privacy policy

Privacy Policy

Published: March 27th, 2026 - Last updated: March 27th, 2026

1. Who We Are

This Privacy Policy explains how Thrive Route Digital Limited ("YesHello", "we", "us"), a company incorporated in Hong Kong (BRN: 73780714), collects, uses, stores, and protects personal data when you use the YesHello platform at yeshello.app (the "Service").

Registered Address: 21/F CMA Building, 64 Connaught Road Central, Hong Kong Privacy Contact: [email protected]

This policy applies to all users of the Service globally. If you are located in a specific region, additional rights may apply to you under Section 10.

2. What Data We Collect

2.1 Data You Provide Directly

Account Data: Name, email address, password, and any profile information you provide during registration.

Billing Data: When you purchase a paid Plan, Stripe collects your payment card details directly. We receive and store only: Stripe customer ID, Stripe event IDs, last four digits of your card, card brand, expiry date, billing country, and transaction timestamps. We never receive, process, or store full card numbers, CVV codes, or other sensitive payment authentication data.

Card Content: Text, images, links, and other content you upload or create on your Cards.

Form Submissions: If you use lead capture forms on your Cards, we store the data submitted by your Visitors on your behalf. You are the data controller for this data; see Section 5.

Communications: Emails, support requests, and messages you send us.

2.2 Data Collected Automatically

Usage Data: Pages visited within the Service, features used, actions taken, timestamps, referring URLs, and session duration.

Device and Browser Data: IP address, browser type and version, operating system, device type, screen resolution, and language preference.

Card Analytics: When Visitors view or interact with your Cards, we collect: page views, click events, referral source, Visitor IP address (anonymised for analytics), browser type, device type, and country-level geolocation derived from IP address.

2.3 Data from Third Parties

Stripe: Transaction confirmations, payment status updates, and dispute notifications.

Google (where enabled): Google Reviews data associated with a business profile you connect to your Card.

DataForSEO (where enabled): Google Reviews data retrieval for display on your Card.

AI Content Generation: When you use the AI-from-URL feature, we retrieve publicly available content from the URL you provide to generate Card content. We do not store the source URL content after generation is complete.

2.4 Data We Do Not Collect

We do not collect: biometric data, health data, data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, or data concerning sex life or sexual orientation.

3. How We Use Your Data

We process personal data only for the following purposes:

PurposeLegal Basis (GDPR)Providing and operating the Service, including creating and displaying your CardsPerformance of contractProcessing payments and managing subscriptionsPerformance of contractSending transactional emails (account confirmations, billing receipts, security alerts)Performance of contractProviding customer supportPerformance of contractGenerating analytics visible in your Account dashboardLegitimate interestDetecting and preventing fraud, abuse, and security incidentsLegitimate interestEnforcing our Terms and Conditions and Acceptable Use PolicyLegitimate interestSending product updates and feature announcementsLegitimate interest (with opt-out)Improving the Service based on aggregated, anonymised usage patternsLegitimate interestComplying with legal obligations (tax records, law enforcement requests)Legal obligation

We do not use your data for behavioural advertising. We do not sell your data. We do not share your data with data brokers.

4. How We Share Your Data

We share personal data only in the following circumstances:

4.1 Service Providers (Sub-processors)

ProviderPurposeLocationData SharedNetcup GmbHServer hostingGermanyAll data stored on the platformStripe, Inc.Payment processingUS / GlobalBilling data (card data goes directly from your browser to Stripe)Google LLCGoogle Reviews display (where enabled by you)US / GlobalBusiness profile identifierDataForSEOGoogle Reviews retrieval (where enabled by you)USBusiness profile identifier

All sub-processors are bound by data processing agreements that impose obligations materially equivalent to those in our Data Processing Addendum (https://yeshello.app/page/dpa).

4.2 Webhook Recipients

When you configure webhooks, form submission data is transmitted to the third-party endpoint you designate. You direct this transfer; the recipient is not our sub-processor. You are responsible for the recipient's data practices.

4.3 Legal Requirements

We may disclose personal data if required by law, court order, or governmental regulation, or if disclosure is necessary to protect our rights, your safety, or the safety of others.

4.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the acquiring entity. We will notify you before your data becomes subject to a different privacy policy.

4.5 With Your Consent

We may share data in other circumstances with your explicit consent.

We do not sell personal data. We do not share personal data for cross-context behavioural advertising.

5. Visitor Data and Your Role as Data Controller

When you collect personal data from Visitors through your Cards' lead capture forms, you are the data controller for that Visitor Data. YesHello processes it on your behalf as a data processor.

Your obligations: You must have a lawful basis to collect Visitor Data, provide Visitors with your own privacy notice, and respond to their data rights requests. Full details are in our Data Processing Addendum at https://yeshello.app/page/dpa.

Our obligations: We process Visitor Data solely on your documented instructions, implement appropriate security measures, notify you of breaches within 72 hours, and delete Visitor Data within 60 days of Account termination.

6. Cookies and Tracking

6.1 Cookies We Use

Strictly Necessary Cookies: Authentication tokens, session identifiers, and security cookies required for the Service to function. These cannot be disabled.

Analytics Cookies: We use first-party analytics to understand how Users interact with the Service. This data is aggregated and does not identify individual users. You may opt out of analytics cookies via the cookie settings on the Service.

6.2 Cookies We Do Not Use

We do not use third-party advertising cookies. We do not use tracking pixels for ad networks. We do not use session replay or screen recording tools. We do not participate in ad exchanges or real-time bidding.

6.3 Cookies on Your Cards

Cards served to Visitors use only strictly necessary cookies for functionality (such as form state). We do not place advertising or tracking cookies on Visitor-facing Card pages.

7. Data Storage and Security

7.1 Where We Store Data

All personal data is hosted on servers located in Germany operated by Netcup GmbH.

7.2 Security Measures

We implement the following measures to protect your data: encryption in transit using TLS 1.2 or higher; encryption at rest for stored personal data; role-based access controls with principle of least privilege; automated backups with tested recovery procedures; firewall protection and network monitoring; regular software updates and security patching; documented incident response procedures.

7.3 Payment Security

Payment card data is collected directly by Stripe's PCI DSS Level 1-validated infrastructure. Card data never touches our servers. We maintain compliance with applicable PCI DSS requirements for our integration method.

7.4 No Absolute Guarantee

No system is completely secure. While we take reasonable measures to protect your data, we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your Account credentials.

8. Data Retention

Data TypeRetention PeriodAccount DataDuration of active Account, plus 30 days after deletionBilling Data and Transaction Records7 years from transaction date (legal and tax obligations)Card ContentDuration of active Account, plus 30 days after deletionVisitor Data (form submissions)Duration of active Account, plus 60 days after terminationUsage Data and Analytics24 months, then aggregated and anonymisedSupport Communications3 years from resolutionServer Logs90 days

After the retention period expires, data is permanently deleted or irreversibly anonymised. You may request earlier deletion of your data at any time (see Section 9).

9. Your Rights

9.1 Rights Under GDPR (EEA, UK, Switzerland)

If you are located in the European Economic Area, UK, or Switzerland, you have the right to: access your personal data and receive a copy; rectify inaccurate or incomplete data; erase your data ("right to be forgotten"); restrict processing in certain circumstances; data portability (receive your data in a structured, machine-readable format); object to processing based on legitimate interest; withdraw consent at any time, where processing is based on consent; lodge a complaint with your local data protection supervisory authority.

9.2 Rights Under CCPA/CPRA (California Residents)

If you are a California resident, you have the right to: know what personal information we collect, use, and disclose; delete your personal information; correct inaccurate personal information; opt out of the sale or sharing of personal information (we do not sell or share your data, so this right is already satisfied); limit the use of sensitive personal information (we do not use sensitive personal information beyond what is necessary to provide the Service); non-discrimination for exercising your privacy rights.

Categories of personal information collected in the preceding 12 months: Identifiers (name, email, IP address); commercial information (transaction history, subscription plan); internet activity (usage data, analytics); geolocation data (country-level, derived from IP).

Categories sold or shared: None. We do not sell or share personal information.

Categories disclosed to service providers: Identifiers and commercial information to Stripe for payment processing. All categories to Netcup for hosting.

9.3 Rights Under Hong Kong PDPO

If you are located in Hong Kong, you have the right to: access your personal data held by us; correct any inaccurate personal data; request that we cease using your data for direct marketing.

9.4 Rights Under Other Jurisdictions

If you are located in Brazil (LGPD), Canada (PIPEDA), Australia (Privacy Act 1988), or another jurisdiction with applicable data protection law, you may have similar rights. Contact us at [email protected] and we will honour your request in accordance with applicable law.

9.5 How to Exercise Your Rights

Submit requests to [email protected]. We will verify your identity and respond within: 30 days for GDPR requests; 45 days for CCPA requests (extendable by 45 days with notice); 40 days for PDPO requests. All requests are free of charge unless manifestly unfounded or excessive.

10. Region-Specific Disclosures

10.1 European Economic Area, UK, and Switzerland

Data Controller: Thrive Route Digital Limited, 21/F CMA Building, 64 Connaught Road Central, Hong Kong.

Legal Bases for Processing: See the table in Section 3. Where we rely on legitimate interest, we have conducted balancing tests and concluded that our interests do not override your fundamental rights and freedoms.

International Transfers: Your data is hosted in Germany (adequate protection within the EEA). Where data is transferred to sub-processors outside the EEA (such as Stripe in the US), we rely on Standard Contractual Clauses or the EU-US Data Privacy Framework, as applicable.

Supervisory Authority: You have the right to lodge a complaint with the data protection authority in your country of residence. A list of EU supervisory authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en.

10.2 California (CCPA/CPRA)

This section supplements Section 9.2 with disclosures required by the CCPA as amended.

Do Not Sell or Share: YesHello does not sell personal information. YesHello does not share personal information for cross-context behavioural advertising.

Sensitive Personal Information: We collect email addresses and Account credentials, which are classified as sensitive under the CCPA. We use these solely to provide the Service and do not use or disclose them for purposes beyond what is necessary to provide the Service.

Retention: See Section 8 for retention periods by category.

Financial Incentives: We do not offer financial incentives in exchange for personal information.

10.3 Hong Kong

We comply with the six Data Protection Principles of the Personal Data (Privacy) Ordinance (Cap. 486): data is collected for a lawful purpose directly related to the Service; practical steps are taken to ensure data accuracy; data is not kept longer than necessary; data is used only for the purpose for which it was collected, unless consent is obtained; reasonable security measures are in place; information about our data policies is publicly available in this Privacy Policy.

10.4 Australia

We comply with the Australian Privacy Principles under the Privacy Act 1988 (Cth) to the extent that we are required to do so. You may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at https://www.oaic.gov.au.

11. Children

The Service is not directed at children under the age of sixteen (16). We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16, we will delete it promptly. If you believe a child has provided us with personal data, contact us at [email protected].

12. AI and Automated Processing

12.1 AI-Generated Content

When you use the AI-from-URL feature, we process the URL you provide to generate Card content. The source content is processed temporarily and not retained after generation. The generated content becomes your User Content.

12.2 No Automated Decision-Making

We do not use automated decision-making or profiling that produces legal effects or similarly significant effects on you.

12.3 AI Training

We do not use your personal data, User Content, or Visitor Data to train AI or machine learning models, except where we use aggregated, anonymised data that cannot be linked to any individual, or where you have provided explicit consent.

13. Third-Party Links

Your Cards may contain links to third-party websites. This Privacy Policy does not apply to those websites. We are not responsible for their privacy practices. We encourage you to read the privacy policies of any third-party website you visit.

14. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will notify you by email at least thirty (30) days before the changes take effect and post a notice on the Service. For non-material changes (corrections, clarifications), we will update this page with a new "Last Updated" date.

Previous versions of this Privacy Policy are available at https://yeshello.app/page/privacy-policy.

15. Contact Us

If you have questions about this Privacy Policy, wish to exercise your data rights, or want to lodge a complaint:

Thrive Route Digital Limited 21/F CMA Building, 64 Connaught Road Central, Hong Kong Email: [email protected] General Support: [email protected] Website: https://yeshello.app