    Security and Trust

    Your words and your information are handled with care. Here is how we protect what matters to you.

    Version 2.1.0 · Last Updated

    Company: Y.O.D.O. Ltd (Company No. 15736034)
    Registered Office: 42 Mayfair Gardens, Southampton, SO15 2TW, United Kingdom
    ICO Registration: ZC015883 (Data Protection Lead: Mrs Theodosia Kouraki) · View our ICO certificate (PDF)
    EU Representative under Article 27 EU GDPR: Christina-Eloiza Kouraki, Marasli 29, Athens 10676, Greece, email eloizakouraki@yahoo.gr.
    Contact: info@yodo.ltd

    This Security Policy Summary explains, in plain English, how Y.O.D.O. protects accounts and personal data. It should be read alongside our Terms and Conditions and Privacy Policy.

    We aim to use appropriate technical and organisational measures. No system is perfectly secure.

    1. What we protect

    We design Y.O.D.O. to protect:

    • Account access and identity
    • Contact lists (Delegates, Recipients, Special Delegates where available)
    • Message content (including attachments)
    • Verification steps and related evidence
    • Billing and subscription events (processed via our payment provider)
    • System integrity and availability

    2. Access controls and verification

    2.1 Email verification

    We require email verification to activate key account functions. This helps reduce fraud and helps us reliably send service notices.

    2.2 Phone verification

    We require phone verification for Account Holders and Delegates to help reduce account abuse and protect sensitive actions.

    2.3 Step-up authentication

    For higher-risk actions (for example starting certain Status Check paths, Care Pause requests, or Passing verification steps), we may require an additional security step (such as a one-time code).

    2.4 Identity verification (Persona)

    Identity verification is required only in limited situations, including:

    • A Delegate (or an enabled solicitor or notary Special Delegate) submitting a Passing report and uploading a death certificate, and
    • A Recipient accessing a delivered Message.

    Persona verifies the identity of the person completing the step (not the authenticity of the death certificate).

    3. Encryption and secure handling

    We use measures designed to protect data in transit and at rest, including:

    • Encryption in transit (for example HTTPS/TLS)
    • Encryption at rest for Message content and personal data stored in our databases
    • Access controls to restrict internal access to what is needed
    • Secure storage and operational safeguards
    • Partner accounts show Account Holder names and current status only. Private messages, Check-in content, location, health and billing data are not accessible from a Partner account.

    We also design the Service so that:

    • Delegates do not have access to Message content
    • Messages remain sealed until the Passing verification step is completed
    • Recipients only access Messages after identity verification

    4. Monitoring, logs, and fraud prevention

    We maintain security and access logs for:

    • Detecting suspicious activity
    • Investigating incidents
    • Maintaining service reliability
    • Dispute handling and fraud prevention

    We aim to minimise the data in logs and keep them only for as long as needed, as described in our Privacy Policy.

    We may use automated systems to flag anomalies (for example unusual login behaviour), but we do not rely solely on automated decision-making where it would have legal or similarly significant effects, without appropriate human review.

    5. Third-party providers and operational security

    We use selected providers to deliver the Service (such as hosting, security, email delivery, identity verification, and payments). Current providers are listed in our Subprocessor List, which includes providers such as:

    • AWS: hosting/storage
    • Cloudflare: security/performance
    • Render: infrastructure services
    • Crunchy Data: database hosting
    • Stripe: payments
    • Twilio: phone verification
    • Resend: transactional email
    • Persona: identity verification
    • Cookiebot: cookie consent management

    We have data processing agreements or equivalent contractual protections in place with our subprocessors where required by applicable data protection law. We periodically review and test our security measures, including through independent assessments where appropriate.

    6. What you must do to stay safe

    You are responsible for:

    • Using a strong, unique password not used on any other service (consider using a password manager)
    • Keeping your email address and phone number up to date
    • Protecting access to your email inbox and phone (because they may receive security codes and service notices)
    • Logging out of the Service when using shared or public devices
    • Reporting suspected account compromise promptly

    If you suspect your account has been compromised, contact info@yodo.ltd. We may automatically end inactive sessions for security.

    7. Security incidents and notifications

    If we become aware of a security incident that affects your personal data, we will assess it and take appropriate steps. Where required by law, we will notify the ICO within 72 hours of becoming aware of a qualifying breach under Article 33 UK GDPR, and the Hellenic Data Protection Authority where EEA users are affected; we will notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms under Article 34 UK GDPR / EU GDPR.

    We may also take protective actions such as:

    • Suspending access
    • Requiring password reset
    • Limiting features temporarily
    • Requiring additional verification

    8. Practical safety note

    Y.O.D.O. is designed for communication support. It is not:

    • A medical monitoring system
    • An emergency service

    If someone is in immediate danger, contact emergency services.

    9. Reporting a security vulnerability

    If you believe you have found a security vulnerability in our Service, please contact us at info@yodo.ltd with a description of the issue. We ask that you do not publicly disclose vulnerabilities before we have had a reasonable opportunity to investigate and respond. We will acknowledge reports promptly and keep you informed of our progress.

    10. Changes to this summary

    We may update this Security Policy Summary from time to time and will update the "Last Updated" date when we do.

    Questions?

    If you have questions about security, contact: