Yumo Yumo Privacy Notice
Last Updated: April 20, 2026
This Privacy Notice explains which personal data Yumo Yumo collects, why we process it, who we share it with, and how anonymized or aggregated insight products may be created from eligible datasets.
Data Controller
Yumo Yumo Inc. is the company responsible for Yumo Yumo. Registered mailing address: 8 The Green Suite B, Dover, DE 19901, United States. Phone: +1 302-719-1468. Email: info@yumoyumo.com.
1. Data We Collect
Depending on how you use the Services, we may collect your email address, username, password hash, country, birth date, receipt data, wallet address, support messages, session logs, IP address, device or browser information, captcha verification results, and email verification or password reset records.
2. Why We Process Data
We process personal data to create and secure your account, verify your email, reset your password, provide receipt and spending analysis, support rewards features, respond to support requests, prevent abuse and fraud, keep the platform secure, and comply with legal obligations.
3. Anonymized and Aggregated Insight Products
We may transform eligible datasets into anonymized or aggregated outputs by removing or reducing data points that directly identify a person. These outputs may be used to generate statistics, benchmarks, market insights, analytics, reports, and product intelligence. Where those outputs no longer identify a specific person, they may be shared, licensed, commercialized, or offered to partners or customers.
4. Legal Basis
Where applicable, we process personal data because it is necessary to perform our contract with you, to protect legitimate interests such as security and fraud prevention, to comply with legal obligations, or because you have given consent for optional processing. Not every processing activity depends on consent.
5. Service Providers and Recipients
We may use infrastructure, hosting, database, email, security, analytics, AI, fraud prevention, wallet, blockchain, and support vendors to operate the Services. Current or planned vendors may include Vercel, Neon, Vercel Blob, Cloudflare Turnstile, Resend, Google APIs including Gemini, Vision, Maps and Places, OpenAI, Axiom, Solana infrastructure, wallet providers, and similar service providers. We may also disclose data to regulators, courts, or public authorities where legally required.
6. International Transfers
Because some of our vendors or servers may operate internationally, your data may be processed in countries outside your own jurisdiction. Where required, we aim to use appropriate safeguards such as data processing agreements, standard contractual clauses, transfer impact assessments, access controls, encryption, and data minimization.
7. Retention
We keep personal data only for as long as needed for the purposes described in this Notice, for account security, for service continuity, or to meet legal, tax, audit, and dispute-resolution obligations. Receipt image files are designed to be deleted from blob storage after approximately 48 hours, while receipt metadata, reward ledgers, fraud records, consent logs, and account records may be retained longer where needed for product integrity, legal compliance, dispute handling, and abuse prevention.
8. Your Rights
Depending on where you live, you may have rights to request access to your data, ask for correction or deletion, object to certain processing, request restriction, ask for portability, withdraw consent for optional processing where consent was used, appeal or complain to a privacy authority, or opt out of sale, sharing, or targeted advertising where those rights apply. To make a request, email info@yumoyumo.com. We may need to verify your identity before fulfilling the request. In-app automated account deletion and export are not available in this first version; requests are handled through the email workflow.
9. Security
We use reasonable technical and organizational measures to protect data, including access controls, hashed passwords, and operational security practices. No system can guarantee absolute security.
10. Age Restriction
The Services are intended for adults. You must be at least 18 years old, or the age of legal majority in your jurisdiction, to create an account.
11. Cookies and Similar Technologies
We use strictly necessary cookies and similar local storage technologies for security, authentication, abuse prevention, language preferences, and core site functionality. Where optional cookies or similar technologies are used for functional preferences or analytics, we ask for your choice before enabling them. You may reject optional cookies and continue using the Services. You can reopen Cookie Preferences from the site footer or app settings. If your browser sends a Global Privacy Control signal, we treat it as a request to keep analytics and targeted tracking off where applicable.
12. Sale, Sharing, and Targeted Advertising
We do not sell personal information. We do not intentionally share personal information for cross-context behavioral advertising or targeted advertising in the current product setup. If this changes, we will update this Notice, provide the legally required opt-out controls, and honor applicable Global Privacy Control signals.
13. Privacy Request Process
Send privacy requests to info@yumoyumo.com from the email address attached to your account when possible. Include the request type, your username, and enough information for us to verify the account. We will record the request, verify identity, review legal exceptions, respond within the timeline required by applicable law, and explain if we cannot complete a request in full.
14. Updates
We may update this Privacy Notice from time to time. Material updates may be announced through the website, app, or another appropriate digital channel.
15. Contact
For privacy or data protection questions, contact us at info@yumoyumo.com. You may also contact Yumo Yumo Inc. by phone at +1 302-719-1468 or by mail at 8 The Green Suite B, Dover, DE 19901, United States.
Data categories and purposes
| Category | Purpose / legal basis | Typical recipients |
|---|---|---|
| Account data | Create accounts, authenticate users, provide service, security, legal compliance | Hosting, database, email, security providers |
| Receipt data and metadata | Analyze receipts, generate insights, detect fraud, calculate rewards | Hosting, blob storage, AI/OCR providers, database providers |
| Wallet and reward data | Support utility rewards, eligibility, blockchain-related features when enabled | Wallet providers, blockchain infrastructure, analytics and fraud systems |
| Support and request data | Respond to support, privacy, legal, and security requests | Email, support, hosting, database providers |
| Cookie and device data | Security, language, preferences, optional analytics where allowed | Hosting, analytics, security providers |
Retention schedule
| Data type | Default retention approach | Notes |
|---|---|---|
| Receipt images | Approximately 48 hours after upload | May be kept longer only if required for abuse, legal, or dispute handling |
| Receipt metadata and analysis outputs | For account life plus legal/audit needs | Used for insights, reward records, fraud prevention, and account history |
| Account and consent records | For account life plus legal limitation periods | Includes Terms, Privacy, cookie, and marketing consent records |
| Security, fraud, and abuse logs | As needed for platform integrity | May be retained after account closure where legally permitted |
| Waitlist and marketing records | Until unsubscribe, deletion request, or business need ends | Suppression records may be retained to honor unsubscribe requests |
Subprocessors and transfers
| Vendor / category | Role | Transfer safeguard |
|---|---|---|
| Vercel / Vercel Blob | Hosting, deployment, blob storage | Vendor DPA, technical safeguards, transfer safeguards where required |
| Neon | PostgreSQL database | Vendor DPA, access controls, transfer safeguards where required |
| Cloudflare Turnstile | Captcha and abuse prevention | Vendor terms/DPA, security purpose limitation |
| Resend | Transactional email | Vendor DPA, email delivery controls |
| Google APIs, Gemini, Vision, Maps, Places | OCR, AI analysis, maps and place enrichment | Vendor terms/DPA, data minimization, transfer safeguards where required |
| OpenAI | AI-assisted analysis where configured | Vendor terms/DPA, data minimization, transfer safeguards where required |
| Axiom | Operational logging when enabled | Vendor DPA, log minimization |
| Wallet and Solana providers | Wallet connection and blockchain infrastructure | Public-chain constraints, user-controlled wallet interactions |
This Notice should be read together with the Terms & Conditions and the disclosures shown during signup.
Last Updated: April 20, 2026