Privacy Policy

Great Yellow Limited

1. Scope of this Policy

This Privacy Policy sets out how Great Yellow Limited ("Great Yellow", "we", "us") processes personal data for which it acts as controller under the UK GDPR and Regulation (EU) 2016/679 (the EU GDPR). It applies to the Great Yellow data platforms and the website at https://greatyellow.earth/.

Where a customer or organisation uploads personal data or organisation data, Great Yellow processes that data solely as a processor, on the customer’s documented instructions and under the Data Processing Addendum. Such processing is not governed by this Policy; data subjects should contact the customer as controller.

2. Controller and contacts

Controller:
Great Yellow Limited, registered in England and Wales (company number 14839098), registered office at 18 Ferry Road, London, SW13 9PR, United Kingdom.

Privacy contact:
privacy@greatyellow.earth
 
Data Protection Officer:
Harry Forman – harry.forman@greatyellow.earth

EU representative (Art. 27):
Katherine Ma – kat.ma@greatyellow.earth

3. Personal data we process

  • Identity and account data: username, display name, email address.
  • Authentication data: identity provider tokens and SSO metadata (issuer, subject claim, expiry).
  • Access control data: mappings of user accounts to authorised programmes.
  • Technical and security data: IP address, user agent, session identifiers, authentication and access timestamps.

We do not process special category data (Art. 9), criminal offence data (Art. 10), or precise location data beyond IP-derived geolocation used for security.

Personal data is collected directly from data subjects on account creation and authentication, and from identity providers where SSO is used.

4. Purposes and lawful bases

Purpose | Lawful basis (UK / EU GDPR)
Authentication and access control | Performance of a contract (Art. 6(1)(b))
Platform security, fraud prevention, audit logging | Legitimate interests (Art. 6(1)(f))
Service performance and operational improvements | Legitimate interests (Art. 6(1)(f))
Statutory record-keeping (tax, accounting, audit) | Legal obligation (Art. 6(1)(c))
Responding to data subject requests | Legal obligation (Art. 6(1)(c))

Where processing relies on legitimate interests, Great Yellow has carried out a balancing test confirming that its interests are not overridden by the rights and freedoms of data subjects. A summary is available on request.

5. Cookies and analytics

Great Yellow uses strictly necessary cookies for session management and authentication. No advertising or third-party analytics cookies are deployed. For more information on the Great Yellow Cookies Policy please reach out to privacy@greatyellow.earth. Service analytics (API latency, error rates, aggregated request volumes) are generated server-side and are not linked to identified users.

6. Recipients and sub-processors

Great Yellow discloses personal data to: (i) sub-processors providing infrastructure and authentication services, namely Cloudflare, Inc. (hosting, compute, edge security), Clerk Inc. (authentication and identity management) [including: Google, HubSpot, Notion, Slack, Microsoft]; (ii) professional advisers (legal, accounting, audit) where reasonably required; and (iii) competent authorities, regulators, and courts where disclosure is required by law or to establish, exercise, or defend legal claims. A current list of sub-processors can be accessed by reaching out to privacy@greatyellow.earth.

7. International data transfers

Where personal data is transferred outside the UK or EEA, Great Yellow relies on: adequacy regulations or decisions; the UK International Data Transfer Agreement (UK IDTA) or the UK Addendum to the EU Standard Contractual Clauses for UK-origin transfers; and the EU Standard Contractual Clauses (Decision (EU) 2021/914) for EEA-origin transfers. Cloudflare, Inc. and Clerk Inc. are established in the United States; transfers to these processors are subject to these safeguards, supplemented by encryption and access controls. A current list of international data transfers can be accessed by reaching out to privacy@greatyellow.earth.

8. Data retention

Data category | Retention period
Account and authentication data | Account duration, plus 12 months for recovery and audit
Session and security logs | 30 days
Operational and compliance records | Up to 7 years (HMRC and statutory requirements)
Programme Data processed as processor | As instructed by the customer in the relevant contract

On expiry of the applicable retention period, personal data is securely deleted or irreversibly anonymised.

9. Data security

Great Yellow implements appropriate technical and organisational measures under Art. 32, including encryption in transit (TLS 1.2 or above) and at rest, role-based access control on least-privilege principles, centralised audit logging of authentication and privileged actions, periodic vulnerability testing, and security review of integrations. Hosting is in the UK and other jurisdictions assessed as providing equivalent protection.

10. Personal data breach notification

Where Great Yellow acts as controller, Great Yellow will notify the Information Commissioner’s Office of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware (Art. 33). Where a breach is likely to result in a high risk to the rights and freedoms of data subjects, affected data subjects will be notified without undue delay (Art. 34). Where Great Yellow acts as processor, breach notification to the controller is governed by the Data Processing Addendum.

11. Automated decision-making and profiling

Great Yellow does not subject data subjects to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects (Art. 22).

12. Children’s data

The data platform services are not directed at, and are not intended for use by, individuals under 16. Great Yellow does not knowingly collect personal data from individuals under 16. If such data is identified, it will be deleted without undue delay.

13. Data subject rights

Subject to applicable law, data subjects have the following rights in respect of personal data for which Great Yellow is controller: access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20), objection (Art. 21), and withdrawal of consent where processing is based on consent (Art. 7(3)). Requests should be submitted to privacy@greatyellow.earth. Great Yellow will respond within one month of receipt, subject to extension under Art. 12(3).

Data subjects may also lodge a complaint with the Information Commissioner’s Office: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, United Kingdom (ico.org.uk). Where Great Yellow acts as processor, requests should be directed to the customer organisation as controller.

14. Changes to this Policy

Great Yellow may update this Policy from time to time. Material changes will be notified via email to account holders and users of the data platform services. The current version is published on the Great Yellow website at https://greatyellow.earth/.

For questions about this Policy, contact privacy@greatyellow.earth.
