YPlus

Privacy Policy

Effective date: 3 June 2026 · Version 1.0

    Summary for teachers: YPlus stores your class and student data primarily on your own device. Cloud backup is optional and only activates when you create an account. We do not sell your data or your students' data to anyone, ever.
  

1. Who we are

YPlus ("we", "our", "us") is a teacher productivity application developed and operated by YPlus, based in Cyprus. Cyprus is a member state of the European Union, and this policy is written in full compliance with the General Data Protection Regulation (GDPR).

For any privacy-related questions or requests, contact us at: info@yplusapp.com

2. What data YPlus handles

2.1 Data you enter into the app

Category	Examples	Where it lives
Account information	Email address, Apple ID token	On-device + Supabase (if you sign in)
Class data	Class names, school years	On-device SQLite; Supabase if backup is active
Student records	Student names you enter	On-device SQLite; Supabase if backup is active
Attendance records	Session dates, per-student attendance marks	On-device SQLite; Supabase if backup is active

2.2 Data collected automatically

Data	Purpose
Device identifier (UUID generated by the app)	Enforcing the free-tier single-device sync limit
Sync timestamps	Resolving conflicts during cloud backup

We do not collect advertising identifiers, location data, contact lists, microphone or camera input, or any behavioural analytics.

3. Legal basis for processing (GDPR)

Contract performance (Art. 6(1)(b)): processing your account and subscription data to deliver the service you signed up for.
Legitimate interests (Art. 6(1)(f)): maintaining service security, preventing abuse, and enforcing subscription limits.
Consent (Art. 6(1)(a)): optional cloud backup. You can withdraw consent at any time by disabling backup in Settings.

4. Student data and special considerations

Student names and attendance records entered into YPlus are personal data belonging to your students. As the teacher using the app, you are the data controller for your students' data under GDPR. YPlus acts as a data processor on your behalf.

You are responsible for ensuring you have a lawful basis (e.g. school policy, institutional mandate, or legitimate interest) to record and store student attendance data. We recommend following your school's or institution's data protection policy.

Student data is never used by us for any purpose other than delivering the app's functionality to you. It is never sold, shared with advertisers, or used for profiling.

5. How we store and protect your data

On-device storage

All data is stored in an encrypted SQLite database on your device. Data stored locally is protected by the operating system's standard security (iOS Secure Enclave / Android Keystore).

Cloud backup (optional)

When you enable cloud backup, your data is replicated to Supabase, a PostgreSQL-based cloud database. Data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Supabase's infrastructure runs on AWS in the EU region. You can review Supabase's security posture at supabase.com/security.

Demo / anonymous mode

If you use YPlus without creating an account, no data ever leaves your device. Cloud backup is only activated when you sign in.

6. Data sharing and third parties

We do not sell your data. We share data only with the following sub-processors, to the minimum extent necessary to operate the service:

Sub-processor	Purpose	Location
Supabase Inc.	Cloud database and authentication backend	EU (AWS)
Apple Inc.	Sign in with Apple; App Store payment processing	USA (SCCs apply)
Google LLC	Google Play payment processing (Android)	USA (SCCs apply)

Standard Contractual Clauses (SCCs) govern all transfers to entities outside the EU/EEA.

7. Data retention

Local data: retained on your device until you delete it or uninstall the app.
Cloud backup data: retained as long as your account is active. You can delete all cloud data from Settings → Delete All Data, or by emailing us.
Account data: deleted within 30 days of account deletion.
Payment records: retained for 7 years as required by EU tax law.

8. Your rights under GDPR

As a data subject in the EU/EEA, you have the following rights:

Right of access (Art. 15): request a copy of your personal data.
Right to rectification (Art. 16): correct inaccurate data.
Right to erasure (Art. 17): request deletion of your data ("right to be forgotten").
Right to restriction (Art. 18): restrict how we process your data.
Right to data portability (Art. 20): receive your data in a machine-readable format.
Right to object (Art. 21): object to processing based on legitimate interests.
Right to withdraw consent: disable cloud backup at any time in Settings.

To exercise any of these rights, email us at info@yplusapp.com. We will respond within 30 days. You also have the right to lodge a complaint with the Office of the Commissioner for Personal Data Protection of Cyprus (dataprotection.gov.cy).

9. Children

YPlus is intended for use by adult teachers and educational professionals. The app is not directed at children and we do not knowingly collect personal data directly from children under the age of 16. Student names and records entered by teachers are processed on behalf of the teacher as controller (see §4).

10. In-app purchases and subscriptions

Subscription payments are processed entirely by Apple (App Store) or Google (Play Store). We do not store or process payment card details. We receive only a subscription receipt confirming your plan status.

11. Changes to this policy

If we make material changes to this policy, we will notify you via an in-app notice or email at least 14 days before the change takes effect. The "Effective date" at the top of this page will be updated. Continued use of the app after the effective date constitutes acceptance of the revised policy.

12. Contact

Data Controller

YPlus App
Cyprus
info@yplusapp.com