Privacy Policy
Last updated: March 9, 2026
1. Data Controller
Yellowhak OÜ acts as Data Controller for the personal data of its Clients (business contact persons) and website visitors. When Yellowhak OÜ accesses or processes client systems, networks, or data during cybersecurity engagements (Red Teaming, penetration tests, AI security audits), Yellowhak OÜ acts as Data Processor under a Data Processing Agreement (DPA) signed with each Client.
2. Scope of Application
This Policy applies to the processing of personal data in connection with: (i) the engagement of cybersecurity consulting services from Yellowhak OÜ; (ii) browsing the website yellowhak.com; (iii) communication with our sales, support, or legal teams. It does not cover the privacy practices of third-party tools or platforms used during engagements.
3. Data We Collect
3.1 Data you provide directly
- Contact data: full name, company name, corporate email, phone number, and country submitted through assessment request forms.
- Engagement data: scope documents, network diagrams, credentials provided for authorized testing, and communications related to ongoing projects.
- Billing data: invoicing address, tax identification (VAT/NIF/RUC). We do not store credit card data; payments are processed by third-party payment providers.
3.2 Data generated through usage
- Usage data: pages visited, links clicked, session duration, and referral sources on yellowhak.com.
- Technical data: IP address, browser type and version, operating system, timezone, and device identifiers.
- Audit logs: access records, form submissions, and security events.
4. Purposes of Processing
- Service delivery: managing engagement requests, conducting authorized security assessments, and delivering reports.
- Communication: sending engagement updates, invoices, and — with your consent — marketing communications.
- Security: detecting, investigating, and preventing unauthorized access or abuse of our systems.
- Continuous improvement: analyzing anonymized usage patterns to improve our website and services.
- Legal compliance: fulfilling applicable tax, accounting, and legal obligations.
- Internal research: Yellowhak OÜ may use anonymized and aggregated engagement data to improve internal tools and methodologies. Client-specific findings are never shared without explicit consent.
5. Recipients and International Transfers
5.1 Sub-processors
Yellowhak OÜ may share data with cloud infrastructure providers (e.g., AWS, Google Cloud) located in the EEA or with adequate safeguards, payment processors, email service providers, and analytics tools — all under contracts with appropriate data protection clauses.
5.2 International Transfers
When data is transferred outside the European Economic Area (EEA) to countries without an adequate level of protection, Yellowhak OÜ ensures appropriate safeguards through: (i) Standard Contractual Clauses approved by the European Commission; (ii) adequacy decisions; or (iii) other GDPR-accepted safeguards. You may request a copy of these safeguards by writing to legal@yellowhak.com.
6. Retention Period
Personal data is retained for the duration of the business relationship and, thereafter, for the period required by applicable law (e.g., 7 years for billing records under Estonian tax law). Engagement data (reports, findings) is retained for 2 years post-engagement unless otherwise agreed in the DPA. Data processed on behalf of Clients during engagements is returned or deleted within 30 days of engagement completion.
7. Your Rights under the GDPR (EU/EEA Clients)
- Access (Art. 15): Obtain confirmation of whether we process your data and a copy thereof.
- Rectification (Art. 16): Correct inaccurate or incomplete data.
- Erasure / Right to be Forgotten (Art. 17): Request deletion of your data when no longer necessary or when you withdraw consent.
- Restriction (Art. 18): Request restriction of processing in certain circumstances.
- Portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format.
- Objection (Art. 21): Object to processing based on legitimate interest, including direct marketing.
- Automated decisions (Art. 22): Not be subject to decisions based solely on automated processing that produce significant legal effects.
- Withdraw consent: Withdraw consent at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, send your request to legal@yellowhak.com with the subject "Exercise of GDPR Rights". We will respond within 30 days (extendable by 60 days in complex cases, with notification). You also have the right to file a complaint with the Estonian Data Protection Authority (AKI) at www.aki.ee or with the supervisory authority of your habitual place of residence.
8. Your Rights under Law 29733 (Clients in Peru)
- Access: Know what personal data is held by Yellowhak OÜ, its purpose, and origin.
- Rectification: Update, modify, or complete your data when it is partial, inaccurate, or erroneous.
- Cancellation: Request deletion of your data when it is no longer necessary for its original purpose, or when you withdraw your consent.
- Objection: Object to the processing of your data in the cases provided by Law 29733.
To exercise these rights, send your request to legal@yellowhak.com with the subject "Exercise of Rights — Law 29733 Peru". We will respond within 20 business days. In case of disagreement, you may contact the National Authority for Personal Data Protection (Ministry of Justice and Human Rights of Peru).
9. Cookies and Tracking Technologies
yellowhak.com uses first-party and third-party cookies. Essential cookies are necessary for site functionality and cannot be disabled. Analytics and preference cookies require your prior, informed, and free consent, which you can manage through the cookie banner or by writing to legal@yellowhak.com.
10. Minors
Yellowhak OÜ services are not directed at persons under 18 years of age. We do not knowingly collect personal data from minors. If you become aware that a minor has provided us with personal data, please contact us immediately for deletion.
11. Security
Yellowhak OÜ implements appropriate technical and organizational measures to protect personal data against unauthorized access, loss, destruction, or accidental alteration, including: encryption in transit (TLS 1.3) and at rest (AES-256), role-based access controls (RBAC), multi-factor authentication (MFA), regular security audits, and incident response plans.
12. Breach Notification
In the event of a security breach affecting personal data, Yellowhak OÜ will notify the competent supervisory authority within 72 hours of becoming aware, pursuant to Art. 33 GDPR. Where the breach poses a high risk to the rights and freedoms of data subjects, Yellowhak OÜ will also notify the affected individuals without undue delay (Art. 34 GDPR).
13. Modifications
Yellowhak OÜ may update this Privacy Policy periodically. Material changes will be notified by email or prominent notice on the website with at least 30 days' advance notice.
14. Contact and DPO
For any inquiry, rights exercise, or complaint related to this Privacy Policy:
- Email (DPO): legal@yellowhak.com
- Entity: Yellowhak OÜ
- Address: Harju maakond, Tallinn, Lasnamäe linnaosa, Lõõtsa tn 5, 11415, Estonia
- EU Supervisory Authority: Estonian Data Protection Authority (AKI), www.aki.ee
- Peru Supervisory Authority: Dirección de Protección de Datos Personales, Ministry of Justice and Human Rights