Digital Services Act - Transparency Labels and Markings
Effective Date: February 26, 2026
Service Provider
YukiSoftware OÜ
Estonian Company Registration Number: 16687784
1. Service Classification
1.1 Primary Categories
- Service Type: Personal data management and productivity application
- Main Purpose: Automated extraction and organization of structured insights from user emails and calendar data (travel itineraries, financial transactions, delivery tracking, calendar events)
- User Interface Type: Mobile application (iOS, Android) and web portal
- User Base: Individual consumers in the EU and worldwide
1.2 Data Handling Categories
- Primary: Email inbox data (read-only access via Gmail API)
- Secondary: Calendar events, contacts, account authentication data
- Processing Method: On-device where possible; cloud processing via OpenAI API for natural language understanding
- Data Retention: Derived insights stored indefinitely; raw email data deleted after processing
2. Risks and Risk Mitigation Measures
2.1 Systemic Risks Identified
Data Privacy & Security
Risk: Unauthorized access to sensitive user personal data (emails, financial info, travel plans)
Mitigation:
- End-to-end encryption for data in transit (TLS 1.3+)
- PostgreSQL with AES-256 encryption at rest via Supabase
- Row-Level Security (RLS) policies enforcing user data isolation
- No raw email bodies stored permanently; only extracted insights retained
- Annual security audits and penetration testing
- GDPR compliance with user data deletion on account termination
Third-Party Data Sharing
Risk: Inadvertent sharing of personal data with unauthorized third parties
Mitigation:
- Data Processing Agreements (DPA) with all processors (OpenAI, Sentry, PostHog, Cloudflare, Microsoft Clarity)
- No data sale or commercial sharing with third parties
- Limited third-party integrations with explicit user consent
- Regular audits of third-party data access
AI/ML Model Training Risks
Risk: User data being used to train or improve AI models without consent
Mitigation:
- Explicit contractual prohibition with OpenAI against model training on customer data
- No model fine-tuning or custom training on user data
- Clear privacy policy disclosing AI processing methods
- User opt-out mechanisms for AI-powered features (email extraction)
Authentication & Authorization Vulnerabilities
Risk: Unauthorized account access or privilege escalation
Mitigation:
- OAuth 2.0 with Google and Apple Sign-In (no password storage)
- Secure token management with refresh token rotation
- Session management with automatic expiration
- Two-factor authentication ready (future enhancement)
Illegal Content or Activities
Risk: Platform used for facilitating illegal activities (fraud, phishing, etc.)
Mitigation:
- Terms of Service prohibiting illegal use
- Abuse reporting mechanism in app and web portal
- Account suspension and law enforcement cooperation procedures
- No user-generated content moderation required (personal data only)
2.2 Content Moderation Measures
As a personal data management tool, Yuki does not host user-generated content, forums, or social features. Therefore, traditional content moderation is not applicable.
- Abuse Reporting: Users can report abuse via email (support@yukihq.com) or in-app contact form
- Takedown Requests: GDPR subject access requests and deletion requests are processed within 30 days
- DMCA/Copyright: No user-uploaded media; copyright concerns handled on a case-by-case basis
3. Service Provider Information
Legal Entity
YukiSoftware OÜ
Registration Number
16687784 (Estonia)
Principal Place of Business
Tallinn, Estonia
Contact for DSA Inquiries
compliance@yukihq.com
4. User Rights & Remedies
- Data Access: Users can download their data via account settings or request a complete data export
- Data Deletion: Users can delete their account and all associated data at any time
- Correction: Users can update their profile information in account settings
- Withdrawal of Consent: Users can disconnect Gmail, Calendar, and Contacts integrations at any time
- Complaint Handling: Support requests are processed within 5 business days; formal complaints can be escalated to supervisory authorities
5. Additional Information
This document is provided in accordance with Article 24 of the Digital Services Act (2022/1957/EU) and is updated regularly as our service and risk profile evolves.
Last Updated: February 26, 2026