YBuffet
Built for founders, investors, and providers to win faster!

Legal

EU / Global Privacy Addendum

Last updated: March 7, 2026

This Addendum is addressed to users in the European Economic Area (EEA), United Kingdom, and Switzerland. It supplements YBuffet's main Privacy Policy with the specific disclosures required by GDPR Articles 13 and 14. In the event of conflict between this Addendum and the main Privacy Policy, this Addendum controls for EEA/UK/Swiss users.

1. Identity and Contact Details of the Controller

Data Controller: YBuffet Inc.

Address: San Francisco, California, USA

Contact: grow@ybuffet.com

EU Representative: YBuffet is in the process of appointing a representative in the EU/EEA as required by GDPR Article 27. Until appointed, please direct all GDPR-related inquiries to grow@ybuffet.com. We will respond within one (1) calendar month as required by GDPR Article 12.

Data Protection Officer (DPO): YBuffet does not currently meet the mandatory DPO thresholds under GDPR Article 37 (we do not carry out large-scale systematic monitoring of individuals or process special category data at scale). Privacy matters are overseen by our compliance team at grow@ybuffet.com.

2. Purposes and Legal Bases for Processing

The following table sets out each processing activity, its purpose, and the applicable GDPR legal basis under Article 6 (and Article 9 for special category data):

Legitimate Interests Assessment: Where we rely on legitimate interests (Art. 6(1)(f)), we have assessed that our interests do not override your fundamental rights and freedoms. You have the right to object to this processing at any time by contacting grow@ybuffet.com.

Withdrawal of Consent: Where processing is based on consent (Art. 6(1)(a)), you may withdraw consent at any time by using account settings or contacting grow@ybuffet.com. Withdrawal does not affect the lawfulness of processing prior to withdrawal.

3. Recipients and Categories of Recipients

We share personal data with the following categories of recipients, each subject to GDPR-compliant Data Processing Agreements:

4. International Data Transfers

YBuffet is established in the United States, which is not subject to an EU adequacy decision for general data transfers. We rely on the following safeguards for transfers of EEA/UK personal data to the USA and other third countries:

Standard Contractual Clauses (SCCs): European Commission Decision 2021/914 (Controller-to-Processor Module 2) for all transfers to our US-based processors

UK International Data Transfer Agreements (IDTAs) for transfers of UK personal data

Swiss Standard Data Protection Clauses (SDPCs) for transfers of Swiss personal data

You may obtain a copy of the applicable SCCs or IDTAs by contacting grow@ybuffet.com. We also conduct transfer impact assessments (TIAs) to assess the level of protection in destination countries.

EU-US Data Privacy Framework: To the extent our processors are certified under the EU-US Data Privacy Framework, we may additionally rely on adequacy decisions related to that framework where applicable.

5. Your Rights Under GDPR

As an EEA/UK/Swiss data subject, you have the following rights. We will respond to all requests within one (1) calendar month (extendable by two months for complex or numerous requests, with notice to you):

Verification: We may need to verify your identity before responding to requests. We will not use verification information for any purpose other than identity verification.

No Fees: We will not charge a fee for responding to requests unless they are manifestly unfounded or excessive, in which case we may charge a reasonable administrative fee or decline to act.

6. EU/EEA Supervisory Authorities

You have the right to lodge a complaint with the supervisory authority of your member state of habitual residence, place of work, or place of alleged infringement:

7. Data Security Measures

We implement appropriate technical and organizational measures (TOMs) under GDPR Article 32, including:

Encryption of personal data in transit (TLS 1.2+) and at rest (AES-256)

Access controls: role-based access, principle of least privilege, multi-factor authentication for internal systems

Regular security assessments and penetration testing

Data minimization: collecting only what is necessary for each purpose

Pseudonymization of analytics and AI training data

Incident response procedures with 72-hour supervisory authority notification

Vendor due diligence: all processors screened for adequate security practices and subject to DPAs

8. Data Protection Impact Assessments (DPIAs)

We conduct Data Protection Impact Assessments (DPIAs) under GDPR Article 35 where processing is likely to result in high risk, including:

New AI features involving large-scale profiling or automated decision-making

New systematic monitoring of users

Processing of sensitive/special category data at scale

New international transfer arrangements

DPIAs are conducted before new high-risk processing activities commence. Results are available to supervisory authorities upon request.

9. Record of Processing Activities (RoPA)

YBuffet maintains a Record of Processing Activities (RoPA) as required by GDPR Article 30. This internal document records all processing activities, including purposes, categories of data subjects, data categories, recipients, transfers, retention periods, and security measures. The RoPA is available to supervisory authorities upon request.

10. Updates to This Addendum

This Addendum may be updated to reflect changes in our processing activities or applicable law. Material changes will be communicated with at least 30 days advance notice. The current version is always available at ybuffet.com/legal/eu-privacy-addendum.

Last updated: March 7, 2026 | YBuffet Inc. | grow@ybuffet.com