← Back
Privacy Policy
Youtab B.V. ("Youtab", "we", "us", "our") operates youtab.io and the Youtab AI service (the "Service"), which is powered by our proprietary Youtab AI C-OS (Cognitive Operating System). This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and the rights you have over it.
This Policy is written to comply with the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the Dutch Uitvoeringswet Algemene verordening gegevensbescherming (UAVG), the California Consumer Privacy Act as amended by the CPRA ("CCPA"), and the disclosure requirements of the Apple App Store and Google Play policies.
1. Who we are & how to contact us
The data controller for personal data processed through the Service is Youtab B.V., a private limited company registered in the Netherlands under Chamber of Commerce number [pending KvK registration], with its registered office in Amsterdam, the Netherlands.
For privacy-related requests, contact:
- Privacy contact: [email protected] (we respond within 30 days as required by GDPR Article 12(3)).
- Postal address: Youtab B.V., Amsterdam, the Netherlands.
Under Article 37 GDPR, appointment of a Data Protection Officer is not mandatory for our current scale of processing. We have nonetheless designated a single privacy contact who owns all data-subject requests.
2. Data we collect
We collect the following categories of personal data:
| Category | Examples | Source |
|---|---|---|
| Account identifiers | Email address, hashed password, display name, unique user ID. | You, during registration. |
| Google sign-in data | Email, verified-email status, given name, family name, Google
subject identifier (sub). No password. |
Google OAuth 2.0 / OpenID Connect, when you choose "Continue with Google". See §6. |
| Authentication metadata | Multi-factor authentication (MFA) enrollment state, WebAuthn passkeys (public key only), refresh-token hashes, IP address of login attempts, User-Agent snapshot at login. | Generated during use of the Service. |
| Usage & interaction data | Chat prompts and AI responses, uploaded files, feedback ratings, preferred language, workspace mode. | You, when you interact with the Service. |
| Device & technical data | Browser type, OS, screen size (for responsive rendering), IP address, request timestamps, error traces. | Automatically, via HTTP headers and client telemetry. |
| Billing data (if applicable) | Plan tier, billing status, subscription start/end dates. Payment card data is never stored by Youtab — it is handled by our payment processor ([payment processor to be selected before paid tier launch]). | You and the payment processor. |
| Audit & security logs | Login events, permission changes, admin actions, kill-switch events, email delivery attempts. | Generated by the Service for security and compliance. |
We do not intentionally collect special categories of personal data under Article 9 GDPR (racial or ethnic origin, political opinions, religious beliefs, trade-union membership, genetic data, biometric data, health data, sex life or sexual orientation). If such data appears in content you submit to the Service (for example, in a chat prompt), you provide it voluntarily and we process it only to respond to your request.
3. Legal basis for processing (GDPR Art. 6)
We rely on the following legal bases:
- Article 6(1)(b) — Performance of a contract: to create your account, authenticate you, deliver AI responses to your prompts, and provide the Service you asked for.
- Article 6(1)(c) — Legal obligation: to keep records required by Dutch tax law, to respond to lawful requests from Dutch authorities, and to comply with GDPR record-keeping (Art. 30).
- Article 6(1)(f) — Legitimate interests: to secure the Service against fraud and abuse (login rate-limiting, IP-hash recording, MFA), to run internal analytics on aggregated, non-identifying usage data, and to defend legal claims. We have carried out a legitimate-interests balancing test; you may request a summary via the contact in §1.
- Article 6(1)(a) — Consent: for optional cookies and for optional inclusion of your prompts / responses in AI fine-tuning corpora (see §14). You may withdraw consent at any time without affecting the lawfulness of prior processing.
4. Purposes of processing
- Provide, operate, and maintain the Service.
- Authenticate you and secure your account (MFA, WebAuthn, step-up auth for sensitive actions).
- Route prompts to appropriate AI model providers and return responses.
- Handle billing, invoicing, and subscription management.
- Detect, prevent, and respond to security incidents, fraud, and abuse.
- Comply with legal, tax, accounting, and regulatory obligations.
- Communicate service updates, security notices, and (with your opt-in) product news.
- Improve the Service by analysing aggregated, non-identifying usage metrics.
5. Third parties & processors
We use a small set of trusted sub-processors to run the Service. All are bound by written data-processing agreements (GDPR Art. 28) and, where they operate outside the EEA, by Standard Contractual Clauses (2021/914/EU).
| Sub-processor | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Hosting of the application backend and PostgreSQL database. | Germany (EEA). |
| Cloudflare, Inc. | CDN, DDoS protection, TLS termination, DNS. | United States (with EU edge nodes; SCCs in place). |
| Google LLC | OAuth 2.0 sign-in (only if you choose "Continue with Google"). See §6. | United States (SCCs and EU-US Data Privacy Framework in place). |
| Youtab AI C-OS (proprietary) | Processing of prompts you send. The Youtab AI C-OS (Cognitive Operating System) is operated by Youtab B.V. on infrastructure listed above (Hetzner, Germany). Prompts are transmitted over TLS. If we introduce any external model provider in the future, we will update this policy and notify affected users before routing prompts to that provider. | Germany (EEA). |
| Email delivery | Transactional emails (verification, password reset, security
alerts), sent from [email protected] via own SMTP
hosted on the same Hetzner infrastructure. |
Germany (EEA). |
| Payment processor (future) | Card-payment processing. Youtab does not store card numbers. No payment processor is engaged at the effective date of this policy. This row will be updated with the processor's name and location before we activate any paid tier. | To be disclosed before paid tier launch. |
We do not sell personal data. We do not share personal data with advertising networks or data brokers. We share data with authorities only when required by a valid legal order.
6. Google OAuth & Google user data
If you choose to sign in with Google, we receive from Google only the
following claims from your ID token (OpenID Connect):
sub (Google user identifier), email,
email_verified, given_name, and
family_name. We do not receive your
Google password.
We use this information exclusively to:
- Create your Youtab account (if you are new), or link the Google identity to your existing account (if your Google email matches an existing Youtab account).
- Authenticate you on subsequent logins.
We refuse to complete the sign-in flow if
email_verified is false. Google user data is
not shared with third parties beyond the sub-processors listed in §5,
and is deleted along with the rest of your account when you delete
your account (see §8).
Our use of Google user data complies with the Google API Services User Data Policy, including the Limited Use requirements.
7. International data transfers
We keep personal data inside the European Economic Area (EEA) whenever possible. Where a sub-processor is located outside the EEA (for example, Cloudflare or a US-based AI provider), transfers are protected by:
- the European Commission's Standard Contractual Clauses (Decision 2021/914/EU), and/or
- an adequacy decision (for US recipients that self-certify under the EU-US Data Privacy Framework), and/or
- supplementary technical measures (TLS 1.2+ in transit, at-rest encryption, minimisation of the data actually sent).
8. Data retention
We keep personal data only as long as needed for the purposes in §4 or to comply with legal obligations:
- Account data — for the life of your account. When you delete your account, we erase it within 30 days, except for records we must keep for legal reasons (e.g. Dutch tax law: 7-year retention of invoices).
- Chat prompts and AI responses — stored per your workspace mode. You can delete individual conversations at any time from your account settings.
- Authentication logs — 90 days for successful logins, longer for security-relevant events.
- OAuth flow state — session tokens auto-expire after 15 minutes; single-use handoff codes after 60 seconds.
- Audit logs — retained for the period required by the applicable legal or contractual obligation (typically 1-3 years for security audit purposes).
- Backups — encrypted backups may retain data for up to 30 days after deletion from live systems, after which they are overwritten.
9. Your rights under the GDPR
If you are in the EEA, you have the following rights:
- Right of access (Art. 15): obtain a copy of your personal data.
- Right to rectification (Art. 16): correct inaccurate or incomplete data.
- Right to erasure — "right to be forgotten" (Art. 17): delete your data, subject to legal retention exceptions.
- Right to restriction (Art. 18): temporarily halt processing.
- Right to data portability (Art. 20): receive your data in a structured, commonly-used, machine-readable format.
- Right to object (Art. 21): object to processing based on legitimate interests, including any profiling.
- Right not to be subject to automated decision-making (Art. 22): we do not make decisions with legal or similarly significant effect using solely automated processing.
- Right to withdraw consent (Art. 7(3)): for processing based on consent, withdraw at any time without affecting earlier lawful processing.
To exercise any of these rights, contact us at [email protected]. We respond within 30 days as required by Article 12(3). We may ask you to verify your identity before acting on the request.
10. Rights of California residents (CCPA/CPRA)
If you are a resident of California, you have additional rights under the California Consumer Privacy Act as amended by the CPRA:
- Right to know what personal information we collect, use, disclose, and sell.
- Right to delete personal information we have collected.
- Right to correct inaccurate personal information.
- Right to opt out of sale or sharing (we do not sell or share for cross-context behavioural advertising).
- Right to non-discrimination for exercising your rights.
- Right to limit use of sensitive personal information.
To exercise these rights, email [email protected] with the subject "CCPA Request".
11. Security
We apply industry-standard technical and organisational measures:
- TLS 1.2+ for all data in transit.
- At-rest encryption of the primary PostgreSQL database and backups.
- Password hashing using modern algorithms (bcrypt / argon2 as applicable) with per-password salts.
- Multi-factor authentication (TOTP + WebAuthn passkeys) available to all users; step-up MFA required for owner-tier actions.
- Refresh-token hashing at rest; rotation on use.
- Rate-limiting, IP-based abuse detection, kill-switch middleware for platform-wide read-only mode in emergencies.
- OAuth flow state binding to the specific browser session; PKCE, HMAC-signed state, nonce round-trip, JWKS signature verification against Google.
- Audit logging of authentication and administrative events.
- Regular security review of code changes; automated static analysis (Bandit, ruff).
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the Autoriteit Persoonsgegevens within 72 hours as required by Article 33 GDPR, and affected users without undue delay under Article 34.
12. Cookies & local storage
We use a minimal set of cookies and browser storage:
| Name | Purpose | Category | Retention |
|---|---|---|---|
yt_session |
Keeps you signed in. | Strictly necessary | Session, or up to 30 days if "remember me" is on. |
yt_oauth_session |
Binds a Google OAuth flow to the browser tab that started it. | Strictly necessary | 15 minutes. |
yt_csrf |
Anti-CSRF token for authenticated actions. | Strictly necessary | Session. |
| Local preferences (localStorage) | UI language, theme, workspace mode. | Functional | Until you clear browser storage. |
Strictly necessary cookies do not require consent under Article 5(3) of the ePrivacy Directive. We do not use advertising, tracking, or profiling cookies.
13. Children
The Service is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected data from a child under 16, please contact us and we will delete it.
14. AI outputs & training data
Youtab AI produces responses using third-party and self-hosted large language models. AI responses can be inaccurate, incomplete, or unsuitable for your purpose. Do not rely on AI output for medical, legal, financial, or other professional advice.
By default, we do not use your prompts or the Service's responses to train foundation models. If we later offer an opt-in programme to use prompts for model improvement, participation will be strictly opt-in with a clear disclosure, and you may withdraw at any time. Some third-party model providers may retain prompts under their own terms — see the provider's policy for details.
15. Changes to this Policy
We may update this Policy from time to time to reflect changes in the Service, in our processing, or in the law. Material changes will be announced by email (to the address on file) and by a notice on the Service at least 30 days before they take effect. The "Last updated" date at the top of this page always reflects the most recent revision. Historical versions are archived and available on request.
16. Complaints & supervisory authority
If you have a concern about how we handle your personal data, please contact us first at [email protected]. You also have the right to lodge a complaint with a supervisory authority.
The competent authority for Youtab BV is:
Autoriteit Persoonsgegevens (Dutch Data Protection
Authority)
Postbus 93374, 2509 AJ Den Haag, the Netherlands
autoriteitpersoonsgegevens.nl
Residents of other EEA countries may lodge a complaint with their local supervisory authority.