Privacy Policy
Draft for review — last updated 26 May 2026. Effective date: [effective date to be confirmed].
This Privacy Policy explains how personal data is collected, used, and protected in connection with YeahApp, the community operating system for civil society organisations. YeahApp is a product of Elevatech Oy, a limited company (osakeyhtiö) registered in Finland under business ID (Y-tunnus) 3417825-3, with its registered address at Mannerheiminaukio 1, 00100 Helsinki, Finland (“YeahApp”, “we”, “us”).
It applies to this marketing website (yeahapp.co) and to the YeahApp application at app.yeahapp.co. We process personal data in line with the EU General Data Protection Regulation (GDPR) and the Finnish Data Protection Act.
1. Controller and processor roles
Elevatech Oy is the data controller for the personal data of the organisers and administrators who hold a YeahApp account, and for visitors to this website.
For the member directories that community organisers build and manage inside YeahApp, the organising community is the data controller and Elevatech Oy acts as a data processor, processing that data on the community’s instructions and under our Data Processing terms.
2. Data we collect
Account and profile data. Name, email address, phone number, date of birth, password credentials, and optional profile details such as a biography and avatar.
Community and member-directory data. When a community uses YeahApp, the directory may include each member’s name and contact details, join date, event attendance history, QR check-in records, membership tier and status, payment history, and responses to custom forms configured by the community.
Payment data. Billing details needed to process subscription fees, ticket sales, and membership dues. Card numbers are handled directly by Stripe — we never receive or store them.
Technical and usage data. IP address, device and browser information, and — where you have consented — analytics data about how the website is used.
3. How we use personal data
- To provide, operate, and secure the YeahApp service.
- To process payments, subscriptions, and payouts through Stripe.
- To send transactional messages such as confirmations, receipts, and account notices.
- To send product updates or marketing only where you have opted in.
- To understand and improve website performance, with your consent.
- To comply with legal, accounting, and tax obligations.
4. Legal bases
We rely on the following GDPR Article 6 legal bases: performance of a contract (providing the service you sign up for); consent (analytics cookies and optional marketing); legitimate interests (securing and improving the service, and operating our sales and customer-relationship processes, including AI-assisted help for our staff); and legal obligation (financial record-keeping and responding to lawful requests).
5. Subprocessors
We rely on a small number of vetted service providers to run YeahApp. Each processes personal data only as needed to provide its service and under a data processing agreement.
| Provider | Purpose | Data involved |
|---|---|---|
| Vercel | Application hosting and content delivery | Technical data, data in transit |
| Neon | Managed PostgreSQL database | All persistent account and community data |
| Stripe | Payment processing and Stripe Connect payouts | Name, email, billing and payout details |
| UploadThing | File and image uploads | Profile images, form attachments |
| Resend / Plunk | Transactional and notification email | Email address, email content |
| Optional OAuth sign-in | Name, email, profile picture | |
| Google Analytics | Website analytics (loaded only with your consent) | Pseudonymous usage and device data |
| Anthropic | AI assistant features in our sales tooling — drafting, summarisation, analytics | CRM data sent as model context: contact names, email addresses, notes, email content |
Account authentication is handled by a self-hosted Better Auth setup running on our own infrastructure.
6. AI-assisted features
We use an AI assistant in our internal sales tooling to help our staff draft emails, summarise records, and answer analytics questions about our own prospect and account data.
To do this, the relevant personal data — such as contact names, email addresses, notes, and email-thread content — is sent to Anthropic, our AI provider, to be processed as model input. Anthropic acts as our processor under a data processing agreement (incorporating the European Commission’s Standard Contractual Clauses) and does not use this data to train its models. By default, Anthropic deletes API inputs and outputs within 30 days of receipt [confirm whether a zero-retention agreement is in place for our use]. Anthropic processes data in the United States unless an EU-region deployment is used [confirm our processing region].
The assistant is human-supervised — a person reviews and decides on any action; for example, an email is only ever sent by a staff member, never automatically. We do not use it to make decisions producing legal or similarly significant effects about you by solely automated means (GDPR Art. 22).
Processing by Anthropic may occur outside the EU/EEA; such transfers are covered by appropriate safeguards — see “International transfers” below.
7. Payments
Payments are processed by Stripe. Each community organiser connects their own Stripe account through Stripe Connect; subscription fees, ticket sales, and membership dues are split at Stripe between our platform fee and the organiser’s balance, and payouts are made by Stripe directly to the organiser. Elevatech Oy never holds member funds and never stores card details. Stripe’s processing is governed by its own privacy policy.
8. Data residency and security
YeahApp is designed and engineered in the EU, and we host member data with EU data residency in mind [exact data region to be confirmed]. Personal data is encrypted in transit and at rest. Higher service tiers add configurable retention windows, and the Enterprise tier offers the option of a self-hosted database for full data sovereignty.
9. Cookies and analytics
This website uses essential cookies required for it to function. It also uses Google Analytics to understand site usage — this loads only after you accept through the cookie banner shown on your first visit. If you decline, no analytics cookies are set. You can change your choice at any time by clearing your browser storage for this site.
10. Data retention
We retain personal data for as long as an account or community remains active, and afterwards only as long as needed for the purposes described here or as required by law (for example, financial records kept for statutory accounting periods). When an account is deleted, associated personal data is deleted or anonymised.
11. Your rights
Under the GDPR you have the right to access your personal data, to have it corrected or erased, to restrict or object to processing, to data portability, and to withdraw consent at any time. To exercise these rights, contact us using the details below.
If a community holds your data as the controller (for example, as a member of its directory), please direct directory-related requests to that community; we will support them as their processor.
You also have the right to lodge a complaint with the Finnish Data Protection Ombudsman (Tietosuojavaltuutetun toimisto) or your local supervisory authority.
12. International transfers
Where a subprocessor processes data outside the EU/EEA, that transfer is covered by appropriate safeguards such as the European Commission’s Standard Contractual Clauses. For example, Anthropic (United States) — our AI provider for the sales tooling described in “AI-assisted features” — processes the relevant CRM data under such Standard Contractual Clauses.
13. Children
YeahApp is intended for organisations and their adult members. It is not directed at children, and we do not knowingly collect personal data from children without an appropriate legal basis and any required parental consent.
14. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated through the service or this page, and the “last updated” date above will be revised.
15. Contact
For any privacy question or to exercise your rights, contact us at support@yeahapp.co [dedicated privacy/DPO contact email to be confirmed], or by post to Elevatech Oy, Mannerheiminaukio 1, 00100 Helsinki, Finland.
This document is a working draft and not yet legal advice. Bracketed items must be confirmed, and it should be reviewed by qualified counsel before publication.