Privacy Policy

Yomly

HR & Payroll software solution

Last Updated: December 2025

At Yomly, we believe privacy is a fundamental right, regardless of where you live. When you connect with Yomly, we understand you are trusting us to handle your personal information appropriately. That is why we are committed to transparency about how we collect, use, and share that information.

Our Privacy Statement at a Glance

Before detailing our privacy programs, it is useful to understand the Yomly business model and why it is important to your privacy rights. We design our services to meet the requirements of applicable data protection laws, including the UAE PDPL and, where relevant, GDPR and UK GDPR.

About Yomly

Yomly enables enterprise HR and Payroll automation, empowering Leaders, People Teams and Employees to work smarter and more effectively through our platform. This means Yomly clients, including school groups, retailers, logistics and industrial firms, use our applications to manage their workforces.

To learn more about Yomly products, visit Yomly.com.

The Yomly business model

We operate a Software-as-a-Service (SaaS) business model: we do not share or sell our customers’ data or monetize that data by selling advertising. Instead, we sell subscriptions to our services. Our customers retain control over the personal data that they and their authorised users upload to our services, including which data is collected, how long it is kept, and how it is used.

1. INTRODUCTION AND SCOPE

1.1 About This Privacy Policy

At Yomly (together with its affiliated companies, “Company”, “we”, “our”, or “us”), we are committed to protecting your privacy and ensuring the security of your personal data. This Privacy Policy describes our practices regarding the collection, storage, use, disclosure, and protection of personal data in connection with our HR & Payroll software solution and related services.

For most processing activities, the applicable data protection law is the UAE PDPL. Where our customers upload or provide personal data relating to individuals located in the EEA or UK, those customers remain responsible for ensuring compliance with GDPR or UK GDPR, as applicable.

1.2 Scope of This Policy

This Privacy Policy applies when Yomly acts as a data controller of your personal data, including when you:

  • Visit our websites, mobile applications, or online platforms that link to this Privacy Policy
  • Interact with us as a representative of a company that has or is considering a business relationship with us (customers, partners, or suppliers)
  • Create or use an account offered directly by us
  • Register for or attend our events, webinars, or training sessions
  • Provide us with feedback about our products or services
  • Participate in recorded sales calls, product demonstrations, or online meetings with our team (such recordings are made with your knowledge and, where required by law, your consent)
  • Receive sales or marketing communications from us
  • Apply for employment with us

1.3 Data Controller and Data Processor

We operate a Software-as-a-Service (SaaS) business model for enterprise customers. Understanding our role is important for your privacy rights:

When we are the Data Controller: We determine the purposes and means of processing personal data in connection with our websites, marketing activities, customer relationship management, and direct interactions with you. 

When we are the Data Processor: When you use our platform as an employee, contractor, or end user through your employer or another organization (our Customer), that organization is the data controller and we process your personal data on their behalf strictly in accordance with their instructions. If you have questions about how your organization handles your personal data within our platform, please contact your employer or the relevant organization directly.

For End Users of Our Platform: If your personal data is processed through our platform by your employer (our Customer), please be aware that we act solely as a data processor and cannot independently action requests relating to your employment data. For example, we cannot correct your payslip, amend your employment record, or delete your data without instruction from your employer. All such requests must be directed to your employer’s HR department, who will determine the appropriate action as the data controller.

2. DEFINITIONS

For the purposes of this Privacy Policy:

“Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”). An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

“Processing” means any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

“Data Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

“Data Processor” means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the data controller.

“Special Categories of Personal Data” (also known as sensitive personal data) includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation.

“Services” means our HR & Payroll platform, websites, applications, and any related products, features, or services we provide.

3. PERSONAL DATA WE COLLECT

We collect personal data through various means, including directly from you, automatically through your use of our Services, and from third-party sources. The categories of personal data we collect depend on your relationship with us and how you interact with our Services.

3.1 Information You Provide Directly

3.1.1 Account Registration and Profile Information

When you create an account or register for our Services, we may collect:

  • Full name and title
  • Email address (business and/or personal)
  • Telephone number
  • Company name and job title/role
  • Business address
  • Username and password
  • Profile photograph
  • Preferences and settings

3.1.2 Customer and Prospect Information

If you are a representative of a company that has or is exploring a business relationship with us, we collect:

  • Business contact information
  • Company details and industry sector
  • Communication history and correspondence
  • Contract and billing information
  • Support tickets and inquiries

3.1.3 Event and Webinar Registration

When you register for events or webinars, we may collect:

  • Registration details and dietary preferences
  • Emergency contact information (for in-person events)
  • Accessibility requirements
  • Payment information (where applicable)
  • Feedback and survey responses

3.1.4 Communications and Feedback

When you communicate with us or provide feedback, we collect:

  • Content of your communications
  • Feedback, testimonials, and reviews
  • Survey responses
  • Customer support interactions (which may be recorded)

3.2 Information Collected Automatically

When you access our websites or use our Services, we automatically collect certain technical and usage information:

3.2.1 Device and Technical Information

  • IP address and general geographic location
  • Device type, operating system, and browser type
  • Unique device identifiers
  • Screen resolution and language settings
  • Mobile network information (for mobile devices)

3.2.2 Usage Information

  • Pages visited and features used
  • Time spent on pages and interaction patterns
  • Referring and exit pages
  • Date and time stamps of access
  • Clicks, scrolls, and navigation paths
  • Search queries within our Services

3.2.3 Cookies and Similar Technologies

We use cookies, pixels, web beacons, and similar tracking technologies to collect information about your browsing activities. Please see Section 12 (Cookies and Tracking Technologies) for more details.

3.3 Information from Third-Party Sources

We may receive personal data about you from other sources, including:

  • Business partners and resellers
  • Event co-sponsors and organizers
  • Data enrichment providers
  • Publicly available sources (company websites, professional networks, press releases)
  • Social media platforms (when you interact with us through these channels)
  • References provided by your organization

3.4 Special Categories of Personal Data

We generally do not intentionally collect special categories of personal data (sensitive personal data) unless:

  • You have given explicit consent for specific purposes
  • Processing is necessary to comply with employment law obligations
  • Processing is necessary for reasons of substantial public interest
  • Processing is required to establish, exercise, or defend legal claims

When we do process special categories of data, we apply enhanced security measures and strictly limit access.

3.5 Payroll and HR Data (Processed on Behalf of Customers)

When our Customers use our platform’s payroll and HR modules, we process personal data on their behalf as a data processor. The Customer is the data controller and determines what data is uploaded to our platform. This data may include:

3.5.1 Employee Identification and Contact Data

  • Full name, date of birth, nationality, and gender
  • National ID, passport, or residency permit details
  • Home address and contact information
  • Emergency contact details
  • Photographs for identification purposes

3.5.2 Employment and Payroll Data

  • Employment contract details, job title, and department
  • Start date, employment status, and work location
  • Salary, wages, and compensation details
  • Bank account details for salary payments
  • Tax identification numbers and tax-related information
  • Social security, pension, and gratuity contributions
  • Bonuses, commissions, and allowances
  • Deductions (loans, advances, garnishments)

3.5.3 Time and Attendance Data

  • Clock-in and clock-out records
  • Location data (where geolocation features are enabled by the Customer)
  • Leave balances and absence records
  • Shift schedules and working hours

3.5.4 Government and Regulatory Compliance Data

  • Wage Protection System (WPS) file data for UAE compliance
  • End-of-service benefit calculations
  • Data required for government reporting and labour law compliance
  • Visa and work permit information

Important: We process this data solely on the instructions of our Customers and in accordance with our Master Services and/or Data Processing Agreement. We do not determine the purposes for which this data is processed – that responsibility lies with the Customer as the data controller. If you are an employee whose data is processed through our platform, please refer to your employer’s privacy notice for information about how your data is used.

4. PURPOSES AND LEGAL BASES FOR PROCESSING

We process your personal data for specific, explicit, and legitimate purposes. Under applicable data protection laws, we must have a lawful basis for processing your personal data. The following sections outline our processing purposes and corresponding legal bases:

4.1 Service Delivery and Account Management

Purpose: To provide, maintain, and improve our Services; manage your account; authenticate your identity; and deliver requested features and functionality.

Legal Basis: Performance of a contract with you or taking steps at your request prior to entering into a contract; our legitimate interests in operating our business.

4.2 Customer Support and Communications

Purpose: To respond to your inquiries; provide customer support and technical assistance; send service-related communications and updates.

Legal Basis: Performance of a contract; our legitimate interests in providing quality customer service.

4.3 Marketing and Promotional Communications

Purpose: To send you marketing communications about our products, services, events, and promotions; personalize marketing content; conduct market research.

Legal Basis: Your consent (where required by law); our legitimate interests in promoting our business (where permitted by law, such as for existing customers or B2B marketing).

4.4 Analytics and Service Improvement

Purpose: To understand how our Services are used; analyze trends and user behavior; improve user experience; develop new features and products.

Legal Basis: Our legitimate interests in improving our Services; your consent (for certain analytics cookies).

4.5 Security and Fraud Prevention

Purpose: To protect the security of our Services and data; detect and prevent fraud, abuse, and unauthorized access; investigate suspicious activity.

Legal Basis: Our legitimate interests in protecting our business and users; compliance with legal obligations.

4.6 Legal Compliance and Protection of Rights

Purpose: To comply with applicable laws and regulations; respond to legal requests and judicial proceedings; establish, exercise, or defend legal claims; protect our rights and the rights of others.

Legal Basis: Compliance with legal obligations; our legitimate interests in protecting our legal rights.

Important Note: We will notify customers of governmental or law enforcement requests for customer data unless legally prohibited from doing so.

4.7 Research and Development

Purpose: To conduct research and analysis; develop new products and services; create aggregated or anonymized data for statistical purposes.

Legal Basis: Our legitimate interests in improving our offerings; your consent (where required).

5. YOUR DATA SUBJECT RIGHTS

We are committed to facilitating the exercise of your rights under applicable data protection laws. Depending on your location and the laws that apply to you, you may have some or all of the following rights regarding your personal data.

5.1 Important Note: Controller vs. Processor Responsibilities

When we are the Data Controller: The rights described in this Section 5 apply directly to you when we act as the data controller, for example, when you interact with our websites, receive marketing communications from us, or engage with us as a customer representative or business contact. You may exercise these rights by contacting us directly using the details provided in Section 17.

When we are the Data Processor: If you are an end user of our platform through your employer or another organisation (our Customer), your employer is the data controller and is responsible for responding to your data subject requests. In these circumstances:

  • You should direct any requests to access, correct, delete, or otherwise exercise your rights regarding your personal data to your employer’s HR department or designated privacy contact
  • Your employer, as the data controller, will determine how to respond to your request in accordance with their own privacy policies and applicable law
  • We will assist our Customers (as data controllers) in responding to valid data subject requests in accordance with our Master Services/Data Processing Agreement and applicable law
  • We will not act on requests received directly from end users without authorisation from the relevant Customer, except where required by law

If you are unsure whether we act as a controller or processor in relation to your personal data, please contact us and we will help direct your inquiry appropriately.

5.2 Right to Be Informed (Transparency)

What this means: You have the right to receive clear, transparent, and easily understandable information about how we collect, use, and protect your personal data.

How we fulfill this right:

  • This Privacy Policy provides comprehensive information about our data processing practices
  • We provide privacy notices at the point of data collection where appropriate
  • We notify you of material changes to our privacy practices
  • We make privacy information available in clear, plain language

What you can do: If you require additional information about how we process your data, please contact us using the details provided in Section 17.

5.3 Right of Access

What this means: You have the right to obtain confirmation as to whether we are processing your personal data and, if so, to access that personal data along with certain supplementary information.

Information you can request:

  • Confirmation of whether we process your personal data
  • A copy of your personal data in a commonly used format
  • The purposes of processing
  • The categories of personal data concerned
  • The recipients or categories of recipients to whom data has been disclosed
  • The retention period or criteria used to determine retention
  • The existence of your other data protection rights
  • The source of the data (if not collected directly from you)
  • The existence of automated decision-making, including profiling

How to exercise this right: Submit an access request by contacting us using the details provided in Section 17. We will respond within the timeframe required by applicable law (typically 30 days, extendable in complex cases).

Note: We may charge a reasonable fee for manifestly unfounded or excessive requests, or refuse to act on such requests where permitted by law.

5.4 Right to Rectification

What this means: You have the right to have inaccurate personal data corrected and incomplete personal data completed.

What you can request:

  • Correction of factual inaccuracies in your personal data
  • Completion of incomplete personal data, including by providing a supplementary statement
  • Updating of outdated information

How to exercise this right: For account-related information, you may update your data directly through your account settings where available. For other requests, contact us using the details in Section 17.

Our commitment: We will investigate and, where appropriate, rectify your personal data without undue delay. If we have disclosed the inaccurate data to third parties, we will inform them of the rectification where feasible.

5.5 Right to Erasure (Right to Be Forgotten)

What this means: You have the right to request the deletion of your personal data in certain circumstances.

Circumstances where this right applies:

  • The personal data is no longer necessary for the purpose for which it was collected
  • You withdraw your consent (where consent was the legal basis for processing)
  • You object to the processing and there are no overriding legitimate grounds
  • The personal data has been unlawfully processed
  • The personal data must be erased to comply with a legal obligation
  • The personal data was collected in relation to the offer of information society services to a child

Exceptions: We may not be able to comply with your request if processing is necessary for:

  • Exercising the right of freedom of expression and information
  • Compliance with a legal obligation
  • Reasons of public interest in the area of public health
  • Archiving purposes in the public interest, scientific research, or statistical purposes
  • The establishment, exercise, or defense of legal claims

How to exercise this right: Submit an erasure request by contacting us. We will respond within the timeframe required by law.

5.6 Right to Restriction of Processing

What this means: You have the right to request that we limit the way we use your personal data in certain circumstances.

Circumstances where this right applies:

  • You contest the accuracy of your personal data (restriction applies while we verify accuracy)
  • The processing is unlawful but you prefer restriction over erasure
  • We no longer need the personal data but you require it for legal claims
  • You have objected to processing (restriction applies pending verification of our legitimate grounds)

What restriction means: When processing is restricted, we will only store your personal data and will not process it further except with your consent, for the establishment, exercise, or defense of legal claims, for the protection of another person’s rights, or for reasons of important public interest.

Our commitment: We will inform you before lifting any restriction on processing.

5.7 Right to Data Portability

What this means: You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller without hindrance.

Conditions for this right:

  • The processing is based on your consent or on a contract
  • The processing is carried out by automated means

What you can request:

  • A copy of your personal data in a standard electronic format (e.g., CSV, JSON, XML)
  • Direct transmission of your personal data to another controller, where technically feasible

Scope: This right applies to personal data you have actively provided to us, as well as personal data generated through your use of our Services.

How to exercise this right: Submit a portability request by contacting us. We will provide your data in a commonly used format within the statutory timeframe.

5.8 Right to Object

What this means: You have the right to object to processing of your personal data in certain circumstances.

5.8.1 Objection to Processing Based on Legitimate Interests

You may object to processing carried out on the basis of our legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is for the establishment, exercise, or defense of legal claims.

5.8.2 Objection to Direct Marketing

You have an absolute right to object to processing for direct marketing purposes at any time. Once we receive your objection, we will stop processing your personal data for direct marketing without exception.

How to opt out of marketing:

  • Click the “unsubscribe” link in any marketing email
  • Update your communication preferences in your account settings
  • Contact us directly using the details in Section 17

5.8.3 Objection to Processing for Research or Statistical Purposes

You may object to processing for scientific, historical research, or statistical purposes, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

5.9 Right Not to Be Subject to Automated Decision-Making and Profiling

What this means: You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

Our current practices: We do not currently make decisions based solely on automated processing that produce legal or similarly significant effects on individuals. Our Services may use automated tools to assist human decision-makers, but humans remain involved in decisions that significantly affect you.

If we were to implement such processing, you would have the right to:

  • Obtain human intervention
  • Express your point of view
  • Obtain an explanation of the decision
  • Contest the decision

Exceptions: Automated decision-making may be permitted where it is necessary for entering into or performing a contract, authorized by law, or based on your explicit consent. In such cases, we will implement suitable safeguards to protect your rights and freedoms.

Our commitment: If we introduce automated decision-making or profiling that significantly affects you, we will provide specific information about the logic involved, the significance, and the envisaged consequences, and we will ensure mechanisms are in place for you to exercise your rights.

5.10 Right to Withdraw Consent

What this means: Where we rely on your consent as the legal basis for processing your personal data, you have the right to withdraw that consent at any time.

Important notes:

  • Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal
  • Withdrawal of consent is as easy as giving consent
  • Withdrawal may limit your ability to use certain features of our Services

How to withdraw consent: You may withdraw consent through your account settings, by contacting us, or by following the specific instructions provided when consent was obtained.

5.11 Right to Lodge a Complaint

What this means: If you believe we have not handled your personal data properly or have not responded adequately to your requests, you have the right to lodge a complaint with a supervisory authority.

How to lodge a complaint:

  • Contact us first using the details in Section 17 so we can try to resolve your concern
  • If you remain unsatisfied, you may lodge a complaint with the relevant data protection authority

Relevant authorities may include:

  • For EU residents: Your local Data Protection Authority or the authority where our EU establishment is located
  • For UK residents: The Information Commissioner’s Office (ICO)
  • For UAE residents: The UAE Data Office
  • For all others: Your local Data Protection Authority

Our commitment: We take all complaints seriously and will investigate and respond to concerns in a timely manner.

5.12 Exercising Your Rights

How to submit a request:

  • Email: privacy@yomly.com
  • Mail: 50th Floor, Business Central Towers, Dubai Media City, Dubai, UAE, PO Box 214909

Verification: To protect your privacy and security, we may need to verify your identity before fulfilling your request. This may involve asking you to provide certain information or documentation.

Authorized agents: You may authorize another person to submit a request on your behalf. We may require written authorization and verification of both your identity and the agent’s authority.

Response times: We will respond to your request within the timeframe required by applicable law:

  • GDPR/UK GDPR: Within one month (extendable by two additional months for complex requests)
  • UAE PDPL: Within the timeframes specified by applicable regulations

No fee: We will not charge you a fee to exercise your rights, except where requests are manifestly unfounded, excessive, or repetitive, in which case we may charge a reasonable fee or refuse to act.

Non-discrimination: We will not discriminate against you for exercising your privacy rights. You have the right to equal service and pricing regardless of whether you exercise your rights.

6. DATA SHARING AND DISCLOSURE

We may share your personal data with the following categories of recipients:

6.1 Affiliated Companies

We may share personal data with our parent company, subsidiaries, and affiliates for purposes consistent with this Privacy Policy, including customer support, marketing, technical operations, and business management.

6.2 Service Providers

We engage third-party service providers to perform services on our behalf. These providers may include:

  • Hosting and cloud infrastructure providers
  • Customer relationship management and support platforms
  • Payment processors and billing services
  • Email and communication service providers
  • Analytics and performance monitoring services
  • Security and fraud prevention services
  • Marketing and advertising partners
  • Professional advisors (legal, audit, consulting)

Our service providers are contractually required to protect your personal data and may only use it to provide services to us.

6.3 Business Partners

We may share personal data with partners that offer complementary services, resellers, and distributors, to the extent you consent to such sharing or where permitted by applicable law.

6.4 Event Sponsors and Co-Organizers

When you participate in events we sponsor or co-organize, we may share your registration information with event partners, sponsors, and organizers for event management and follow-up purposes, with your consent where required.

6.5 Your Organization

If you are a representative of a customer or partner organization, we may share relevant information with your organization, such as training completion records, event attendance, or support requests.

6.6 Legal and Regulatory Disclosure

We may disclose personal data if we believe in good faith that such disclosure is necessary to:

  • Comply with applicable laws, regulations, or legal processes
  • Respond to requests from government authorities
  • Enforce our terms and agreements
  • Protect our rights, privacy, safety, or property, or that of our customers or others
  • Investigate fraud or security issues

6.7 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your personal data may be transferred as part of that transaction. We will notify you and provide choices regarding your personal data as required by applicable law.

6.8 With Your Consent

We may share your personal data with other third parties when we have your explicit consent to do so.

7. INTERNATIONAL DATA TRANSFERS

We may transfer, store, and process personal data outside the UAE where necessary to provide our Services. When we do so, we ensure such transfers comply with the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (“UAE PDPL”), including the use of contractual safeguards, adequacy assessments, or other mechanisms permitted by the UAE Data Office.

Our Services may include personal data relating to individuals located in the European Economic Area (“EEA”) or the United Kingdom (“UK”) where such data is uploaded or provided by our customers acting as data controllers. In these situations, our customers remain responsible for ensuring a lawful basis for processing and an appropriate international transfer mechanism under the GDPR or UK GDPR, as applicable.

We do not rely on EU Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, or other EU/UK-specific transfer mechanisms unless expressly required under our agreement with a customer.

7.1 Your Rights Regarding International Transfers

You may request additional information about the international transfer measures applicable to your personal data by contacting us using the details provided in Section 17.

8. DATA SECURITY

We implement and maintain appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction.

8.1 Security Measures

Our security measures include:

  • Encryption of data in transit and at rest using industry standard protocols
  • Access controls, strong authentication mechanisms and least-privilege access
  • Network and infrastructure security, including firewalls, endpoint protection and vulnerability management
  • Security monitoring and incident response procedures
  • Secure development practices, including code reviews and change management controls
  • Regular security assessments, including internal reviews and external audits
  • Employee security training and awareness programs
  • Physical security controls for our facilities
  • Vendor and subprocessor due diligence, including security assessments and contractual safeguards

8.2 Industry Certifications

We maintain industry-recognized security certifications and comply with applicable security standards, including:

  • ISO/IEC 27001 Information Security Management System (ISMS)

8.3 Data Breach Response

In the event of a personal data breach, we have procedures in place to:

  • Detect and respond to breaches promptly
  • Assess the risk to affected individuals
  • Notify supervisory authorities and affected individuals as required by law
  • Document breaches and remediation actions

8.4 Your Responsibilities

While we take steps to protect your personal data, security is a shared responsibility. You are responsible for:

  • Maintaining the confidentiality of your account credentials
  • Using strong, unique passwords where password-based authentication is used
  • Ensuring secure configuration and management of any federated identity or Single Sign-On (SSO) integrations
  • Restricting and managing administrator privileges within your organization
  • Notifying us immediately of any unauthorized access or security concerns
  • Keeping your contact information up to date

9. DATA RETENTION

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including to satisfy legal, regulatory, accounting, or reporting requirements.

9.1 Retention Criteria

We determine appropriate retention periods based on:

  • The nature and sensitivity of the personal data
  • The purposes for which we process the data
  • The duration of our relationship with you
  • Applicable legal, regulatory, or contractual requirements
  • Statute of limitations periods for potential legal claims

9.2 Typical Retention Periods

  • Account and profile information: retained for the duration of your account and a limited period thereafter to comply with legal obligations and support recordkeeping requirements.
  • Customer relationship and administrative data: retained for the duration of the business relationship and a reasonable period thereafter for legitimate business and legal purposes.
  • Marketing data: retained until you withdraw consent or opt out, after which it is added to a suppression list to ensure your preferences are honored.
  • Support and operational data: retained for a limited period after resolution to analyze performance and improve our Services.
  • Financial records: retained as required by applicable tax and accounting laws.
  • Legal and compliance records: retained as required to fulfill legal obligations.
  • Log files and security-related data: retained for a limited period to ensure the security and proper functioning of our Services.

9.3 Anonymization and Deletion

When personal data is no longer needed, we will securely delete or anonymize it. Anonymized data, which cannot be used to identify you, may be retained for analytical and statistical purposes.

10. ARTIFICIAL INTELLIGENCE, MACHINE LEARNING, AND AUTOMATED DECISION-MAKING

10.1 Use of AI and Machine Learning in Our Services

Our Services may incorporate artificial intelligence (AI) and machine learning (ML) capabilities to assist Customers with analytics, recommendations, workflow automation, and operational insights. These features are designed to augment human decision-making, not replace it.

Examples of AI-assisted features may include:

  • Predictive analytics and workforce insights
  • Automated data validation and error detection
  • Smart recommendations for HR and payroll processes
  • Natural language processing for search and reporting

10.2 Human Oversight and Customer Control

We are committed to maintaining meaningful human oversight over AI-assisted features within our Services:

  • Customers retain full control over how AI-assisted features are configured, enabled, or disabled within their tenant
  • AI-generated recommendations or insights are presented as suggestions to support human decision-makers, not as final determinations
  • Customers and their authorised administrators can review, override, or reject AI-assisted outputs at any time
  • We do not use AI to make decisions that produce legal or similarly significant effects on individuals without human review

10.3 Customer Data and AI Training

We are transparent about how Customer data is used in relation to AI and ML:

  • We do not use Customer personal data to train general-purpose AI or ML models that would be used across other customers without explicit consent
  • Any AI or ML features within our Services operate on Customer data solely to provide and improve the Services for that specific Customer
  • Aggregated, anonymised, or de-identified data may be used to improve our Services generally, but only where it cannot be linked back to any individual or Customer
  • We will notify Customers of any material changes to how AI features process their data

10.4 Automated Decision-Making

We do not currently make decisions based solely on automated processing that produce legal effects or similarly significant effects on individuals. Where our Services include automated features that assist with decisions (such as flagging anomalies, generating recommendations, or automating routine tasks), these are designed to support, not replace, human judgment.

If we introduce features involving solely automated decision-making that significantly affects individuals, we will:

  • Provide clear information about the logic involved and the significance of the processing
  • Implement appropriate safeguards, including the right to obtain human intervention
  • Enable individuals to express their view and contest automated decisions
  • Obtain explicit consent where required by applicable law

10.5 Future Development

As AI and ML capabilities evolve, we are committed to:

  • Adopting responsible AI principles that prioritise fairness, transparency, and accountability
  • Providing Customers with clear documentation on AI-assisted features and their limitations
  • Maintaining compliance with emerging AI regulations and industry standards
  • Engaging in ongoing review of our AI practices with input from privacy and ethics perspectives

11. CHILDREN’S PRIVACY

Our Services are not directed at individuals under the age of 16 (or the applicable age of majority in your jurisdiction), and we do not knowingly collect personal data from children.

If we learn that we have collected personal data from a child without appropriate consent, we will take steps to delete that information as soon as possible. If you believe we may have collected information from a child, please contact us immediately using the details in Section 17.

12. THIRD-PARTY LINKS AND SERVICES

Our Services may contain links to third-party websites, applications, or services. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party services you access through our Services.

This Privacy Policy applies only to our Services and does not cover the practices of third parties, including those that may provide content, advertising, or functionality within our Services.

13. COOKIES AND ANALYTICS

We use a limited number of cookies and analytics tools on our website to understand how visitors interact with our Services and to improve user experience.

13.1 Essential Cookies

Our website uses essential cookies that are necessary for the basic operation of the site, such as maintaining your session and enabling core functionality. These cookies do not collect personal data for marketing purposes and cannot be disabled.

13.2 User Behaviour Analytics

We use user behaviour analytics tools to understand how visitors interact with our website and platform and to improve user experience. These tools may collect information about your device, browser, and interactions with our platform, including mouse movements, clicks, scrolling behaviour, pages visited, and time spent on pages. Some tools may also create session recordings of your website usage.

How We Use This Information: This data helps us analyse user behaviour patterns, identify usability issues, and optimise the design and functionality of our website and platform.

Legal Basis: We process this data based on our legitimate interest in improving our Services.

Data Retention: Analytics data is retained in accordance with the retention periods specified by the relevant analytics provider, after which it is automatically deleted.

Current Analytics Providers: For details of the specific analytics tools we use, please refer to our subprocessor list, available upon request by contacting us at privacy@yomly.com.

13.3 Your Choices

You can control analytics tracking through the following methods:

  • Enable “Do Not Track” in your browser settings
  • Adjust your browser settings to block or delete cookies

Note: Disabling essential cookies may affect the functionality of our website.

14. SUBPROCESSORS

When we act as a data processor on behalf of our Customers (as described in Section 1.3), we may engage third-party service providers to assist in delivering our Services. These service providers act as “subprocessors” under applicable data protection laws.

14.1 Subprocessor Engagement

We maintain strict requirements for engaging subprocessors:

  • We conduct due diligence on each subprocessor’s security and privacy practices before engagement
  • We enter into written agreements with subprocessors that impose data protection obligations substantially similar to those in our Data Processing Agreement with Customers
  • Subprocessors are only authorized to process Customer personal data to the extent necessary to provide services to us
  • We remain liable to our Customers for the performance of our subprocessors’ obligations

14.2 Subprocessor List

We maintain a current list of subprocessors that may process personal data on behalf of our Customers. This list includes: 

  • The name and location of each subprocessor
  • A description of the processing activities performed
  • The categories of personal data processed

The current subprocessor list is available upon request. Customers may request a copy of the subprocessor list by contacting us at privacy@yomly.com. The subprocessor list may also be provided as an annex to our Data Processing Agreement.

14.3 Notification of Changes

We will notify Customers of any intended changes to our subprocessors, including the addition or replacement of subprocessors, in accordance with the terms of our Data Processing Agreement. This notification will provide Customers with a reasonable opportunity to object to such changes where contractually agreed.

14.4 Customer Responsibilities

Our Customers, as data controllers, are responsible for ensuring they have a lawful basis to transfer personal data to us and for informing their employees and other data subjects about the use of subprocessors as part of their own privacy notices.

15. UAE DATA PROTECTION

If you are located in the United Arab Emirates, you may have additional rights under the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data. We process your personal data in accordance with this law and the implementing regulations issued by the UAE Data Office.

16. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will:

  • Post the updated Privacy Policy on our website with a new effective date
  • Notify you by email or through our Services where appropriate
  • Obtain your consent where required by law

We encourage you to review this Privacy Policy periodically to stay informed about our data practices.

Your continued use of our Services after the effective date of any changes constitutes your acceptance of the updated Privacy Policy, to the extent permitted by applicable law.

17. CONTACT US

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

Privacy Team

Yomly

Email: privacy@yomly.com

Address: 50th Floor, Business Central Towers, Dubai Media City, Dubai, UAE, PO Box 214909

We aim to respond to all inquiries within a reasonable timeframe and in accordance with applicable legal requirements.

If you are not satisfied with our response, you have the right to lodge a complaint with the relevant supervisory authority as described in Section 5.11.

— End of Privacy Policy —
