Overview

Yuno is committed to protecting the privacy and security of personal and financial data. This page outlines how Yuno handles data privacy, complies with major regulations (including GDPR and LGPD), and provides tools for you to manage your customers’ data rights.

Regulatory Compliance

Regulation | Region | Status
GDPR | European Union / EEA | Compliant
LGPD | Brazil | Compliant
PCI DSS | Global | Level 1 Certified
SOC 2 Type II | Global | Certified

Yuno acts as a data processor under GDPR and LGPD. You, the merchant, are the data controller. This means you determine the purposes and means of processing personal data, while Yuno processes it on your behalf according to your instructions and applicable regulations.

Data Processing

What Data Yuno Processes

Data Category | Examples | Purpose | Retention
Payment data | Card tokens, transaction amounts | Payment processing | Per retention policy
Customer identifiers | Email, name, document number | Transaction association | Per retention policy
Device data | IP address, browser info, device ID | Fraud prevention, 3DS | 90 days
Transaction records | Payment IDs, status, timestamps | Reconciliation, compliance | 7 years (regulatory)

What Yuno Does NOT Store

  • Raw card numbers (PANs) in cleartext: PANs are encrypted in the PCI-compliant vault
  • CVV/CVC codes are never stored (used only for real-time authorization)
  • Passwords or authentication credentials

Data Residency

Yuno processes and stores data in secure data centers with regional presence:
Region | Data Center Location | Applicable Data
Americas | US, Brazil | LATAM merchant data
Europe | EU (Frankfurt) | EU merchant data

If your business is subject to data residency requirements (e.g., EU data must stay within the EU), contact Yuno support to confirm your data processing region before going live.

Data Retention Policies

Data Type | Default Retention | Configurable | Regulatory Minimum
Transaction records | 7 years | No | Required by financial regulations
Customer PII | 3 years after last transaction | Yes | Varies by jurisdiction
Device/session data | 90 days | No | N/A
Audit logs | 5 years | No | Required for compliance
Vaulted card tokens | Until customer deletion | Yes | N/A

Customer Data Rights

Yuno provides API endpoints to help you fulfill customer data rights under GDPR and LGPD:

Right to Access (Data Export)

curl --request GET \
  --url https://api.y.uno/v1/customers/{customer_id}/data-export \
  --header 'X-Api-Key: YOUR_API_KEY'

Right to Deletion (Data Erasure)

curl --request DELETE \
  --url https://api.y.uno/v1/customers/{customer_id} \
  --header 'X-Api-Key: YOUR_API_KEY'
Customer deletion removes personal data but retains anonymized transaction records as required by financial regulations. Vaulted payment methods are permanently deleted and cannot be recovered.

Right to Rectification

curl --request PATCH \
  --url https://api.y.uno/v1/customers/{customer_id} \
  --header 'Content-Type: application/json' \
  --header 'X-Api-Key: YOUR_API_KEY' \
  --data '{
    "email": "updated-email@example.com",
    "name": "Updated Name"
  }'

Data Processing Agreement (DPA)

A Data Processing Agreement is required under GDPR when Yuno processes personal data on your behalf. Yuno provides a standard DPA that covers:
  • Scope and purpose of data processing
  • Data security measures
  • Sub-processor management
  • Breach notification procedures
  • Data subject rights assistance
Request a copy of Yuno’s Data Processing Agreement through your account manager or via the Yuno Dashboard under Settings > Legal > Data Processing Agreement.

Best Practices

  • Minimize data collection: Only send personal data to Yuno that is necessary for payment processing.
  • Implement data deletion workflows: Build customer-facing tools to handle deletion requests promptly.
  • Review sub-processors: Regularly review Yuno’s sub-processor list (available in the DPA) for compliance.
  • Use tokenization: Leverage Yuno’s tokenization to avoid storing sensitive data on your servers.
  • Document your data flows: Maintain a record of processing activities (ROPA) that includes Yuno as a data processor.
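
A merchant-side handler for the three customer data rights calls shown above, in the spirit of the "Implement data deletion workflows" practice. This is an added example, not Yuno's code: the customer ID pattern, the function names, the `confirmed` flag, the injectable transport and the audit-entry shape are assumptions; only the endpoints and the X-Api-Key header come from this page.

```python
import json
import re
import urllib.error
import urllib.request

API_BASE = "https://api.y.uno/v1"  # base URL taken from the curl examples on this page
# Assumption: customer IDs are short URL-safe tokens; tighten to the real ID format.
_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")

def build_request(kind, customer_id, api_key, changes=None):
    """Build (but do not send) the request for one data-subject request."""
    if not _ID_RE.fullmatch(customer_id):
        # Blocks '/', '..', '?', '#' and whitespace, so an ID copied from a
        # customer-facing form cannot steer the call to another endpoint.
        raise ValueError("invalid customer_id")
    headers = {"X-Api-Key": api_key}
    url, data = f"{API_BASE}/customers/{customer_id}", None
    if kind == "access":
        method, url = "GET", url + "/data-export"
    elif kind == "erasure":
        method = "DELETE"
    elif kind == "rectification":
        method = "PATCH"
        data = json.dumps(changes or {}).encode()
        headers["Content-Type"] = "application/json"
    else:
        raise ValueError("unknown request kind")
    return urllib.request.Request(url, data=data, headers=headers, method=method)

def send(req):
    """Default transport: returns (status, body); HTTP errors become a status."""
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, b""

def handle_request(kind, customer_id, api_key, audit_log, transport=send,
                   confirmed=False, changes=None):
    """Run one request and append an audit entry holding no personal data."""
    if kind == "erasure" and not confirmed:
        # Vaulted payment methods cannot be recovered after deletion.
        raise PermissionError("erasure needs explicit confirmation")
    status, body = transport(build_request(kind, customer_id, api_key, changes))
    audit_log.append({"customer_id": customer_id, "kind": kind, "status": status})
    if not 200 <= status < 300:
        raise RuntimeError(f"{kind} request failed with HTTP {status}")
    return body
```

Load the API key from a secret store or environment variable at call time, and keep the export body out of application logs, since it contains the customer's personal data.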