YumiConnect.← Back to home

Legal · 02

Privacy Policy

Last updated · 31 May 2026

This Privacy Policy explains how Yumi Connect collects, uses, and protects the personal data of people who use our Service: both cardholders (you) and visitors who scan or open your card.

1. Data we collect from cardholders

  • Account data — email, sign-in tokens (we use magic-link OTP by default; passwords are optional and stored hashed via Supabase Auth).
  • Profile data you publish — the name, role, photo, links, achievements, and stats you choose to display on your card.
  • Payment metadata — plan, amount, payment status, invoice numbers. Card numbers and UPI handles are processed by Cashfree and never touch our servers.
  • Usage data — IP address, browser type, pages visited, in aggregated form for analytics and abuse detection.

2. Data we collect from your visitors

  • Only what they submit through Snap & Link — their name, phone, email, role, an optional note, and (if they choose) a selfie. They press a clear “Save Connection” button before any of it leaves their phone.
  • We treat that submission as belonging to you, the cardholder. We don’t mine it, sell it, or use it for our own marketing.

3. Why we use this data

  • To operate the Service: host your card, render it in AR, route lead submissions.
  • To communicate with you: receipts, security alerts, product updates you can opt out of.
  • To improve the Service: aggregate analytics, debug crashes, prevent abuse.
  • To meet legal obligations: tax invoices, fraud reporting, lawful requests from authorities.

4. Who we share it with

We share data only with sub-processors who help us run the Service:

  • Supabase — auth, database, file storage. Hosted on AWS, region ap-south-1 (Mumbai).
  • Cashfree — payments. Regulated by the RBI.
  • Resend — transactional emails (lead notifications, receipts).
  • Vercel — hosting and CDN.

We don’t sell your data and we don’t share it for advertising.

5. How long we keep it

  • Account and card data: for as long as your account exists, plus 90 days backup.
  • Lead submissions: for as long as you keep them in your dashboard. Delete any row any time.
  • Payment records: 7 years (Indian tax law).
  • Server logs: 30 days.

6. Security

Data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Sign-in uses Supabase Auth with email OTP by default. We run least-privilege Postgres roles, RLS on every table, and rotate keys quarterly.

7. Your rights

Under the DPDP Act 2023 and other applicable laws, you may:

  • access the personal data we hold about you,
  • correct anything that’s wrong,
  • delete your account and request erasure,
  • export your card and leads (CSV), and
  • nominate someone to act on your behalf.

Email hello@yumi.app with any of these requests. We reply within 7 working days.

8. Cookies

We use only essential cookies: a sign-in session cookie and a cross-site-request-forgery token. We don’t use third-party advertising or behavioural-tracking cookies.

9. Children

Yumi Connect is not directed at children under 18 and we don’t knowingly collect their data. Tell us if you believe we have, and we’ll delete it.

10. Changes

If we materially change this policy, we’ll email everyone with an active account at least 14 days before the change takes effect.

11. Contact & grievance

Grievance officer: Muhibbuddin Shaid Hakkeem, Chennai. Reach us at hello@yumi.app.

Questions? Email hello@yumi.app.