Legal

Privacy Policy

This privacy policy applies to our website https://www.yayphotobooks.com, the photobooks and related products we create, and any associated external online platforms, such as our social media profiles. All references to terms such as "processing" or "controller" are in accordance with Article 4 of the EU General Data Protection Regulation (GDPR).

Definitions

In the context of this policy:

The Controller is the entity that determines the purposes and means of processing personal data. In our business model, the controller is our business partner who provides customer data to us. We also refer to the controller throughout this policy as the "Partner" or "Business Partner".

The Processor is the entity that processes personal data on behalf of the controller. YAY (the operator of yayphotobooks.com) acts as the processor.

§1 Scope of the Agreement

a. The subject of this agreement is the creation of photobooks for the customers of our business partners, using YAY's photobook software, systems, and related services. Acting as a processor, YAY produces photobooks based on the photos, texts, and videos submitted by partners, and issues invoices to the respective customers. YAY is also responsible for forwarding the photobooks to a print service provider and for managing potential complaints related to the photobooks.

b. YAY is permitted to store, further process, and delete the data transmitted by the partner.

c. The types of data processed, the purposes of the processing, and the categories of data subjects are defined in Sections 2 and 3 of this policy.

d. The specifics of the data processing agreement are outlined in the individually negotiated master service agreements.

e. This agreement takes effect upon signature by both parties and remains valid until revoked or terminated. Revocation or termination must be submitted in writing via email.

As a processor, YAY handles personal data on behalf of its partners. This privacy policy specifies the activities and measures relating to the data processing. YAY is obligated to process data only in accordance with instructions received and to document such processing accordingly. Detailed terms are governed by the individual agreements entered into with our partners.

§2 Types of Data and Purpose of Processing

2.1 Types of Data (Art. 28(3), sentence 1 GDPR)

Master data: Name, email address, country of residence, mailing address, and—if provided—the customer's telephone number.

Files: Images, portraits, texts, and videos submitted by the customer for use in photobooks or related products.

2.2 Purpose of Processing

  • Creation, editing, storage, and delivery of photobooks and other photo products
  • Communication with the customer in relation to the creation of the photobook

§3 Inquiries from Data Subjects

If a data subject contacts YAY (the processor) with a request for correction, deletion, or access to data, YAY will inform the controller (the partner) that such data must be corrected or deleted by both parties (e.g., a customer's address). If the request concerns the deletion of stored photobooks or related photo products, YAY will also forward the request to the subcontractor responsible for production.

YAY is not liable if the controller or subcontractor fails to respond, responds incorrectly, or fails to respond in a timely manner.

Categories of Data Subjects (Art. 28(3), sentence 1 GDPR)

  • Customers
  • Individuals depicted in the submitted media

§4 Duties of the Processor (YAY)

a. YAY may process personal data only within the scope of the assignment and in accordance with the partner's instructions, unless an exception under Article 28(3)(a) GDPR applies. If YAY believes an instruction violates applicable law, the partner will be informed immediately. Processing may be suspended until the instruction is confirmed or amended.

b. YAY deletes data in accordance with legal requirements, the retention periods specified in its deletion policy, or upon explicit request by the partner.

c. YAY shall implement technical and organizational measures (TOMs) to ensure the confidentiality, integrity, availability, and resilience of systems and services used in processing. These measures must be documented, and YAY must provide evidence of compliance with Article 32 GDPR upon request. The partner has the right to audit TOMs. YAY may update its TOMs, provided the agreed protection level is not reduced. Material changes will be communicated to the partner if they impact processing security.

d. YAY will notify the partner of any personal data breach involving the partner's data without undue delay and no later than 72 hours after becoming aware. The notification will be made by email and include:

  • A description of the nature of the breach, including the categories and approximate number of affected individuals and data records
  • The likely consequences of the breach
  • Measures taken or proposed to address the breach and mitigate any negative effects

These measures will be coordinated with the partner to ensure compliance with data protection obligations. YAY also supports the partner in fulfilling its reporting obligations to supervisory authorities or affected individuals.

If a data subject brings a claim under Article 82 GDPR, YAY will assist the partner in defending the claim, to the extent possible, by providing relevant data and implementing risk mitigation measures.

§5 Duties of the Controller (Partner)

a. The partner must promptly inform YAY of any errors or irregularities in data processing or other procedures that may conflict with data protection requirements.

b. The partner is responsible for providing accurate and complete data (e.g., customer master data, files) necessary for YAY to deliver services. The partner is liable only for damages caused by gross negligence or willful misconduct during data transmission.

The partner is not responsible for damages resulting from errors in YAY's processing or storage of data.

§6 Subprocessors (Additional Data Processors)

a. The partner agrees that YAY may engage third-party providers (subprocessors) to fulfill its contractual obligations.

b. YAY is responsible for ensuring that all obligations arising from this agreement are contractually extended to its subprocessors. This includes provisions for confidentiality, data protection, and information security. Any audit of subprocessors by the partner must be coordinated with YAY.

c. No specific approval is required for subprocessors providing ancillary services, such as external personnel, mail and shipping services, or system maintenance.

d. Data transfers to third countries must comply with GDPR requirements (e.g., Standard Contractual Clauses).

The list of relevant subprocessors will be provided to the partner as part of the contract documentation.

§7 Technical and Organizational Measures

We implement a comprehensive range of technical and organizational measures to safeguard the data of our partners and their customers.

7.1 Confidentiality (Art. 32(1)(b) GDPR)

7.1.1 Access Control

Measures to prevent unauthorized physical access to IT systems:

  • Secured building with lockable access
  • Lockable office on the first floor
  • Servers are hosted by Netcup GmbH in a facility with centralized locking systems, alarm systems, video surveillance of entryways and rented data center areas, and visitor access regulations. All rooms are on the first and second floors.

7.1.2 System Access Control

Measures to ensure that only authorized users can access data and that data cannot be read, copied, modified, or deleted without authorization:

  • All YAY team members (currently two) have full access, as both work with all data. No other persons have access.
  • Role-based access controls are in place for specific applications
  • Laptops are protected by passwords or PINs
  • IT infrastructure is protected by firewalls
  • Antivirus software on all devices
  • Automatic screen lock after periods of inactivity

7.1.3 Data Segregation

Measures to ensure that data collected for different purposes is processed separately:

  • Each application accesses only the minimum necessary data and is individually password protected
  • Customer address data is stored in a CRM system
  • Media files are editable only via the WebApp
  • Payment data is processed exclusively through Stripe

§8 Integrity (Art. 32(1)(b) GDPR)

8.1 Data Transfer Control

To ensure data is not accessed, copied, modified, or removed during transmission or storage:

  • Digital: Data from the partner is submitted to YAY via a secure interface to ensure only YAY receives it
  • Physical: Required data is transferred by YAY to the printing partner via the photobook provider's portal or integration, depending on their system. Shipping is carried out in cardboard packaging by the photobook provider
  • All transfers between the partner, YAY, and the printing partner are encrypted via SSL/TLS

8.2 Input Control

Measures to ensure traceability of who entered, modified, or deleted data:

  • Input, changes, and deletions are logged using event sourcing (e.g., address updates, data deletions, payment entries)
  • Some subprocessors, such as Stripe, maintain their own event-based logging systems

8.3 Availability, Resilience, and Recoverability (Art. 32(1)(b), (c) GDPR)

  • Performance load tests, continuous monitoring, load balancing, container orchestration
  • Redundant IT infrastructure through virtualization
  • Redundant storage systems
  • Hosting with DIN ISO 27001–certified provider Netcup GmbH (TÜV Nord certification for information security)
  • Antivirus software, firewalls
  • Regular backups (retained for at least 12 months and reviewed monthly for integrity and recoverability)
  • Automated provisioning
  • Redundant services: Each service is handled by at least two servers. If one fails, the other takes over. If a full server fails, services are rebalanced
  • Event sourcing supports rapid cache restoration without compromising data integrity

§9 Data Protection Contact

YAY has not appointed an external Data Protection Officer. For all privacy-related inquiries, please contact:

Philipp Scheit

Email: phillipp@yaymemories.com

This Privacy Policy is specifically designed for YAY's B2B photobook partnerships and GDPR compliance.