Privacy Policy
Last updated: 17 July 2026
This Privacy Policy explains how Emre Bal ("Yamgi", "we", "us") collects, uses, and protects personal data when you use the Yamgi platform. We act as the data controller for the account data described below.
1. Data we collect
- Account data: your name, email address, password (stored hashed), and organisation details you provide on signup.
- Billing data: subscription plan and payment status. Card details are handled by our payment processor and are not stored by us.
- Content data: the menus, images, prices, and business information you upload.
- Usage data: log data, device and browser information, and aggregated analytics about how menus are viewed (for example, scan counts and approximate location at country level).
2. How we use data
We use personal data to: provide and operate the service; authenticate you and secure accounts; process subscriptions and payments; provide analytics to you about your menus; communicate service and support messages; and comply with legal obligations.
Where you choose to use AI features, we send the relevant content — including menu text and any images you submit — to our AI sub-processor to generate optional suggestions such as item descriptions, translations, and image analysis. AI suggestions are generated automatically, may be inaccurate, and are provided for you to review and edit before publishing.
3. Legal bases
Where the GDPR or Turkey's KVKK applies, we process personal data on the bases of: performance of our contract with you; our legitimate interests in operating and improving the service; your consent where required (for example, before setting any non-essential cookies); and compliance with legal obligations.
4. Cookies
We use only a small number of cookies that are necessary for the service to work. We do not use advertising cookies or third-party tracking cookies, and our menu analytics are aggregated and measured on our own servers. Because of this, a cookie notice — rather than a consent banner — applies to our use of cookies.
| Cookie | Purpose | Duration | Type |
|---|---|---|---|
Session cookie (e.g. better-auth.session_token) | Keeps you signed in to the admin dashboard | About 7 days | Strictly necessary |
PARAGLIDE_LOCALE | Remembers your language preference | About 1 year | Functional |
You can delete or block cookies at any time through your browser settings. Blocking the session cookie will prevent you from signing in; blocking the language cookie will reset your language preference on each visit. If we ever introduce non-essential cookies, we will ask for your consent first.
5. Sharing and sub-processors
We share personal data with the service providers below, who process it only on our behalf and under data-protection obligations:
| Provider | Purpose | Privacy policy |
|---|---|---|
| Cloudflare | Application hosting, image storage (R2), transactional email delivery, bot protection (Turnstile), and AI request routing (AI Gateway) | https://www.cloudflare.com/privacypolicy/ |
| Neon | Managed PostgreSQL database hosting | https://neon.tech/privacy-policy |
| Polar | Subscription billing and payment processing | https://polar.sh/legal/privacy |
| Google (Gemini) | AI-assisted content generation — item descriptions, translations, and analysis of images you submit — when you use AI features | https://policies.google.com/privacy |
| OpenFreeMap | Map tiles for the location picker; processes your IP address to serve map data | https://openfreemap.org/privacy/ |
We do not sell personal data. We may disclose data where required by law or to protect our rights and the safety of users. We may update this list as our providers change; material changes will be notified as described in section 11.
6. International transfers
Your account and content data are stored in our database hosted in the European Union (Frankfurt, Germany). Some providers — in particular our hosting and email infrastructure (Cloudflare) — operate global networks and may process limited data, such as request metadata, in other countries. Where data is transferred outside your region, we rely on appropriate safeguards such as the EU Standard Contractual Clauses or an adequacy decision.
7. Data retention
We keep personal data only for as long as needed for the purposes described above:
- Account and content data: for as long as your account is active. After you close your account, we delete or anonymise it within a reasonable period.
- Billing records: for the period required by applicable tax and accounting law.
- Server and security logs: for a limited period, then deleted.
- Menu analytics: kept in aggregated or anonymised form.
8. Your rights
Subject to applicable law, you may request access to, correction of, deletion of, or a copy of your personal data, and you may object to or restrict certain processing or withdraw consent (without affecting processing already carried out). To exercise these rights, contact us at [email protected]; we aim to respond within 30 days.
If you are in the EEA or UK, these rights arise under the GDPR (Articles 15–22) and you may complain to your local supervisory authority. If you are in Turkey, you have the equivalent rights under the KVKK and may complain to the Personal Data Protection Authority (KVKK).
9. Security
We use technical and organisational measures to protect personal data, including encryption in transit, hashed passwords, and access controls. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
10. Children
Yamgi is intended for businesses and is not directed at children. We do not knowingly collect personal data from children.
11. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be notified by a reasonable means, and the "last updated" date will reflect the latest version.
12. Contact
For privacy questions or to exercise your rights, contact us at [email protected].