1. Who we are (data controller)
FORGE INNOVATION AND VENTURES LTD (“we”, “us”), trading as Yellobots, operates the Yellobots platform at https://yellobots.com. For the purposes of the UK GDPR and EU General Data Protection Regulation (GDPR), we act as the data controller for personal data described in this policy, unless we tell you otherwise for a specific processing activity.
Contact: privacy@yellobots.com
Registered address: Rear Of 5, Norfolk Street, Sunderland, England, SR1 1EA
2. Scope
This policy applies to:
- Visitors to our website and marketing pages
- Users who create an account or join a workspace
- Workspace members whose employers or teams use Yellobots
- Individuals who connect third-party services (e.g. Facebook Pages, LinkedIn, X, Instagram) via Composio
It does not cover third-party websites or services you access through links from our product; those have their own privacy policies.
3. Personal data we collect
Depending on how you use Yellobots, we may process:
- Account data: name, work email, password (stored hashed), workspace/company name, role
- Profile & brand data: business description, ICP, voice guidelines, channels, compliance notes you provide
- Usage & product data: calendar tasks, agent outputs, approval actions, credit usage, activity feed entries
- Integration data: OAuth tokens and connection metadata for connected social accounts (via Composio)
- Communications: support messages and data-deletion requests
- Technical data: IP address, browser/device type, session cookies, server logs
When you connect Facebook (Meta), we receive information permitted by the permissions you grant (for example Page IDs, Page access tokens, and content needed to publish on your behalf). We do not receive your Facebook password.
4. How we use data and legal bases (GDPR Article 6)
| Purpose | Typical data | Legal basis |
|---|---|---|
| Provide the service (accounts, agents, calendar, approvals) | Account, workspace, product usage | Contract (Art. 6(1)(b)) |
| Publish to connected social accounts when you approve | Tokens, post content, Page/account IDs | Contract; your instructions (Art. 6(1)(b), (a)) |
| Security, fraud prevention, abuse detection | Logs, IP, session data | Legitimate interests (Art. 6(1)(f)) |
| Transactional email (signup, invites) | Email address | Contract (Art. 6(1)(b)) |
| Legal compliance and responding to requests | Relevant account records | Legal obligation (Art. 6(1)(c)) |
| Improve the product (aggregated analytics) | Usage metrics, error logs | Legitimate interests (Art. 6(1)(f)) |
Where we rely on legitimate interests, you may object (see section 9). We will balance our interests against your rights.
5. Processors and third parties
We use trusted service providers who process data on our instructions, including:
- Hosting and database providers (e.g. cloud infrastructure, MongoDB Atlas)
- Composio — OAuth and API execution for social platforms (Facebook, LinkedIn, X, Instagram)
- Google (Gemini) — AI content generation when you use planning and agent features
- Fal — image generation for Cherry (designer agent) when enabled
- Resend — transactional email
- Inngest — background job orchestration
- Meta (Facebook) — when you connect a Facebook Page and we publish via the Graph API
Each processor is bound by contractual terms requiring appropriate security and, where applicable, Standard Contractual Clauses or equivalent safeguards for international transfers.
6. International transfers
Your data may be processed in the United Kingdom, the European Economic Area, the United States, or other countries where our providers operate. Where required, we implement appropriate safeguards (such as the UK IDTA / EU Standard Contractual Clauses) and assess transfer risks.
7. Retention
We keep personal data only as long as necessary for the purposes above, including:
- Active account data: for the life of your account plus a short wind-down period
- Connected social tokens: until you disconnect the integration or delete your account
- Logs: typically up to 90 days unless needed for security investigations
- Billing/legal records: as required by applicable law
When you request erasure, we follow our User Data Deletion process, subject to lawful exceptions (e.g. unresolved disputes or legal holds).
8. Cookies and similar technologies
We use strictly necessary cookies (e.g. session authentication) to operate the service. We do not use non-essential marketing cookies without consent where required by law. You can control cookies through your browser settings; disabling essential cookies may prevent login.
9. Your rights (UK / EU GDPR)
If GDPR applies to you, you have the right to:
- Access your personal data and receive a copy
- Rectify inaccurate data
- Erase data (“right to be forgotten”) in certain circumstances
- Restrict processing in certain circumstances
- Data portability for data you provided, where processing is automated and based on contract or consent
- Object to processing based on legitimate interests or for direct marketing
- Withdraw consent at any time where processing is based on consent (without affecting prior processing)
- Lodge a complaint with a supervisory authority
To exercise rights, email privacy@yellobots.com or use our data deletion page. We respond within one month (extendable by two months for complex requests, with notice).
UK supervisory authority: Information Commissioner's Office (ICO) — ico.org.uk. EU users may contact your local data protection authority.
10. Facebook (Meta) and social login
When you connect Facebook, Meta's Privacy Policy also applies to Meta's processing. We access only the data and permissions you authorize. You can revoke access in Facebook Settings → Business integrations / Apps and websites, and disconnect in Yellobots Integrations → Titan.
11. Security
We implement technical and organisational measures appropriate to the risk, including encryption in transit (HTTPS), hashed passwords, access controls, and tenant isolation for workspace data. No method of transmission is 100% secure; please use a strong password and protect your account credentials.
12. Children
Yellobots is intended for business users aged 18+. We do not knowingly collect data from children. Contact us if you believe a child has provided personal data.
13. Automated decision-making
Our AI agents generate drafts and recommendations. Public publishing requires your explicit approval in the product. We do not make solely automated decisions with legal or similarly significant effects without human involvement in the approval flow.
14. Changes to this policy
We may update this policy from time to time. We will post the new version on this page with an updated “Last updated” date. Material changes may be notified by email or in-product notice where appropriate.