Privacy Policy

Last updated: April 2026

This Privacy Policy explains how yabby ("we", "us", "our"), operated by Andreas Keller, Einzelfirma, Dorfhalde 36, 3612 Steffisburg, Switzerland, collects, uses, and protects personal data when you use our website builder platform at yabby.page and any related services (collectively, the "Service").

We are committed to protecting your privacy in accordance with the Swiss Federal Act on Data Protection (FADP/nDSG) and, where applicable, the EU General Data Protection Regulation (GDPR).

Data Controller

Andreas Keller, Einzelfirma, Dorfhalde 36, 3612 Steffisburg, Switzerland

Email: legal@yabby.page

Information We Collect

Information You Provide

When you create an account and use the Service, we collect:

  • Account information: name, email address, username, and profile image
  • Authentication credentials: password (stored as a cryptographic hash), two-factor authentication secrets, and OAuth tokens when you sign in via Google
  • Organization data: organization name, logo, and membership details
  • Payment information: collected and processed by Stripe (see "Third-Party Service Providers" below); we store Stripe customer IDs and transaction metadata but never your credit card number
  • Website content: website names, descriptions, theme preferences, navigation and social links, and YouTube channel/video data you choose to import
  • Communications: any messages you send us via email or support channels

Information Collected Automatically

When you access the Service, we automatically collect:

  • Session data: IP address, user agent (browser type and version), session tokens, and active organization context
  • Analytics data: page views, traffic sources, referral information, and revenue attribution data, collected via DataFast (see below)
  • Error and performance data: browser errors, performance metrics, and session replays (sampled), collected via Sentry (see below)
  • Cookies: see our Cookie Policy for details

Information from Third Parties

  • Google OAuth: when you sign in with Google, we receive your name, email address, and profile picture from your Google account
  • YouTube Data API: when you connect a YouTube channel, we access publicly available channel metadata, video titles, descriptions, thumbnails, view counts, durations, and playlist information via the YouTube Data API. Our use of the YouTube Data API is subject to the Google Privacy Policy. You can revoke our access to your YouTube data at any time via the Google security settings page
  • Stripe: we receive payment confirmation events, subscription status updates, and customer IDs from Stripe

How We Use Your Information

We use your personal data for the following purposes:

  • Providing the Service: creating and managing your account, building and publishing your websites, syncing YouTube channel data, processing payments and subscriptions
  • Authentication and security: verifying your identity, maintaining session security, enforcing two-factor authentication, detecting and preventing fraud and abuse
  • Communications: sending transactional emails (email verification, password resets, organization invitations, new user notifications) via Resend
  • Billing: processing subscription payments, managing seat-based billing, and sending payment-related notifications via Stripe
  • Analytics and improvement: understanding how the Service is used so we can improve it, attributing marketing channels to conversions via DataFast
  • Error monitoring: identifying and resolving bugs and performance issues via Sentry
  • Legal compliance: complying with applicable laws, regulations, and legal processes
  • Account moderation: enforcing our Terms of Service, including account suspension where necessary

Legal Basis for Processing

We process your personal data on the following legal bases:

  • Contract performance: processing necessary to provide the Service you signed up for (account management, website building, payment processing)
  • Legitimate interests: analytics, error monitoring, security, and fraud prevention, where these interests are not overridden by your rights
  • Consent: where we rely on your consent (e.g., optional cookies), you may withdraw it at any time
  • Legal obligation: where processing is required to comply with applicable law

Third-Party Service Providers

We share personal data with the following third-party service providers, who act as data processors on our behalf:

  • Vercel -- Hosting and infrastructure. Data shared: all data processed by the Service. Location: US (us-east-1).
  • Neon (via Vercel) -- PostgreSQL database hosting. Data shared: all stored data. Location: US (us-east-1).
  • Stripe -- Payment processing. Data shared: name, email, billing details, transaction data. Location: US.
  • Resend -- Transactional email delivery. Data shared: email addresses, names, email content. Location: US.
  • Sentry -- Error monitoring and session replay. Data shared: IP address (anonymized), browser metadata, error traces, sampled session replays. Location: US.
  • DataFast -- Web analytics and revenue attribution. Data shared: page views, traffic sources, visitor IDs (cookie-based), revenue attribution data. Location: see DataFast's privacy policy.
  • Google (OAuth & YouTube Data API) -- Authentication and YouTube data access. Data shared: OAuth tokens, YouTube channel/video metadata. Location: US.
  • Cloudflare -- CAPTCHA verification (Turnstile). Data shared: IP address, browser metadata. Location: global.

Each provider processes data in accordance with their own privacy policy and our data processing agreements.

International Data Transfers

Our Service is hosted in the United States (us-east-1 region). If you are accessing the Service from Switzerland, the EU/EEA, or another jurisdiction, your personal data will be transferred to the United States. We ensure appropriate safeguards are in place for such transfers, including:

  • Standard contractual clauses (SCCs) where required
  • Data processing agreements with all sub-processors
  • Reliance on adequacy decisions where applicable

Data Retention

We retain your personal data for as long as your account is active or as needed to provide the Service. Specifically:

  • Account data: retained until you delete your account
  • Session data: sessions expire after the configured inactivity period and are then deleted
  • Payment records: retained as required by applicable tax and accounting laws (typically 10 years under Swiss law)
  • Analytics data: retained according to DataFast's retention policy
  • Error monitoring data: retained according to Sentry's retention policy (typically 90 days)
  • Email delivery logs: retained according to Resend's retention policy

When you delete your account, we delete your personal data and all associated content within 30 days, except where retention is required by law.

Your Rights

Under the Swiss FADP and, where applicable, the GDPR, you have the following rights:

  • Access: request a copy of the personal data we hold about you
  • Rectification: request correction of inaccurate personal data
  • Deletion: request deletion of your personal data (you can also delete your account directly in the dashboard)
  • Data portability: request a copy of your data in a structured, machine-readable format
  • Objection: object to processing based on legitimate interests
  • Restriction: request that we restrict processing of your data
  • Withdraw consent: where processing is based on consent, withdraw it at any time

To exercise any of these rights, contact us at legal@yabby.page. We will respond within 30 days.

You also have the right to lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC) or, if applicable, your local EU/EEA supervisory authority.

Security

We take appropriate technical and organizational measures to protect your personal data, including:

  • Encrypted data transmission (TLS/HTTPS)
  • Hashed passwords (never stored in plain text)
  • Two-factor authentication support
  • Role-based access controls within organizations
  • Organization-level data isolation (multi-tenant architecture)
  • Automated session expiry

No method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your personal data, we cannot guarantee absolute security.

Children

The Service is not directed to children under 16. We do not knowingly collect personal data from children under 16. If we learn that we have collected personal data from a child under 16, we will take steps to delete that data promptly.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and updating the "Last updated" date. Your continued use of the Service after such changes constitutes acceptance of the updated policy.

Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us at:

Email: legal@yabby.page

Address: Andreas Keller, Dorfhalde 36, 3612 Steffisburg, Switzerland