Privacy Notice
Last updated: 16 March 2026
1. Introduction
This Privacy Policy explains how Nusho (“we,” “us,” or “our”) collects, processes, stores, and protects personal data when users access or use our website, platform, services, communication channels, or other related features.
The processing of personal data is carried out in accordance with applicable data protection laws, in particular:
the European Union General Data Protection Regulation (GDPR),
the UK GDPR and the UK Data Protection Act 2018,
the Swiss Federal Act on Data Protection (nFADP),
the applicable data protection laws of individual U.S. states, including the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA),
as well as other applicable international data protection regulations.
This Privacy Policy applies to all users outside the DACH region (Germany, Austria, and Switzerland).
A separate German-language Privacy Policy applies to users within the DACH region.
2. Controller
Nusho (business unit of PP Path Provider)
Owner: Mina Massoudy
Goebenstraße 10
50672 Cologne
Germany
Email: support@yumi.com
Website: yumiassistant.com
No Data Protection Officer has been appointed, as this is not legally required.
Processing on behalf of business customers (data processing agreement / processor relationship)
Where Nusho processes personal data on behalf of its business customers, in particular in connection with the setup, configuration, or operation of communication channels (e.g. WhatsApp, messaging, or voice systems) used by those customers to communicate with their own end customers, such processing is carried out as data processing on behalf of a controller within the meaning of Art. 28 GDPR or comparable international data protection provisions.
In such cases, the respective business customer acts as the controller within the meaning of the applicable data protection laws and determines the purposes and means of the processing of personal data.
In particular, the business customer is responsible for determining the legal basis for processing the personal data of its end customers, ensuring compliance with applicable data protection, communications, and marketing laws, and properly informing data subjects about the processing of their personal data.
In these cases, Nusho processes personal data solely on the basis of the documented instructions of the respective business customer and on the basis of a concluded data processing agreement pursuant to Art. 28 GDPR.
3. Categories of Personal Data
Depending on how you use our website and services, we may process the following categories of personal data:
Identity data: e.g. name and, where applicable, company affiliation.
Contact data: e.g. email address or telephone number.
Account data: e.g. login credentials for your user account (including encrypted passwords), as well as role and permission assignments.
Transaction data: e.g. information relating to subscriptions or invoices. Payment processing may be carried out through external payment service providers (e.g. Stripe).
Communication data: e.g. the content of messages sent to us via email, WhatsApp, telephone, contact forms, or other communication channels.
Usage data: e.g. information about logins, features used, system interactions, and activities within the platform.
Technical data: e.g. IP address, device and browser information, operating system, access times, and server log files.
Voice interaction data: e.g. audio content and metadata from incoming calls, where voice systems or AI-based voice processing are used.
We do not sell personal data within the meaning of applicable data protection laws.
4. How We Use Personal Data
We process personal data for the following purposes:
operation, provision, and maintenance of our website and platform
creation and management of user accounts
provision of our contractual services and subscriptions
payment processing and invoicing
handling inquiries and providing customer service and support
carrying out onboarding processes and configuring services
processing incoming calls, including automated voice and AI-assisted functions
carrying out internal administrative and process automations
ensuring the security, stability, and integrity of our systems
compliance with legal and regulatory obligations
5. Legal Bases for Processing
Personal data is processed on the basis of the following legal grounds under Art. 6 GDPR, depending on the specific purpose of the processing:
contractual necessity (Art. 6(1)(b) GDPR / equivalent international standards)
legal obligation (Art. 6(1)(c) GDPR)
legitimate interests (Art. 6(1)(f) GDPR)
6. Hosting and Website Operation
Our website is hosted by an external hosting service provider. The hosting provider supplies the technical infrastructure required for the operation, provision, and security of our website.
In the course of hosting, so-called server log files may be processed. In particular, the following data may be collected:
IP address of the requesting device
date and time of access
pages or files accessed
amount of data transferred
browser type and browser version
operating system used
referrer URL (previously visited page)
This data is processed in order to ensure the stable and secure operation of the website, analyze technical problems, and maintain system security.
The legal basis for this processing is Art. 6(1)(f) GDPR (legitimate interest in the secure and functional provision of our website).
7. Server Log Files
When our website is accessed, information is automatically processed in so-called server log files. This data is collected automatically by the system.
In particular, the following data may be processed:
IP address of the requesting device
date and time of access
pages or files accessed
amount of data transferred
browser type and browser version
operating system used
referrer URL (previously visited page)
device and system information
The processing is carried out to ensure system security, for technical administration, and for error analysis.
The legal basis is Art. 6(1)(f) GDPR (legitimate interest in the security and stability of our IT systems).
8. Cookies and Tracking
Our website currently does not use any cookies or tracking technologies that require consent.
No analytics or marketing tracking services are used.
The website uses only technically necessary processing required for the operation and provision of the website.
The legal basis is Art. 6(1)(f) GDPR (legitimate interest in the technically error-free operation of the website).
9. Contact Forms and Onboarding Forms
If you contact us via a form on our website or submit information as part of an onboarding process, we process the personal data you provide.
This may in particular include the following data:
identity data (e.g. name)
contact data (e.g. email address or telephone number)
information related to onboarding or the use of our services
technical metadata (e.g. time of submission)
The processing is carried out in order to handle your inquiry, communicate with you, and prepare or provide our services.
The legal bases are:
Art. 6(1)(b) GDPR (contract or pre-contractual measures)
Art. 6(1)(f) GDPR (legitimate interest in the efficient handling of inquiries)
Form data may be processed by an external technical service provider acting as a processor pursuant to Art. 28 GDPR.
10. User Accounts
Use of certain features of our platform may require the creation of a user account.
In particular, the following personal data may be processed:
name
email address
company affiliation (where applicable)
login data (including encrypted passwords)
onboarding information
usage data related to account use
This data is processed for the following purposes:
authentication and login
management of roles and access rights
provision of our contractual services
support with onboarding and configuration
communication related to the user account
The legal basis is Art. 6(1)(b) GDPR (performance of a contract or implementation of pre-contractual measures).
11. Subscriptions and Payment Processing (Stripe)
For payment processing, we use the payment service provider:
Stripe Payments Europe Ltd.
1 Grand Canal Street Lower
Dublin 2, Ireland
If you make a payment or take out a paid subscription, payment information is transmitted directly to Stripe and processed there. The data processed may in particular include:
payment information (e.g. payment method, transaction data)
technical identification data
IP address
device and transaction metadata
Stripe processes this data under its own responsibility as an independent controller within the meaning of the GDPR.
The legal basis for the processing is Art. 6(1)(b) GDPR (processing for the performance of a contract or for the implementation of pre-contractual measures in connection with payment processing).
12. CRM and Communication System
We use a professional CRM and communication platform to organize our business processes and communicate with users and business customers.
This platform is used in particular for:
customer relationship management
communication via email, SMS, or WhatsApp
appointment scheduling
processing form inquiries
internal process automations
processing incoming calls (including AI-assisted functions)
In particular, the following categories of personal data may be processed:
identity and contact data
communication data
interaction data
contract and usage data
The legal bases for processing are:
Art. 6(1)(b) GDPR (performance of a contract or implementation of pre-contractual measures)
Art. 6(1)(f) GDPR (legitimate interest in the efficient organization of customer communication and business processes)
Art. 6(1)(a) GDPR (consent), where optional marketing or communication measures are carried out
The provider of the platform processes data solely as a processor pursuant to Art. 28 GDPR.
Where personal data is transferred to countries outside the European Union or the European Economic Area, this is done on the basis of the Standard Contractual Clauses (SCCs) approved by the European Commission, together with additional technical and organizational safeguards.
12.1 Communication with the End Customers of Our Business Customers
Our platform enables business customers to communicate with their own customers or prospects via messaging channels such as WhatsApp.
In these cases, Nusho provides only the technical infrastructure for the communication.
Where personal data of end customers is processed, this is done solely as processing on behalf of the respective business customer pursuant to Art. 28 GDPR.
The respective business customer remains the controller for this data processing and is in particular responsible for:
determining the purposes and means of the processing,
obtaining and documenting valid consent or another legal basis,
complying with applicable data protection, consumer protection, and telecommunications laws,
the content, timing, and recipients of the communication sent.
Nusho does not make any independent decisions regarding communication purposes, target groups, or message content.
13. Communication via WhatsApp (WhatsApp Business API)
If you contact us via the WhatsApp messaging service, we process personal data transmitted in the course of that communication.
This may in particular include:
telephone number
message content
communication timestamps
technical communication metadata
The service provider is:
Meta Platforms Ireland Ltd.
4 Grand Canal Square
Dublin 2, Ireland
It cannot be ruled out that personal data may also be transferred to the United States in connection with the use of WhatsApp. In such cases, the data transfer is based on the Standard Contractual Clauses of the European Commission.
The legal bases for processing are:
Art. 6(1)(b) GDPR (handling inquiries or implementing pre-contractual measures)
Art. 6(1)(f) GDPR (legitimate interest in efficient customer communication)
Art. 6(1)(a) GDPR (consent), where WhatsApp is used for marketing or proactive communication purposes
13.1 WhatsApp Consent (Opt-In) and Documentation
The use of WhatsApp for marketing, advertising, or other proactive messages takes place only if the data subject has previously given explicit and verifiable consent.
Alternatively, communication may take place where messages serve exclusively to provide a requested service (e.g. transactional messages or service notifications).
Consent may in particular be given in the following ways:
active contact initiated by the user via WhatsApp (e.g. by sending the first message),
explicit opt-in outside WhatsApp (e.g. via a form or corresponding declaration of consent),
confirmation within WhatsApp (e.g. by replying “YES” or entering a confirmation code).
To document consent, the following consent-related metadata may be processed and stored:
telephone number
date and time of consent
date and time of confirmation (where required)
source of consent (e.g. form, QR code, or chat initiation)
version and language of the consent text
opt-out or unsubscribe events
The legal basis for this processing is Art. 6(1)(a) GDPR (consent).
Consent may be withdrawn at any time with future effect, for example by sending a corresponding unsubscribe message (e.g. “STOP”).
14. Automated Processing of Incoming Calls (Voice AI)
We use an automated telephone system with AI-assisted voice processing to answer incoming calls and handle inquiries.
During a call, the spoken audio is processed in real time in order to identify the content of the inquiry and respond accordingly. As a rule, we do not record calls. No audio recordings are stored and no full transcripts are created.
In particular, the following data may be processed in connection with call handling:
caller’s telephone number
call metadata (e.g. date and time of the call, duration, forwarding or routing information)
conversation notes or outcome information (e.g. appointment request, requested time period, subject of the inquiry, callback request, or booking status)
The processing is carried out for the following purposes:
handling incoming inquiries
appointment booking or appointment management
forwarding inquiries to responsible staff
supporting customer service
ensuring the security and stability of our telephone systems
The legal bases for processing are:
Art. 6(1)(b) GDPR (handling inquiries in connection with existing or requested services)
Art. 6(1)(f) GDPR (legitimate interest in the efficient handling of customer inquiries and in stable and secure communication systems)
Conversation notes or outcome information are stored only for as long as necessary for the stated purposes and in accordance with the retention periods set out in Section 19.
15. Internal Process Automation
To support our internal business processes, we use a technical platform for workflow automation.
Within the scope of these automations, only such personal data is processed as is necessary for the respective process.
The processing is carried out in particular for organizing internal workflows, managing customer relationships, and efficiently providing our services.
The legal bases for processing are:
Art. 6(1)(b) GDPR (performance of a contract or implementation of pre-contractual measures)
Art. 6(1)(f) GDPR (legitimate interest in the efficient organization of our business processes)
16. Employee Accounts of Business Customers
Business customers may create user accounts within our platform for their employees.
In particular, the following personal data may be processed:
name
email address
assigned role or access rights
usage data related to use of the platform
The processing is carried out to provide platform functions, manage access rights, and organize the use of our services within a customer company.
The legal basis is Art. 6(1)(b) GDPR (performance of a contract or implementation of pre-contractual measures).
17. Mandatory Provision of Personal Data
Certain personal data is required in order to use our services, for example to create a user account, communicate with us, or process payments.
If this data is not provided, certain functions of our website or platform may not be available, or we may be unable to provide the requested services.
18. International Data Transfers
When using external service providers or communication services, it may be necessary to transfer personal data to recipients outside the European Union or the European Economic Area.
Where such a transfer takes place, we ensure that an adequate level of data protection is maintained.
This is ensured in particular through:
entering into the Standard Contractual Clauses (SCCs) approved by the European Commission
additional technical and organizational safeguards
selection of service providers offering appropriate data protection guarantees
19. Retention Period
We store personal data only for as long as necessary for the respective purposes of processing or as required by statutory retention obligations.
Typical retention periods may in particular include:
contract and billing data: up to 10 years (statutory retention obligations under commercial and tax law)
data related to user accounts: until the account is deleted or the business relationship ends
communication or support data: only as long as necessary to handle the inquiry or document the communication
20. Rights of Data Subjects
Under the General Data Protection Regulation, you have the following rights:
right of access to the personal data we process about you (Art. 15 GDPR)
right to rectification of inaccurate or incomplete data (Art. 16 GDPR)
right to erasure of personal data (Art. 17 GDPR)
right to restriction of processing (Art. 18 GDPR)
right to data portability (Art. 20 GDPR)
right to object to certain processing activities (Art. 21 GDPR)
Where processing is based on your consent, you may withdraw that consent at any time with future effect.
You also have the right to lodge a complaint with a competent data protection supervisory authority regarding the processing of your personal data.
Where we process personal data as a processor on behalf of a business customer, requests to exercise your rights should generally be directed to the respective business customer as controller. We support the controller in this regard within the scope of legal obligations.
21. Data Security
We implement appropriate technical and organizational measures to protect personal data against loss, manipulation, unauthorized access, or unauthorized disclosure.
These measures include in particular:
encryption of data transmission using SSL/TLS
access restrictions and authorization concepts
firewalls and security monitoring
regular system updates and security checks
secure storage and server environments
22. Changes to This Privacy Policy
We reserve the right to amend this Privacy Policy if legal, technical, or organizational requirements change.
An update may be made in particular due to:
changes in legal or regulatory requirements
introduction of new functions or services
adjustments to internal processes or technical systems
changes to service providers used or to international data transfers
The current version of the Privacy Policy is available on our website at all times.
Where changes have a material impact on your rights or on the processing of your personal data, we will inform you appropriately, for example by means of a notice on our website or, where possible, by email or through our platform.
The updated version enters into force upon its publication on our website.
Where processing is based on your consent and the purpose of processing changes materially, we will obtain new consent where required.