Privacy Policy

Omiwato Ventures AB (operating as Yesper) · Last updated 26 April 2026

1. Who we are

This Privacy Policy applies to Omiwato Ventures AB, registration number 559497-0450, a company registered in Sweden, operating under the brand name Yesper and the domain yesper.ai (the "Company", "we", "us", or "our"). We are the data controller for personal data we collect through our marketing website and our SaaS platform (the "Platform"), except where we process personal data on behalf of a customer as a data processor (see Section 2).

Privacy contact: legal@yesper.ai

2. Scope and our role

This policy applies to personal data we collect when you:

  • visit our public website at yesper.ai or any of its subdomains;
  • create an account or use the Platform as an end user, administrator, or customer representative;
  • contact us by email, form, or any other channel; or
  • engage with us in a sales, partnership, or recruitment context.

Our role. When personal data is contained in content uploaded by a customer to the Platform, we generally act as a data processor on that customer's behalf, and the customer acts as data controller. Such processing is governed by the data processing agreement (DPA) between us and the customer, which prevails over this Privacy Policy for that data. We act as data controller for personal data we collect in our own right, including website data, account registration data, and communications data.

3. Data we collect

Website visitors and prospects. When you visit our website, we collect:

  • Standard server log data: IP address, browser type and version, operating system, referring URL, pages visited, timestamps, language preference.
  • Form submissions: name, work email, company name, role, message, and any other information you provide voluntarily.
  • Cookie and similar technology data, where you have consented (see Section 13).

Platform users. When you create or use a Yesper account, we collect:

  • Account registration data: name, work email, organization, role, and password hash.
  • Authentication data: SSO tokens or identifiers from your identity provider (e.g. Microsoft Entra ID), session metadata.
  • Usage and telemetry data: actions taken in the Platform, features accessed, queries entered, file metadata (file names, sizes, upload times), session metadata, system performance data.
  • Customer Content: documents, queries, prompts, files, and any other data you or your organization upload, generate, or store within the Platform. Customer Content may contain personal data if you choose to include it.

Communications and support. When you email us, submit a support request, or otherwise communicate with us, we retain that correspondence and any personal data it contains.

Recruitment. If you apply for a job with us, we collect application materials (CV, cover letter, references) and any other information you choose to share.

We do not knowingly collect special category personal data (such as health, biometric, racial or ethnic origin, religious beliefs, or political opinions) unless it is contained in Customer Content uploaded by a customer.

4. How we use your data

We use personal data for the following purposes:

  • Service delivery: to operate, maintain, secure, and improve our website and Platform; to authenticate users; to provide the features and functionality you request.
  • Customer relationship management: to respond to inquiries, provide support, manage subscriptions, and deliver professional services.
  • Transactional communications: account confirmations, password resets, security alerts, and updates to legal documents.
  • Marketing: to send marketing communications where you have given consent or where we have a legitimate interest and you have not opted out. You can unsubscribe at any time.
  • Analytics: to monitor and analyze usage patterns, diagnose technical issues, and prioritize product development.
  • Aggregate insights: to produce anonymized and aggregated data that does not identify you or your organization, which we may use for internal analysis and reporting.
  • Compliance and protection: to comply with legal obligations, enforce our agreements, prevent fraud and abuse, and protect the rights, property, or safety of Yesper, our customers, or others.

We do not use Customer Content to train, fine-tune, or improve any artificial intelligence or machine learning models that are made available to third parties — including foundation models operated by our model providers — without your explicit prior written consent. Customer Content is processed solely to deliver the Platform services to you.

We do not sell personal data to third parties.

5. Legal basis for processing

We process personal data on the following GDPR legal bases:

  • Performance of a contract (Art. 6(1)(b) GDPR): when processing is necessary to perform a contract with you or to take steps at your request prior to entering into a contract — for example, account creation and Platform delivery.
  • Legitimate interests (Art. 6(1)(f) GDPR): when processing is necessary for our legitimate interests, such as improving our services, securing our infrastructure, communicating with prospective customers, and analyzing usage. We balance these interests against your rights and only rely on this basis where we have determined that our interests are not overridden.
  • Legal obligation (Art. 6(1)(c) GDPR): when processing is necessary to comply with a legal obligation, such as accounting, tax, or regulatory requirements.
  • Consent (Art. 6(1)(a) GDPR): for non-essential cookies, marketing communications, and other contexts where we expressly request your consent. You may withdraw it at any time without affecting the lawfulness of prior processing.

6. Sub-processors

To deliver the Platform we engage trusted third parties as sub-processors. Our current sub-processors are:

  • Microsoft Azure — cloud infrastructure provider, including databases, file storage, AI model hosting, messaging, and search services. All data is processed and stored on servers within the European Union (Sweden Central region).
  • Auth0 — authentication provider, used to authenticate users and integrate with identity providers. Servers within the European Union.
  • Intercom — customer support tooling, allowing users to reach support inside the application. Servers within the European Union.

A current and complete sub-processor list is published at yesper.ai/subprocessors and made available to customers on request. Customers are notified of material changes to our sub-processors in accordance with their data processing agreement.

All sub-processors are bound by written agreements requiring them to process personal data only on our documented instructions, maintain confidentiality, and implement appropriate security measures consistent with applicable law.

7. Sharing your data

We share personal data only as follows:

  • Sub-processors (Section 6): for service delivery, on our documented instructions.
  • Customer organizations: if you are an end user accessing the Platform through your employer's subscription, we share usage and account data with that organization in accordance with our agreement with them.
  • Professional advisors: lawyers, accountants, auditors, and similar advisors bound by confidentiality.
  • Business transfers: in the event of a merger, acquisition, restructuring, or sale of assets; the recipient will be required to honor this Privacy Policy or notify you of any changes.
  • Legal requirements: when required by applicable law, court order, or competent public authority, or when necessary to protect our rights, property, or safety, or those of our customers or others.

We do not share personal data with third parties for their own marketing purposes.

8. International transfers

Our primary operations and Platform infrastructure are located within the European Economic Area (EEA). Personal data is processed and stored within the EEA wherever practicable.

Where personal data is transferred outside the EEA, we ensure appropriate safeguards under GDPR Chapter V, including:

  • the European Commission's Standard Contractual Clauses (SCCs);
  • adequacy decisions, where the destination country is recognized by the European Commission as providing an adequate level of protection;
  • supplementary measures (such as encryption and pseudonymization) where necessary.

You may request a copy of the safeguards in place by contacting legal@yesper.ai.

9. Data retention

We retain personal data only as long as necessary for the purposes for which it was collected, to comply with our legal obligations, or to establish, exercise, or defend legal claims. Indicative retention periods:

Data type Retention period
Marketing website data (server logs, contact forms) Up to 24 months
Active customer account data Duration of the customer relationship
Customer Content Duration of the subscription, plus the export period specified in the applicable agreement (typically 30 days)
Closed account data Up to 12 months after closure, except where law requires longer (e.g. accounting records: 7 years under Swedish law)
Communications and support records Up to 36 months after the last interaction
Recruitment data Up to 12 months after a recruitment decision, unless you consent to longer retention

When data is no longer required, we delete or irreversibly anonymize it using reasonable technical means.

10. Your rights

Under the GDPR you have the following rights:

  • Access (Art. 15): obtain confirmation of, and a copy of, the personal data we hold about you.
  • Rectification (Art. 16): have inaccurate or incomplete data corrected.
  • Erasure (Art. 17): request deletion of your data in certain circumstances.
  • Restriction (Art. 18): request that we restrict processing of your data.
  • Portability (Art. 20): receive your data in a structured, commonly used, machine-readable format.
  • Objection (Art. 21): object to processing based on legitimate interests, or to direct marketing.
  • Withdraw consent (Art. 7(3)): where processing is based on consent.

To exercise any of these rights, contact us at legal@yesper.ai. We will respond within one month, with a possible extension of two further months for complex requests, in accordance with GDPR Art. 12. We may need to verify your identity before processing certain requests.

You also have the right to lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY) or your local supervisory authority.

11. Automated decision-making

The Platform uses artificial intelligence and machine learning to assist users in their work. The outputs of these systems are intended to support — not replace — human judgment and decision-making.

We do not use personal data to make decisions that produce legal effects on you or similarly significantly affect you, within the meaning of GDPR Art. 22, without human review.

If you have questions about how AI processing in the Platform may affect you, contact legal@yesper.ai.

12. AI and the EU AI Act

We design and operate the Platform with the EU AI Act (Regulation 2024/1689) in mind. The Platform's AI features are configured to:

  • inform users when they are interacting with AI-generated content (Art. 50 EU AI Act);
  • provide source attribution and citations for AI-generated outputs where applicable;
  • support customer governance, audit, and review of AI-assisted work.

We classify the AI functionality offered through the Platform as not constituting a "high-risk AI system" under Annex III of the EU AI Act based on its current functionality and intended use. We continue to monitor the regulatory landscape and update our practices as required.

13. Cookies and similar technologies

Our website uses cookies and similar technologies for the following purposes:

  • Strictly necessary cookies: required for the website to function (security, authentication, session management). These cannot be disabled.
  • Functional cookies: remember your preferences (e.g. language).
  • Analytics cookies: help us understand how visitors use the site. These are set only with your consent.

Where required by applicable law, we will request your consent before setting non-essential cookies. You can manage your preferences through our cookie banner and through your browser settings.

The Platform itself uses session cookies and similar technologies necessary for authentication and operation; these are not optional for users of the Platform.

14. Security

We implement appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage. Measures include:

  • encryption of data in transit and at rest;
  • access controls and least-privilege principles;
  • single sign-on (SSO) integration where required;
  • segregation of customer environments (single-tenant deployment available for enterprise customers);
  • regular security testing and review;
  • incident response procedures.

The Platform is hosted on Microsoft Azure infrastructure within the EEA. Our security program is aligned with industry frameworks; certifications and attestations are available on request.

If we become aware of a personal data breach affecting your data, we will notify the relevant supervisory authority and (where required by law) you, in accordance with GDPR Art. 33–34.

No method of transmission over the internet or electronic storage is completely secure, and we cannot guarantee absolute security.

15. Children

Our services are intended for use by businesses and their adult representatives. They are not directed at individuals under 16. We do not knowingly collect personal data from children. If you believe we have inadvertently done so, contact legal@yesper.ai and we will delete it promptly.

16. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes we will update the "Last updated" date at the top of this page and, where appropriate and feasible, notify customers and end users by email or through the Platform.

Your continued use of our services after changes take effect constitutes your acceptance of the updated policy.

17. Contact

For questions, requests, or concerns about this Privacy Policy or our data practices:

Omiwato Ventures AB
Privacy contact: legal@yesper.ai
Postal address: Pipersgatan 14, 112 24 Stockholm, Sweden

We have not formally appointed a Data Protection Officer; the privacy contact above is the primary point of contact for all data protection matters.