Privacy Policy

Effective Date: January 12, 2026
Last Updated: January 12, 2026

1. Introduction

YottaNest ("we," "our," or "us") is committed to protecting your privacy and ensuring the security of your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered compliance automation platform for European banking institutions.

As a compliance technology provider serving the financial sector, we adhere to the highest standards of data protection, including full compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

2. Data Controller

YottaNest acts as the data controller for personal data processed through our services. You can contact us at:

Email: privacy@yottanest.com

Address: Sofia, Bulgaria

Data Protection Officer: dpo@yottanest.com

3. Information We Collect

3.1 Information You Provide to Us

  • Account Information: Name, email address, company name, job title, phone number
  • Business Information: Organization details, banking license information, regulatory identifiers
  • Payment Information: Billing address and payment details (processed securely through third-party payment processors)
  • Communications: Content of messages, support tickets, and feedback you send to us

3.2 Customer Data Processed Through Our Services

  • KYC/AML Data: Customer information processed for compliance purposes (names, addresses, identification documents, beneficial ownership structures)
  • Compliance Documents: Reports, risk assessments, and regulatory documentation
  • Public Registry Data: Information collected from EU business registries, sanction lists, and PEP databases

Note: For customer data processed on behalf of our clients, we act as a data processor. Our clients remain the data controllers responsible for the lawfulness of processing.

3.3 Automatically Collected Information

  • Usage Data: Pages viewed, features used, time spent, click patterns
  • Device Information: IP address, browser type, operating system, device identifiers
  • Log Data: Server logs, error reports, system activity
  • Cookies and Tracking: See our Cookie Policy for details

4. How We Use Your Information

We process your personal data for the following purposes:

4.1 Service Delivery

  • Providing access to our compliance automation platform
  • Processing KYC/AML compliance workflows
  • Generating compliance reports and risk assessments
  • Maintaining and improving service functionality

4.2 Business Operations

  • Account management and billing
  • Customer support and technical assistance
  • Communicating about service updates and new features
  • Conducting analytics to improve our services

4.3 Legal and Regulatory Compliance

  • Complying with legal obligations and regulatory requirements
  • Responding to lawful requests from authorities
  • Protecting against fraud and security threats
  • Enforcing our terms and conditions

4.4 AI and Machine Learning

We use AI/ML models to automate compliance processes. Our AI systems:

  • Extract and analyze data from public registries
  • Identify potential compliance risks and red flags
  • Generate recommendations for human review (human-in-the-loop approach)
  • Improve accuracy through supervised learning on anonymized data

Important: Final compliance decisions are always made by qualified human professionals, not AI systems alone.

5. Legal Basis for Processing (GDPR)

Under GDPR, we process personal data based on:

  • Contractual Necessity: Processing required to deliver our services under our agreement with you
  • Legal Obligation: Compliance with financial regulations, AML/KYC laws, and data protection requirements
  • Legitimate Interests: Improving our services, preventing fraud, and ensuring security (balanced against your rights)
  • Consent: Where you have provided explicit consent (e.g., marketing communications)

6. Data Sharing and Disclosure

We do not sell your personal data. We may share information with:

6.1 Service Providers

  • Cloud infrastructure providers (EU-based)
  • Payment processors
  • Customer support tools
  • Analytics and monitoring services

All third-party processors are bound by data processing agreements and GDPR compliance requirements.

6.2 Legal Requirements

We may disclose information when required by law, regulation, or legal process, including:

  • Responding to court orders or subpoenas
  • Complying with regulatory investigations
  • Reporting suspicious activities to financial authorities
  • Protecting our legal rights and safety

6.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity, subject to the same privacy protections.

7. Data Security

We implement industry-leading security measures to protect your data:

  • Encryption: AES-256 encryption at rest, TLS 1.3 in transit
  • Access Controls: Role-based access, multi-factor authentication, audit logging
  • Infrastructure Security: Data centers covered by SOC 2 Type II attestation reports, DDoS protection, intrusion detection
  • Regular Audits: Third-party security assessments and penetration testing
  • Incident Response: 24/7 monitoring and breach notification procedures

For clients requiring on-premise deployment, all data remains within your infrastructure with zero external transmission.

8. Data Retention

We retain personal data only as long as necessary for the purposes outlined in this policy:

  • Account Data: Duration of your subscription plus 90 days for account closure processes
  • Compliance Records: Minimum 5 years from the end of the business relationship or the date of the relevant transaction, as required by EU AML/KYC regulations (or longer if mandated by local law)
  • Audit Logs: 7 years for regulatory compliance
  • Marketing Data: Until you withdraw consent or request deletion

After retention periods expire, data is securely deleted or anonymized.

9. Your Privacy Rights

Under GDPR and other privacy laws, you have the following rights:

1. Right to Access

Request a copy of your personal data we hold

2. Right to Rectification

Correct inaccurate or incomplete data

3. Right to Erasure

Request deletion of your data ("right to be forgotten")

4. Right to Restriction

Limit how we use your data

5. Right to Data Portability

Receive your data in a machine-readable format

6. Right to Object

Object to processing based on legitimate interests

7. Right to Withdraw Consent

Withdraw consent for processing at any time

8. Right to Lodge a Complaint

File a complaint with your local data protection authority

To exercise these rights, contact us at privacy@yottanest.com. We will respond without undue delay and in any event within one month of receipt of your request, as required by GDPR.

Note: Some rights may be limited by legal obligations to retain certain data for regulatory compliance (e.g., AML record-keeping requirements).

10. International Data Transfers

YottaNest is committed to EU data sovereignty:

  • EU Cloud Option: All data stored and processed exclusively within EU data centers (Frankfurt, Amsterdam)
  • On-Premise Option: Zero data transfer outside your infrastructure
  • Limited Third-Country Transfers: If any data is transferred outside the EU/EEA, we use Standard Contractual Clauses (SCCs) approved by the European Commission

We do not transfer personal data to countries without adequate data protection levels unless properly safeguarded.

11. Children's Privacy

Our services are intended for business use by financial institutions. We do not knowingly collect personal data from individuals under 16 years of age. If you believe we have inadvertently collected such data, please contact us immediately.

12. Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will notify you of material changes by:

  • Email notification to registered users
  • Prominent notice on our website
  • In-app notification upon login

Continued use of our services after notification constitutes acceptance of the updated policy.

13. Contact Us

For questions about this Privacy Policy or our data practices, please contact:

Privacy Team: privacy@yottanest.com

Data Protection Officer: dpo@yottanest.com

General Inquiries: contact@yottanest.com

Address: YottaNest, Sofia, Bulgaria

For complaints or concerns about our data processing, you may also contact the Bulgarian Commission for Personal Data Protection (CPDP).

14. Supervisory Authority

If you are unsatisfied with our response to your privacy concerns, you have the right to lodge a complaint with your local data protection authority. In Bulgaria, this is:

Commission for Personal Data Protection (CPDP)

Address: 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592, Bulgaria

Phone: +359 2 915 3 518

Email: kzld@cpdp.bg

Website: www.cpdp.bg