Yanku — Privacy Policy
Version: v1.0
Effective date: 2026-05-13
Last updated: 2026-05-13
Language: Published in Estonian and English. Where the two versions diverge, the Estonian version controls.
1. Who we are
This Privacy Policy explains how Yanku OÜ ("Yanku", "we", "us") processes personal data when you use the Yanku platform (app.yanku.eu, business.yanku.eu, and related services).
We are the controller of personal data described below unless we state otherwise (see §2).
Yanku OÜ
Heki 3-12, Haabneeme, 74001 Viimsi, Estonia
Email: info@yanku.eu
Yanku has not appointed a Data Protection Officer (no statutory obligation at our scale). Privacy queries go to info@yanku.eu.
2. How the marketplace model affects who controls your data
Yanku is a marketplace platform. There are two distinct roles, and which one applies depends on the data in question:
Yanku as controller — for data we collect to operate the platform itself: your account, security and access logs, customer support, marketing communications, and aggregate analytics. We decide the purposes and means of processing this data.
Yanku as processor for a Facility — for the booking, attendance, payment, and customer-relationship data that a sport club, studio, or other Facility collects from its Members through Yanku Business. The Facility is the controller of that data; Yanku processes it on the Facility's instructions under a Data Processing Agreement (DPA).
When you book or attend a class at a Facility through Yanku, the Facility decides why your data is collected and how long it is kept for its own customer-relationship purposes. The Facility has its own privacy policy you should review. For data the Facility controls, requests to access, correct, or delete your data should go to the Facility first; we will assist as processor.
3. What personal data we collect
We collect only what we need to run the Platform. Categories:
Account data — name, email address, phone number (optional), date of birth (for age verification under §10), password hash, profile photo if uploaded, preferred language. For Facilities: business name, registry code, bank account for payouts, contact details of authorised staff.
Booking and transaction data — bookings, passes, memberships, classes, sessions, and other Bookings you make; the Facility, time, location, price, and status of each Booking; payment status and partial card metadata returned by the Payment Processor (last four digits, card brand, country — we never store full card numbers, CVCs, or full PANs). Refunds and chargebacks.
Usage and device data — IP address, browser type and language, device type, operating system, timestamps and URLs of pages or screens you visit. Used for security, debugging, and product analytics.
Communications — emails, in-app messages, and support requests you exchange with us or with a Facility through Yanku.
Marketing preferences — your opt-in/opt-out status for marketing emails, including the time and channel of any opt-out.
We do not intentionally collect special-category data (health, biometrics, religion, sexual orientation, etc.). Please don't put such data into free-text fields — if you do, it will be processed on the same legal basis as the rest of your account data and stored only as long as the surrounding record.
4. Why we use your data and on what legal basis
We process personal data for the purposes below. The legal basis under GDPR Article 6 is shown in italics after each purpose.
Create and operate your Yanku account — uses account data. Performance of a contract (Art. 6(1)(b)).
Process Bookings and pay out Facilities — uses account data and booking/transaction data. Performance of a contract (Art. 6(1)(b)).
Process payments through Maksekeskus AS — uses name, email, and transaction data. Performance of a contract (Art. 6(1)(b)).
Send transactional emails (booking confirmations, password resets, receipts) — uses account data and booking data. Performance of a contract (Art. 6(1)(b)).
Customer support — uses all categories as needed. Performance of a contract (Art. 6(1)(b)) and legitimate interest in providing support (Art. 6(1)(f)).
Security, fraud prevention, abuse detection — uses account data and usage/device data. Legitimate interest in protecting the Platform and its users (Art. 6(1)(f)).
Product analytics — understanding how the Platform is used so we can improve it. Uses usage/device data and pseudonymous identifiers. Legitimate interest in improving our services (Art. 6(1)(f)). You can object at any time — see §8.
Marketing emails to existing Members (re-engagement, related-service updates, newsletters) — uses email address, account data, and marketing preferences. Legitimate interest under the "soft opt-in" model (Estonian Electronic Communications Act §103¹) and GDPR Art. 6(1)(f). Every marketing email contains a one-click unsubscribe.
Comply with legal obligations (accounting, tax, consumer-protection responses, lawful requests). Legal obligation (Art. 6(1)(c)).
Defend or enforce legal claims. Legitimate interest in establishing or defending legal claims (Art. 6(1)(f)).
Sale or restructuring of the business — see §12. Legitimate interest in operating the business (Art. 6(1)(f)).
We do not use your data for automated decision-making that produces legal or similarly significant effects on you. We do not sell your data.
5. Who we share your data with
Yanku is a small operation. The recipients of personal data fall into a short list:
Facilities you interact with. When you book or attend services at a Facility, that Facility receives the Booking and attendance data necessary to provide the service. The Facility is a separate controller for the customer-relationship purposes described in §2.
Sub-processors who help us run the Platform (each bound by a written data-processing agreement):
DigitalOcean, LLC — cloud hosting (servers, databases, storage). Location: Amsterdam, Netherlands (EEA).
Maksekeskus AS — payment processing (card and bank-link payments). Location: Estonia (EEA).
Postmark (operated by ActiveCampaign LLC) — transactional email delivery. Location: United States — see §6 for transfer safeguards.
PostHog, Inc. — product analytics, EU instance. Location: European Union (EEA).
We will update this list before adding a new sub-processor that handles personal data on our behalf.
Public authorities and legal advisers. Where we are required by law to disclose information (court order, lawful request from a competent authority) or where we need to obtain legal advice, the relevant authority or adviser may receive the minimum data necessary.
Successor of the business. If Yanku is sold or merged with another business, personal data may be transferred to the new owner under the same protections as set out in this policy. See §12.
6. International transfers
Most of your personal data is processed inside the European Economic Area.
Postmark (our transactional-email provider) is operated from the United States. We transfer the minimum personal data needed to deliver emails (recipient address, name as it appears in the email, message body). The transfer is covered by the EU Standard Contractual Clauses (Module 2: Controller-to-Processor) and supplementary measures as required after the Schrems II judgment. Where Postmark or its operator participates in the EU-US Data Privacy Framework, that mechanism is also relied on.
You can request a copy of the relevant transfer safeguards from info@yanku.eu.
7. How long we keep your data
Account data while your account is active — for as long as your account exists. We do not auto-delete inactive accounts; you can delete your account at any time.
Account data after you delete your account — removed from active systems within 30 days; removed from encrypted backups within 60 days.
Booking, payment, invoice, and accounting records — 7 years from the end of the calendar year of the transaction (Estonian Accounting Act §12).
Customer-support correspondence — up to 3 years after the last contact.
Security and access logs — up to 90 days for technical logs; longer where needed for an active investigation.
Marketing preferences and unsubscribe records — for as long as needed to honour your choice; typically for the life of the account, and at least 3 years after account deletion to ensure we do not contact you again.
Cookies and session data — see §9.
If a longer retention is required by law (e.g. an unresolved dispute, regulatory hold), we will keep the relevant records until that requirement ends.
8. Your rights
Under the GDPR you have the following rights regarding personal data that Yanku controls:
Access — get a copy of the personal data we hold about you.
Rectification — correct inaccurate or incomplete data.
Erasure ("right to be forgotten") — have your data deleted, subject to the legal-retention exceptions in §7.
Restriction — ask us to limit how we use your data while a question is being resolved.
Portability — receive the data you provided to us in a structured, machine-readable format, and have it transmitted to another controller where technically feasible.
Object — object to processing based on legitimate interests (§4), including product analytics and marketing. We will stop unless we can show compelling legitimate grounds that override your interests, or the processing is needed for legal claims.
Withdraw consent — where processing is based on consent, withdraw it at any time; this does not affect processing that already happened.
Lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, https://www.aki.ee), or with the supervisory authority in your EU country of residence.
To exercise any of these rights, email info@yanku.eu from the address associated with your account. We will respond within 30 days (extendable by two further months for complex requests under GDPR Art. 12(3)). For data the Facility controls (booking and customer-relationship data — see §2), please contact the Facility directly; we will assist as processor.
There is no fee for a reasonable request. We may charge a reasonable fee or refuse to act on requests that are manifestly unfounded or excessive, as permitted by GDPR Art. 12(5).
9. Cookies and similar technologies
Yanku uses only strictly necessary cookies — those needed to keep you signed in and to operate the Platform. No advertising cookies, no third-party tracking cookies. No consent banner is shown because strictly necessary cookies do not require consent under the EU ePrivacy Directive.
Strictly necessary cookies typically include:
a session cookie that keeps you signed in;
a CSRF token cookie that prevents cross-site request forgery;
a language preference cookie.
Product analytics is provided by PostHog using a pseudonymous identifier rather than tracking cookies. The legal basis is legitimate interest (§4); you can object at any time.
You can clear cookies in your browser settings. Doing so will sign you out of Yanku.
10. Children
You must be at least 16 years old to create a Yanku account. If you are a parent or guardian and become aware that a child under 16 has created an account, contact info@yanku.eu and we will delete the account and associated data.
Facilities may offer services to minors; bookings for minors should be made by a parent or guardian under their own account, and the Facility (not Yanku) is responsible for any age-related compliance specific to the service it provides.
11. Security
We take reasonable technical and organisational measures to protect personal data, including:
TLS encryption for data in transit;
encryption at rest for backups;
access controls and the principle of least privilege for staff access to production data;
segregation of payment data — full card numbers are handled by the Payment Processor and never reach our servers;
security logging and regular review of access.
No system is perfectly secure. If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Estonian Data Protection Inspectorate within 72 hours and, where the risk is high, notify affected users without undue delay, as required by GDPR Art. 33 and 34.
12. If the business is sold or restructured
If Yanku OÜ is sold, merged, or otherwise involved in a corporate transaction, personal data may be transferred to the acquirer or merged entity as part of the assets. We will require the recipient to honour the protections in this policy, and we will notify users in advance of any material change in controller through the in-app banner or email channel described in §13.
13. Changes to this policy
We may update this Privacy Policy from time to time. For changes that materially affect how we use your personal data we will notify you in advance — at least 14 days before the change takes effect — by email or an in-app banner. Continued use of the Platform after the notice period means acceptance of the updated policy. The Last updated date at the top of the policy reflects the most recent revision.
14. Deleting your account
You can delete your Yanku account at any time:
- In the app: open Yanku → Profile → Account → Delete account.
- Without the app: email support@yanku.eu (or whatever address) from the email tied to your account, with the subject "Delete my account". We process deletion requests within 30 days.
Deletion removes your profile, contact details, booking history, and any passes you hold. Anonymized transaction records may be retained for accounting/legal obligations as required by Estonian law.
15. Contact
Questions about this Privacy Policy or about your personal data: info@yanku.eu
Postal address: Yanku OÜ, Heki 3-12, Haabneeme, 74001 Viimsi, Estonia
Estonian supervisory authority: Andmekaitse Inspektsioon, Tatari 39, 10134 Tallinn, Estonia — https://www.aki.ee