YionStack
Legal · UK GDPR Articles 13 & 14

Privacy notice

This is the privacy notice for Yiontech LTD, trading as YionStack. It explains how we, as the data controller, collect and use personal data about people who interact with our website, our product, and our company. Personal data your business processes about its own end-users sits under your privacy notice and our Data Processing Agreement.

Version: v1.5
Effective: 16 June 2026
Jurisdiction: England & Wales
Standard: UK GDPR · DPA 2018
Companies House: 16519666
ICO registration: ZC013988

Yiontech LTD is registered with the UK Information Commissioner's Office under reference ZC013988 (registered 15 October 2025, current registration expires 14 October 2026). For controller identity see the company information page.

30-second summary

The four answers most people want.

ICO guidance recommends a layered approach — the answers up here, the full detail below. Read what you need.

Who is this for?

Visitors to yionstack.co.uk, prospects, account holders, and the people who run a YionStack business. End-users whose data your business processes (your customers, employees) are governed by your privacy notice and our DPA.

What do we collect?

Account details (name, email, business name), what you type into the product, billing details handled by Stripe, basic usage telemetry, and anything you upload while using the platform.

Why?

To deliver YionStack, charge for it, support you when you ask, keep the lights on (security, fraud-prevention), comply with our own legal duties, and — if you opt in — measure marketing.

How long?

Account data: while your account is open, then 30 days. Statutory records (invoices, tax): 6 years. Marketing: until you opt out. Anything else: documented per-purpose below.

Who we are

UK GDPR Art. 13(1)(a)

Yiontech LTD (Companies House 16519666), trading as YionStack, is a company registered in England and Wales. We are the data controller for the personal data described in this notice. You can reach us on privacy@yionstack.co.uk for any data-protection enquiry. We are not currently required to appoint a statutory Data Protection Officer; the address above is the operational data-protection point of contact.

Data we collect

UK GDPR Art. 13(1)(c) & 13(2)(a)

We split the data we hold into three buckets:

  • You give us directly: Your name, work email, business name, the answers you give in onboarding, the things you write into in-product fields, files you upload, support correspondence, marketing list opt-ins.
  • We collect automatically: IP address, device/browser info, sign-in events, in-product actions (click-throughs, feature usage), error reports. Used for security, debugging, and (with consent) analytics.
  • We get from third parties: Companies House (when you onboard a Ltd company we look up directors and registered address), HMRC (VAT registration check), Stripe (payment status, last 4 digits of card).

Purposes & lawful bases

UK GDPR Art. 13(1)(c) & Art. 6(1)

Every UK GDPR processing activity needs a lawful basis. Annex A below lists every purpose with the data we use, the basis we rely on, and the retention we apply. Where we rely on legitimate interests we have done a balancing test; the outcome is summarised in the matrix and we will share the full assessment on request.

Where we ask for consent (analytics, marketing) we use plain-English opt-in, no pre-ticked boxes, and an obvious way to withdraw. Withdrawal does not affect any prior lawful processing.

Where data comes from

UK GDPR Art. 14

Most personal data we hold comes directly from you. Where it does not (for example we look you up on Companies House when you onboard a Ltd company, or we receive a referral), Article 14 UK GDPR requires us to tell you. The third-party sources we routinely use are:

  • Companies House — director name, business address, company status (public-registry data for Ltd companies during onboarding).
  • HMRC — VAT registration validity check.
  • Stripe — payment confirmation, last 4 digits and brand of the card you used.

Who we share it with

UK GDPR Art. 13(1)(e)

We do not sell personal data and we do not share it with brokers. Personal data is shared only with:

  • Sub-processors that help us deliver YionStack — listed in full in our public sub-processor register and Annex 3 of our Data Processing Agreement.
  • Our own personnel and contractors who need access to do their jobs (support, operations, engineering) — including personnel located outside the UK. Where this involves a transfer of personal data outside the UK we apply the safeguards described in section 6 below, and these people are listed on our sub-processor register.
  • Professional advisers (lawyers, accountants, auditors) under confidentiality, only when needed.
  • Government and regulators where the law requires us to (HMRC, Companies House, ICO, courts).
  • A successor in the event of a sale, merger or restructuring — under confidentiality, with the same rights and obligations carried over.

International transfers

UK GDPR Chapter V

We host primarily in the UK. Where a Sub-processor processes personal data outside the UK or EEA we use the UK International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses with the UK Addendum. For US Sub-processors we additionally rely on the UK extension to the EU-US Data Privacy Framework where they self-certify. The full safeguard for each transfer is in our sub-processor register and DPA Annex 3.

Some of our own functions — currently customer support and related in-product support access, and operational / platform support where needed — are carried out by Yiontech personnel and contractors located outside the UK. Where this involves transferring personal data outside the UK, we rely on the UK International Data Transfer Agreement and have carried out a Transfer Risk Assessment for the destination country (which is named in those documents; further countries would be added to our sub-processor register with notice). We also apply supplementary technical and organisational measures, including: data stays on UK / EEA infrastructure and is accessed record-by-record through the product (no bulk export); encryption of data in transit and at rest; strict role-based access and row-level data isolation so a person only ever sees data for the businesses or systems their role covers; full access logging; data minimisation; managed-device controls; and a written data-protection and confidentiality undertaking from every such person. You can ask us for a copy of the relevant safeguard (and the destination country) by emailing privacy@yionstack.co.uk.

Retention

UK GDPR Art. 13(2)(a)

Retention is set per-purpose in Annex A below. The headline rules:

  • Account data — while your account is open, then 30 days for recovery, then deletion.
  • Backups — encrypted, 35-day rolling window.
  • Statutory records (invoices, tax) — 6 years (UK statutory).
  • Marketing — until you unsubscribe; we keep the proof of opt-out.
  • Legal claims — for the limitation period of the claim.

Security

UK GDPR Art. 32

We implement technical and organisational measures appropriate to the risk: encryption in transit and at rest, business isolation enforced at the data layer, audit trails on every action, least-privilege access for personnel, documented incident response, daily backups with tested restore. Annex 2 of our DPA lists every control in detail.

Your rights

UK GDPR Arts. 12–22 · Art. 7(3)

Under UK GDPR you have specific rights. The cards below are live — clicking one composes a real email. We acknowledge within 5 working days and respond in full within one calendar month (extendable by two further months for complex requests, with notice).

See the rights centre below this section.

Children's data

DPA 2018 · ICO Children's Code

YionStack is sold to UK businesses and is not directed at children. Where our education customers process learner data — including children — they are the controller for that data and we are the processor under our DPA. We support our education customers in meeting their duties under the ICO Age-Appropriate Design Code (the “Children's Code”).

Cookies & similar technology

We use a minimal set of strictly-necessary cookies and storage entries to make the site work, and (with your consent) limited analytics. The full inventory and live preference controls are on the Cookie policy.

Connected mailboxes & Google user data

Google API Services User Data Policy

YionStack lets you connect your own email mailbox — Gmail / Google Workspace, Microsoft 365 / Outlook, or any other IMAP provider — so your mail appears inside YionStack and you can read, send and reply to it from within the product. Connecting a mailbox is always optional, is started by you, and nothing is accessed until you approve it on the provider's own consent screen.

When you connect a Google (Gmail / Google Workspace) account, we request these scopes:

  • gmail.readonly — to display your inbox and messages inside YionStack.
  • gmail.send — to send and reply to email from your connected address when you ask us to.
  • userinfo.email — to identify which mailbox you connected.

We use this data solely to provide these mailbox features to you — showing your mail, letting you send and reply, and generating AI-assisted summaries and draft replies that are shown only to you and your business. We do not sell it, do not use it for advertising, do not use it to train generalised AI models, and do not transfer it to third parties except the sub-processors needed to operate the service (listed in our sub-processor register) or where the law requires it.

Limited Use. YionStack's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Microsoft 365 / Outlook connections use the equivalent Microsoft Graph delegated permissions (Mail.Read, Mail.Send, User.Read, offline_access) for the same purposes. IMAP connections use the credentials you provide, stored encrypted, to read and send your mail.

You can disconnect a mailbox at any time inside YionStack (Email → Connected accounts), which revokes our access immediately. You can also revoke access from your Google Account permissions page (or the equivalent Microsoft account page).

Changes to this notice

We update this notice when our processing changes or when guidance from the ICO requires it. The version number and effective date at the top change with every material update. For substantive changes that affect you we notify account holders by email at least 14 days before the change takes effect.

How to complain

UK GDPR Art. 77

Tell us first — we'd rather hear it and fix it. If we cannot resolve your concern, you have the right to complain to the Information Commissioner's Office, the UK's data-protection regulator. Their helpline is 0303 123 1113 and they accept online complaints.

Rights centre

Your UK GDPR rights — one click each.

These are the rights you have under UK GDPR Articles 15–22 (and Article 7(3) for consent withdrawal). Each button opens a pre-filled email to our privacy team. If you're an existing customer, you can also raise most of these from inside the product.

We respond within one calendar month. Identity verification may be requested before we act on a request, in line with ICO guidance and Article 12(6).

Annex A

Purpose, lawful basis & retention.

Every processing activity, with the data we use, the Article 6(1) lawful basis we rely on, and how long we keep it.

Purpose: Provide the YionStack product
Data: Account details, configuration, in-product activity
Lawful basis: Performance of contract, Art. 6(1)(b)
Retention: While your account is open

Purpose: Take payment, issue invoices
Data: Billing email, last 4 digits of card (held by Stripe), VAT number
Lawful basis: Performance of contract, Art. 6(1)(b)
Retention: 6 years (Companies Act 2006, HMRC)

Purpose: Provide support when you ask
Data: Support correspondence, screenshots you send, business context
Lawful basis: Performance of contract, Art. 6(1)(b)
Retention: 3 years from last contact

Purpose: Secure the service, detect abuse
Data: IP, device, sign-in events, failed-auth events, audit log
Lawful basis: Legitimate interests, Art. 6(1)(f)
Retention: 12 months · 35 days for backups

Purpose: Comply with our own legal duties
Data: Whatever the law requires us to keep (accounting, regulator requests)
Lawful basis: Legal obligation, Art. 6(1)(c)
Retention: As required by the law that mandates it

Purpose: Measure usage (if you opted in)
Data: Pseudonymous page views, feature usage, no third-party cookies
Lawful basis: Consent, Art. 6(1)(a)
Retention: Until you withdraw consent · 13 months max

Purpose: Send marketing (if you opted in)
Data: Marketing email, what you clicked, opt-in source
Lawful basis: Consent, Art. 6(1)(a)
Retention: Until you unsubscribe

Purpose: Defend / pursue legal claims
Data: Whatever is relevant to the claim
Lawful basis: Legitimate interests, Art. 6(1)(f)
Retention: Limitation period for the relevant claim

Where we rely on legitimate interests (Art. 6(1)(f)) we have completed a Legitimate Interests Assessment. Email privacy@yionstack.co.uk for the assessment for any specific purpose.

Plain-English glossary

The terms that come up most.

Personal data
Any information that identifies you, directly or indirectly. Your work email, your IP address, even a comment with your name on it.
Controller
The party that decides why and how personal data is processed. We are the controller for visitors and account holders.
Processor
The party that processes data on the controller’s behalf. We are the processor for the data your business pushes into YionStack.
Lawful basis
One of six grounds in Article 6(1) UK GDPR that justifies processing — contract, legal obligation, vital interests, public task, legitimate interests, or consent.
UK IDTA
UK International Data Transfer Agreement — the contractual safeguard we use when data leaves the UK / EEA.