Plain-language summary: YieldGuard collects your email to provide the service. We do not sell your data. We store the minimum information needed to operate. You have full rights under GDPR to access, correct, or delete your data.
01 Who We Are
YieldGuard ("we", "us", "our") is a DeFi yield monitoring service accessible at yieldguard.app. The service is operated by an individual developer based in Romania, European Union.
As an EU-based operator, we are subject to the General Data Protection Regulation (GDPR — Regulation (EU) 2016/679) and all applicable Romanian data protection law.
Contact for data matters: privacy@yieldguard.app
02 Data We Collect
Data you provide directly:
- Email address — required for account creation and magic link authentication
- Google account name and email — only if you choose Google OAuth login
- Alert preferences — Telegram chat ID and alert thresholds you configure
- Payment data — if you subscribe to a paid plan, payment is processed by Stripe. We do not store card numbers or banking details on our servers.
Data collected automatically:
- Login timestamps — date and time of authentication events
- IP address — logged by our server infrastructure (Hetzner VPS) for security purposes
- Basic usage data — which features are accessed, stored in server logs
Data we do NOT collect:
- Wallet addresses or on-chain transaction history
- Precise device fingerprinting
- Behavioral tracking for advertising
03 How We Use Your Data
- Authentication — sending magic links and verifying Google OAuth tokens
- Service delivery — displaying your personalized dashboard, storing alert settings
- Alerts — forwarding yield opportunity notifications to your configured Telegram
- Billing — managing subscription status via Stripe; your email is shared with Stripe for invoice purposes
- Security — detecting abuse, unauthorized access, and rate-limiting requests
- Transactional email — sending magic link emails from noreply@yieldguard.app via Resend
We do not use your data for advertising, behavioral profiling, or sale to third parties.
04 Legal Basis (GDPR Art. 6)
- Art. 6(1)(b) — Contract performance: processing your email and preferences is necessary to provide the service you signed up for
- Art. 6(1)(c) — Legal obligation: retaining billing records as required by Romanian fiscal law (minimum 5 years for invoices)
- Art. 6(1)(f) — Legitimate interest: server logs and IP retention for security and abuse prevention (retained max 30 days)
05 Data Storage & Security
User data is stored in a SQLite database on a Hetzner VPS located in Germany (EU). The server runs Ubuntu with access restricted by SSH key authentication.
Specific measures in place:
- HTTPS enforced on all endpoints (Caddy reverse proxy with automatic TLS)
- Database not exposed to public internet
- Magic link tokens are single-use and expire after 15 minutes
- Passwords are not stored — authentication is passwordless
No system is 100% secure. In the event of a data breach affecting your personal data, we will notify you and the relevant supervisory authority (ANSPDCP — Romanian DPA) within 72 hours as required by GDPR Art. 33.
06 Third-Party Services
- Resend (resend.com) — transactional email delivery. Receives your email address to send magic links. Privacy policy: resend.com/privacy
- Google OAuth (Google LLC) — optional login method. Subject to Google's Privacy Policy. We receive only your email and display name.
- Stripe (Stripe Inc.) — payment processing for paid plans. We share your email with Stripe; card data never touches our servers. Stripe is PCI-DSS Level 1 certified. Privacy policy: stripe.com/privacy
- Telegram (Telegram Messenger Inc.) — alert delivery. You provide your own chat ID; we send notifications to your Telegram bot.
- DeFiLlama (open-source) — public API used to fetch APY data. No personal data is shared with DeFiLlama.
- Cloudflare Pages — frontend hosting. Cloudflare may log request metadata per their privacy policy: cloudflare.com/privacypolicy
All third-party processors used by YieldGuard are either EU-based or covered by Standard Contractual Clauses (SCCs) for GDPR compliance.
07 Your Rights Under GDPR
As an EU/EEA resident, you have the following rights (GDPR Chapter III):
- Art. 15 — Access: request a copy of all personal data we hold about you
- Art. 16 — Rectification: correct inaccurate data
- Art. 17 — Erasure ("right to be forgotten"): request deletion of your account and all associated data
- Art. 18 — Restriction: request that we limit processing of your data
- Art. 20 — Portability: receive your data in a machine-readable format (JSON)
- Art. 21 — Object: object to processing based on legitimate interest
To exercise any right, email privacy@yieldguard.app. We will respond within 30 days as required by GDPR Art. 12(3).
You also have the right to lodge a complaint with the Romanian supervisory authority: ANSPDCP (dataprotection.ro).
08 Cookies
YieldGuard uses only strictly necessary cookies and browser localStorage:
- Session token — stored in localStorage, identifies your login session. No expiry set; cleared on logout.
- No analytics cookies — we do not use Google Analytics, Hotjar, or any behavioral tracking cookies
- No advertising cookies
Because we use only strictly necessary cookies, no cookie consent banner is required under EU ePrivacy Directive (Directive 2002/58/EC as amended).
09 Children's Privacy
YieldGuard is not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has created an account, contact us at privacy@yieldguard.app and we will delete the account.
10 Changes to This Policy
We may update this policy when we add new features, integrate new third parties, or when legal requirements change. Material changes will be communicated by email to registered users at least 14 days before they take effect.
The "Last updated" date at the top of this document reflects the most recent revision. The previous version is available on request.