Youtab
← Back

Privacy Policy

Data Controller: Youtab B.V., registered in the Netherlands (Chamber of Commerce / Kamer van Koophandel No. [pending KvK registration]).
Registered address: Amsterdam, the Netherlands.
Effective date: 13 July 2026.
Last updated: 13 July 2026.

Youtab B.V. ("Youtab", "we", "us", "our") operates youtab.io and the Youtab AI service (the "Service"), which is powered by our proprietary Youtab AI C-OS (Cognitive Operating System). This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and the rights you have over it.

This Policy is written to comply with the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the Dutch Uitvoeringswet Algemene verordening gegevensbescherming (UAVG), the California Consumer Privacy Act as amended by the CPRA ("CCPA"), and the disclosure requirements of the Apple App Store and Google Play policies.

In plain language: we collect the minimum data needed to run the Service, we never sell it, we store it inside the European Economic Area whenever possible, and we give you real, working controls to see, export, and delete everything we hold about you.

1. Who we are & how to contact us

The data controller for personal data processed through the Service is Youtab B.V., a private limited company registered in the Netherlands under Chamber of Commerce number [pending KvK registration], with its registered office in Amsterdam, the Netherlands.

For privacy-related requests, contact:

Under Article 37 GDPR, appointment of a Data Protection Officer is not mandatory for our current scale of processing. We have nonetheless designated a single privacy contact who owns all data-subject requests.

2. Data we collect

We collect the following categories of personal data:

Category Examples Source
Account identifiers Email address, hashed password, display name, unique user ID. You, during registration.
Google sign-in data Email, verified-email status, given name, family name, Google subject identifier (sub). No password. Google OAuth 2.0 / OpenID Connect, when you choose "Continue with Google". See §6.
Authentication metadata Multi-factor authentication (MFA) enrollment state, WebAuthn passkeys (public key only), refresh-token hashes, IP address of login attempts, User-Agent snapshot at login. Generated during use of the Service.
Usage & interaction data Chat prompts and AI responses, uploaded files, feedback ratings, preferred language, workspace mode. You, when you interact with the Service.
Device & technical data Browser type, OS, screen size (for responsive rendering), IP address, request timestamps, error traces. Automatically, via HTTP headers and client telemetry.
Billing data (if applicable) Plan tier, billing status, subscription start/end dates. Payment card data is never stored by Youtab — it is handled by our payment processor ([payment processor to be selected before paid tier launch]). You and the payment processor.
Audit & security logs Login events, permission changes, admin actions, kill-switch events, email delivery attempts. Generated by the Service for security and compliance.

We do not intentionally collect special categories of personal data under Article 9 GDPR (racial or ethnic origin, political opinions, religious beliefs, trade-union membership, genetic data, biometric data, health data, sex life or sexual orientation). If such data appears in content you submit to the Service (for example, in a chat prompt), you provide it voluntarily and we process it only to respond to your request.

We rely on the following legal bases:

4. Purposes of processing

5. Third parties & processors

We use a small set of trusted sub-processors to run the Service. All are bound by written data-processing agreements (GDPR Art. 28) and, where they operate outside the EEA, by Standard Contractual Clauses (2021/914/EU).

Sub-processor Purpose Location
Hetzner Online GmbH Hosting of the application backend and PostgreSQL database. Germany (EEA).
Cloudflare, Inc. CDN, DDoS protection, TLS termination, DNS. United States (with EU edge nodes; SCCs in place).
Google LLC OAuth 2.0 sign-in (only if you choose "Continue with Google"). See §6. United States (SCCs and EU-US Data Privacy Framework in place).
Youtab AI C-OS (proprietary) Processing of prompts you send. The Youtab AI C-OS (Cognitive Operating System) is operated by Youtab B.V. on infrastructure listed above (Hetzner, Germany). Prompts are transmitted over TLS. If we introduce any external model provider in the future, we will update this policy and notify affected users before routing prompts to that provider. Germany (EEA).
Email delivery Transactional emails (verification, password reset, security alerts), sent from [email protected] via own SMTP hosted on the same Hetzner infrastructure. Germany (EEA).
Payment processor (future) Card-payment processing. Youtab does not store card numbers. No payment processor is engaged at the effective date of this policy. This row will be updated with the processor's name and location before we activate any paid tier. To be disclosed before paid tier launch.

We do not sell personal data. We do not share personal data with advertising networks or data brokers. We share data with authorities only when required by a valid legal order.

6. Google OAuth & Google user data

If you choose to sign in with Google, we receive from Google only the following claims from your ID token (OpenID Connect): sub (Google user identifier), email, email_verified, given_name, and family_name. We do not receive your Google password.

We use this information exclusively to:

We refuse to complete the sign-in flow if email_verified is false. Google user data is not shared with third parties beyond the sub-processors listed in §5, and is deleted along with the rest of your account when you delete your account (see §8).

Our use of Google user data complies with the Google API Services User Data Policy, including the Limited Use requirements.

7. International data transfers

We keep personal data inside the European Economic Area (EEA) whenever possible. Where a sub-processor is located outside the EEA (for example, Cloudflare or a US-based AI provider), transfers are protected by:

8. Data retention

We keep personal data only as long as needed for the purposes in §4 or to comply with legal obligations:

9. Your rights under the GDPR

If you are in the EEA, you have the following rights:

To exercise any of these rights, contact us at [email protected]. We respond within 30 days as required by Article 12(3). We may ask you to verify your identity before acting on the request.

10. Rights of California residents (CCPA/CPRA)

If you are a resident of California, you have additional rights under the California Consumer Privacy Act as amended by the CPRA:

To exercise these rights, email [email protected] with the subject "CCPA Request".

11. Security

We apply industry-standard technical and organisational measures:

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the Autoriteit Persoonsgegevens within 72 hours as required by Article 33 GDPR, and affected users without undue delay under Article 34.

12. Cookies & local storage

We use a minimal set of cookies and browser storage:

Name Purpose Category Retention
yt_session Keeps you signed in. Strictly necessary Session, or up to 30 days if "remember me" is on.
yt_oauth_session Binds a Google OAuth flow to the browser tab that started it. Strictly necessary 15 minutes.
yt_csrf Anti-CSRF token for authenticated actions. Strictly necessary Session.
Local preferences (localStorage) UI language, theme, workspace mode. Functional Until you clear browser storage.

Strictly necessary cookies do not require consent under Article 5(3) of the ePrivacy Directive. We do not use advertising, tracking, or profiling cookies.

13. Children

The Service is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected data from a child under 16, please contact us and we will delete it.

14. AI outputs & training data

Youtab AI produces responses using third-party and self-hosted large language models. AI responses can be inaccurate, incomplete, or unsuitable for your purpose. Do not rely on AI output for medical, legal, financial, or other professional advice.

By default, we do not use your prompts or the Service's responses to train foundation models. If we later offer an opt-in programme to use prompts for model improvement, participation will be strictly opt-in with a clear disclosure, and you may withdraw at any time. Some third-party model providers may retain prompts under their own terms — see the provider's policy for details.

15. Changes to this Policy

We may update this Policy from time to time to reflect changes in the Service, in our processing, or in the law. Material changes will be announced by email (to the address on file) and by a notice on the Service at least 30 days before they take effect. The "Last updated" date at the top of this page always reflects the most recent revision. Historical versions are archived and available on request.

16. Complaints & supervisory authority

If you have a concern about how we handle your personal data, please contact us first at [email protected]. You also have the right to lodge a complaint with a supervisory authority.

The competent authority for Youtab BV is:

Autoriteit Persoonsgegevens (Dutch Data Protection Authority)
Postbus 93374, 2509 AJ Den Haag, the Netherlands
autoriteitpersoonsgegevens.nl

Residents of other EEA countries may lodge a complaint with their local supervisory authority.