Privacy Policy

YieldKey is a product operated by Capital Orbit Group Ltd ("we", "us", "our"), a company registered in England and Wales (company number 15345537), with registered office at 3rd Floor, 86–90 Paul Street, London, EC2A 4NE.

For the purposes of UK data protection law (UK GDPR and the Data Protection Act 2018), Capital Orbit Group Ltd is the data controller for personal data we collect through this website (yieldkey.ai and yieldkey.co.uk) and for personal data we process about our customers.

When YieldKey processes personal data on behalf of our business customers (for example, the contact details and enquiry content of their property prospects, leads, or guests), we act as a data processor. Our customers remain the controller of that data and the terms of our processing are set out in our Data Processing Agreement.

For any privacy or data protection questions, requests, or complaints:

• Email: privacy@yieldkey.ai
• Post: Data Protection, Capital Orbit Group Ltd, 3rd Floor, 86–90 Paul Street, London, EC2A 4NE

We aim to respond to all privacy requests within 30 days, as required by UK GDPR.

a) Information you give us directly

When you fill in our contact form, book a demo, join a waitlist, or email us, we collect:

• Your name
• Your work email address
• Your company name and role (where provided)
• The product you're enquiring about (Reply, Host, or Source)
• The content of your message to us

b) Information collected automatically when you use this website

• Basic technical information (IP address, browser type, device type, referring URL)
• How you use the site (pages viewed, time on page, navigation paths) — only where you have given consent or it is strictly necessary for the site to function
• Information stored in cookies (see our Cookie Policy)

c) Information when you become a customer

If you sign up as a YieldKey customer, we additionally collect:

• Billing details (handled by our payment processor — we do not store full card numbers)
• Account credentials
• Configuration data you provide to set up the product (your scripts, qualification rules, CRM details)
• Usage data about how you and your team use the product

d) Personal data of your prospects, leads, and guests (when you're a customer)

When you use YieldKey, the AI processes communications with people contacting your business — typically property prospects, tenants, buyers, sellers, landlords, or short-term rental guests. The data passing through our system includes their names, contact details, enquiry content, and any information they share in the course of their interaction with you.

You are the controller of this data. We are your processor. We only process it on your documented instructions and under the terms of our Data Processing Agreement.

We do not use your personal data to train general-purpose AI models. AI models that handle communications inside YieldKey are configured for your specific operation and customers' instructions only.

YieldKey is an AI-powered product. As part of normal use, the system uses AI models to:

• Draft responses to inbound property enquiries
• Qualify and categorise leads against your stated criteria
• Prioritise messages and route them to the right team member
• Generate summaries and recommendations for your team

These activities may involve automated processing as defined in UK GDPR Article 22. We design the product so that meaningful human review remains available at every stage — your team can override, approve, or change any AI-generated reply or decision.

Where data subjects (for example, a property prospect who contacted your agency) want to:

• Obtain human review of an automated decision
• Express their point of view
• Contest a decision

they can do so by contacting either you (as their primary point of contact) or us at privacy@yieldkey.ai. We will route the request to the controller (you, our customer) for resolution.

We never sell your personal data. We share it only with the following categories of recipients:

a) Sub-processors who help us operate the product:

• AI model providers: Anthropic (Claude API), OpenAI — used for natural language generation and understanding
• Cloud hosting: Lovable, Cloudflare (later: AWS or Vercel)
• Email infrastructure: Resend or Postmark (transactional email)
• Payment processing: Stripe (billing data only)
• Analytics: Plausible or similar privacy-friendly analytics (where used, with consent)
• CRM integrations: Reapit, Alto, Salesforce, HubSpot, Pipedrive, Monday — these are conduits for data we process on your behalf, under your instruction

We maintain a current list of sub-processors and notify customers of changes as required by UK GDPR Article 28(2). The current list is available on request at privacy@yieldkey.ai.

b) Professional advisers: Lawyers, accountants, auditors, and insurers, where reasonably necessary.

c) Authorities: Where we are required by law to disclose information to UK courts, regulators, or law enforcement.

d) In a business transaction: If Capital Orbit Group Ltd is acquired, merged, or restructured, personal data may transfer as part of that transaction. We will notify you in advance where required.

Some of our sub-processors are based outside the UK, primarily in the United States (for example, Anthropic, OpenAI, Stripe).

Where we transfer personal data outside the UK, we rely on one or more of the following safeguards:

• UK adequacy regulations — where the destination country has been recognised by the UK Government as providing an adequate level of data protection
• International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses
• Other appropriate safeguards as defined in UK GDPR Articles 46–47

Copies of the relevant transfer documentation are available on request.

Under UK GDPR you have the following rights regarding your personal data:

• Access — request a copy of the personal data we hold about you
• Rectification — ask us to correct inaccurate or incomplete data
• Erasure — ask us to delete your data ("right to be forgotten") where applicable
• Restriction — ask us to limit how we use your data while a question is resolved
• Portability — receive your data in a structured, commonly used, machine-readable format
• Objection — object to processing based on legitimate interests, including direct marketing
• Withdraw consent — for any processing based on consent, at any time
• Not be subject to solely automated decisions that produce legal or similarly significant effects on you, where applicable under Article 22

To exercise any of these rights, contact us at privacy@yieldkey.ai.

If we hold personal data about you that was provided by one of our customers (for example, you contacted a letting agency that uses YieldKey), please contact that organisation in the first instance, as they are the controller of that data. We will support them in fulfilling your request.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority:

• Website: https://ico.org.uk
• Phone: 0303 123 1113

We would, however, appreciate the opportunity to address your concerns directly before you contact the ICO.

We apply appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or disclosure. These include:

• Encryption of data in transit (TLS) and at rest where supported by infrastructure
• Access controls and least-privilege principles for our team
• Sub-processor due diligence and contractual data protection commitments
• Logging and monitoring of access to systems holding personal data
• Regular review of our security practices

If we ever become aware of a personal data breach affecting your data, we will notify you and the ICO as required by UK GDPR (within 72 hours where the breach is likely to result in a risk to your rights and freedoms).

YieldKey is a business-to-business service. We do not knowingly collect personal data from anyone under the age of 18. If you believe a child has provided us with personal data, please contact privacy@yieldkey.ai and we will delete it.

We may update this policy from time to time to reflect changes in our practices, legal requirements, or product features. The current version, with its effective date, will always be published at this URL. For material changes affecting our customers, we will provide reasonable advance notice by email.