Privacy - DRAFT pending counsel review 2026-05-24
This draft sets out the launch privacy posture for YRQR and campaign operators. It is not final legal advice and must be reviewed by counsel before being treated as the live privacy notice.
YRQR Ltd is the platform provider. The organisation running a campaign normally decides the campaign purpose, questions, participant notice, retention period, and reward mechanics. That organisation is expected to act as controller for campaign participation data, with YRQR acting as processor unless a signed agreement says otherwise.
Campaigns may process voice recordings, transcripts, text responses, uploaded media, scan metadata, consent timestamps, campaign stage, reward activity, language, device context, operator account details, audit logs, and optional contact details where the campaign asks for them.
Operators must choose and document the lawful basis for each campaign before launch. Common routes may include consent, legitimate interests, or contract depending on the campaign design. Special-category data, children, health, employment, or education contexts require additional review before use.
YRQR uses local Supabase Storage/Postgres on the Mac Studio launch host and selected service providers for email, payments, print fulfilment, security, observability, backups, and hosting ingress. The current launch subprocessor list is published at /subprocessors and remains subject to final DPA/SCC review.
Campaign retention must be set before launch. Participants can receive a deletion token for public submissions and can request help through the operator or YRQR support route. Erasure may remove audio, transcripts, linked response data, and identifiable metadata where legally valid.
Participants may have rights to access, rectification, erasure, restriction, portability, objection, and withdrawal of consent where applicable. UK participants can contact the ICO if they are not satisfied with how a privacy concern is handled.
Launch hosting is designed around a UK Mac Studio host and local storage. Some service providers may process data outside the UK/EEA under their own transfer safeguards. Before a live campaign, operators should confirm the participant notice, lawful basis, retention period, reward terms, processor list, and any special-category or child-safety considerations.
Discuss a campaign privacy workflow