Privacy Policy

1. Controller and privacy contact

YY Digital is the controller of personal data processed for our own account administration, product operation, billing administration, analytics, security, and customer support purposes. For project content that customers upload about their own clients or collaborators, YY Digital may act as a processor or service provider on behalf of the customer.

Privacy requests can be sent to [email protected]. If we are legally required to appoint or publish details for a Data Protection Officer, EU representative, or local representative for a specific processing activity, we will make those details available through this Policy or another appropriate notice.

2. Personal data we collect

• Account data, including name, email address, profile image, authentication method, account identifiers, and sign-in events.
• Project content, including project names, client names, issues, comments, status values, priorities, approvals, attachments, exports, and client-visible activity.
• Invite and collaborator data, including email addresses, roles, invite status, invite tokens, acceptance timestamps, and project membership records.
• Email intake and notification data, including message headers, message bodies, attachments, notification preferences, and delivery metadata.
• Billing data received from Paddle, including subscription status, plan, billing email, billing country, customer ID, subscription ID, tax-related metadata, and payment status. We do not store full payment card details.
• Device and technical data, including IP address, device and browser information, app version, request logs, security logs, mobile push tokens, and diagnostic data.
• Marketing attribution data, including UTM parameters, first landing page, referring page, and related campaign source fields.
• Cookies, local storage, and similar technologies used for authentication, security, preferences, billing flows, and, where you consent or where permitted by law, analytics.

3. How we use personal data and legal bases

• To provide, operate, authenticate, and maintain the Service: performance of a contract or steps before a contract.
• To host project content, manage collaborators, process attachments, send service notifications, and support email intake: performance of a contract and legitimate interests in operating the Service.
• To process subscriptions, taxes, refunds, payment status, and billing support: performance of a contract and compliance with legal obligations.
• To secure the Service, prevent fraud and abuse, enforce limits, troubleshoot errors, and maintain logs: legitimate interests and, where applicable, legal obligations.
• To improve features, performance, reliability, and product usability: legitimate interests, using aggregated or minimized data where practical.
• To use non-essential analytics cookies or similar tracking technologies: consent where required by law.
• To comply with law, respond to lawful requests, resolve disputes, and enforce agreements: legal obligations and legitimate interests.

4. How we share personal data

We share personal data with providers that help us run the Service, including authentication, billing, hosting, database, storage, email, analytics, push notification, mobile app, and infrastructure providers. The current list is available at /subprocessors.

Project owners and invited collaborators can see project content and related user activity according to their project permissions. We may disclose personal data if required by law, to protect the rights and safety of IssueClear, users, or others, in connection with a merger, acquisition, financing, or sale of assets, or with your instructions or consent.

5. International transfers

Core application infrastructure is currently hosted primarily in the United Kingdom. We also use service providers that may process personal data in the United States, the European Economic Area, Israel, and other locations where they operate. When personal data is transferred internationally, we use appropriate safeguards where required, such as contractual commitments, data processing agreements, standard contractual clauses, adequacy decisions, or other lawful transfer mechanisms.

For transfers from Israeli databases to providers outside Israel, we require appropriate contractual and security commitments where required by Israeli privacy and data-transfer rules.

6. Retention

We retain personal data for as long as needed to provide the Service, maintain accounts, comply with legal obligations, resolve disputes, enforce agreements, preserve security, and maintain backups. Retention periods vary by data type.

• Account and project content is generally retained while the account or project is active.
• Deleted account and project data is removed from active systems through the deletion workflow, subject to backups, logs, billing records, fraud-prevention records, legal holds, and technical limitations.
• Billing and tax records may be retained for the periods required by Paddle, tax, accounting, and commercial laws.
• Security, diagnostic, and access logs are retained for a limited period appropriate to security, debugging, and abuse-prevention needs unless a longer period is required for investigation or legal reasons.

7. Security

We use reasonable technical and organizational measures designed to protect personal data, including access controls, role-based permissions, transport encryption, attachment safety checks, rate limits, security headers, and provider security controls. No method of transmission or storage is completely secure. Additional information is available in our Security Overview.

8. Your rights and choices

Depending on where you live and how we process your data, you may have rights to request access, correction, deletion, portability, restriction, objection, withdrawal of consent, and information about how your personal data is used or shared. Israeli law also provides rights to inspect information about you in a database and request correction or deletion of inaccurate, incomplete, unclear, or outdated information, subject to applicable conditions.

You can update some account and notification settings inside the Service. To exercise privacy rights, contact us at [email protected]. We may need to verify your identity and authority before acting on a request. You may also have the right to complain to your local privacy authority, including the Israeli Privacy Protection Authority if Israeli law applies.

9. California privacy notice

We do not sell personal information for money. We also do not knowingly sell or share personal information of children under 16. If a California privacy law applies to us and our use of analytics or advertising technologies is considered a "sale" or "sharing," you may opt out by declining analytics cookies or contacting us.

In the last 12 months, the categories of personal information we collected are the categories described in Section 2. We use them for the purposes described in Section 3 and disclose them to the categories of recipients described in Section 4.

10. Cookies and analytics

We use necessary cookies and local storage for authentication, security, preferences, and billing flows. We use Google Analytics only after analytics consent is granted where the consent banner is shown. We may also store basic first-touch marketing attribution in our own account records, such as UTM parameters, landing page, and referrer, to understand which channels lead to account creation and checkout. More information is available in our Cookie Policy.

11. Children

The Service is not intended for children under 16, and we do not knowingly collect personal data from them. If you believe a child has provided personal data to us, contact us so we can review and delete it where appropriate.

12. Changes to this Policy

We may update this Privacy Policy from time to time. We will post the updated policy and update the date above. If changes are material, we will provide additional notice where appropriate.