YuvoGet started

Privacy Policy

How we handle your data.

Plain language, not a wall of legalese. The summary: we store the data you put into Yuvo so the service works. We never sell it. You can export or delete it any time.

Last updated: 15 July 2026

01. Who runs Yuvo

Yuvo is operated by the team behind Yuvo. References in this policy to “we”, “us”, or “our” mean Yuvo. References to “you” mean the venue owner or administrator using Yuvo to run their venue.

Yuvo does not directly serve consumers (captains booking a slot). Captains interact with the venue’s own booking page, and the venue is the data controller for any captain personal data Yuvo stores on the venue’s behalf.

02. What data we collect

From venue owners (you): name, email, phone, GSTIN, business address, the venue details you enter (name, address, pitches, pricing), and the staff or co-owners you invite. We store this in Supabase (project godnsvqthnncjgeqwlti) on Postgres in the region you sign up in.

From your captains and customers: name, phone (we normalize to E.164 at the database boundary), booking history, payment records, and any messages you send through Yuvo’s WhatsApp tooling. Captains are stored under your ground_id and never read by Yuvo staff in normal operation.

From your website visitors: the enquiry form on this site captures name, phone or email, and a message. We do not run third-party analytics on this site at the moment. (If we add it later, this policy will say so before it goes live.)

03. What we do not collect

  • We do not read or store payment card details. Payments run through your own Razorpay account (or UPI / QR); Yuvo sees only the payment id and status.
  • We do not log captain WhatsApp message content. The AI backstop drafts messages in your tenant; the send happens through your device’s WhatsApp client (wa.me deep link). We never hold the message after it’s been delivered to the wa.me handoff.
  • We do not sell or rent personal data to anyone, ever. The list of captains is yours, not ours.

04. Why we hold it

  • To provide the service — to surface bookings, follow-ups, invoices, and tournaments to you and your staff.
  • To enforce tenancy — every row is scoped to your ground_id by row-level security, so you cannot see another venue’s data and they cannot see yours.
  • To comply with Indian tax law — invoices, GST, and TDS records are kept for the statutory period (currently 8 years for GST).

05. Who else sees it

  • Supabase (database + auth), AWS SES (transactional email), Vercel (hosting), Cloudflare (DNS + edge). Each acts as a data processor under a written agreement.
  • If you have an outcome-fee billing relationship, a Stripe or Razorpay invoice may reference your business name and GSTIN.
  • If you contact support, the message is held in our Slack workspace with the rest of the support queue, scoped to the Yuvo team.
  • We do not share data with law enforcement unless we receive a valid, court-ordered request. We will tell you if we receive one for your data, unless the order itself prohibits it.

06. How long we keep it

Active data stays in your tenant as long as your account is open. On cancellation, we retain your tenant data for 90 days in case you change your mind, then delete it. Tax records (invoices, TDS) are retained for the statutory period even after cancellation.

Enquiry form submissions stay in our database until you ask for them to be removed; we use them only to respond to your inquiry, not for marketing.

07. Your rights

  • Export. At any time, from Settings, you can download your bookings, customers, captains, and invoices as CSV.
  • Delete. You can delete your account from Settings. We delete your tenant data within 90 days, except for tax records we are required to keep.
  • Correct. Edit anything from the relevant screen in the app. There is no field you can see that you cannot change.
  • Ask us anything. Email privacy@getyuvo.com and we respond within 30 days.

08. Security

  • HTTPS everywhere. Auth cookies are signed with HttpOnly + Secure in production.
  • Database access is gated by Postgres row-level security on every table — no code path reads across tenants.
  • Service-role access is reserved for the admin console and is itself gated by an ADMIN_EMAILS allowlist.
  • We will publish a security disclosure policy at /contact and acknowledge responsible disclosures within 48 hours.

09. Changes to this policy

If we change anything material — a new data category, a new processor, a new retention period — we email every active venue owner at least 14 days before the change takes effect. The “updated” date at the top of this page moves when that happens.