Privacy Policy and Data Protection Notice

1. Who We Are and How to Reach Us

2. Legal Bases for Processing

We process your personal data only when a recognized legal basis applies. We do not collect data speculatively or beyond what is genuinely necessary.

The legal bases below are drawn from the GDPR framework and apply directly to the processing of personal data belonging to users located in the European Economic Area. For users outside the EEA, these same principles guide our data practices under applicable US and international privacy laws.

3. Personal Data We Collect

We collect only the data that is strictly necessary to deliver the travel concierge services you request. Below is a transparent breakdown of each category:

4. How We Use Your Data

Your data is used exclusively to operate the Platform and deliver the travel services you have requested. We do not use your data for purposes incompatible with those disclosed here.

• →Service delivery: account management, price monitoring, automated booking execution, and booking confirmation notifications.
• →Identity and document transmission: forwarding your passport data and personal identifiers to airline and hotel booking systems as required to issue valid travel documents.
• →Security and fraud prevention: detecting unauthorized access attempts, brute force protection, IP based login alerts, and chargeback fraud analysis.
• →Legal and regulatory compliance: financial record keeping, dispute resolution evidence, and fulfillment of statutory obligations.
• →Transactional communications: sending one-time passwords, booking confirmations, price alert notifications, and security alerts. We do not send marketing emails without your explicit prior consent.
• →Platform improvement: aggregated and anonymized usage analytics to improve the reliability, speed, and quality of our automated services.

5. Data Sharing and Third Party Transmissions

Yellsy LLC does not sell, rent, or lease your personal data to any marketing broker, advertising network, or data aggregator. To execute your travel packages, our platform acts as a technological intermediary and must transmit your data to the following verified partners, under strict contractual and security obligations:

We never sell your personal data. Ever.

6. International Data Transfers

Travel booking inherently requires cross-border data flows. When you request a booking through Yellsy LLC, your personal identifiers may be transmitted to, stored in, and processed by partners located outside your country of residence, including countries that may not offer the same level of data protection as your home jurisdiction. By confirming a purchase, you grant Yellsy LLC an explicit mandate to execute these international transfers solely for the purpose of delivering your travel contracts. For EEA users, all transfers to countries that do not offer adequate data protection are governed by Standard Contractual Clauses approved by the European Commission, or equivalent safeguards under applicable data protection law. Our Data Processing Agreement, available at yellsy.com/legal/dpa, governs our processor relationships in detail.

7. Data Retention

We retain your personal data only for as long as is necessary to fulfill the purpose for which it was collected, to handle potential post travel claims, or to comply with mandatory legal obligations. The following retention periods apply:

Once retention periods expire, your personal data is automatically anonymized or securely and permanently purged from our operational database systems.

8. Security and Encryption

Yellsy LLC enforces a strict security protocol with no exceptions. All user data is encrypted and access is controlled on a strict need to know basis. Below are the technical measures we maintain:

9. Automated Processing and Decision-Making

Yellsy LLC operates an automated booking platform. When you activate the autobook feature, our systems make automated decisions to select and confirm travel offers on your behalf, based on the preferences and budget you have explicitly defined. These automated decisions directly affect your financial commitments. EEA users hold the specific right under Art. 22 GDPR to request human review of any automated booking decision, to express their point of view, and to contest the outcome. We voluntarily extend this same right to all users worldwide. To request a human review, contact us at contact@yellsy.com. You may also disable the autobook feature at any time through your dashboard settings, which will require your manual approval before any booking is confirmed.

10. Your Privacy Rights

The rights you hold depend on where you are located. Regardless of jurisdiction, Yellsy LLC is committed to honoring every request in a timely and transparent manner.

11. Cookies and Tracking Technologies

Yellsy LLC uses only strictly necessary cookies required for session management, authentication, and platform security. We do not use advertising cookies, behavioral tracking pixels from other websites, or third party profiling technologies. No cookies are placed on your device for marketing purposes without your explicit prior consent. For a complete description of the cookies we use, their purpose, and their duration, please refer to our Cookie Policy.

12. Children's Privacy

The Platform is not directed at persons under the age of eighteen (18). Yellsy LLC does not knowingly collect personal data from minors. If you are a parent or guardian and believe that a minor has provided us with personal information without your consent, please contact us immediately at contact@yellsy.com and we will take prompt action to delete that information from our systems.

13. Security Incident Notification

In the unlikely event of a personal data breach likely to result in a high risk to your rights and freedoms, Yellsy LLC will notify affected users without undue delay and no later than seventy-two (72) hours after becoming aware of the breach. For EEA users, this commitment reflects our obligations under Art. 34 GDPR; we apply the same seventy-two hour notification window voluntarily to all users worldwide. The notification will describe the nature of the breach, the categories of data involved, the likely consequences, and the measures taken or proposed to address it. Where required by applicable law, we will also notify the competent supervisory authority within the same timeframe.

14. Modifications to This Policy

Yellsy LLC reserves the right to update or revise this Privacy Policy at any time to reflect changes in our data practices, new regulatory requirements, or updated API integrations. When material changes are made, we will notify you by email at least thirty (30) days before the revised policy takes effect. The "Last updated" date at the top of this page will always reflect the most current version. Your continued use of the Platform after the effective date of any update constitutes your acceptance of the revised policy. If you do not agree with a material change, you have the right to close your account before the effective date.

15. Contact and Data Requests

For any question regarding this Privacy Policy, to exercise a data protection right, or to report a concern, please contact us through the following channel. We are genuinely committed to responding promptly and transparently.