Data Processing Agreement (DPA)

YOYU LTD
Last Updated: 01/02/2026

This Data Processing Agreement (“DPA”) forms part of the YoYu Provider Service Agreement between YOYU LTD and the Provider and governs the processing of Personal Data by YOYU LTD on behalf of the Provider in connection with the Provider’s use of the YoYu platform.

A1. PURPOSE AND SCOPE

YoYu processes Provider personal data for the following purposes:

  • Creating and managing Provider accounts and profiles
  • Displaying Provider information on the YoYu website
  • Processing subscription and verification payments
  • Conducting verification checks
  • Communicating with Providers and managing service-related enquiries
  • Maintaining website security, performance, and analytics

This DPA is to be read together with the YoYu Privacy Policy.

A2. ROLES OF THE PARTIES

In most circumstances:

  • The Provider acts as the Data Controller of the personal data they submit to YoYu.
  • YoYu acts as a Data Processor when processing such data solely to operate the platform and provide contracted services.

YoYu may also act as a Data Controller for certain processing activities necessary to operate its business, including:

  • Website analytics and performance monitoring
  • Account administration and compliance
  • Fraud and security monitoring
  • Payment processing (in conjunction with Stripe and applicable laws)

Where YoYu acts as Controller, processing is governed by the YoYu Privacy Policy.

A3. TYPES OF PERSONAL DATA PROCESSED

YoYu may process the following categories of Provider personal data:

  • Name, contact details, and business information
  • Qualifications, registrations, and verification documents
  • Professional profile content, biography, and images
  • Payment and subscription records
  • Communication logs and correspondence
  • Website usage and analytics data
  • Any additional content voluntarily submitted by the Provider

YoYu does not intentionally seek to process special category data, but may do so where it is voluntarily provided by the Provider.

A4. PROCESSING INSTRUCTIONS

YoYu will:

  • Process personal data only for the purposes set out in this DPA and the Agreement
  • Not process personal data for incompatible purposes without a lawful basis
  • Follow documented instructions from the Provider unless required by law to act otherwise

A5. CONFIDENTIALITY

YoYu ensures that individuals authorised to process personal data:

  • Are subject to appropriate confidentiality obligations
  • Receive training in data protection and information security
  • Access personal data only where necessary for the performance of their duties

A6. SECURITY MEASURES

YoYu implements appropriate technical and organisational measures to protect personal data, including:

  • Encrypted data transmission (SSL/HTTPS)
  • Secure hosting infrastructure
  • Role-based access controls
  • Regular backups and monitoring
  • Intrusion detection and prevention measures
  • Data minimisation and restricted access on a need-to-know basis

A7. SUB-PROCESSORS

YoYu may engage third-party sub-processors for hosting, payment processing, analytics, and communication services, including:

  • Stripe (payment processing)
  • Website hosting providers
  • Email and communication platforms
  • Analytics platforms (e.g., Google Analytics)

YoYu ensures all sub-processors operate under GDPR-compliant agreements. Providers will be notified of material changes to the list of core sub-processors via updates to YoYu’s policies or website.

A8. INTERNATIONAL TRANSFERS

Where personal data is transferred outside the UK, YoYu will ensure that appropriate safeguards are in place, such as:

  • UK Standard Contractual Clauses (SCCs)
  • UK Addendum / IDTA
  • Adequacy regulations or decisions

A9. DATA RETENTION

YoYu retains Provider personal data:

  • For the duration of the Provider’s active account or subscription; and
  • For up to 6 years after account closure to comply with legal, regulatory, and accounting obligations; and
  • Verification documents for approximately 12 months or until renewal, whichever is sooner.

Data is deleted or anonymised when it is no longer required for the purposes for which it was collected.

A10. PROVIDER RIGHTS

Under UK GDPR, Providers have the right to:

  • Access their personal data
  • Rectify inaccurate or incomplete data
  • Request erasure, where applicable
  • Restrict processing in certain circumstances
  • Obtain a copy of their data in a portable format
  • Object to certain types of processing
  • Withdraw consent, where processing is based on consent

Requests to exercise these rights should be sent to info@yoyu.life.

A11. DATA BREACH NOTIFICATION

In the event of a personal data breach affecting Provider data, YoYu will:

  • Notify the Provider without undue delay once aware of the breach
  • Provide information about the nature of the breach and steps taken or proposed to address it
  • Cooperate with the Provider in relation to any necessary notifications to data protection authorities or affected individuals, where required by law

A12. TERMINATION AND DATA DELETION

Upon termination of the Provider’s relationship with YoYu:

  • Public provider profile data will be removed from the website
  • Retained data will be limited to that which is necessary to meet legal, regulatory, and accounting obligations
  • All other personal data will be securely deleted or anonymised in line with YoYu’s retention policies

 

For all contractual, operational, or data protection matters, please contact:

Email: info@yoyu.life
Address: YoYu Limited, 71–75 Shelton Street, Covent Garden, London, WC2H 9JQ