Privacy Policy
Last updated: 2026-03-05
2.1 Introduction and Scope
yukolab ("we," "us," "our") is committed to protecting the privacy and personal data of all individuals who interact with the UGC Travel SaaS Platform ("Platform"). This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and your rights in relation to it.
This Policy applies to:
- Registered users and subscribers of the Platform;
- Visitors to yukolab.com;
- Individuals whose email addresses are displayed to Platform users (establishment contacts).
Data Controller. yukolab, che fourcade 97430, Le Tampon, privacy@yukolab.com, is the data controller for personal data processed through the Platform, within the meaning of the EU General Data Protection Regulation (GDPR), Regulation (EU) 2016/679.
2.2 Data We Collect
2.2.1 Data You Provide Directly
| Category | Examples | Purpose |
|---|---|---|
| Account data | Name, email address, company name | Account creation and authentication (via Clerk) |
| Payment data | Billing address, last 4 digits of card (tokenized) | Subscription management (processed by Stripe; we never store raw card data) |
| Profile data | Professional role, social media handles, portfolio links | Service personalization |
| Communications | Support messages, feedback submissions | Customer support |
| Email content | Templates and messages composed on the Platform | Delivering the email prospection service |
2.2.2 Data Collected Automatically
| Category | Examples | Purpose |
|---|---|---|
| Usage data | Pages visited, features used, clicks, session duration | Service improvement and analytics |
| Device/technical data | IP address, browser type, OS, screen resolution | Security, fraud prevention, compatibility |
| Log data | Server logs, error reports, timestamps | Debugging and security monitoring |
| Cookie data | Session identifiers, preference cookies, analytics identifiers | See Cookie Policy |
2.2.3 Data from Third Parties
| Source | Data type | Purpose |
|---|---|---|
| Clerk | OAuth tokens, SSO data | Authentication |
| Bright Data | Publicly available business data (establishment names, addresses, phone numbers) | Core search feature |
| Hunter.io | Publicly inferred business email addresses | Email enrichment feature |
| Google Gmail API | Email address, profile name, profile picture, Gmail signature, email metadata, email thread content (for outreach emails only) | Gmail integration: send outreach emails, detect replies, fetch signature, identify connected account |
| Stripe | Payment status, subscription events | Billing management |
We do not knowingly collect personal data from individuals under 18 years of age.
2.3 How and Why We Use Your Data (Legal Bases)
| Purpose | Data used | Legal basis (GDPR Art. 6) |
|---|---|---|
| Account creation and authentication | Account data | Contract (Art. 6(1)(b)) |
| Delivering the Platform's features | Usage data, email content, search queries | Contract (Art. 6(1)(b)) |
| Processing payments | Payment data | Contract (Art. 6(1)(b)) |
| Customer support | Communications data | Contract / Legitimate interest (Art. 6(1)(f)) |
| Security and fraud prevention | Technical data, log data | Legitimate interest (Art. 6(1)(f)) |
| Platform improvement and analytics | Usage data, technical data | Legitimate interest (Art. 6(1)(f)) |
| Sending service communications (transactional) | Email address | Contract (Art. 6(1)(b)) |
| Sending marketing communications | Email address | Consent (Art. 6(1)(a)) |
| Legal compliance | All relevant data | Legal obligation (Art. 6(1)(c)) |
2.4 Establishment Contact Data
The Platform displays publicly available contact information about hospitality establishments (names, addresses, phone numbers, business email addresses) retrieved from third-party data providers.
This data is processed as business contact information. Where individual employees' email addresses are retrieved, we rely on the legitimate interest of professional B2B prospection (GDPR Recital 47 and applicable national guidance on B2B marketing), provided:
- The data was made publicly available by the individual or their employer;
- The prospection is relevant to the individual's professional role;
- The individual is provided with a clear opt-out mechanism in every communication.
Users of the Platform are independently responsible for ensuring that their use of establishment contact data complies with applicable data protection and anti-spam laws in the recipient's jurisdiction.
2.5 Data Sharing and Disclosure
We do not sell your personal data to third parties.
We share personal data only in the following circumstances:
- Service providers (data processors): Third-party providers acting on our documented instructions, including Clerk (authentication), Stripe (payments), Inngest (background job processing), Bright Data (data sourcing), Hunter.io (email enrichment), and hosting providers. All processors are bound by data processing agreements.
- Legal requirements: Where required by law, court order, or regulatory authority; or where necessary to protect the rights, property, or safety of the Company, its users, or the public.
- Business transfers: In connection with a merger, acquisition, financing, or sale of all or a portion of the Company's assets, provided the acquiring party commits to uphold the protections in this Policy.
- With your consent: For any other purpose with your explicit prior consent.
2.6 International Data Transfers
Some of our service providers (including Stripe, Clerk, Bright Data, and Hunter.io) operate outside the European Economic Area (EEA). Where personal data is transferred to countries not recognized by the European Commission as providing an adequate level of protection, we implement appropriate safeguards in accordance with GDPR Chapter V, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission; and/or
- Binding Corporate Rules (BCRs) where applicable.
You may request a copy of the relevant transfer safeguards by contacting us at privacy@yukolab.com.
2.7 Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law.
| Data type | Retention period |
|---|---|
| Account data | Duration of account + 3 years after closure |
| Payment records | 10 years (French tax/accounting law) |
| Email campaign logs | 3 years |
| Support communications | 3 years |
| Server logs and security logs | 12 months |
| Analytics data (aggregated) | 25 months (CNIL recommendation) |
When a retention period expires, data is securely deleted or anonymized.
2.8 Security
We implement technical and organizational measures appropriate to the risk, including:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256);
- Access controls and role-based permissions;
- Regular security reviews and penetration testing;
- Incident response procedures aligned with GDPR 72-hour notification requirements.
No transmission over the internet is 100% secure. While we use industry-standard safeguards, we cannot guarantee absolute security.
2.9 Your Rights
Depending on your location, you have the following rights regarding your personal data:
| Right | Description |
|---|---|
| Access (Art. 15 GDPR) | Request a copy of the personal data we hold about you |
| Rectification (Art. 16 GDPR) | Request correction of inaccurate or incomplete data |
| Erasure (Art. 17 GDPR) | Request deletion of your personal data ("right to be forgotten") |
| Restriction (Art. 18 GDPR) | Request that we restrict processing in certain circumstances |
| Portability (Art. 20 GDPR) | Receive your data in a structured, machine-readable format |
| Objection (Art. 21 GDPR) | Object to processing based on legitimate interest, including direct marketing |
| Withdraw consent (Art. 7(3) GDPR) | Withdraw consent at any time where processing is consent-based |
| Lodge a complaint | File a complaint with a supervisory authority (France: CNIL, www.cnil.fr) |
CCPA rights (California residents). California residents have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information is collected, the right to delete, the right to opt out of sale (we do not sell data), and the right to non-discrimination. To exercise these rights, contact us at privacy@yukolab.com.
To exercise your rights, submit a request to privacy@yukolab.com. We will respond within thirty (30) days (extendable by sixty (60) additional days with notice for complex requests). We may need to verify your identity before processing your request.
2.10 Data Protection Officer
If you have questions about our data protection practices or wish to contact our data protection officer, please reach us at privacy@yukolab.com.
2.11 Changes to this Policy
We may update this Policy from time to time. We will notify you of material changes at least thirty (30) days in advance by email or in-app notification. The "Last updated" date at the top of this Policy reflects the most recent revision.
2.12 Contact
For all privacy-related inquiries: privacy@yukolab.com — yukolab, che fourcade 97430, Le Tampon.
2.13 Google Gmail Integration & Limited Use Disclosure
2.13.1 What Gmail Data We Access
When you connect your Gmail account, our application requests access to the following Google API scopes:
| Scope | What it does | Data accessed |
|---|---|---|
| gmail.send | Send outreach emails to travel establishments on your behalf | Compose and send emails from your Gmail address |
| gmail.readonly | Detect when establishments reply to your outreach emails and display conversation threads | Email threads and metadata (sender, recipient, subject, thread IDs) related to emails sent through our Platform |
| userinfo.email | Identify your connected Google account | Your email address |
| userinfo.profile | Display your name and profile picture in the dashboard | Your name and profile picture |
2.13.2 How We Use Gmail Data
We use your Gmail data exclusively to:
- Send outreach emails to travel establishments on your behalf, from your Gmail address
- Detect replies from establishments to automatically cancel scheduled follow-up emails
- Include your Gmail signature in outreach emails for authenticity
- Display your connected account information (email, name, avatar) in the dashboard
2.13.3 How We Store Gmail Data
- OAuth tokens: Encrypted (AES-256) and stored in our database to maintain your Gmail connection
- Sent emails: Subject, recipient, and status of emails sent through our Platform are stored for your records
- Reply detection: We store only whether a reply was received (boolean status) and the thread ID — we do not store the content of replies
- Signature: Cached locally for display in email previews; refreshed on each session
- We do NOT store: The full content of your Gmail inbox, drafts, contacts, or any emails not related to our Platform
2.13.4 What We Do NOT Do With Gmail Data
- We do not sell your Gmail data to any third party
- We do not use your Gmail data for advertising, retargeting, or personalized ads
- We do not share your Gmail data with data brokers or information resellers
- We do not use your Gmail data to determine creditworthiness or for lending purposes
- We do not use your Gmail data for AI/ML model training unrelated to providing our service
- We do not allow any human to read your Gmail data unless required for security purposes, to comply with applicable law, or with your explicit consent
2.13.5 Limited Use Disclosure
Our use of information received from Gmail APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
2.13.6 Disconnecting Gmail & Revoking Access
You can disconnect your Gmail account at any time:
- From the Platform: Navigate to your dashboard settings and click "Disconnect Gmail." This immediately stops all Gmail access and deletes stored OAuth tokens.
- From Google: Visit Google Account Permissions and remove our application's access. This revokes all granted permissions.
Upon disconnection, we stop accessing your Gmail data. Stored OAuth tokens are deleted. Historical records of emails sent through the Platform are retained per our standard data retention policy (section 2.7).