Privacy policy

1. Introduction

This Privacy Policy explains how Y factor collects, uses, stores, and shares the Users' information, as well as the Users' rights under applicable laws and regulations such as the EU and UK General Data Protection Regulation (GDPR). Any capitalized terms not defined herein shall have the meanings set forth in the Company's Terms of Service.

2. Data Controller

Y factor (the "Company") is the data controller responsible for the Users' personal data. Users can contact the Company at:

Email: hello@yfactor.app

Address: Y factor ApS (CVR: 44690934), Suomisvej 4, 1927 Frederiksberg C, Denmark

3. The Users' Personal Data

This Privacy Policy applies to Y factor's processing of personal data when Users:

a. use Y factor's Website or interact with the Company;

b. use Y factor's Services, including the App;

c. provide personal data about themselves as part of creating a User account; and

d. make a purchase or enter into a subscription.

3.1 The Personal Data Y factor Collects

The Company collects the following categories of data from its Users when using the Services:

• Account Information (e.g. full name, email, phone number, date of birth, user type, etc.)

• User Content (e.g. basic info, physical traits, personal traits, descriptions, messages, and other content the User uploads - see section 3.2 below)

• Technical Data (IP address, browser type, device identifiers, usage logs)

• Verification Data (identity verification details as processed through Veriff)

• Payment Data (payment details are processed through the Apple App Store or Google Play Store)

E-mail addresses and names are used to connect Users to their accounts. The e-mail address is also used for re-setting passwords if the User has forgotten the password set upon creating the account, and if the Company needs to contact the User outside the app.

The information will only be stored as long as the User has an active account. Any User may delete their account at any time. Any User can request their account to be deleted immediately inside the App or by contacting support@yfactor.app.

3.2 User content - The Personal Data That the User Provides

This is the data that Users enter themselves when using the Services. This data includes but is not limited to:

a. Basic information: includes nickname, location, age, and family type for future parents.

b. Physical information: includes photos, physical appearance group, height, weight, eye colour, hair colour.

c. Personal information: includes profile description, values, occupation, education, lifestyle habits on tobacco, alcohol and activity, children, donation history for donors.

d. Donation preferences: includes commitment preferences, method preferences, donation type preferences, and family type preferences for donors.

e. Interaction data: includes reports the User makes of other Users, chat conversations with other Users, support conversations, feedback, and any other content the User publishes or uploads to the Service.

3.3 Cookies

The Company uses cookies and similar technologies on the Website to collect data about how the Website is used; for example, how many visitors it has, how much time the visitors spend on the Website, and which pages the visitors are interested in when they visit.

This information is used for statistical purposes to enable the Company to better understand what the visitors are interested in. The Company uses this information to continually improve the Services. This information may also be used for online marketing purposes. For example, if the User has visited the Website or Apps, the User may later see an advertisement from the Company on a platform that the Company advertises on, for example, Facebook, Instagram, or Google Search.

The collection of the information through cookies is based on consent through a cookie banner on the Website, in accordance with GDPR Art. 6(1)(a). In the event that a User is not interested in being tracked and targeted by marketing, the User can change their consent via the cookie banner.

The Company uses the following types of cookies:

a. Necessary cookies - no consent needed (authentication, security, session management, User preferences etc.)

b. Analytics and performance cookies - consent required (Mixpanel)

c. Marketing and third-party cookies - consent required (Google Analytics, Meta Pixel, retargeting ads, etc.)

3.4 Other storage in the mobile application

In the Apps, the Company depends on storage through:

a. Secure authentication storage to store credentials like passwords, tokens, or authentication keys that Users use to log in or verify their identity (e.g., Keychain).

b. Local storage for preferences to allow the Apps to remember the User's choices and improve the user experience (e.g., AsyncStorage).

c. Third-party software development kits (SDKs) store User identifiers or session tokens to provide essential features like analytics, messaging, identity verification, and payments (e.g., Mixpanel, Stream, Veriff, RevenueCat, OneSignal, Crowdin, Singular).

4. Purposes for The Company's processing of the User's Data

The Company uses the Users' data in order to:

a. Provide and improve the Services

b. Verify the Users' identities and maintain account security

c. Analyse app performance and User behavior (via e.g. Mixpanel, Stream, Sentry)

d. Communicate with the Users (e.g., customer support, updates)

e. Prevent fraud and ensure compliance with legal obligations

The Company has the right to analyse and disclose market statistics which can be based on anonymous data from Y factor Users. Y factor never shares identifiable User data with third parties for marketing purposes.

5. Legal Basis for Processing

The Company processes the Users' personal data based on:

a. Each User's Consent (e.g., marketing communications, use of User-uploaded photos with prior written consent)

b. Contract Performance (e.g., required account details e.g. name, e-mail and User type are necessary for providing the Services to the User)

c. Legitimate Interests (e.g., improving and providing the Services, fraud prevention, security)

d. Legal Obligations (e.g., compliance with regulatory requirements)

6. Data Retention

The Users' data (including personal data) is stored securely on AWS servers in Frankfurt, Germany, which comply with GDPR and other applicable legal requirements.

The Company retains each User's data only for as long as necessary to fulfill the purposes outlined in this policy.

Inactive accounts will be automatically deactivated (following notification) after being inactive for 3 months. Deactivated accounts will be automatically deleted (following notification) after being deactivated for 3 years.

After deleting the User's account (either at the User's own initiation or as part of the automatic flow), some of the User's content like chat history, reports of other Users, and support e-mails, might be kept. This is necessary in order for the Company to continue to provide its Services to other Users. When no longer needed, the Company securely deletes or anonymises the User's data.

7. Data Sharing with Third-Parties

The Company may share the User's data with the Company's third-party data processors and others including:

1. Service Providers (e.g., AWS - servers in Frankfurt, Germany, Bitbucket, Apple Developer, Google Play, Mixpanel, Veriff, Stream, Sentry, OneSignal, Crowdin, Singular, RevenueCat, Google Workspace, Freshworks, Meta)

2. Legal Authorities if required by law

3. Other Y factor Users through the Service

4. With the User's Consent, when explicitly approved by the User

8. International Data Transfers

Some of the Company's service providers operate outside the EEA. When the Company transfers the User's data internationally, the Company implements appropriate safeguards such as Standard Contractual Clauses (SCCs) or relies on adequacy decisions.

9. Data Protection Rights

For users in the EU/EEA/UK/Switzerland, to the extent required by GDPR, the User has the right to; and/or for users in the US, to the extent required by applicable laws and regulations of the United States, the Users may have the right to:

a. Right to Know/Access: The User may request that the Company disclose certain information to the User about the Company's collection and use of the User's personal information over the past 12 months. This includes the categories of personal information the Company collected about the User, the categories of sources for the personal information, the Company's business or commercial purpose for collecting, selling, or sharing that personal information, the categories of third parties with whom the Company shares that personal information, and the specific pieces of personal information the Company collected about the User. Accessing the User's personal data is done through the app with immediate effect, using the 'Export my data' function.

b. Right to Correct/Rectify: The User may request that the Company corrects inaccurate personal information that the Company maintains about the User, taking into account the nature of the personal information and the purposes of the processing. Rectifying inaccurate data is done through the App with immediate effect, using the edit functions in Settings and Profile.

c. Right to Data Portability: The User may request to receive the User's data in a structured machine-readable format to transfer to another service. This is done through the App, where the User can request a copy of the User's data sent via email, using the 'Export my data' function.

d. Right to Delete/Be Forgotten: The User may request that the Company deletes any of their personal information that the Company collected from the User and retained, subject to certain exceptions (e.g., to complete a transaction, provide a requested service, or comply with legal obligations). Requesting erasure of the User's data is done through the App with immediate effect, using the 'Delete account' function. The User can request a copy of the User's data sent via email, before deletion, using the 'Export my data' function.

e. Right to Limit Use and Disclosure of Sensitive Personal Information: If the Company collects or uses sensitive personal information, the User has the right to limit the Company's use and disclosure of that information to that which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services.

f. Right to Restrict: The User may restrict processing of the User's data, by pausing their profile, hiding the profile from search results of other users. This is done through the App, under Settings, using the 'Pause profile' function.

g. Right to Object: The User may object to data processing.

h. Right to Non-Discrimination: The Company will not discriminate against the User for exercising any of their data privacy rights, including by denying the User goods or services, charging different prices or rates, or providing a different level or quality of goods or services.

i. Right to Withdraw Consent: The User may at any time withdraw consent for processing based on consent.

To exercise these rights, some things can be done by the User directly via the App, as specified under each right. For other things the User might need to request it through the Company's customer support. The User may contact support at support@yfactor.app with any inquiries in this regard, by submitting a verifiable consumer request. In the request, the User should specify which right they are seeking to exercise and provide sufficient detail to allow the Company to properly understand, evaluate, and respond. The Company may require the User to verify their identity before responding to such requests. This may include providing information such as the User's name, the email address used on the account, or other details that match the Company's records. The Company will respond to the User's verifiable request within 45 days of receipt, though the Company may extend this period by an additional 45 days if reasonably necessary, in which case the Company will notify the User of the extension. If the Company cannot verify the User's identity or authority to make the request, or if the request is manifestly unfounded or excessive, the Company may deny the request or charge a reasonable fee. If the User has an authorized agent submitting a request on User's behalf, the agent must provide proof of authorization, and the Company may still require the User to verify their identity directly with the Company.

If the User has any concerns about the way in which the Company is processing the User's personal data, the User is encouraged to contact the Company first at support@yfactor.app, so we can try to resolve the issue together.

In certain geographies, as listed below, if the User is not satisfied with the Company's response, the User has the right to lodge a complaint.

For users in the EU, the User has a right to lodge a complaint with the Danish Data Protection Agency (Datatilsynet):

Datatilsynet

Carl Jacobsens Vej 35, 2500 Valby, Denmark

Phone: +45 33 19 32 00

Email: dt@datatilsynet.dk

Website: www.datatilsynet.dk

For Users in the UK, the User has the right to lodge a complaint with the British Information Commissioner's Office:

https://ico.org.uk/make-a-complaint/data-protection-complaints/

10. Selling or Sharing of Personal Information

The Company does not sell or share the Users' personal information as such terms are defined by applicable data privacy laws.

11. Automated Decision-Making and Profiling

The Company does not use automated decision-making or profiling that significantly affects the User.

12. CMIA Rights

In addition to the rights described above under clause 9, California residents have specific protections under the Confidentiality of Medical Information Act (CMIA, Cal. Civ. Code §§ 56 et seq.) for "medical information," which includes individually identifiable information about the User's medical history, mental or physical condition, or treatment. Certain data collected through the Services – such as donation preferences, height, weight, eye color, hair color, and other profile details that may relate to fertility or reproductive health – may qualify as medical information under CMIA.

The Company complies with CMIA by protecting and using the User's medical information only as permitted. Key aspects include:

1. Authorization for Disclosures: The Company will not disclose the User's medical information without the User's specific written authorization, except as permitted by CMIA (e.g., for providing the Services, fraud prevention, or legal compliance). Authorizations are voluntary, informed, and revocable at any time via the App or support@yfactor.app.

2. Prohibited Uses: The Company does not use or disclose the User's medical information for marketing without the User's explicit authorization. Third-party disclosures (e.g., to service providers like Veriff) are limited and require CMIA-compliant agreements.

3. Access and Amendment Rights: The User has the right to access their medical information (free of charge) and request amendments if inaccurate. Submit a verifiable request to support@yfactor.app; the Company will respond within 30 days.

4. Data Security: The Company uses reasonable safeguards, including encryption, access controls, and data segregation, to protect the User's medical information. The Company's systems (e.g., AWS) meet CMIA standards.

5. Breach Notification: For unauthorized access or disclosure, the Company will notify the Users and the California Attorney General (if required) within 15 business days of discovery.

6. Private Right of Action: The User may sue for CMIA violations to seek damages or injunctive relief.

To exercise CMIA rights, the User must submit a verifiable request to support@yfactor.app (identity verification may be required). For concerns, contact the California Attorney General's Office.

This section supplements other rights under CCPA/CPRA or federal laws like HIPAA (which does not apply to the Company as Y factor is not a HIPAA-covered entity).

13. Updates to This Privacy Policy

The Company may update this Privacy Policy from time to time. The User will be notified of any significant changes.

14. Contact The Company

For any privacy-related inquiries, please contact the Company at support@yfactor.app