Processing purpose: To enable card transactions.
Contact Address: Marqeta, Inc. 180 Grand Avenue, 6th Floor, Oakland, CA 94612.
Additional information can be found at www.marqeta.com or in our Terms and Conditions on our website at www.yokoy.io.
4. TagNitecrest: Physical Card Manufacturer
TagNitecrest manufactures the physical cards for Yokoy.
Processed data: First name, last name, card expiration date, CVV, account number, address.
Purpose of processing: physical card production.
Contact address: 32b Marathon Pl, Moss Side Industrial Estate, Leyland PR26 7QN, United Kingdom.
Further information can be found at www.tagnitecrest.com or in our terms and conditions on our website www.yokoy.io.
5. DHL: Physical distribution of the cards
For the physical distribution of the cards, we use the services of DHL Express Austria.
Processed data: Address of the corporate customer.
Purpose of processing: physical shipment of the cards to the customer.
Contact address: DHL EXPRESS (Austria) GmbH, Am Euro Platz 2, Euro Plaza 4 / Stiege 5 / 7th floor, 1120 Vienna.
Further information can be found at https://www.dhl.com/at-de/home.html or in our general terms and conditions on our website www.yokoy.io.