Privacy Policy

Version 2.1 | Last updated: 03 June 2026
 

1. About This Privacy Policy

This Privacy Policy explains how Yabie AB and its group companies (“Yabie”, “we”, “us”, “our”) collect, use, share, and protect personal data. It applies when you:

  • Use the Yabie platform or related services as a merchant or merchant representative;
  • Visit our website (yabie.com) or interact with our marketing communications;
  • Apply for a job with us or interact with us as a job applicant or employee;
  • Contact us for support or other enquiries.

This policy is issued under the EU General Data Protection Regulation (GDPR) and, where applicable, the UK GDPR. Yabie is not required to appoint a Data Protection Officer (DPO) but has designated a Head of GRC to oversee privacy compliance.

 

2. Who Is Responsible for Your Personal Data

Field Details
Company Yabie AB
Reg. No. 559083-2092
Registered in Sweden
Privacy Contact privacy@yabie.com
DSAR Requests dsar@yabie.com
Supervisory Authority Integritetsskyddsmyndigheten (IMY) · imy.se
UK Supervisory Authority Information Commissioner’s Office (ICO) · ico.org.uk

 

3. When We Act as a Data Processor

When merchants use the Yabie platform to process personal data relating to their end-customers (such as loyalty programme members or point-of-sale data), Yabie acts as a data processor on behalf of the merchant (who is the data controller). In this capacity:

  • Processing is governed by the Yabie Data Processing Agreement (DPA), which forms part of the merchant’s service agreement.
  • Merchants are responsible for their own legal bases and transparency obligations towards their end-customers.
  • Yabie’s obligations as processor are set out in the DPA, including security, sub-processor management, and breach notification.
  • Transactional communications sent by Yabie on behalf of merchants (such as receipts or loyalty notifications) are processed under the merchant’s instruction and legal basis.

 

4. When We Act as a Data Controller

Yabie acts as a data controller for personal data it processes for its own purposes, including:

  • Managing accounts and contractual relationships with merchants and merchant representatives;
  • Providing customer support and handling enquiries;
  • Sending product updates, service notifications, and operational communications;
  • Conducting product usage analytics to improve the Yabie platform;
  • Marketing Yabie’s products and services to business contacts;
  • Managing our website and improving user experience;
  • Recruitment and HR administration;
  • Complying with legal obligations, including tax and accounting requirements.

 

5. Categories of Personal Data We Process

 
5.1 Merchant Representatives

Name, job title, business email address, phone number, employer/company details, account credentials, communication history, and contractual information.

 
5.2 End-Customer Data (Processor Role)

Personal data relating to merchants’ end-customers that Yabie processes as a processor. The categories depend on the merchant’s use of the platform and may include names, contact details, transaction history, and loyalty programme data. See the DPA for details.

 
5.3 Product Usage and Analytics Data

Usage logs, feature interaction data, session information, IP addresses, device identifiers, and performance metrics relating to merchant representatives’ use of the Yabie platform. This data is processed to improve the product and is governed by this Privacy Policy (controller role).

 
5.4 Website Users

IP addresses, browser type and version, pages visited, referral source, session duration, and cookie identifiers. See our Cookie Policy for details.

 
5.5 Job Applicants and Employees

Name, contact details, CV/résumé, employment history, qualifications, references, right-to-work documentation, and, for employees, payroll and HR data.

 

6. Legal Bases for Processing

 
6.1 Contract (Art. 6(1)(b) GDPR)

Processing necessary for the performance of a contract with you (or to take steps at your request prior to entering into a contract), including account management, service delivery, and support.

 
6.2 Legal Obligation (Art. 6(1)(c) GDPR)

Processing required to comply with applicable laws, including tax and accounting obligations, fraud prevention, and responding to lawful requests from authorities.

 
6.3 Legitimate Interests (Art. 6(1)(f) GDPR)

Processing based on Yabie’s legitimate interests, where those interests are not overridden by your rights. This includes:

  • Product analytics and platform improvement;
  • Security monitoring and fraud prevention;
  • Direct marketing to existing business contacts and prospects (B2B);
  • Internal record-keeping and business operations;
  • Defending and pursuing legal claims.

 
6.4 Consent (Art. 6(1)(a) GDPR)

Where we rely on consent — for example, for non-essential cookies or certain marketing communications — you may withdraw consent at any time without affecting the lawfulness of prior processing.

 

7. How We Use Personal Data

  • To create and manage merchant accounts and provide platform access;
  • To deliver, maintain, and improve the Yabie platform and services;
  • To communicate with you about your account, service updates, and support requests;
  • To send marketing communications about Yabie products and services (you may opt out at any time);
  • To analyse product usage and conduct research to develop new features;
  • To comply with legal and regulatory obligations;
  • To detect, investigate, and prevent fraud, security incidents, and other unlawful activity;
  • To manage recruitment and employment processes.

Yabie does not sell personal data to third parties.

 

8. Sharing of Personal Data

We may share personal data with:

  • Sub-processors: Third-party service providers who process data on our behalf, listed at yabie.com/legal/sub-processors. All sub-processors are bound by data processing agreements.
  • Group companies: Yabie AB affiliates, where necessary for operational purposes.
  • Merchants: Where end-customer data is processed on behalf of a merchant, relevant data may be made available to that merchant as data controller.
  • Professional advisers: Legal, financial, or other advisers bound by confidentiality obligations.
  • Regulatory and law enforcement authorities: Where required by law or to protect Yabie’s legal rights.
  • Prospective buyers: In the context of a merger, acquisition, or sale of assets, subject to appropriate confidentiality protections.
  • Analytics providers: Such as Google LLC, where Yabie acts as controller for product usage data (see Section 9).

We do not sell personal data. Where legally compelled to disclose data (e.g. by court order or regulatory demand), we will, where permitted, notify the relevant data subject.

 

9. International Transfers

Yabie is headquartered in Sweden and primarily processes data within the European Economic Area (EEA). Some of our sub-processors and service providers — including Google LLC and HubSpot Inc. (USA) — may process personal data outside the EEA. Where such transfers occur, we rely on EU Standard Contractual Clauses (Module 2: Controller to Processor) pursuant to Commission Decision 2021/914, supplemented by the UK ICO International Data Transfer Addendum where applicable. A full list of sub-processors and their transfer mechanisms is available at yabie.com/legal/sub-processors.

 

10. Data Retention

Data Category Retention Period Legal Basis / Notes
Accounting Records 7 years Swedish Bookkeeping Act (Bokföringslagen)
Merchant Account Data Duration of contract + 2 years Contract performance; legitimate interests (dispute resolution)
Product Usage & Analytics Up to 26 months Legitimate interests (product improvement)
Recruitment Data (unsuccessful applicants) Up to 2 years Legitimate interests (future roles); unless candidate objects
Marketing / B2B Contact Data Until opt-out or 12 months of inactivity Legitimate interests (B2B marketing)
Website and Usage Data Per Cookie Policy See yabie.com/legal/cookies
Support Records Duration of contract + 2 years Contract performance; legitimate interests

 

11. Security

Yabie implements appropriate technical and organisational measures (TOMs) to protect personal data against unauthorised access, loss, destruction, or alteration. These measures include encryption at rest and in transit, access controls, regular security assessments, and staff training. In the event of a personal data breach that is likely to result in a risk to individuals’ rights and freedoms, Yabie will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, and affected individuals where required.

 

12. Your Rights

Right What It Means for You
Access (Art. 15) Request a copy of the personal data we hold about you and information about how we use it.
Rectification (Art. 16) Ask us to correct inaccurate or incomplete personal data.
Erasure (Art. 17) Request deletion of your personal data where we no longer have a lawful basis to hold it.
Restriction (Art. 18) Ask us to restrict processing of your data in certain circumstances (e.g. while accuracy is disputed).
Data Portability (Art. 20) Receive your personal data in a structured, commonly used, machine-readable format where processing is based on consent or contract.
Object (Art. 21) Object to processing based on legitimate interests or for direct marketing purposes.
Withdraw Consent (Art. 7(3)) Withdraw consent at any time where processing is based on consent, without affecting prior processing.
Complaint (Art. 77) Lodge a complaint with a supervisory authority — IMY (Sweden) or ICO (UK).

To exercise your rights, contact us at dsar@yabie.com. We will respond within one month. If you are a merchant’s end-customer and wish to exercise your rights in relation to data processed by Yabie on behalf of that merchant, please contact the merchant directly as they are the data controller for that processing.

 

13. Automated Decision-Making

Yabie does not use automated decision-making, including profiling, that produces legal or similarly significant effects on individuals.

 

14. Cookies and Tracking Technologies

We use cookies and similar tracking technologies on our website. For full details of the cookies we use, your consent choices, and how to manage your preferences, please see our Cookie Policy.

 

15. Children’s Data

The Yabie platform and website are directed at business users and are not intended for use by children under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us at privacy@yabie.com and we will delete it promptly.

 

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or business operations. We will publish the updated policy on this page and update the “Last updated” date. Where changes are material, we will notify merchant representatives by email or platform notification. Continued use of our services after the effective date of any update constitutes acceptance of the revised policy.

 

17. Contact Us

Enquiry type Contact
Data Controller Yabie AB, 559083-2092, Sweden
General Privacy Enquiries privacy@yabie.com
Data Subject Requests (DSAR) dsar@yabie.com
Sub-processor List yabie.com/legal/sub-processors
Supervisory Authority (SE) Integritetsskyddsmyndigheten (IMY) · imy.se
Supervisory Authority (UK) Information Commissioner’s Office (ICO) · ico.org.uk