Privacy Policy
Last updated: March 7, 2026
YBuffet Inc. ('YBuffet,' 'we,' 'us,' or 'our') is committed to protecting your privacy globally. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use ybuffet.com and our related Platform and services. This Policy applies to all users worldwide. By creating an account or using the Platform, you agree to this Privacy Policy.
Users in specific jurisdictions have additional rights described in Section 7 and Appendix A (Global Jurisdiction Supplement).
1. Information We Collect
Information you provide directly:
Account registration data: name, email address, password, date of birth, and profile information
Profile details: company name, role, bio, location, service descriptions, pricing, availability, and portfolio materials
Communications through the Platform, including forum posts, direct messages, and reviews
AI interactions: prompts, questions, files, and other inputs you submit to our AI-powered features, as well as the responses generated
Payment information processed through our third-party payment processor (we do not store full card numbers)
Identity verification documents, where required for certain features
Information you share when contacting us for support or feedback
Information collected automatically:
Log data: IP address, browser type, pages visited, time spent, and referring URLs
Device information: hardware model, operating system, and unique device identifiers
Usage data: features used, searches performed, and interactions with other users and content
General location based on IP address; precise location only with your explicit permission
Mobile advertising identifiers (IDFA on Apple devices, GAID on Android devices), where applicable
Cookies and similar tracking technologies (see our Cookie Policy)
Information from other sources:
If you sign in using a third-party service (e.g., Google or LinkedIn), we may receive your public profile information and email
Information about you from other users, such as if you are mentioned in a forum post, review, or complaint
2. How We Use Your Information
We use the information we collect to:
Provide, operate, and improve the Platform and its features
Match builders with service providers based on needs, budget, timing, and location
Power AI-driven features, using your inputs and interactions in aggregate or de-identified form to improve recommendations
Process transactions and send related notices
Send administrative communications, including updates to our policies
Send marketing communications (you can opt out at any time via the unsubscribe link in any email)
Analyze usage patterns and conduct research to improve the Platform experience
Verify your identity or age where required
Prevent fraud, enforce our policies, and comply with legal obligations
3. Legal Bases for Processing (Global)
We process personal data on the following legal bases, which apply across jurisdictions as indicated:
4. How We Share Your Information
We do not sell your personal data. We may share your information in the following circumstances:
With other users: profile information, service listings, forum posts, and ratings are visible to other Platform users as intended by the Platform's design
With service providers: we use third-party vendors for hosting (Vercel), payment processing (Stripe), email delivery (Resend), and analytics (Google Analytics), subject to confidentiality obligations and, where required, Data Processing Agreements
For business transfers: if YBuffet is acquired or merged, user data may transfer to the new entity with advance notice to users
For legal compliance: to respond to lawful requests, court orders, or to protect the rights and safety of YBuffet and its users
With your consent: for any other purpose with your explicit permission
Information you voluntarily include in public posts, including any contact details you choose to share, is visible to all Platform users and may be indexed by third-party search engines. YBuffet is not responsible for how third parties access, collect, or use information you choose to make publicly available on the Platform.
5. International Data Transfers
YBuffet is based in the United States. If you are located outside the United States, your personal data will be transferred to and processed in the United States, which may not offer the same level of data protection as your home jurisdiction.
For users in the European Economic Area (EEA), United Kingdom, and Switzerland, we rely on the following transfer mechanisms:
Standard Contractual Clauses (SCCs): We use the European Commission's approved SCCs (2021 version) for transfers of personal data from the EEA to third countries, including the United States, with our service providers.
Adequacy Decisions: Where the European Commission has issued an adequacy decision for a recipient country, we may transfer data on that basis.
For users in Brazil, we comply with LGPD Article 33 transfer requirements by ensuring adequate protections are in place with our sub-processors.
For users in China, we comply with PIPL cross-border transfer requirements. See Appendix A for China-specific provisions.
For users in other jurisdictions, we ensure equivalent protections through contractual safeguards with our processors and sub-processors.
6. Data Retention
We retain your personal data only as long as necessary for the purposes described in this Policy, or as required by law:
You may request deletion of your account and associated data at any time by contacting grow@ybuffet.com or through your account settings. Certain data may be retained beyond these periods where required by law, active legal proceedings, or fraud prevention purposes.
7. Automated Decision-Making Technology (ADMT)
YBuffet uses automated decision-making technology (ADMT) in the following ways:
Provider matching: our platform uses automated algorithms to rank and surface service providers based on budget, location, timing, category, and ratings. This does not produce legally significant decisions but may affect provider visibility.
AI Agent recommendations: our planned AI Agent feature will use automated processing to generate startup plans and provider recommendations. You are not required to follow these recommendations, and human review is available for significant decisions.
Content moderation: automated tools may flag content for potential policy violations. Flagged content is reviewed by our team before enforcement action is taken.
EU/EEA users: Under GDPR Article 22, you have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. Our current ADMT does not produce such effects. If this changes, we will update this section and obtain any required consent.
California users: Under CPRA, you have the right to opt out of certain ADMT uses. To exercise this right, contact grow@ybuffet.com. We will respond within 45 days.
8. Your Rights
Depending on your location, you have the following rights regarding your personal data. See also Appendix A for jurisdiction-specific details and contact points.
To submit a request, use your account settings or contact grow@ybuffet.com. You may also designate an authorized agent by providing written authorization. We do not discriminate against users for exercising their privacy rights.
9. Do Not Track and Global Privacy Control
Do Not Track (DNT): YBuffet does not currently respond to DNT browser signals because there is no industry-standard protocol for how platforms should respond. We disclose this in accordance with the California Online Privacy Protection Act (CalOPPA) requirements.
Global Privacy Control (GPC): YBuffet recognizes and honors GPC signals as a valid opt-out of the sale or sharing of your personal information, as required under California CPRA. If your browser sends a GPC signal, we treat it as a request to opt out of data sharing for cross-context behavioral advertising.
10. Data Security and Breach Notification
We implement industry-standard technical and organizational measures to protect your personal data, including encryption in transit and at rest, access controls, and regular security assessments. No method of transmission over the internet is 100% secure.
Data Breach Notification: In the event of a data breach that affects your personal information, YBuffet will notify affected users without undue delay and, where required by law:
EU/EEA/UK (GDPR): within 72 hours of becoming aware of the breach, to the relevant supervisory authority; without undue delay to affected individuals where the breach is likely to result in high risk
Brazil (LGPD): within a reasonable time to the ANPD and affected individuals
Canada (PIPEDA): as soon as feasible where there is real risk of significant harm
China (PIPL): immediately to relevant authorities and affected individuals
California (CCPA) and other US states: as required by applicable state breach notification law
Notification will describe the nature of the breach, data affected, steps we are taking, and steps you can take to protect yourself. If you suspect your account has been compromised, contact us immediately at grow@ybuffet.com.
11. AI Features and Data
YBuffet's planned AI Agent feature will process inputs you provide to generate recommendations and connect you with relevant service providers. Inputs and outputs may be used in aggregate or de-identified form to train, test, and improve our AI systems. We do not use personally identifiable AI interaction data to train models without your consent. You are responsible for not submitting sensitive personal information through AI interfaces.
EU/EEA Users: AI-generated outputs that produce significant effects are subject to your right under GDPR Article 22. See Section 7 above.
12. Children and Minors
The Platform is not directed to individuals under the age of 18 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal data from minors. If we become aware that we have collected data from a minor, we will promptly delete it and terminate the account. If you believe a user of the Platform is underage, please contact us at grow@ybuffet.com.
Note: The EU's age of digital consent varies by member state (13-16 years). The UK GDPR sets it at 13. Brazil's LGPD protects minors under 18 with heightened requirements.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or prominent notice on the Platform at least 30 days before the changes take effect. Your continued use after the effective date constitutes acceptance. If you do not agree to material changes, you may close your account before the effective date.
14. Contact and EU Representative
YBuffet Inc., San Francisco, California, USA
Privacy inquiries: grow@ybuffet.com
EU Representative: YBuffet is in the process of appointing an EU representative as required under GDPR Article 27. In the interim, EU/EEA users may direct all data protection inquiries to grow@ybuffet.com. We will respond to GDPR-related requests within one (1) month.
Data Protection Officer: YBuffet does not currently meet the thresholds requiring mandatory appointment of a Data Protection Officer under GDPR Article 37. Privacy oversight is handled by our compliance team, reachable at grow@ybuffet.com.
Appendix A: Global Jurisdiction Supplement
This Appendix provides jurisdiction-specific information supplementing the main Privacy Policy.
A1. European Economic Area, United Kingdom, and Switzerland (GDPR / UK GDPR)
Legal Framework: The General Data Protection Regulation (GDPR) (EU) 2016/679 applies to our processing of your personal data. UK users are covered by the UK GDPR and Data Protection Act 2018. Swiss users are covered by the revised Federal Act on Data Protection (revFADP) effective September 1, 2023.
Lawful Bases: See Section 3 of the main Policy for our lawful basis table. Where we rely on legitimate interests, you have the right to object at any time.
Your GDPR Rights:
Access (Art. 15): receive a copy of your data within 1 month (extendable to 3 months for complex requests)
Rectification (Art. 16): correct inaccurate data without undue delay
Erasure (Art. 17): 'right to be forgotten' subject to legal retention requirements
Restriction (Art. 18): pause processing in certain circumstances
Portability (Art. 20): receive your data in machine-readable format
Object (Art. 21): object to processing based on legitimate interests or for direct marketing (absolute right for marketing)
Automated decisions (Art. 22): not be subject to solely automated decisions with legal or significant effects without human review
Supervisory Authorities: You have the right to lodge a complaint with your local data protection authority. Key authorities include:
Ireland: Data Protection Commission (dataprotection.ie) - lead authority for many US tech companies
Germany: Federal Commissioner for Data Protection and Freedom of Information (bfdi.bund.de)
France: CNIL (cnil.fr)
Netherlands: Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl)
UK: Information Commissioner's Office (ico.org.uk)
Switzerland: Federal Data Protection and Information Commissioner (edoeb.admin.ch)
International Transfers: Personal data transferred from the EEA/UK to the USA is protected by Standard Contractual Clauses (SCCs) per European Commission Decision 2021/914. You may request a copy of applicable SCCs by contacting grow@ybuffet.com.
A2. Brazil (LGPD - Lei Geral de Proteção de Dados)
Legal Framework: Brazil's General Data Protection Law (Law No. 13,709/2018, as amended) governs the processing of personal data of individuals located in Brazil.
Legal Bases: We process Brazilian user data on the following LGPD bases: consent, contract performance, legal obligation, legitimate interests, and protection of life and physical safety as applicable.
Your LGPD Rights:
Confirmation of whether your data is processed
Access to your personal data
Correction of incomplete, inaccurate, or outdated data
Anonymization, blocking, or deletion of unnecessary or excessive data
Data portability to another service provider
Deletion of data processed with your consent
Information about third parties with whom we share your data
Information about the possibility of not providing consent and the consequences
Revocation of consent at any time
Supervisory Authority: Autoridade Nacional de Proteção de Dados (ANPD) - anpd.gov.br
Data Officer Contact: grow@ybuffet.com. We will respond to LGPD requests within 15 days.
A3. Canada (PIPEDA and Provincial Laws)
Legal Framework: The Personal Information Protection and Electronic Documents Act (PIPEDA) governs our collection, use, and disclosure of personal information in Canada. Quebec residents are additionally covered by Quebec's Law 25 (Act Respecting the Protection of Personal Information in the Private Sector), which has stricter requirements effective September 2023. British Columbia residents are covered by PIPA BC; Alberta residents by PIPA AB.
CASL (Canadian Anti-Spam Legislation): We comply with CASL requirements for commercial electronic messages. You will only receive marketing emails from us based on express or implied consent as defined under CASL, and you may unsubscribe at any time.
Quebec Law 25 Specifics:
We conduct privacy impact assessments (PIAs) before implementing new personal information processing activities
You have the right to data portability (effective September 2024)
You have the right to be de-indexed from search results in certain circumstances
Automated decision-making that significantly affects you requires disclosure and human review on request
Supervisory Authority: Office of the Privacy Commissioner of Canada (OPC) - priv.gc.ca
Quebec: Commission d'accès à l'information du Québec (cai.quebec.ca)
We will respond to PIPEDA requests within 30 days.
A4. China (PIPL - Personal Information Protection Law)
Legal Framework: China's Personal Information Protection Law (PIPL), effective November 1, 2021, applies to the processing of personal information of individuals located in China.
Local Representative: As required by PIPL Article 53, YBuffet is in the process of designating a domestic representative or agency within China to handle personal information protection matters. Contact grow@ybuffet.com for current contact information.
Sensitive Personal Information: Under PIPL, sensitive personal information (biometrics, financial information, location, etc.) requires separate, specific consent. We minimize collection of sensitive data and obtain specific consent where required.
Cross-Border Transfers: Transfer of Chinese users' personal data outside China is subject to PIPL Chapter 3 requirements. We will obtain separate consent for cross-border data transfers as required, and will not transfer data prohibited from leaving China.
Your PIPL Rights:
Know, decide, and restrict/refuse processing of your personal information
Access and copy your personal information
Correct or supplement inaccurate information
Request deletion of personal information in circumstances defined by PIPL
Request explanation of automated decision-making rules that affect you
Supervisory Authority: Cyberspace Administration of China (CAC) - cac.gov.cn
We will respond to PIPL requests promptly as required by applicable Chinese regulations.
A5. Singapore (PDPA - Personal Data Protection Act)
Legal Framework: Singapore's Personal Data Protection Act 2012 (as amended 2020) applies to the processing of personal data of individuals in Singapore.
Your PDPA Rights: You have the right to access and correct your personal data. You also have the right to data portability and withdrawal of consent. We will respond within 30 days.
Data Breach Notification: We will notify the Personal Data Protection Commission (PDPC) within 3 calendar days of discovering a notifiable breach. Affected individuals will be notified without undue delay.
Supervisory Authority: Personal Data Protection Commission (PDPC) - pdpc.gov.sg
A6. Japan (APPI - Act on Protection of Personal Information)
Legal Framework: Japan's Act on the Protection of Personal Information (APPI, as amended 2022) applies to the handling of personal information of individuals in Japan.
Third-Party Provision: We will not provide your personal information to third parties without your consent, except as permitted under APPI (e.g., outsourcing, business succession, joint use with notice).
Your APPI Rights: You have the right to request disclosure, correction, addition, deletion, cessation of use, and cessation of third-party provision of your personal information. We will respond within 2 weeks.
Supervisory Authority: Personal Information Protection Commission (PPC) - ppc.go.jp
A7. Australia (Privacy Act 1988 / Australian Privacy Principles)
Legal Framework: Australia's Privacy Act 1988 and the 13 Australian Privacy Principles (APPs) govern the handling of personal information of Australian users.
Overseas Disclosure: Before disclosing personal information to overseas recipients, we take reasonable steps to ensure the recipient does not breach the APPs, or you consent to the disclosure with awareness of the risks.
Your APP Rights: You have the right to access and correct personal information we hold about you. Requests will be responded to within 30 days.
Supervisory Authority: Office of the Australian Information Commissioner (OAIC) - oaic.gov.au
A8. South Africa (POPIA - Protection of Personal Information Act)
Legal Framework: South Africa's Protection of Personal Information Act 4 of 2013 (POPIA) applies to the processing of personal information of data subjects in South Africa.
Information Officer: YBuffet's Information Officer for POPIA purposes is contactable at grow@ybuffet.com.
Your POPIA Rights: You have the right to be notified of the collection of your personal information, to access it, to correct or delete it, and to object to processing. We respond within 30 days.
Supervisory Authority: Information Regulator - inforegulator.org.za