Legal

Data Processing Agreement

This DPA explains roles, processing details, security measures and GDPR assistance for data handled through Yuusk.

Last updated: May 2026 · Effective upon account registration

This Data Processing Agreement ("DPA") forms part of the agreement between you and Yuusk and explains how personal data is processed through the yuusk.com platform. For ordinary member use, Yuusk generally acts as an independent data controller because we determine the purposes and means of operating the membership service, safety review, payments, support and communications.

Where a business customer, network partner or other controller uses Yuusk under documented instructions and asks us to process personal data on its behalf, this DPA also sets out the processor terms required by GDPR Article 28. This DPA should be read together with our Terms of Service and Privacy Policy.

1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) of GDPR.

"Processing" means any operation performed on personal data, including collection, recording, storage, adaptation, retrieval, use, disclosure, or deletion.

"Data Controller" means Yuusk, which determines the purposes and means of processing personal data.

"Data Subject" means the registered member whose personal data is processed through the platform.

"Sub-Processor" means any third party engaged by Yuusk to process personal data on its behalf.

"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council.

2. Roles of the Parties

For member accounts, support tickets, profile review, payments, safety systems and platform analytics, Yuusk acts as a data controller. You are the data subject whose data is processed to provide the Service.

If a separate written agreement states that Yuusk processes personal data on behalf of another controller, that controller determines the lawful purpose and documented instructions. In that case, Yuusk acts as processor only for the processing expressly covered by that agreement.

3. Processing Details

  • Subject matter: operation of a private membership platform, profile review, messaging, support, payments, safety and account administration.
  • Duration: for the lifetime of the account or agreement, plus retention periods required for security, legal, accounting or dispute-resolution purposes.
  • Data subjects: visitors, registered members, applicants, paying members, support contacts and persons included in reports or moderation records.
  • Data categories: account data, profile data, photos and media, messages, support tickets, payment metadata, device/IP data, preferences, reports and moderation records.
  • Special category data: information such as gender, preferences, nationality or content that may imply sensitive characteristics where voluntarily provided by the member.

4. Nature and Purpose of Processing

Yuusk processes personal data for the following purposes:

  • Creating and managing member accounts;
  • Facilitating connections and communication between members;
  • Verifying member identity and email addresses;
  • Ensuring platform safety and preventing fraudulent or abusive behaviour;
  • Providing customer support and responding to enquiries;
  • Analysing usage patterns to improve service quality and performance;
  • Sending transactional emails (verification codes, account notifications);
  • Complying with applicable legal obligations.

Categories of personal data processed include: name, email address, date of birth, gender, profile photo, self-description, spoken languages, nationality, height, body type, and other optional profile fields provided by the member. We also process technical data including IP address, browser type, device type, and pages visited.

5. Documented Instructions

Where Yuusk acts as processor, we process personal data only on documented instructions from the controller, including instructions contained in the applicable agreement, product settings and lawful support requests. If an instruction appears to violate applicable data protection law, we will inform the controller unless legally prohibited.

Yuusk may process data without further instruction where required by Union or Member State law, where necessary to protect the Service, or where acting as an independent controller for member safety, fraud prevention, accounting, legal claims or platform administration.

6. Confidentiality

Personnel with access to personal data are required to handle it confidentially and only for authorised purposes. Internal access is limited by role and business need. We train relevant team members on privacy, security and appropriate handling of member data.

7. Technical and Organisational Security

Yuusk implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

  • Encryption in transit: all data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher;
  • Password security: passwords are stored using bcrypt with a work factor of 12 — plain-text passwords are never stored or logged;
  • Access control: internal access to personal data is restricted to authorised personnel on a need-to-know basis, with audit logging;
  • Infrastructure security: servers are hosted in hardened environments with firewalls, intrusion detection, and regular security patching;
  • Session management: sessions are cryptographically signed and expire after a configurable period of inactivity;
  • Vulnerability management: we conduct regular reviews and apply security patches promptly.
  • Operational review: profile, support and moderation tooling is access-controlled and intended to reduce unnecessary exposure of member data.
  • Backups: production data may be backed up for resilience and restored only for operational, security or disaster-recovery purposes.

8. Sub-Processors

Yuusk engages the following categories of sub-processors to deliver the Service. All sub-processors are bound by data processing agreements that require them to protect personal data to at least the standard required under GDPR:

  • Cloud hosting providers — for server infrastructure and data storage;
  • Email delivery services (e.g., Resend) - for sending transactional emails such as verification codes and account notifications;
  • Payment processors (a secure third-party payment provider) — for paid memberships, renewals, cancellations, invoices, refunds and disputes;
  • Anti-abuse providers — for spam prevention, bot protection and security checks;
  • CDN and DNS services (e.g., Cloudflare) — for secure and fast content delivery and DDoS mitigation;
  • Analytics providers — for anonymised usage data and platform performance monitoring (only where you have consented to analytics cookies).

We will notify you of material changes to our sub-processor list by posting updates to this page. To receive advance notice of changes, contact us at [email protected].

Where Yuusk acts as processor, we remain responsible for ensuring sub-processors are bound by written terms that provide substantially similar data protection obligations to those in this DPA.

9. Cross-Border Transfers

Some of our sub-processors are located outside the European Economic Area (EEA). Where personal data is transferred internationally, we rely on one or more of the following transfer mechanisms:

  • Standard Contractual Clauses (SCCs) approved by the European Commission;
  • The adequacy decisions of the European Commission for certain third countries;
  • Other recognised transfer mechanisms under Article 46 of GDPR.

Details of specific transfer mechanisms can be provided upon written request to [email protected].

10. Data Subject Rights

Yuusk will assist you in exercising your rights under GDPR (Articles 15–22), including rights to access, rectification, erasure, restriction, portability, and objection. Requests should be submitted to [email protected]. We will respond within the statutory timeframe of 30 days (extendable to 90 days in complex cases, with prior notice).

For data erasure requests, please see our dedicated Data Deletion page.

11. Records, Audits and DPIA Assistance

Where required by law, Yuusk maintains records of processing activities, security controls, sub-processor categories and relevant internal access controls. If Yuusk acts as processor for a controller, we will make information reasonably necessary to demonstrate compliance available upon written request, subject to confidentiality, security and protection of other customers' data.

We will provide reasonable assistance with data protection impact assessments, prior consultations and security questionnaires where the processing context requires it and where the requested assistance is proportionate to the Service.

12. Data Breach Notification

In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, Yuusk will notify you without undue delay and, in any case, within 72 hours of becoming aware of the breach (where feasible). Notification will include the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address the breach.

If Yuusk acts as processor, we will notify the controller without undue delay after becoming aware of a personal data breach affecting controller personal data and will provide reasonable cooperation for investigation, containment and legally required notices.

13. Retention and Deletion

Personal data is retained for as long as your account is active or as required to fulfil the purposes described in this DPA. Upon account deletion:

  • Active profile and account data is removed within 30 days;
  • Residual data in encrypted backups is overwritten within 90 days;
  • Records subject to legal retention obligations may be kept for up to 6 years.

See our Data Deletion page for full details on how to submit a deletion request.

Where Yuusk acts as processor, personal data will be returned or deleted at the end of the applicable service according to the controller's documented instructions, unless retention is required by law, security, fraud prevention, accounting obligations or legal claims.

14. Governing Law

This DPA is governed by and construed in accordance with applicable data protection law, including GDPR and any implementing national legislation. The parties submit to the exclusive jurisdiction of competent courts for any dispute arising under this DPA.

15. Contact

For any data processing enquiries or to exercise your rights under this DPA:

Legal entity

Yuusk LLC
1201 Geneva, 1, place des Alpes, Switzerland
Switzerland

Questions about data processing? Contact us — we reply within 2 business days.