Privacy Policy
Last updated: April 25, 2026 · Yellsy SAS · Data Controller
Yellsy is fully GDPR-compliant. We never sell your personal data. Sensitive information is encrypted at rest using AES-256-GCM.
1. Who We Are
Yellsy SAS, a French simplified joint-stock company, is the data controller for personal data processed through the Yellsy platform. Contact: [email protected]
2. Data We Collect
Account data
Legal full name (immutable), email address, phone number (optional), country, preferred language, hashed password, referral code.
Search & booking data
Trip requests (origin, destination, dates, preferences), booking confirmations, price history.
Financial data
Stripe customer ID, subscription status, commission amounts. We do not store raw card numbers — payments are handled entirely by Stripe.
Technical data
IP addresses, login timestamps, browser user agent, 2FA verification events.
3. How We Use Your Data
- →Providing the Service: account management, price monitoring, booking, notifications.
- →Security: fraud detection, brute-force protection, IP-based login alerts.
- →Legal compliance: record-keeping, dispute resolution, regulatory obligations.
- →Communication: transactional emails (2FA codes, booking confirmations, deal alerts). We do not send marketing emails without explicit consent.
- →Analytics: aggregated, anonymised usage statistics to improve the Service.
4. Legal Bases for Processing (GDPR)
Contract performance (Art. 6(1)(b))
Account registration, bookings, subscriptions.
Legitimate interests (Art. 6(1)(f))
Fraud prevention, security monitoring.
Legal obligation (Art. 6(1)(c))
Tax records, regulatory compliance.
Consent (Art. 6(1)(a))
Marketing communications (where applicable).
5. Data Security
Passwords are hashed using bcrypt with unique salt. Sensitive PII (name, email, phone) is encrypted at rest using AES-256-GCM. Email and phone are additionally stored as one-way hashes for uniqueness checks. All connections use TLS 1.2+. Access to production systems is restricted to authorised personnel with MFA.
6. Data Retention
Account data is retained for the lifetime of your account plus 5 years for legal compliance. Booking records are retained for 10 years per French accounting law. Login logs are retained for 12 months. You may request deletion of non-legally required data at any time.
Payment transaction audit logs
To protect both parties in the event of a payment dispute, YELLSY LLC retains a payment audit record for each hold, booking, or cancellation event. This record includes IP address, browser information, device type, and a hash of the authorization text you agreed to at the time of the transaction. These logs are retained for 18 months (540 days) from the date of the event, then automatically and permanently deleted. Legal basis: legitimate interests (Art. 6(1)(f) GDPR) — dispute resolution and fraud prevention.
7. Data Sharing
We share data only with the following processors:
Duffel / Amadeus
Flight & hotel search (search parameters only)
Stripe
Payment processing
Resend
Transactional email delivery
Twilio
SMS 2FA verification
Cloudflare
CDN, DDoS protection, bot management
Legal authorities
When required by applicable law
We never sell personal data.
8. International Transfers
Some of our processors are located outside the EU. Transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission. Our DPA at /legal/dpa governs processor relationships.
9. Your Rights (GDPR)
Access
Art. 15
Rectification
Art. 16
Erasure
Art. 17
Restriction
Art. 18
Portability
Art. 20
Objection
Art. 21
To exercise your rights, email [email protected]. We will respond within 30 days. Identity verification required for sensitive requests. You may also lodge a complaint with the CNIL (cnil.fr).
10. Cookies
We use only essential cookies for session management and security. See our Cookie Policy for full details. No advertising or tracking cookies are used.
11. Children
The Service is not directed at persons under 18. We do not knowingly collect data from minors.
12. Contact
Questions? Contact us