Privacy policy

Last updated: 22 May 2026

1. Who we are (Data Controller)

Yolist is a UK business directory operated by Yolist Ltd (company registration pending, England & Wales). When this policy refers to "we", "us" or "Yolist" it means the company.

Contact for data matters: legal@yolist.uk
Postal: Yolist Ltd, [Registered Address to be added on incorporation], England

We are registered with the Information Commissioner's Office (ICO) as required by the UK GDPR and the Data Protection Act 2018. ICO registration number will be published here upon completion of registration.

2. Data we collect

2.1 Account & profile data

  • Name and email address (provided on registration)
  • Password (stored as a secure hash via Supabase Auth — we never see the plaintext)
  • Profile photo (if uploaded)
  • Communication preferences

2.2 Business listing data

  • Business name, address, phone number, website URL
  • Category, opening hours, description
  • Photos and logo
  • Social media links

2.3 Usage & technical data

  • IP address and approximate location (for security and rate-limiting)
  • Browser type, device type, operating system
  • Pages visited, time on site, referral source (via Google Analytics 4)
  • Cookies and similar tracking technologies (see our Cookie Policy)

2.4 Payment data

Payments are handled by Stripe. We store only your Stripe customer reference and subscription status. Full card details are never stored by Yolist.

2.5 Open public data

Some business listings are sourced from public datasets under the UK Open Government Licence v3.0 (Companies House, Food Standards Agency, Ordnance Survey). This data is publicly available and we use it to pre-populate and verify listings.

3. How we use your data (Legal basis)

| Purpose | Data used | Legal basis |
|---|---|---|
| Create and manage your account | Name, email, password hash | Contract (Art. 6(1)(b) UK GDPR) |
| Publish and manage business listings | Business data | Contract / Legitimate interest |
| Process subscription payments | Stripe customer reference | Contract + Legal obligation (tax records) |
| Send transactional emails (booking, lead, invoice) | Email address | Contract |
| Send marketing emails (if opted in) | Email address | Consent (Art. 6(1)(a)) |
| Improve the platform (analytics) | Anonymised usage data | Legitimate interest |
| Security, fraud prevention, rate limiting | IP address, usage patterns | Legitimate interest |
| Comply with UK law (tax, accounting) | Payment records | Legal obligation (Art. 6(1)(c)) |

4. How long we keep your data (Retention)

| Data category | Retention period |
|---|---|
| Active accounts | While your account remains active |
| Inactive accounts | 3 years after last login, then deleted |
| Business listings | While active; dissolved businesses kept 2 years for historical reference |
| Payment records | 7 years (UK Companies Act / HMRC requirement) |
| Server access logs | 30 days |
| Analytics (GA4) | 14 months, then aggregated |
| Marketing email consent | Until withdrawn; suppression list kept indefinitely |

5. Who we share your data with

We do not sell your personal data. We share data with the following trusted processors under Data Processing Agreements (DPAs):

  • Supabase — authentication and database hosting
  • Hetzner — server infrastructure (EU-based, Nuremberg)
  • Stripe — payment processing
  • Resend — transactional email delivery
  • Cloudflare — CDN and DDoS protection
  • Google Analytics — anonymised site analytics (IP anonymisation enabled)
  • Sentry — error monitoring (no PII stored in error logs)
  • Vercel — deployment infrastructure

We may disclose data to law enforcement or regulators if required by UK law.

6. International transfers

Our primary database infrastructure runs on Hetzner servers in Nuremberg, Germany (EU). Some services (Stripe, Google, Cloudflare) may process data in the USA under Standard Contractual Clauses (SCCs) or other approved transfer mechanisms. All third-party processors are bound by DPAs.

7. Your rights under UK GDPR

You have the right to:

  • Access — request a copy of all personal data we hold about you
  • Rectification — correct inaccurate or incomplete data
  • Erasure ("right to be forgotten") — request deletion of your data (subject to legal retention obligations)
  • Portability — receive your data in a structured, machine-readable format
  • Object — object to processing based on legitimate interests or for direct marketing
  • Restrict processing — request that we limit how we use your data
  • Withdraw consent — at any time, where processing is based on consent

To exercise any of these rights, email legal@yolist.uk or use the "Export My Data" and "Delete Account" options in your dashboard settings. We will respond within one calendar month.

8. Cookies

We use cookies and similar technologies. For full details, see our Cookie Policy. You can manage your cookie preferences at any time via the cookie banner or your browser settings.

9. Children

Yolist is not directed at children under 13. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact legal@yolist.uk.

10. Security

We implement appropriate technical and organisational measures including TLS encryption in transit, bcrypt password hashing, server-side session management, rate limiting, and regular security reviews. Despite these measures, no transmission over the internet can be guaranteed 100% secure.

11. Republic of Ireland users

If you are based in the Republic of Ireland, the supervisory authority for your data protection rights is the Data Protection Commission (DPC): dpc.ie.

12. How to complain

If you have concerns about how we handle your data, please contact us first at legal@yolist.uk.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO): ico.org.uk | 0303 123 1113

13. Changes to this policy

We may update this policy from time to time. The "Last updated" date at the top of this page will reflect the most recent revision. For significant changes, we will notify registered users by email.