Who this applies to
This appendix supplements our Privacy page for visitors and customers in the EEA, UK, or Switzerland.
Where the General Data Protection Regulation (GDPR) or UK GDPR applies, the substance of how we handle your data is the same for everyone; this page just spells out the GDPR-specific terminology and your statutory rights.
Controller & processor
For data you give us about yourself (your account, payment, support history), Yo Bio Pty Ltd is the data controller. We decide how that information is used.
For data your visitors give you (audience emails captured on your page, page analytics you act on), you are the controller and Yo is your processor. The activities we carry out on your behalf — storing, transmitting, aggregating — are governed by our standard terms and, on the Business plan, by an optional Data Processing Addendum.
Lawful bases, mapped
Each operation falls under one of Article 6's bases:
- Contract (Art. 6(1)(b)) — provisioning your account, running your pages, taking your payment.
- Legitimate interest (Art. 6(1)(f)) — first-party analytics, fraud prevention, sign-in security telemetry. Our interest is balanced against the limited processing and the visibility you have into the data.
- Consent (Art. 6(1)(a)) — audience captures, optional marketing emails from us. You can withdraw consent at any time without losing access to the service.
- Legal obligation (Art. 6(1)(c)) — tax records and responses to lawful requests.
Your rights, in detail
For data we hold about you, you can ask us to do any of the below. Email privacy@yo.bio. We'll respond within 30 days, or up to three months for complex requests with notice.
- Access (Art. 15) — a copy of everything we hold about your account, with the lawful basis for each category.
- Rectification (Art. 16) — correct inaccurate data. Most fields you can correct yourself in settings.
- Erasure (Art. 17) — the “right to be forgotten.” Close the account; we'll purge personal data on the schedule in the Privacy page. Some records (tax invoices, audit log) we're legally required to retain.
- Restriction (Art. 18) — ask us to pause certain processing while a dispute is open.
- Portability (Art. 20) — get your data in a machine-readable format you can take elsewhere.
- Objection (Art. 21) — object to processing based on legitimate interest.
- Automated decisions (Art. 22) — we don't make decisions about you using automated processing alone.
You can also lodge a complaint with your local Data Protection Authority. For Ireland that's the DPC; for the UK, the ICO.
International transfers
Our infrastructure is global. Personal data may be transferred outside the EEA to the United States and Australia. Where that happens we rely on:
- Adequacy decisions where the destination country has one (UK ↔ EEA).
- Standard Contractual Clauses (the 2021 EU SCCs and the UK addendum) with sub-processors operating outside the EEA / UK.
- EU–US Data Privacy Framework certification of the sub-processor where applicable.
On request we can share copies of the relevant transfer mechanisms with Business customers.
Data Processing Addendum
Business customers can request our standard DPA. It binds Yo as a processor on the data you control through your audience captures, sets out sub-processor flow-down terms, and incorporates the EU SCCs and UK addendum by reference.
Email legal@yo.bio with the legal entity that needs to be on the addendum and we'll send a copy back within two business days.
Privacy contact
We don't currently have a dedicated Data Protection Officer (we're below the threshold under Article 37) but our privacy contact is privacy@yo.bio. We respond from within Australia.