Privacy Policy
Last updated: March 2026
1. Introduction
YugoInc ("Company," "we," "us," or "our") operates the YugoDMS dealership management platform (the "Service") at app.yugodms.com. This Privacy Policy describes how we collect, use, store, share, and protect personal information when you use our Service.
YugoDMS is a B2B SaaS platform used by automotive dealerships to manage their operations. As such, we process two categories of personal information:
- Subscriber Data: Information about dealership staff who use the platform (names, email addresses, roles, login credentials).
- Customer Data: Information about dealership customers that Subscribers enter into the platform (names, addresses, financial information, vehicle data). This data is owned by the Subscriber and processed by us on their behalf.
2. Information We Collect
2.1 Subscriber Information
When you register for and use the Service, we collect:
- Full name, email address, and phone number
- Dealership name, address, and dealer license number
- Billing and payment information (credit card numbers, bank account details)
- Login credentials and authentication tokens
- IP addresses, browser type, device information, and usage logs
- Role and access level within the platform
2.2 Customer Data (Processed on Behalf of Subscribers)
Subscribers may enter the following types of customer information into the Service. This data is owned by the Subscriber, and we process it as a data processor:
- Identity Information: Full name, date of birth, Social Security Number (SSN), driver's license number and state, government-issued ID copies
- Contact Information: Home address, mailing address, email address, phone numbers (home, mobile, work)
- Financial Information: Income, employment details, bank account information, credit scores, credit reports, payment history, loan balances
- Vehicle Information: VIN, make, model, year, mileage, title information, registration details, GPS location data
- Transaction Records: Purchase agreements, loan documents, payment receipts, insurance information, trade-in details
- Communication Records: SMS messages, email correspondence, voice call recordings (with consent), notes and comments
- Compliance Records: OFAC screening results, credit bureau reports, identity verification results
2.3 Automatically Collected Information
- Server logs (IP addresses, request timestamps, response codes)
- Browser type, operating system, and device identifiers
- Pages visited, features used, and time spent on the Service
- Error reports and performance metrics
- Cookies and similar tracking technologies (see our Cookie Policy)
3. How We Use Information
We use the information we collect for the following purposes:
- Providing, operating, and maintaining the Service
- Processing payments and managing subscriptions
- Authenticating users and enforcing access controls
- Providing customer support and responding to inquiries
- Sending transactional communications (billing notices, security alerts, service updates)
- Improving the Service through analytics and usage patterns (using aggregated, anonymized data)
- Detecting and preventing fraud, abuse, and security threats
- Complying with legal obligations and responding to lawful requests
- Enforcing our Terms of Service and other agreements
4. How We Store and Protect Information
4.1 Encryption
- At Rest: Sensitive data (SSN, driver's license numbers, financial credentials) is encrypted using AES-256-GCM encryption via pgcrypto at the database level.
- In Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher (HTTPS).
- Credential Storage: Portal credentials (e.g., floor plan lender logins) are encrypted with pgp_sym_encrypt and can only be decrypted by service-level database roles.
4.2 Access Controls
- Role-based access control (RBAC) with defined access levels (admin, manager, sales, user)
- Multi-factor authentication (MFA) available and recommended for admin accounts
- Session management with automatic timeout
- Audit logging of all data access and modifications
4.3 Infrastructure Security
- Hosted on secured infrastructure with firewalls and intrusion detection
- Regular security assessments and vulnerability scanning
- Automated backups with encrypted storage
- Content Security Policy (CSP) headers, CSRF protection, and rate limiting
5. Multi-Tenant Data Isolation
YugoDMS operates as a multi-tenant platform where multiple dealerships share the same infrastructure. We enforce strict data isolation through:
- Row Level Security (RLS): Database-level policies ensure that every query is automatically scoped to the authenticated tenant. No tenant can access another tenant's data through the application.
- Tenant-Scoped APIs: All API requests include tenant identification and are validated against the authenticated user's permissions.
- Isolated Storage: Document uploads and file storage are logically separated by tenant identifier.
- Audit Trail: All cross-tenant access by platform administrators is logged for compliance and security review.
6. Third-Party Services
We integrate with the following categories of third-party services to provide the Service. Data shared with these providers is limited to what is necessary for their specific function:
| Category | Purpose | Data Shared |
|---|---|---|
| Payment Processors | Process customer payments (Stripe, Fiserv, CardConnect, Global Payments) | Payment card data, transaction amounts, customer name |
| Credit Bureaus | Credit reporting and inquiries (Equifax, Experian, TransUnion via 700Credit) | SSN, name, address, account history |
| GPS Tracking | Vehicle location tracking (Traccar) | Device identifiers, GPS coordinates |
| Voice AI | AI-powered phone calls (Retell.ai) | Phone numbers, call recordings, conversation transcripts |
| Communications | SMS and phone calls (Twilio) | Phone numbers, message content |
| Transactional email delivery (Resend) | Email addresses, message content | |
| Skip Trace | Customer contact lookup (TLO, IDI) | Name, SSN, address, phone number |
| OFAC Screening | Sanctions compliance screening | Name, date of birth, address |
| Mapping | Address autocomplete (Google Places API) | Partial address input |
| Cloud Storage | Document and photo storage (Cloudflare R2) | Uploaded files (documents, photos) |
We require all third-party providers to maintain appropriate security measures and to process data only as instructed by us. We do not sell personal information to third parties.
7. Your Rights (CCPA / GDPR)
Depending on your jurisdiction, you may have the following rights regarding your personal information:
7.1 California Consumer Privacy Act (CCPA)
If you are a California resident, you have the right to:
- Know: Request disclosure of the categories and specific pieces of personal information we have collected about you.
- Delete: Request deletion of your personal information, subject to certain exceptions.
- Opt-Out: Opt out of the sale of your personal information. Note: we do not sell personal information.
- Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
7.2 General Data Protection Regulation (GDPR)
If you are located in the European Economic Area (EEA), you have the right to:
- Access: Obtain a copy of your personal data.
- Rectification: Correct inaccurate or incomplete personal data.
- Erasure: Request deletion of your personal data ("right to be forgotten").
- Portability: Receive your personal data in a structured, machine-readable format.
- Restriction: Restrict the processing of your personal data in certain circumstances.
- Objection: Object to the processing of your personal data.
7.3 Exercising Your Rights
To exercise any of these rights, you may:
- Email us at [email protected]
- Use the data export feature in your account settings
- Submit a request through our customer portal
We will respond to verified requests within 30 days (CCPA) or without undue delay and within one month (GDPR). We may need to verify your identity before processing your request.
Note for Dealership Customers: If you are a customer of a dealership that uses YugoDMS, your data is controlled by the dealership (the Subscriber). Please contact your dealership directly to exercise your privacy rights regarding the data they have entered into the platform. We will assist the dealership in fulfilling your request.
8. Data Retention
We retain personal information for the following periods:
| Data Type | Retention Period | Basis |
|---|---|---|
| Subscriber account data | Duration of subscription + 30 days | Contract performance |
| Customer records (entered by Subscriber) | Duration of subscription + 30 days | Contract performance |
| Payment/billing records | 7 years | Tax and legal compliance |
| Credit bureau reporting records | 7 years | FCRA compliance |
| OFAC screening results | 10 years | BSA/AML compliance |
| Audit logs | 3 years | Security and compliance |
| Server/access logs | 90 days | Security monitoring |
| Communication records (SMS/email) | Duration of subscription + 30 days | TCPA compliance / dispute resolution |
After the applicable retention period, data is permanently deleted from our systems and backups within 30 days, except where longer retention is required by law.
9. Cookie Usage
We use cookies and similar technologies to operate the Service. For detailed information about the cookies we use and how to manage them, please see our Cookie Policy.
10. Children's Privacy
The Service is not directed at children under the age of 13, and we do not knowingly collect personal information from children under 13. If we learn that we have inadvertently collected personal information from a child under 13, we will promptly delete that information. If you believe we may have collected information from a child under 13, please contact us at [email protected].
11. International Data Transfers
The Service is operated from the United States. If you access the Service from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States. By using the Service, you consent to the transfer of your information to the United States, where data protection laws may differ from those in your jurisdiction.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. For significant changes, we will provide additional notice via email or through the Service. Your continued use of the Service after changes are posted constitutes your acceptance of the revised policy.
13. Contact Information
If you have any questions about this Privacy Policy, want to exercise your privacy rights, or have a complaint about our data practices, please contact us: