GDPR by design

Yey was built from day one to comply with the EU General Data Protection Regulation. Here's what that means in practice.

GDPR Principles (Article 5)

Lawfulness, fairness, transparency
Purpose limitation
Data minimisation
Accuracy
Storage limitation
Integrity and confidentiality
Accountability

How Yey Implements GDPR

Legal basis for processing

We process data under three legal bases: (a) contract — to deliver the service you pay for; (b) legitimate interest — to improve the platform through usage analytics; (c) consent — for marketing emails, which you can withdraw at any time.

EU-only data storage

All personal data is stored in Frankfurt, Germany. We do not transfer data outside the European Economic Area. Our sub-processors (Neon, Resend, Vercel) are all bound by Data Processing Agreements and store EU customer data within the EEA.

Data minimisation

We collect only what's needed to provide the service. Worker profiles contain: name, nationality, date of birth, contact information, and work documents. We do not collect biometric data. GPS coordinates for check-in are optional and require explicit configuration by the account administrator.

Data Processing Agreement

As a processor acting on behalf of your organization (the controller), we offer a full GDPR Article 28-compliant DPA. Read our standard DPA here. Enterprise customers can request a custom DPA.

Breach notification

In the event of a personal data breach, we will notify affected Controllers within 48 hours. We will notify the relevant supervisory authority (CNPD in Portugal) within 72 hours as required by Article 33.

Your Rights Under GDPR

Right of Access (Art. 15)

Request a complete export of all personal data we hold about you or your workers.

Right to Rectification (Art. 16)

Correct inaccurate personal data at any time directly in the platform or via email.

Right to Erasure (Art. 17)

Request deletion of any worker's data. Admins can delete worker records directly in the app.

Right to Restriction (Art. 18)

Ask us to stop processing specific data while a dispute is resolved.

Right to Data Portability (Art. 20)

Export your full dataset in machine-readable format (JSON/CSV) at any time.

Right to Object (Art. 21)

Object to processing based on legitimate interest. We will stop unless we have compelling grounds.

Privacy contact

For any GDPR-related requests — data subject rights, DPA inquiries, or compliance questions — contact our privacy team. We respond within 30 days.

privacy@yeydigital.eu

Supervisory authority: CNPD — Comissão Nacional de Proteção de Dados (Portugal)