Privacy policy
Last updated:
In the event of any conflict between the Norwegian and English versions of this policy, the Norwegian version prevails.
1. Data Controller
Yem AS is the data controller for the personal data processed when you use Yem.
Yem AS
Organisation number: 937 322 585
Geitsundvegen 104, 3540 Nesbyen
Norway
Email: privacy@yemapp.com
If you have questions about how we process your personal data, or wish to exercise your rights, please contact us at the email address above.
2. What data we collect and why
2.1 Account information
When you create an account in Yem, we collect the following information:
| Data | Required | Purpose |
|---|---|---|
| Email address | Yes | Login, account verification and communication from us |
| Password | Yes | Authentication. Your password is never stored in plain text |
| First and last name | Yes | Recognition between household members and personalisation of the service |
| Date of birth | Yes | Verification that you are 15 years of age or older |
| Profile picture | No | Personalisation and recognition within the household |
We do not require your first and last name to be your legal name.
Legal basis: The processing is necessary to perform the agreement with you for the use of Yem (GDPR Art. 6(1)(b)).
2.2 Household data
When you create or join a household in Yem, we collect the following:
| Data | Required | Purpose |
|---|---|---|
| Household name | Yes | Identification of the household within the service |
| Country | Yes | Subscription management and billing |
| Household members and roles | Yes | Administration of access and features within the household |
| Invitation code | Yes | Inviting new household members |
| Email address of invited person | No | Sending an invitation by email |
Invitation codes expire after 14 days.
If you choose to share your date of birth with your household, it will appear as a birthday marker in other household members’ calendars.
Legal basis: The processing is necessary to perform the agreement with you for the use of Yem (GDPR Art. 6(1)(b)).
2.3 Content you create
Most of the data we store is content you enter yourself as part of your normal use of the service:
| Content type | Examples of data |
|---|---|
| Tasks | Title, description, location, comments, assigned household members |
| Calendar events | Title, description, location, date and time, participants |
| Messages | Message content and attachments (images and documents, up to 10 MB per file) |
| Shopping lists | List names and item names |
| Sharing activity | Log of content shared between household members |
All content you create is only visible to you and your household members.
If you delete your account, messages you have sent will appear under the name “Deleted user” in conversations where other household members are participants. The message content itself is retained so that conversations remain coherent for the remaining members.
Legal basis: The processing is necessary to perform the agreement with you for the use of Yem (GDPR Art. 6(1)(b)).
2.4 Payment and subscription data
Yem uses Stripe as its payment provider. All card information is processed directly by Stripe on their secure payment pages - we never store card numbers, expiry dates or security codes.
We store the following subscription information in our own database:
| Data | Purpose |
|---|---|
| Stripe customer ID and subscription ID | Linking your account to Stripe |
| Subscription status and plan | Managing access and billing |
| Subscription period and trial period dates | Access control and notifications |
The following information is shared with Stripe when a subscription is created: email address, household name and country. These are used to identify you as a customer with Stripe (see section 3).
Yem offers a free 30-day trial period. After an expired or cancelled subscription, your household is kept in read-only mode for 90 days so you can download your data, after which it is permanently deleted.
Stripe may retain transaction data in accordance with their own legal obligations, independently of our deletion.
Legal basis: The processing is necessary to perform the agreement with you for the use of Yem (GDPR Art. 6(1)(b)). Data required for accounting purposes is processed on the basis of a legal obligation (Art. 6(1)(c)).
2.5 Technical information
To ensure the service functions correctly and securely, we automatically collect certain technical information when you use Yem.
Session data
When you log in, a session is created that stores your IP address and information about your browser or device. This is used to keep you logged in and to protect your account against unauthorised access. Session data is automatically deleted when the session expires or when you log out, and no later than upon deletion of your account.
Cookies
| Cookie | Purpose | Duration | Requires consent |
|---|---|---|---|
| Session token | Keeps you logged in | 7 days | No - necessary |
| Language preference | Remembers your preferred language | 1 year | No - functional |
| Timezone | Adapts date and time display | 1 year | No - functional |
| Analytics (PostHog) | Usage statistics and session recordings | 1 year | Yes |
Local storage on your device
To make the service fast and accessible, Yem stores a local copy of your household data on your device. This data is deleted when you log out. Your browser may also store temporary files to improve load times.
Infrastructure logs
Cloudflare, which provides our technical infrastructure, processes technical information about requests to the service, including IP addresses. See section 3 for more information about Cloudflare and our other sub-processors.
Legal basis: Session data and necessary cookies are processed on the basis of the agreement with you (GDPR Art. 6(1)(b)). Functional cookies and infrastructure logs are justified by our legitimate interest in providing a secure and well-functioning service (Art. 6(1)(f)). Analytics are processed only with your consent (Art. 6(1)(a)).
2.6 Analytics and error monitoring
Analytics and session recordings (PostHog)
We use PostHog to understand how the service is used, so we can improve it. This includes information about which features are used, navigation patterns and - if you consent - screen session recordings. Session recordings use masking, meaning that text fields and sensitive information are not visible in the recordings.
PostHog is only active if you have consented to analytics on your first visit or in your settings. You can withdraw your consent at any time.
PostHog does not store your IP address, and it is not used to identify or locate you. Data is processed on PostHog’s European servers.
Error monitoring (Sentry)
We use Sentry to capture technical errors in the service’s backend. Sentry receives no names, email addresses or user IDs - only technical information about what went wrong and which part of the service was involved.
Marketing website (Plausible)
On our marketing website (yemapp.com) we use Plausible Analytics to measure visits. Plausible stores no cookies and collects no personal data.
Legal basis: PostHog analytics are processed on the basis of your consent (GDPR Art. 6(1)(a)). Error monitoring is justified by our legitimate interest in maintaining a stable and secure service (Art. 6(1)(f)).
2.7 Notifications and push notifications
Yem can send you notifications about activity in your household, for example new messages, tasks and calendar changes.
Notification preferences
You control which notifications you wish to receive via your settings. We store these preferences in our own database.
Push notifications
If you consent to push notifications in your browser, a unique device token is generated via Firebase (Google). This token is sent to our notification service Knock, which uses it to deliver push notifications to your device. The token is stored with Knock - not in our own database.
To deliver push notifications, we share the following information with Knock: user ID, name, email address, profile picture and language preference. See section 3 for more information about Knock and our other sub-processors.
You can withdraw your consent to push notifications at any time in the notification settings within the service, or by changing the settings in your browser.
Legal basis: Storage of notification preferences is necessary to perform the agreement with you for the use of Yem (GDPR Art. 6(1)(b)). Push notifications are only sent with your consent (Art. 6(1)(a)).
3. Sub-processors
We share data with a limited number of sub-processors that are necessary to deliver the service. All sub-processors are bound by data processing agreements in accordance with GDPR Article 28. Where data is transferred to countries outside the EEA, this takes place on the basis of the EU’s Standard Contractual Clauses (SCCs) or equivalent transfer mechanisms.
| Provider | Purpose | Location | Data shared |
|---|---|---|---|
| Cloudflare (opens in new tab) | Infrastructure, file storage and email delivery | EU/USA* | All requests to the service, uploaded files, exported data and outgoing emails |
| Neon (opens in new tab) | Database hosting | EU (Frankfurt) | All personal data stored in the database |
| Stripe (opens in new tab) | Payment and subscription processing | USA | Email address, household name, country |
| Knock (opens in new tab) | Push notifications and alerts | USA | User ID, name, email address, profile picture, language preference, device token |
| PostHog (opens in new tab) | Analytics and session recordings | EU | User ID, navigation data and session recordings (only with consent) |
| Firebase (Google) (opens in new tab) | Push token issuer | USA | Device token |
| Sentry (opens in new tab) | Error monitoring (backend) | EU | Technical error information, no user identity |
| Plausible (opens in new tab) | Visit statistics on marketing website | EU | No personal data |
*Cloudflare processes network traffic globally, but file storage is configured to use European servers.
We never share your personal data with third parties for advertising purposes.
4. How long we keep your data
We store personal data only for as long as is necessary for the purposes described in this policy.
| Data type | Retention period |
|---|---|
| Account information and household data | For as long as the account is active |
| Content you create (tasks, messages, calendar events, shopping lists) | For as long as the household is active |
| Sessions | 7 days |
| Invitation codes | 14 days |
| Email verification links | 24 hours |
| Export files | 7 days after the export is completed |
| Invoice and transaction data (accounting records) | Up to 5 years after the end of the financial year, cf. the Norwegian Bookkeeping Act (bokføringsloven) section 13 |
| Analytics (PostHog) | Governed by PostHog’s own retention rules |
When you delete your account
Your account information and all content you have created is deleted upon account deletion, with the exception of messages you have sent in shared conversations. These are retained under the name “Deleted user” so that conversations remain coherent for the remaining household members.
Certain invoice and transaction data is nevertheless retained after account deletion, for as long as we are legally required to keep it as accounting records - see “Invoice and payment data” below.
When a subscription ends
If your subscription expires or is cancelled, your household is kept in read-only mode for 90 days so you can download your data. After this, the household and all associated content is permanently deleted.
Invoice and payment data
Under the Norwegian Bookkeeping Act, we are required to retain invoice and transaction data as accounting records for up to 5 years after the end of the financial year. This data is therefore kept even if you delete your account or end your subscription, but is not used for any purpose other than accounting and statutory reporting.
In addition, Stripe may retain transaction data in accordance with its own legal obligations, independently of our deletion.
5. Your rights
You have the following rights regarding your personal data. Some rights can be exercised directly within the service; others require you to contact us.
Access
You have the right to confirmation of whether we process personal data about you, and if so, to receive a copy of it. You can download your data directly in the settings under “Export data”.
Rectification
You have the right to have inaccurate data corrected. You can update your account information directly in your settings.
Erasure
You have the right to have your personal data deleted. You can delete your account directly in your settings. Please note that messages you have sent in shared conversations will appear under the name “Deleted user” after deletion - see section 2.3.
The right to erasure does not extend to data we are legally required to retain. Invoice and transaction data that constitutes accounting records is kept for up to 5 years after the end of the financial year in accordance with the Norwegian Bookkeeping Act, cf. GDPR Art. 17(3)(b). See section 4 for more information on retention periods.
Data portability
You have the right to receive your personal data in a structured and machine-readable format. Use the export function in your settings to download your data as CSV, JSON or iCalendar.
Restriction of processing
You have the right to request that the processing of your personal data be restricted in certain situations, for example while we are handling an objection from you.
Objection
You have the right to object to processing that is based on legitimate interest, for example error monitoring and infrastructure logs.
Withdrawing consent
Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of processing that took place before the withdrawal. For analytics and session recordings: go to your settings and select “Manage consent”. For push notifications: go to the notification settings in the service, or change the settings in your browser.
How to contact us
For rights you cannot exercise directly within the service, send a request to privacy@yemapp.com. We will respond within 30 days. In complex cases the deadline may be extended by a further two months - we will notify you if this is the case.
Complaints to the Norwegian Data Protection Authority
If you believe we are processing your personal data in breach of data protection law, you have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet) at www.datatilsynet.no (opens in new tab).
6. Cookies and tracking
A cookie is a small text file stored in your browser when you use the service. We use cookies to keep you logged in, remember your language preference and - with your consent - to analyse the use of the service. A full overview of the cookies we use can be found in section 2.5.
Consent
The first time you visit Yem, you will be asked to make a choice regarding the use of analytics and session recordings. Necessary and functional cookies are set without consent, as they are required for the service to function. You can change your choices at any time in your settings.
How to manage cookies
You can delete or block cookies via your browser settings. Please note that blocking necessary cookies will prevent you from logging in and using the service.
We do not use cookies for advertising purposes.
7. Children and minors
Yem is not intended for children under the age of 15. We verify your age at registration by asking for your date of birth, and deny access to anyone under 15. This age limit is in accordance with Norwegian data protection legislation.
If we become aware that a person under the age of 15 has created an account, we will delete the account and associated data without undue delay.
Children under a parent account
We plan to introduce support for children under the age of 15 linked to a parent or guardian’s account. This feature is not available as of today. When it is introduced, this privacy policy will be updated with information on how consent from parents or guardians is obtained and processed.
8. Changes to this policy
We may update this privacy policy from time to time. The date of the most recent update will always appear at the top of the policy.
For material changes - for example if we begin processing new categories of personal data or engage new sub-processors - we will notify you by email before the changes take effect. For minor editorial changes, the policy will be updated without specific notice.
Continued use of the service after changes have taken effect will be considered acceptance of the updated policy.
9. Contact and complaints
Contact us
If you have questions about this privacy policy or how we process your personal data, please get in touch:
Yem AS
Geitsundvegen 104, 3540 Nesbyen
Norway
Email: privacy@yemapp.com
We aim to respond within 30 days.
Complaints to the Norwegian Data Protection Authority
If you believe we are processing your personal data in breach of data protection law, you have the right to lodge a complaint with the Norwegian Data Protection Authority:
Datatilsynet
Postboks 458 Sentrum, 0105 Oslo
www.datatilsynet.no (opens in new tab)