Privacy Policy

Effective February 13, 2026

Effective Date: February 13, 2026
Last Updated: February 13, 2026

1. Introduction

This Privacy Policy explains how Homo SAS ("we", "us", "our"), a French simplified joint-stock company registered at 145 Rue de Noisy-le-Sec, 93260 Les Lilas, France (RCS Bobigny 934 191 743), collects, uses, stores, and protects your personal data when you use the Y mobile application, web application, and related services (the "Service").

We are the data controller for the purposes of the EU General Data Protection Regulation (GDPR) and applicable French data protection law (Loi Informatique et Libertes).

2. Data We Collect

2.1 Account Data

When you create an account, we collect:

| Data | Source | Required |
|---|---|---|
| Email address | Apple Sign-In, Google Sign-In, or direct input | Yes |
| Display name | You provide or imported from sign-in provider | No |
| Username | You provide | No |
| Profile photo | You upload | No |
| Bio | You provide | No |
| External link | You provide | No |
| Preferred language | You select | No |
| Account creation date | Automatically recorded | Yes |
| Account type | Assigned based on subscription status | Yes |

Alternatively, you may use the Service as a guest without providing personal information. Guest accounts can later be upgraded to full accounts.

2.2 Content You Create

Depending on the features you use, we store:

  • YTodo: Task lists, task items (title, description, due date, priority, completion status)
  • YNote: Note content, creation and modification timestamps
  • YCal: Calendar events (title, description, start/end dates, category, recurrence rules)
  • YBudget: Budgets (name, amount, currency, period, categories) and transactions (amount, description, category, type, date)
  • YSpot: Briefs (captions, videos, thumbnails), guides (titles, captions, tags), spots (names, addresses, location data)
  • YCook: Recipes (titles, descriptions, videos, thumbnails) and AI-generated recipe analysis (summary, ingredients, cooking steps, nutritional estimates)

2.3 Business Data (Spot Owners)

If you register as a business user, we additionally collect:

  • Company name and tax ID
  • Billing email address
  • Stripe customer and subscription identifiers
  • Staff member assignments and permission configurations
  • Spot details (name, address, coordinates, contact information, business hours, menu)
  • Customer order data (items, amounts, order status)

2.4 Location Data

With your permission ("When In Use"), we collect:

  • Geographic coordinates (latitude and longitude)
  • City and country (via reverse geocoding)

Location data is used to show nearby spots and provide location-based features. You can revoke location permission at any time in your device settings.

2.5 Device and Technical Data

We collect:

  • Device platform (iOS)
  • Push notification tokens (FCM and APNS tokens)
  • Firebase authentication tokens

We do not collect device advertising identifiers (IDFA) or use fingerprinting techniques.

2.6 Usage Data

We collect analytics events including:

  • Login method used (Apple, Google, email)
  • Login success/failure events (without passwords)
  • Screen views within the app
  • Content engagement data (which content you viewed, when, and viewing duration)

2.7 Media

When you create content, we process:

  • Photos you select from your photo library (resized to max 1024x1024)
  • Videos you upload for recipes and briefs
  • Images of restaurant menus (for AI-assisted menu generation)

2.8 AI Interaction Data

When you interact with our AI agent:

  • Your queries and the agent's responses
  • A cumulative summary of past queries (approximately 100 tokens)
  • Semantic memory entries derived from your tasks, notes, calendar events, budgets, transactions, recipes, and briefs for context-aware assistance

2.9 Table and Ordering Data

When you use restaurant features (table check-in, menu ordering, service requests), we collect:

  • Table assignment information
  • Service requests you make and their timestamps
  • Order details (items, amounts, order status)

3. How We Use Your Data

| Purpose | Legal Basis (GDPR) | Data Used |
|---|---|---|
| Provide and operate the Service | Performance of contract (Art. 6(1)(b)) | Account data, content, technical data |
| Process business subscriptions and payments | Performance of contract (Art. 6(1)(b)) | Business data, Stripe identifiers |
| Send push notifications (e.g., table ready, order updates) | Performance of contract (Art. 6(1)(b)) | FCM/APNS tokens |
| Show nearby spots and location-based features | Consent (Art. 6(1)(a)) | Location data |
| Analyze and transcribe recipe videos | Performance of contract (Art. 6(1)(b)) | Video content, audio |
| Translate recipes and ingredients | Performance of contract (Art. 6(1)(b)) | Recipe content |
| AI-assisted menu generation from images | Performance of contract (Art. 6(1)(b)) | Menu images |
| Power AI agent with semantic memory | Performance of contract (Art. 6(1)(b)) | User documents, interaction history |
| Improve the Service and fix bugs | Legitimate interest (Art. 6(1)(f)) | Analytics events, crash reports |
| Moderate content and enforce Terms | Legitimate interest (Art. 6(1)(f)) | User Content, reports |
| Comply with legal obligations | Legal obligation (Art. 6(1)(c)) | As required by law |

4. Data Sharing and Third-Party Processors

We share your data with the following categories of third-party processors, all of which are bound by data processing agreements:

4.1 Google / Firebase (Infrastructure)

  • Services used: Firebase Authentication, Cloud Firestore, Cloud Storage, Cloud Functions, Cloud Messaging, Analytics, Crashlytics
  • Data shared: Account data, all stored content, media files, push tokens, analytics events, crash data
  • Purpose: Core infrastructure for the Service
  • Location: EU/EEA data regions (Firebase)
  • Legal framework: EU Standard Contractual Clauses where applicable

4.2 Google Vertex AI / Gemini

  • Data shared: Recipe content for analysis, menu images for extraction
  • Purpose: AI-powered recipe analysis and menu generation
  • Location: EU data regions where available
  • Legal framework: Google Cloud Data Processing Terms

4.3 Stripe

  • Data shared: Billing email, company name, tax ID, payment method (handled directly by Stripe), subscription details
  • Purpose: Business subscription billing and payment processing
  • Location: EU
  • Legal framework: Stripe DPA (EU)
  • Note: We do not store credit card numbers. Payment details are handled entirely by Stripe.

4.4 Groq

  • Data shared: AI agent queries (user prompts)
  • Purpose: Large language model inference for the AI agent feature
  • Legal framework: Groq Data Processing Agreement

4.5 OpenAI

  • Data shared: Text snippets from user documents for embedding generation
  • Purpose: Vector embeddings for semantic memory (used to provide contextual AI assistance)
  • Legal framework: OpenAI Data Processing Agreement
  • Note: Embeddings are mathematical representations, not readable text

4.6 Apple

  • Data shared: Authentication credentials (Apple Sign-In)
  • Purpose: User authentication
  • Legal framework: Apple Developer Agreement

We do not sell your personal data to any third party.

5. International Data Transfers

Your data is primarily processed within the European Union/European Economic Area. Where data is transferred outside the EU/EEA (e.g., to Groq or OpenAI in the United States), we ensure appropriate safeguards are in place, including:

  • EU Standard Contractual Clauses (SCCs)
  • Data processing agreements with each provider
  • Adequacy decisions where applicable

6. Data Retention

| Data Type | Retention Period |
|---|---|
| Account data | Until you delete your account |
| User-created content (todos, notes, calendar, budgets, recipes, briefs, guides) | Until you delete the item or your account |
| Push notification tokens | Until token refresh or account deletion |
| Analytics events | 14 months (Firebase Analytics default) |
| Crash reports | 90 days (Firebase Crashlytics default) |
| Semantic memory entries | Until the source document is deleted or account deletion |
| QR-based tokens (orders, redemptions, check-ins) | 5-10 minutes (auto-deleted via TTL) |
| Restaurant table data (check-ins, service requests) | Auto-deleted after session expiry (variable TTL) |
| Payment processing records | 30 days (idempotency tracking) |
| Business subscription data | Until subscription end + legal retention period |

7. Data Caching

To provide fast, responsive performance, the Service caches your data locally on your device using SwiftData. Cached data includes copies of your todos, notes, calendar events, budgets, and transactions. This cache is stored only on your device and is cleared when you uninstall the app or delete your account.

8. Your Rights Under GDPR

As an EU/EEA resident, you have the following rights:

8.1 Right of Access (Art. 15)

You may request a copy of all personal data we hold about you.

8.2 Right to Rectification (Art. 16)

You may correct inaccurate personal data through the app settings or by contacting us.

8.3 Right to Erasure (Art. 17)

You may delete your account at any time from within the app. This permanently removes all your personal data, content, and media from our systems. You may also request erasure by contacting us.

8.4 Right to Restriction of Processing (Art. 18)

You may request that we restrict processing of your personal data in certain circumstances.

8.5 Right to Data Portability (Art. 20)

You may request your personal data in a structured, commonly used, machine-readable format.

8.6 Right to Object (Art. 21)

You may object to processing based on legitimate interests, including analytics and crash reporting.

8.7 Right to Withdraw Consent (Art. 7(3))

Where processing is based on consent (e.g., location data), you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.

8.8 Right to Lodge a Complaint

You have the right to lodge a complaint with the French data protection authority:

CNIL (Commission Nationale de l'Informatique et des Libertes)
3 Place de Fontenoy, TSA 80715
75334 Paris Cedex 07, France
https://www.cnil.fr

Or with the supervisory authority of your EU/EEA country of residence.

To exercise any of these rights, contact us at contact@ygrec.app. We will respond within one month, as required by GDPR.

9. Children's Privacy

The Service is available to users aged 13 and older. Users between 13 and 16 require parental or guardian consent in accordance with the applicable laws of their country of residence. We do not knowingly collect personal data from children under 13. If we learn that we have collected data from a child under 13, we will delete it promptly.

If you are a parent or guardian and believe your child under 13 has provided us with personal data, please contact us at contact@ygrec.app.

10. Cookies and Tracking Technologies

10.1 Mobile App

The iOS app does not use cookies. We use Firebase Analytics for usage analytics and Firebase Crashlytics for crash reporting. You may opt out of analytics by contacting us.

10.2 Web Application

The web application (https://ygrec.app) may use cookies and similar technologies for:

  • Essential cookies: Authentication session management (Firebase Auth)
  • Functional cookies: Language preferences
  • Third-party cookies: Stripe (payment processing), Firebase (authentication)

You can manage cookie preferences through your browser settings.

11. Security Measures

We implement appropriate technical and organizational measures to protect your personal data, including:

  • Encrypted data transmission (HTTPS/TLS for all communications)
  • Firebase Security Rules controlling data access
  • Role-based access control for business features
  • Token-based authentication for API access
  • Rate limiting to prevent abuse
  • Automatic expiration of security tokens (QR codes, order tokens)
  • Secure deletion of all user data upon account deletion

No system is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

12. Automated Decision-Making

The Service does not make automated decisions that produce legal effects or similarly significantly affect you within the meaning of GDPR Article 22.

The following automated processes may affect your experience:

  • Content moderation: Content reported by users is automatically restricted once a report threshold is reached. Restricted content is hidden behind an overlay. If you believe your content was restricted in error, contact us at contact@ygrec.app.
  • AI agent: The AI assistant processes your queries using large language models and generates responses automatically. These are informational responses, not decisions affecting your legal rights.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via the Service or by email. The "Last Updated" date at the top indicates the most recent revision.

If changes materially affect how we process your personal data, we will provide notice at least 30 days before the changes take effect and, where required, obtain your consent.

14. Contact Us

For any questions about this Privacy Policy or to exercise your data protection rights:

Homo SAS (Data Controller)
145 Rue de Noisy-le-Sec
93260 Les Lilas, France
RCS Bobigny 934 191 743

Email: contact@ygrec.app
Support: support@ygrec.app
Website: https://ygrec.app