Privacy Policy
Last updated:
YouLegit is a verification and secure-handover service for marketplace transactions. This policy explains what personal information we collect, why, who we share it with, and the rights you have over it.
1. Who we are
YouLegit is operated by [LEGAL_ENTITY_NAME] (ABN [ABN]), registered at [REGISTERED_ADDRESS] (“YouLegit”, “we”, “us”, “our”). For privacy matters we act as the data controller (under the EU/UK GDPR) and APP entity (under the Australian Privacy Act 1988).
You can reach our privacy team at privacy@youlegit.com.
2. Scope
This policy applies to youlegit.com, app.youlegit.com, the YouLegit mobile applications for iOS and Android, and the YouLegit API. It does not apply to marketplaces, social platforms, or counterparties who receive a YouLegit code from a user — those services are governed by their own privacy policies.
3. What we collect
We deliberately collect the minimum information needed to run the service.
Account information
- Email address and (where used) phone number.
- A salted, hashed password — we never store your password in plain text.
- Device records (model, OS version, an opaque device identifier we generate) used to bind sessions to the device that created them.
Verification information
- A minimised attribute set returned by our identity-verification provider — typically a name-match result, document type, issuing country, and age-over flags, plus a reference identifier issued by the provider.
- We do not store raw images of identity documents, selfie captures, or biometric templates. Those are held by the verification provider under their own retention rules and are accessed by us only when strictly required (for example, when investigating a fraud report).
Transaction information
- YouLegit codes we have issued to your account.
- Share-token hashes (we never store raw share tokens; the hash is salted with a server-side pepper).
- Handover records — the parties involved, the verification request and its status, and the encrypted pickup address. Pickup addresses are encrypted at the application layer and are only decryptable while a valid, unexpired access grant exists for the requesting user.
- Receipts of completed handovers.
- Payment metadata returned by Stripe — typically the card brand, last four digits, expiry month/year, and a Stripe reference. We do not see or store your card number or CVC.
Operational information
- Audit events recording security-relevant actions, written into a tamper-evident, hash-chained log.
- Rate-limit counters, fraud and abuse signals, and block-list checks.
- Server logs containing IP addresses, request paths, and timestamps, retained for a short window for security and debugging.
4. What we don’t collect
YouLegit does not run analytics or advertising tracking. As of the date at the top of this policy:
- We do not set cookies on our marketing site or in the app.
- We do not load Google Analytics, Meta Pixel, advertising SDKs, session replay, or any cross-site tracking.
- We do not sell or rent personal information to anyone.
- We do not build advertising profiles, and we do not share personal information for behavioural advertising.
If this ever changes — for example, if we introduce privacy-respecting product analytics — we will update this policy and, where required, ask for your consent first.
5. Why we process it
We process personal information on the following legal grounds:
- Performance of a contract with you (GDPR Art. 6(1)(b)) — to create your account, complete identity verification, issue YouLegit codes, run handovers, and release pickup addresses on approval. Under the Australian Privacy Principles, this corresponds to the primary purpose for which we collect your information (APPs 3 and 6).
- Compliance with a legal obligation (GDPR Art. 6(1)(c)) — including responding to lawful requests from law enforcement, satisfying financial-record-keeping rules, and meeting anti-fraud requirements imposed on our payment providers.
- Legitimate interests (GDPR Art. 6(1)(f)) — fraud prevention, abuse detection, securing the service, maintaining the audit trail, and enforcing our Terms. We balance these against your rights and freedoms.
- Consent (GDPR Art. 6(1)(a)) — for any optional communications you opt into. You can withdraw consent at any time.
6. Subprocessors & sharing
We rely on a small set of vetted service providers to operate YouLegit. Each processes personal information only on our instructions and is bound by a written data-processing agreement.
| Provider | Purpose | Primary region |
|---|---|---|
| Stripe | Card processing, customer billing portal, payment webhooks | United States / Australia |
| Persona | Identity verification (hosted document & selfie flow) | United States |
| SendGrid (Twilio) | Transactional email | United States |
| Twilio | SMS fallback notifications (production only) | United States |
| Fly.io | Backend application hosting | Sydney, Australia |
| Neon | Managed PostgreSQL database | Asia-Pacific |
| Vercel | Web application hosting and edge delivery | Global edge |
| GitHub | Source-code hosting and continuous integration | United States |
We may also disclose information when required by law, in response to a valid subpoena, warrant, or court order, or to protect the rights, property, or safety of YouLegit, our users, or the public.
7. Counterparty disclosure
Identity protection is a core feature of YouLegit. When you approve a handover:
- The counterparty sees your verification status and a receipt reference — enough to know you have been verified.
- The counterparty does not see your legal name, date of birth, document number, or any other identifying attribute.
We will only disclose identifying attributes to a counterparty if you give explicit, informed consent at the time, or if we are compelled by law (for example, in response to a court-ordered lawful request).
8. Retention
- Account data is kept while your account is active and for a reasonable period afterwards to meet legal record-keeping and dispute obligations, then deleted or anonymised.
- Pickup addresses are deleted at the retention_delete_at timestamp set when the handover is created. This is a short window scoped to the operational lifetime of the transaction; once expired, the address ciphertext is removed by an automated job.
- Verification attributes are kept for as long as your account is verified plus the period required to demonstrate compliance to our regulators and payment providers.
- Audit events are retained for the audit window appropriate to their security and compliance purpose, and are append-only by design.
- Receipts are retained to meet tax and consumer-law requirements that apply to us.
9. Your rights
Subject to the law that applies to you, you have the right to:
- Access the personal information we hold about you (APP 12; GDPR Art. 15).
- Correct information that is inaccurate or out of date (APP 13; GDPR Art. 16).
- Erase information we no longer have a lawful basis to hold (GDPR Art. 17).
- Restrict or object to certain processing (GDPR Arts. 18 and 21).
- Portability — receive your information in a machine-readable format (GDPR Art. 20).
- Withdraw consent at any time, where consent is the basis for processing.
- Complain to the Office of the Australian Information Commissioner (oaic.gov.au), or to your local supervisory authority if you are in the EU or UK.
To exercise any of these rights, email privacy@youlegit.com. We will respond within 30 days, or sooner where the law requires. We may need to verify your identity before acting on your request.
10. Security
Security is built into the product, not bolted on. Specifically:
- Passwords and share tokens are stored as salted hashes with a server-side pepper. Raw tokens never leave memory after issuance.
- Pickup addresses are encrypted at the application layer with versioned keys, so we can rotate keys without re-encrypting old data in place.
- Buyer approvals require a session bound to a registered device, and the mobile app gates the approval UI behind your OS-level biometric or PIN.
- Critical actions are written to an append-only, hash-chained audit log.
- Rate limiting and block-list checks run before any verification request can be created.
- We deliberately do not store raw identity documents or biometric data.
No system can be made perfectly secure. If you believe your account has been compromised, contact us immediately at privacy@youlegit.com.
11. Children
YouLegit is intended for adults. We do not knowingly verify or hold accounts for anyone under 18. If you believe a minor has created an account, contact us and we will remove it.
12. International transfers
Some of our subprocessors are located outside Australia, the EU, or the UK (see section 6). When we transfer personal information overseas, we take reasonable steps to ensure that the recipient handles it consistently with APP 8, and where the GDPR applies, we rely on Standard Contractual Clauses or another lawful transfer mechanism.
13. Changes
We may update this policy as the product changes. When we do, we update the “Last updated” date at the top, and for material changes we will notify affected users by email or in-app. Continuing to use YouLegit after a change means you accept the updated policy.
14. Contact
Privacy enquiries: privacy@youlegit.com
Postal: [LEGAL_ENTITY_NAME], [REGISTERED_ADDRESS].
Questions? Email hello@youlegit.com.