Privacy policy

Privacy Policy
for Yalp

How we collect, use, and protect your data
when you use Yalp.

1. Who We Are

Yalp is operated by ProducterHQ OÜ, an Estonian private limited company (OÜ). Yalp is a todo application with optional MCP integrations that let users manage tasks from AI clients such as Cursor and Claude.

2. Data We Collect

Depending on how you use Yalp, we process:

  • Account details (such as email and auth identifiers from Supabase).
  • Task content and task metadata (lists, due dates, completion status).
  • Connection settings for integrations (for example MCP and OAuth-related records).
  • Billing and subscription status from Stripe (we do not store full card numbers).
  • Basic technical and usage events used for security, reliability, and product improvement.

3. Why We Process Data

We use personal data to:

  • Provide the core Yalp service and sync your todos across web and integrations.
  • Authenticate users and protect accounts.
  • Process purchases, manage subscriptions, and prevent payment fraud.
  • Maintain platform security, debug incidents, and improve product quality.
  • Comply with legal obligations and enforce our Terms of Use.

4. Legal Bases (EEA/UK)

Where GDPR applies, we rely on contractual necessity (to provide Yalp), legitimate interests (service security and improvement), legal obligations, and consent where required.

5. Processors and Third Parties

We use service providers to run Yalp, including:

  • Supabase for authentication and database infrastructure.
  • Stripe for checkout, subscription management, and payment operations.
  • Hosting and analytics tools needed to run and improve the service.

We share data only as needed for these services, legal compliance, or a lawful request.

6. International Transfers

Your data may be processed outside your country. Where required, we use appropriate safeguards (such as contractual protections) for international transfers.

7. Retention

We keep personal data only as long as needed for service delivery, legal compliance, and dispute resolution. Account and todo data is typically removed or anonymized after account deletion, unless we must retain specific records for legal or accounting reasons.

8. Your Rights

Depending on your location, you may have rights to access, correct, delete, or export your data, and to object to or restrict certain processing. You may also have the right to lodge a complaint with your local supervisory authority.

9. Security

We apply technical and organizational measures to protect personal data. No system is perfectly secure, but we continuously work to reduce risk and respond quickly to incidents.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material updates will be reflected on this page with a new effective date.

Effective date: April 9, 2026.