Privacy Policy
How Youda Ltd handles personal data on behalf of its customers, and the commitments we make under UK data protection law.
Last updated: 26 May 2026
1. Who we are
This policy is published by Youda Ltd ("Youda", "we", "us"). It explains how we handle personal data in the course of providing our services to our customers.
2. Our role under data protection law
For the personal data we process on behalf of our customers, Youda acts as a data processor. Our customers are the data controllers — they determine the purposes and means of processing their employees' data.
This relationship is formalised in a Data Processing Addendum within each customer subscription agreement, consistent with the UK GDPR and the Data Protection Act 2018. We process customer data solely on the customer's documented instructions.
3. How we process personal data
- We process personal data only on the customer's written instructions, or where we are required to by law — in which case we notify the customer first, unless the law prohibits it.
- Processing is limited to the categories of data subjects and data described in the relevant subscription agreement.
- Everyone we authorise to process personal data is bound by a duty of confidentiality.
4. The data we process
Depending on the customer's configuration, the personal data we process on a customer's behalf may include:
- Employee records, including names and contact details.
- Employment information.
- Data passed through HR and scheduling integrations connected by the customer.
- Where the customer enables it, special category and sensitive data (such as health information, ethnicity, immigration status, bank details and National Insurance numbers) processed through our backend, our Agent and our onboarding assistant.
5. Confidentiality and security
We implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage. We are working towards ISO 27001 certification.
All personnel authorised to process personal data are under a binding duty of confidentiality.
6. Sub-processors
- We engage sub-processors to help deliver the service.
- We maintain and publish a current list of sub-processors and notify customers of any intended changes.
- Customers have 30 days to raise an objection to a sub-processor change. If an objection cannot be resolved within that period, either party may terminate.
- Every sub-processor is engaged on terms no less protective than those in our Data Processing Addendum.
7. Personal data breaches
On becoming aware of a personal data breach affecting a customer's data, we notify the affected customer in writing without undue delay. Our notification includes, so far as we are able:
- The nature of the breach.
- The categories and approximate number of data subjects affected.
- The categories and approximate number of records affected.
- The likely consequences of the breach.
- The measures taken or proposed to address the breach and mitigate its effects.
We assist the customer's investigation, make relevant records, logs and files available, take prompt steps to mitigate, and bear the reasonable expenses of meeting these obligations — except where the cause of the breach is attributable to the customer.
8. Data subject requests
If we receive a request from an individual relating to a customer's employee data — for example, a request to access, correct or delete data — we do not respond directly. Instead:
- We notify the relevant customer promptly so that they, as the controller, can respond.
- We do not respond to the individual without the customer's consent.
- We also promptly notify the customer of any complaint, regulator notice, or third-party claim relating to their data.
9. International data transfers
Some personal data may be transferred outside the UK and EEA — for example, to certain technology vendors based overseas. Where this happens, we rely on appropriate safeguards:
- Standard Contractual Clauses under Article 46 of the UK GDPR; or
- An adequacy decision for the destination country, where one is in place — in which case Standard Contractual Clauses are not required.
We maintain an appropriate transfer mechanism for every sub-processor located outside the UK and EEA.
10. Retention and deletion
On termination of a customer's subscription:
- We delete or return all personal data, at the customer's election.
- We may retain data where we are required to by applicable law.
11. Audit rights
- Customers may audit our compliance with our data protection obligations, on reasonable notice.
- Audits are limited to once per year, unless a breach has occurred.
- Where reasonable, we may satisfy an audit by providing a current third-party audit report or certification.
12. AI providers and fair use
Our Agent relies on third-party AI providers. We reserve the right to change the underlying large language model provider(s) at any time; we will notify customers of such a change.
We may apply reasonable usage limits to prevent abuse, and may rate-limit or temporarily suspend access in cases of excessive use, assessed relative to the customer's contracted employee count.
13. Modern slavery and anti-bribery
We are committed to acting ethically across our operations and supply chain.
- Modern slavery. We comply with the Modern Slavery Act 2015, conduct due diligence on our supply chain to identify and mitigate the risk of modern slavery and human trafficking, and notify customers if we become aware of any modern slavery in our supply chain.
- Anti-bribery. We comply with the Bribery Act 2010 and applicable anti-corruption laws, maintain procedures to prevent bribery and corruption, and notify customers of any breach or suspected breach.
14. Changes to this policy
We may update this policy from time to time. When we make material changes we will update the "last updated" date at the top of this page.
Contact us
If you have any questions about this policy or how we handle personal data, please get in touch at hello@youda.co, or write to us at Youda Ltd, 30 St Giles, Oxford, OX1 3LE.