Privacy Policy
Controller: Yopeso GmbH, Königstraße 31, 70173 Stuttgart, Germany
Privacy contact: contact@yopeso.com
Last updated: 16 March 2026
1. Scope and relationship to other notices
This Privacy Policy explains how Yopeso GmbH (“Yopeso”, “we”, “us”) processes personal data in connection with the operation of www.yopeso.com and related communications. It applies to visitors, business contacts, clients’ representatives, suppliers, candidates and other individuals whose personal data is processed in the contexts described below.
This Policy is drafted to meet the transparency requirements under Articles 12–14 GDPR and relevant EU ePrivacy requirements. It is designed for direct publication and regulatory inspection.
This Policy should be read together with our Cookie Policy, which provides detailed information about cookies and similar technologies, the categories used on this website, and how consent is obtained and managed via our Consent Management Platform (CMP).
2. Controller and contact details
The controller responsible for processing personal data under this Privacy Policy is Yopeso GmbH, Königstraße 31, 70173 Stuttgart, Germany.
For privacy-related matters, including requests to exercise data subject rights, you may contact us at contact@yopeso.com. General enquiries can be addressed to info@yopeso.com.
3. Data Protection Officer
Yopeso has appointed a Data Protection Officer (DPO). The DPO may be contacted for questions relating to this Privacy Policy, the lawfulness of processing activities, and the exercise of rights under the GDPR.
DPO contact details: contact@yopeso.com
4. Categories of personal data we process
Depending on how you interact with us, we may process different categories of personal data. We aim to keep processing proportionate and relevant to the purpose for which the data is collected.
Website usage and device data (cookie-related):
- Online identifiers (e.g., cookie IDs, consent identifiers, pseudonymous visitor identifiers).
- Interaction events on the website (e.g., pages visited, clicks, downloads, referral information, timestamps).
- Device and browser attributes (e.g., browser type, operating system, language settings).
- Security and integrity signals where required for fraud prevention and service protection.
Contact and business communication data:
- Name, professional contact details (work email, phone number if provided), company, job title.
- The content of messages and attachments you send to us and our responses.
- Internal case handling notes strictly required to respond to and manage the request.
Marketing and engagement data (where applicable and subject to consent where required):
- Consent status and preference information (cookie-level and, where applicable, communications preferences).
- Email engagement events (opens, clicks, bounces) where email engagement tracking is enabled.
- Scoring/grading outputs derived from engagement behaviour and interaction history.
Recruitment data (candidates):
- CV/resume information (education, employment history, skills), contact details and application materials.
- Interview scheduling information, interview notes and evaluation records.
- Communications with the candidate throughout the recruitment process.
5. Sources of personal data
We collect personal data directly from you when you submit forms, contact us by email, apply for a job, or otherwise communicate with us.
Where you consent to non-essential cookies, we collect certain information from your browser/device through cookies and similar technologies. This includes pseudonymous identifiers and interaction events that help us understand website usage and support marketing attribution.
In a B2B context, we may also process limited professional information that is publicly available or shared in a business context (e.g., professional profile information), but only where proportionate and necessary for the purpose pursued.
6. Purposes of processing and legal bases
We process personal data for the purposes set out below. Where a processing activity requires consent (in particular for non-essential cookies and cookie-based marketing/profiling), we do not process such data unless consent has been obtained and can be withdrawn at any time.
6.1 Website operation and security
Purpose: To ensure the proper functioning of the website, maintain security, prevent abuse, and ensure service reliability. This may involve the use of strictly necessary cookies and security-related logging.
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR) and the ePrivacy ‘strictly necessary’ exemption for necessary cookies.
6.2 Responding to enquiries and handling contact requests
Purpose: To respond to enquiries, provide requested information, and manage communications with potential or existing business contacts.
Legal basis: Pre-contract steps/contract (Art. 6(1)(b)) where applicable, and otherwise legitimate interests (Art. 6(1)(f)) in responding to business communications.
Operational note: Messages submitted via website contact channels are handled primarily via email workflows and may also be recorded in internal systems used to manage communications and ensure timely responses, depending on operational needs.
6.3 Business relationship management (clients, suppliers, partners)
Purpose: Contract delivery, account management, service provision, project communications, and administrative requirements.
Legal basis: Contract (Art. 6(1)(b)), legal obligations where applicable (Art. 6(1)(c)), and legitimate interests (Art. 6(1)(f)) for operational continuity.
6.4 Recruitment
Purpose: To evaluate applications, conduct recruitment processes, and communicate with candidates.
Legal basis: Pre-contract steps (Art. 6(1)(b)) and/or legitimate interests (Art. 6(1)(f)) in running recruitment.
Where a candidate opts in to be considered for future roles after a recruitment process ends, we rely on consent (Art. 6(1)(a)).
6.5 Statistics (analytics) – Google Analytics 4 (GA4) (consent-based)
Purpose: To understand how visitors interact with the website through aggregated reporting and online identifiers, to improve content and performance.
Legal basis: Consent (Art. 6(1)(a) GDPR) combined with applicable ePrivacy requirements for prior consent.
Key control: GA4 analytics scripts/cookies are blocked by default and are activated only after the user opts in to Statistics (analytics) cookies via the CMP.
Retention: GA4 user/event data retention is configured to 14 months.
6.6 Marketing and profiling – Salesforce Marketing Cloud Account Engagement (Pardot) (consent-based)
Purpose: Marketing attribution, lead generation, communication optimisation and performance measurement. This includes recording website interactions (e.g., page visits, clicks and downloads) and, where applicable, associating such interactions with an identified individual once they submit a form or click a tracked email link.
This processing includes profiling features such as scoring and grading based on engagement signals. Email engagement tracking (opens/clicks/bounces) is enabled where relevant to the marketing communication flows.
Legal basis: Consent (Art. 6(1)(a) GDPR) combined with applicable ePrivacy requirements for prior consent.
Key control: Marketing/profiling scripts and cookies are blocked by default and are activated only after the user opts in to Marketing cookies via the CMP.
6.7 Marketing communications (B2B) – operating model
Depending on the specific communication context and applicable rules, Yopeso may rely on either (i) consent-based marketing communications, or (ii) a limited legitimate interest basis for B2B communications, always with a clear opt-out mechanism. Where consent is required (including for cookie-based tracking), we rely on consent and honour withdrawals promptly.
7. Cookies, consent management and withdrawal
We use Cookiebot as our Consent Management Platform (CMP). The CMP provides the cookie banner and preference centre, enabling you to accept, reject or manage cookie categories.
Non-essential cookies (Statistics and Marketing) are blocked by default. We do not place non-essential cookies or execute related scripts unless and until you provide consent via the cookie banner or Cookie Settings.
You can withdraw your consent at any time via Cookie Settings. Withdrawal takes effect prospectively and does not affect the lawfulness of processing performed before the withdrawal.
Consent evidence: Consent logs are retained by the CMP for up to 12 months due to platform constraints. Export of consent evidence is available and may be retained in a restricted internal archive where necessary for compliance defence or audit purposes.
Please see more details in our Cookie Policy.
8. Profiling and automated decision-making
Where you consent to marketing/profiling cookies, Pardot processing can evaluate engagement behaviour (including scoring and grading). This constitutes profiling within the meaning of Art. 4(4) GDPR.
We do not use this website tracking and scoring/grading to make automated decisions that produce legal effects or similarly significant effects on individuals. The primary purpose is marketing attribution and communication management.
9. Recipients, processors and disclosures
We do not sell personal data. We disclose personal data only where necessary for the purposes described in this Policy.
Personal data may be accessible to authorised personnel within Yopeso on a need-to-know basis.
We also use service providers acting on our behalf under appropriate contractual safeguards. These include, in particular:
- Cookiebot (Usercentrics) – consent management platform and consent logging.
- Google Analytics 4 – website analytics (statistics cookies, consent-based).
- Salesforce Marketing Cloud Account Engagement (Pardot) – marketing automation, profiling, attribution (consent-based).
Other categories of technical service providers (e.g., website hosting, security tooling, email systems) may be used for operation of the website and communications. A detailed list is maintained in Yopeso’s internal vendor file and can be provided to supervisory authorities upon request.
We may disclose data to competent authorities or third parties where required by law, court order or to protect rights and security.
10. International transfers and access
For this implementation, relevant services are configured for EU/EEA infrastructure where applicable. Based on the project confirmations for the current setup, support access does not occur from outside the EEA.
If the processing model changes in the future (e.g., non‑EEA access, new sub-processors or different hosting models), Yopeso will ensure appropriate safeguards are applied in accordance with GDPR requirements (including contractual safeguards under applicable DPAs/SCCs where required) and will update this Privacy Policy accordingly.
11. Retention
We retain personal data only for as long as necessary for the purposes described in this Policy, and thereafter as required by applicable legal obligations or for the establishment, exercise or defence of legal claims.
Retention depends on the context and category of data. Key parameters include:
- GA4 analytics data retention configured to 14 months for relevant analytics identifiers and events.
- Marketing/profiling data (Pardot) retention configured within platform settings and internal retention rules; anonymous visitor data is typically limited while identified prospect activity is retained in line with the sales/communication cycle and reviewed periodically.
- Consent logs retained up to 12 months within the CMP, with export/archival possible where needed for compliance defence.
Recruitment retention: candidate data is retained for a limited period after conclusion of a recruitment process, and longer only where the candidate has consented or where legally required. Business communication data is retained for as long as necessary to manage the relationship and maintain appropriate records of correspondence.
12. Security measures
We implement appropriate technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
These measures include, as appropriate to the nature of the processing and the risk involved:
- role-based access controls and least-privilege access management;
- authentication controls and internal authorisation procedures;
- encryption in transit (including TLS/SSL where applicable);
- logging, monitoring and security review measures proportionate to the relevant systems and processing activities;
- confidentiality obligations applicable to personnel with access to personal data;
- vendor and processor due diligence, including contractual safeguards where third-party service providers process personal data on our behalf;
- procedures designed to support the identification, assessment, containment and remediation of security incidents.
Access to personal data is restricted to persons who need such access for legitimate business, operational, legal or compliance purposes and who are subject to appropriate confidentiality and security obligations.
Although we apply security measures appropriate to the level of risk, no method of transmission over the internet and no electronic storage system can be guaranteed to be completely secure. For this reason, while we take reasonable steps to protect personal data, we cannot guarantee absolute security. In the event of a personal data breach, we will act in accordance with applicable law, including assessment, remediation, and notification obligations where required.
13. Your rights
Subject to the conditions, scope and limitations set out in the GDPR and applicable national law, you have the right to request:
- access to your personal data and information about how it is processed;
- rectification of inaccurate or incomplete personal data;
- erasure of personal data where the legal requirements are met;
- restriction of processing in the situations stipulated by law;
- data portability, where processing is based on consent or contract and carried out by automated means;
- objection to processing carried out on the basis of legitimate interests, on grounds relating to your particular situation; and
- withdrawal of consent at any time, where processing is based on consent.
Where you withdraw consent, such withdrawal will apply only for the future and will not affect the lawfulness of processing carried out before the withdrawal. In relation to cookies and similar technologies, you may manage or withdraw your consent at any time via the Cookie Settings link available on the website.
If you wish to exercise any of your rights, you may contact us at contact@yopeso.com. We may request information necessary to verify your identity before responding to your request, where this is required to protect personal data from unauthorised disclosure.
You also have the right to lodge a complaint with a competent data protection supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement. Where Yopeso GmbH acts as controller, the competent supervisory authority may also be the authority responsible for our place of establishment in Germany.
14. Complaints
If you consider that the processing of your personal data infringes applicable data protection law, you have the right to lodge a complaint with a competent supervisory authority.
This right exists without prejudice to any other administrative or judicial remedy available to you. In particular, you may lodge a complaint with the supervisory authority in the Member State of your habitual residence, place of work, or the place of the alleged infringement. Where Yopeso GmbH acts as controller, a complaint may also be addressed to the supervisory authority competent for our place of establishment in Germany.
Before lodging a complaint, you may also contact us directly at contact@yopeso.com. While you are not required to do so, this may allow us to review and address your concerns more promptly and efficiently where appropriate.
15. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our processing activities or legal requirements. The latest version will always be published on our website with an updated “Last updated” date.