Privacy Policy

This Privacy Policy explains how YouFi Ltd ("YouFi", "we", "us") collects, uses, and protects your personal data when you interact with our website at youfi.io and the YouFi closed alpha service. It applies to personal data processed under the UK General Data Protection Regulation (UK GDPR, retained in the Data Protection Act 2018) and, where you are in the EU/EEA, the EU General Data Protection Regulation (Regulation (EU) 2016/679).

01Who we are

The data controller for personal data collected via youfi.io is:

• Legal name: YouFi Ltd
• Company number: 12931597 — registered in England and Wales
• Registered office: 57 Westbourne Terrace, Reading, RG30 2RP, United Kingdom
• Privacy and general contact: [email protected]

We are not required to appoint a Data Protection Officer at this stage of operations under Article 37 UK GDPR / EU GDPR.

02What data we collect

2.1 When you join the waitlist

• Your email address
• The CTA you clicked (e.g. "hero", "pricing", "cta") — used to understand which page sections drive sign-ups
• Your IP-derived country (from Cloudflare's cf-ipcountry header) — used for aggregate geographic insight, never linked to your identity
• Your browser user agent string
• The date and time of your submission

2.2 When you sign in for closed alpha access

Authentication is handled by Clerk, Inc. (see Section 4). We receive your email address and a user identifier from Clerk. We do not receive or store your password.

2.3 When you consent to analytics

If you accept analytics cookies, we receive event data via PostHog (US region) including page views, button clicks, session duration, and session replay recordings of your interactions with the page (cursor movements, clicks, scroll behaviour, page state) so we can diagnose usability issues and bugs. PostHog masks all text inputs by default. We do not record passwords or form values. If you decline analytics, no analytics data — including session replay — is collected.

2.4 What we don't collect

We do not collect financial information, wallet addresses, private keys, transaction data, payment information, or any data about your trading activity from the public landing page.

03Why we collect it and our legal basis

Purpose	Data used	Legal basis (Art. 6 GDPR)
Contact you about YouFi alpha access	Email address, source tag, submission date	Consent (Art. 6(1)(a)) — given via the checkbox on the waitlist form
Authenticate alpha testers	Email + user identifier (via Clerk)	Performance of contract (Art. 6(1)(b)) — to provide access to the service you signed up for
Aggregate website analytics (only if you consent)	Pseudonymous event data, page views, browser info	Consent (Art. 6(1)(a) UK GDPR / EU GDPR) — given via the cookie banner; for cookies specifically, Reg. 6 of the Privacy and Electronic Communications Regulations 2003 (PECR) also requires consent
Security and abuse prevention	IP-derived country, user agent	Legitimate interests (Art. 6(1)(f)) — to detect and prevent abuse of the waitlist form

How to withdraw consent:

• For waitlist emails: reply "unsubscribe" to any YouFi email, or email [email protected].
• For analytics cookies: click the "Manage cookies" link in the website footer to re-open the cookie banner and change your choice. Your decision takes effect immediately.

Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal. We have assessed our legitimate interest in basic abuse-prevention logging (IP-country, user agent) and concluded that the interest does not override your fundamental rights — this assessment is available on request.

04Who we share it with

We use the following processors to operate the YouFi alpha. Each is bound by a written data processing agreement.

Processor	Purpose	Region
Cloudflare, Inc.	Hosting, CDN, DDoS protection	Global (US/EU edge)
Clerk, Inc.	Authentication	United States
Resend, Inc.	Transactional email delivery	United States
Notion Labs, Inc.	Internal waitlist record-keeping	United States
PostHog Inc.	Aggregate analytics (only with your consent)	United States

We do not sell, rent, or trade your personal data to third parties for marketing purposes.

05International transfers

Cloudflare, Clerk, Resend, Notion, and PostHog process some personal data outside the United Kingdom and the European Economic Area (typically in the United States). These transfers rely on the following safeguards, depending on the jurisdiction of the data subject:

5.1 For UK data subjects (UK GDPR Art. 46)

• UK–US Data Bridge — the UK extension to the EU–US Data Privacy Framework, in force from 17 October 2023 (Data Protection (Adequacy) (United States of America) Regulations 2023). Provides an adequacy decision where the recipient is certified under the framework.
• UK International Data Transfer Agreement (IDTA) — effective 21 March 2022, replacing the EU SCCs for UK-to-third-country transfers. Supplemented by a Transfer Risk Assessment where required.

5.2 For EU/EEA data subjects (EU GDPR Art. 46)

• EU–US Data Privacy Framework certification — Commission Implementing Decision (EU) 2023/1795. Provides an adequacy decision where the recipient is certified.
• Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) — supplemented by a Transfer Impact Assessment where required.

You can request copies of the safeguards in place for any specific transfer by contacting us at [email protected].

Analytics data via PostHog is transferred to the United States and protected by the UK–US Data Bridge / EU–US Data Privacy Framework where the recipient is certified, supplemented by the UK IDTA or EU SCCs as applicable. Analytics is only enabled if you consent via the cookie banner.

06How long we keep your data

Data	Retention period
Waitlist email	24 months from submission, or until you unsubscribe — whichever is earlier
Alpha account data (via Clerk)	For the duration of your account, plus 30 days after deletion request
Analytics events (if consented)	13 months (PostHog default)
Security logs	90 days

07Your rights under GDPR

You have the following rights regarding your personal data:

• Right of access (Art. 15) — request a copy of the personal data we hold about you
• Right to rectification (Art. 16) — correct inaccurate or incomplete data
• Right to erasure ("right to be forgotten", Art. 17) — request deletion of your data
• Right to restriction of processing (Art. 18) — limit how we use your data
• Right to data portability (Art. 20) — receive your data in a structured, machine-readable format
• Right to object (Art. 21) — object to processing based on legitimate interests
• Right not to be subject to automated decision-making (Art. 22) — we don't do this; see Section 9
• Right to withdraw consent at any time, without affecting prior lawfulness of processing

To exercise any of these rights, email [email protected]. We will respond within one month (Art. 12(3) GDPR).

08Right to lodge a complaint

You have the right to lodge a complaint with a supervisory authority. Because YouFi Ltd is established in the United Kingdom, the lead supervisory authority for our processing is:

• Information Commissioner's Office (ICO)
• Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom
• Phone: 0303 123 1113
• Website: ico.org.uk

EU/EEA residents: you may also lodge a complaint with the supervisory authority of your country of residence. A list is maintained at edpb.europa.eu.

09Automated decision-making

We do not carry out automated decision-making or profiling that produces legal effects or similarly significant effects concerning you within the meaning of Article 22 GDPR.

10Cookies and similar technologies

10.1 Strictly necessary (no consent required)

Authentication session cookies set by Clerk when you sign in. These are essential for the service to function and are exempt from consent under Reg. 6(4) of the Privacy and Electronic Communications Regulations 2003 (PECR, UK) and Article 5(3) of the ePrivacy Directive 2002/58/EC (EU).

10.2 Analytics (consent required)

PostHog cookies are only set if you click "Accept" in the cookie banner. With your consent, this includes session replay recordings of your interactions with the page so we can diagnose usability issues and bugs (text inputs are masked by default — see Section 2.3 for details). You can change your choice at any time by clicking Manage cookies in the website footer, which re-opens the banner; declining stops further analytics collection and opts you out of session replay. We may also receive your IP address briefly during analytics initialisation. PostHog is hosted in the United States — see Sections 4 and 5 for details of the safeguards that apply to that transfer.

10.3 What we don't use

We do not use advertising cookies, cross-site tracking, third-party advertising pixels, social-media tracking pixels, or fingerprinting.

11Changes to this policy

We may update this policy as the YouFi alpha evolves. We will post the new policy here with an updated "Last updated" date and, where required by law, notify you by email.

12Contact us

Questions, data subject requests, or concerns about this policy:

• Email: [email protected]
• Post: YouFi Ltd, 57 Westbourne Terrace, Reading, RG30 2RP, United Kingdom