Privacy Policy

Last updated: June 13, 2026

Introduction

Welcome to Yulio OÜ (“Yulio”, “we”, “us”, or “our”). We respect your privacy and are strongly committed to keeping secure any information we obtain from or about you.

This Privacy Policy describes our practices with respect to Personal Data we collect from or about you when you use our website at https://yulio.ai and our related services (collectively, the “Services”). It explains how we collect, safeguard, and disclose information that results from your use of the Services. By using the Services, you agree to the collection and use of information in accordance with this policy.

For the purposes of the EU General Data Protection Regulation (GDPR), Yulio OÜ is the Data Controller of the Personal Data described in this Policy. This Privacy Policy is referenced by our Terms of Service; unless otherwise defined here, terms have the meanings given in the Terms of Service.

Our role: controller and processor

This Privacy Policy applies where Yulio OÜ acts as a data controller, for account and profile information, billing and subscription data, usage data, communications with us, and data collected on our website.

Where the Services are used on behalf of a business customer and Personal Data is processed through connected systems and integrations at that customer’s direction, for example, records in a connected CRM, the content of communications, or other data made available to the Services, the customer is the data controller and Yulio processes that data as a data processor under a Data Processing Agreement (DPA) with that customer. Such processing is governed by the customer’s instructions and the DPA, not by this Privacy Policy. If your Personal Data has been submitted to the Services by one of our customers and you wish to exercise your rights, please contact that customer directly; we will assist them in responding in accordance with our DPA.

1. Definitions

  • Personal Data, data about a living individual who can be identified from that data (or from that and other information in our possession or likely to come into our possession).
  • Usage Data, data collected automatically, either generated by use of the Services or from the Services’ infrastructure (for example, the duration of a page visit).
  • Cookies, small files stored on your device (computer or mobile device).
  • Data Controller, the natural or legal person who determines the purposes and manner of processing Personal Data. For this Privacy Policy, we are the Data Controller of your data.
  • Data Processor (or Service Provider), any natural or legal person who processes data on behalf of the Data Controller.
  • Data Subject, any living individual who is the subject of Personal Data.
  • User, the individual using our Services, who corresponds to the Data Subject.

2. Information collection and use

We collect several different types of information for various purposes to provide and improve our Services to you.

As an AI automation service, our Services are powered by your context and actions, including the content you make available to us via our integrations with your third-party services. Depending on how you use the Services, the data we collect and process on your behalf can include any data you choose to make available to our Services.

3. Types of data collected

Personal Data. While using our Services, we may ask you to provide certain personally identifiable information that can be used to contact or identify you, including but not limited to:

  • Email address
  • First and last name
  • Phone number
  • Address, state/province, postal code, city
  • Cookies and Usage Data

Account Information. When you create an account, you can register using your email address or by signing in with Google. We collect information associated with your account, including your name, contact information, account credentials, and transaction history.

User Content. In addition to Personal Data we automatically collect via integrations you set up, we collect Personal Data that you directly provide in the input to our Services, including your prompts, configurations, and other content you upload, depending on the features you use.

Payment Information. If you use our paid Services, we collect information needed to complete your transactions, including name, payment card information, and billing information. This information is processed by our payment processor, Stripe, which handles your payment information in accordance with its own privacy policy. We do not have access to your full payment card information. See Section 13.

Communication Information. We collect information when you contact us with questions or concerns, and when you voluntarily respond to questionnaires, surveys, or requests for feedback.

Usage Data. We collect information that your browser or device sends whenever you access the Services. This may include your IP address, browser type and version, the pages of our Services you visit, the time and date of your visit, time spent on pages, unique device identifiers, operating system, and other diagnostic data.

Tracking Cookies Data. We use cookies and similar tracking technologies to track activity on our Services and hold certain information. We use Session Cookies (to operate the Services), Preference Cookies (to remember your settings), Security Cookies (for security), and Analytics Cookies (to understand usage). You can instruct your browser to refuse cookies, but some portions of the Services may not function.

Authentication Tokens for Integrated Services. When you connect a third-party service, we collect and store, in encrypted form, the authentication tokens for the services you have chosen to integrate, so that the Services can act on your behalf. You can revoke these at any time by disconnecting the integration.

Information from Third-Party Services. When you link, connect, or log in to our Services with a third-party service (e.g., Google, Slack, or other productivity tools), you may direct that service to send us information controlled by it, as authorized by you via your privacy settings on that service.

4. Use of data

We use the collected data for the following purposes:

  • To provide, operate, analyze, and maintain our Services
  • To create and manage your account and authenticate you
  • To carry out the agents, automations, and tasks you request
  • To process payments and manage your subscription
  • To notify you about changes to your account or the Services
  • To allow you to participate in interactive features when you choose to
  • To provide customer support
  • To gather analysis or valuable information so we can improve our Services
  • To monitor usage of our Services
  • To detect, prevent, and address technical issues, fraud, and abuse
  • To carry out our obligations and enforce our rights arising from contracts between you and us, including for billing and collection
  • To provide you with news, special offers, and general information about goods, services, and events similar to those you have purchased or enquired about, unless you have opted out
  • For any other purpose with your consent

Our legal bases (GDPR Art. 6). We rely on: performance of a contract (to provide the Services, manage your account, and process payments); legal obligation (for accounting, tax, and lawful requests); legitimate interests (to secure and improve the Services and prevent fraud); and consent (for marketing communications, which you may withdraw at any time).

Use of User Content for Service Improvement. We may use aggregated, de-identified usage patterns and metadata (such as feature adoption rates and error logs) to improve and develop our Services. For the avoidance of doubt, we do not use your User Content, your prompts, configurations, uploaded data, or data passing through your workflows, to train, fine-tune, or otherwise improve any AI or machine learning models. This applies to all users, on every plan.

Aggregated Information. We may aggregate Personal Data and use the aggregated information to analyze the effectiveness of our Services, improve and add features, and for other similar purposes.

Marketing. We may contact you with information we believe will be of interest. You may opt out of marketing emails by following the unsubscribe link in each promotional email or by contacting us. If you unsubscribe, you will still receive communications regarding the operation of your account and our Services.

Automated decision-making. We do not engage in automated decision-making or profiling that produces legal or similarly significant effects within the meaning of Article 22 GDPR.

5. AI training data

We are committed to protecting your data. We do not use any of your uploaded data, User Content, the automations you create, or data passing through your workflows to train, fine-tune, or otherwise develop any AI or machine learning models, whether generalized or specific to our Services.

We do not use Google Workspace APIs to develop, improve, or train generalized AI and/or ML models. Data obtained through Google Workspace APIs is not transferred to third-party AI tools for the purpose of creating generalized AI/ML models.

We maintain agreements with our AI providers (such as Anthropic and OpenAI) that contractually prohibit them from training their models on any data sent to them via our Services. These agreements are consistent with the data processing terms we offer to our customers.

6. Retention of data

We retain your Personal Data only for as long as necessary for the purposes set out in this Privacy Policy. When you close your account, we delete or anonymize your Personal Data within 90 days, unless we are required to retain it longer to comply with our legal obligations (for example, where we are required to retain data under Estonian accounting and tax law), resolve disputes, or enforce our legal agreements and policies.

We also retain Usage Data for internal analysis. Usage Data is generally retained for a shorter period, except where used to strengthen security or improve functionality, or where we are legally obligated to retain it longer. Where appropriate, we may anonymize data so it can no longer be associated with you and use it indefinitely.

7. Transfer of data

We store your data within the European Union wherever possible. Some of our Service Providers (including AI providers and certain infrastructure providers) are located outside the European Economic Area (EEA), in particular in the United States. Your information, including Personal Data, may therefore be transferred to, and maintained on, computers located outside your jurisdiction, where data protection laws may differ.

Where personal data is transferred to a third country, such transfers are made only where permitted under Articles 44 et seq. GDPR, subject to appropriate safeguards, in particular adequacy decisions (such as the EU–US Data Privacy Framework) or the EU Standard Contractual Clauses (SCCs). We will take all steps reasonably necessary to ensure your data is treated securely and in accordance with this Privacy Policy, and you may request a copy of the relevant safeguard by contacting us.

8. Disclosure of data

We do not sell or rent your Personal Data to any third party for any purpose. You are the owner of your Personal Data and can request disclosure or deletion at any time. We may disclose Personal Data we collect or that you provide:

  • Service Providers, to contractors, service providers, and other third parties who support our business, under data processing agreements (Art. 28 GDPR) that limit their use of the data to providing services to us.
  • Connected services, to the third-party services you choose to integrate, as directed by you.
  • Law enforcement, where required to do so by law or in response to valid requests by public authorities.
  • Business transaction, if we are involved in a merger, acquisition, or asset sale, your Personal Data may be transferred to the successor entity.
  • With your consent, for any other purpose disclosed when you provide the information.

The current list of sub-processors we use when processing data on behalf of our business customers is published at https://yulio.ai/sub-processors.

9. Security of data

The security of your data is important to us, but no method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your Personal Data, we cannot guarantee its absolute security. We implement the following measures:

  • Regular Backups, our database is backed up regularly so we can restore user data in an emergency.
  • Access Control, access to internal data is restricted by default; employees are only given access to the scopes necessary to complete their work.
  • Two-Factor Authentication, enforced for all accounts with access to sensitive data.
  • Encryption, data is encrypted in transit and at rest, including stored integration tokens.
  • Credential Protection, no user can access another user’s personal credentials under any circumstances.

10. Your data protection rights under the GDPR

If you are a resident of the European Union or European Economic Area, you have certain data protection rights under the GDPR. We aim to take reasonable steps to allow you to correct, amend, delete, or limit the use of your Personal Data. In certain circumstances, you have the right to:

  • Access, update, or delete the information we hold about you
  • Rectification, have inaccurate or incomplete information corrected
  • Object, object to our processing of your Personal Data
  • Restriction, request that we restrict the processing of your information
  • Data portability, receive a copy of your Personal Data in a structured, machine-readable, commonly used format
  • Withdraw consent, where we rely on your consent to process your information

To exercise any of these rights, email us at [email protected]. We may ask you to verify your identity before responding. Please note we may not be able to provide some Services without certain necessary data.

You also have the right to lodge a complaint with a Data Protection Authority. Our lead supervisory authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) , www.aki.ee. You may also contact the supervisory authority where you live, including, for users in Ukraine, the authority under the Law of Ukraine “On Personal Data Protection.”

11. Third-party services and integrations

Our Services integrate with various third-party services to provide automation capabilities. When you connect third-party services, you may be providing us access to data from those services. Your use of third-party services is governed by their own privacy policies and terms. We are not responsible for the privacy practices of third-party services, and we encourage you to review their privacy policies. Any data you share with third-party services through our platform is subject to those services’ privacy policies.

12. Analytics

We use third-party Service Providers to monitor and analyze the use of our Services, namely PostHog, a product analytics platform that helps us understand how users interact with our Services. PostHog collects usage data to help us improve our product, governed by its own privacy policy (https://posthog.com/privacy).

13. Payments

We provide paid products and/or services within the Services. For payment processing, we use a third-party processor. We will not store or collect your payment card details, that information is provided directly to our third-party payment processor, Stripe, whose use of your personal information is governed by their Privacy Policy. Stripe adheres to the standards set by PCI-DSS as managed by the PCI Security Standards Council.

Stripe’s Privacy Policy: https://stripe.com/privacy

14. Links to other sites

Our Services may contain links to other sites not operated by us. If you click a third-party link, you will be directed to that third party’s site. We strongly advise you to review the Privacy Policy of every site you visit. We have no control over, and assume no responsibility for, the content, privacy policies, or practices of any third-party sites or services.

15. Children’s privacy

Our Services are not intended for use by children under the age of 16. We do not knowingly collect personally identifiable information from children under 16. If you become aware that a child has provided us with Personal Data, please contact us. If we become aware that we have collected Personal Data from a child without verification of parental consent, we take steps to remove that information from our servers.

16. Changes to this Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the “last updated” date. Where notable changes occur, we will notify you via email and/or a prominent notice on our Services prior to the change becoming effective. You are advised to review this Privacy Policy periodically. Changes are effective when posted on this page.

17. Contact us

If you have any questions about this Privacy Policy, please contact us:

Yulio OÜ
Sepapaja tn 6, Lasnamäe, 15551 Tallinn, Harju County, Estonia
By email: [email protected]