Yard Guild

Effective 2026-05-25

Privacy policy

This page is intentionally plain. Your operator account on Yard Guildis yours; the renter records you store about your customers are theirs. Here's how we treat both.

Note: This document is a starter template suitable for a v1 launch. Before serving customers in a regulated industry or processing large-scale renter data, have a privacy lawyer in your jurisdiction review.

1. Who we are

Yard Guild is operated from Sydney, NSW, Australia. Contact details are at hello@yardguild.com.

2. What we collect — operator data

When you (the yard operator) sign up, we collect:

  • Email address, given name, family name
  • Country, timezone, tax identifier (ABN / NZBN / VAT / EIN if you provide it)
  • Yard name, optional address, alert email, optional SMS number
  • Inventory you create (asset names, daily rates, photos)
  • Subscription state (tier, status, billing dates)
  • Audit logs of significant actions taken in your tenant

3. What we collect — renter data (your customers)

When you create a contract for one of your renters, we store the data you type in:

  • Renter name, email, phone (if provided)
  • Contract details (period, assets, rental amount, bond amount)
  • Waiver signature (image + IP + timestamp)
  • Bond record (payment method note, reference number, ID-sighted indicator — never the ID photo itself)
  • Condition photos uploaded by you at check-in/out

You are the data controller for renter data. Yard Guild is the data processor — we hold and operate on this data on your behalf, governed by our Terms.

4. Where it lives

All tenant data — contracts, waivers, asset photos, reports — is hosted in AWS Sydney (ap-southeast-2), Australia, regardless of the country you operate in.

Email (inbound + outbound transactional) is routed via AWS SES in ap-southeast-1 (Singapore). Static marketing assets are served from CloudFront edge locations globally.

5. Sub-processors

  • Amazon Web Services — hosting, storage, email (per regions above)
  • PayPal — subscription billing for the Yard Guild SaaS fee
  • Cognito — authentication (AWS sub-service)
  • Unsplash — default asset photos (no PII passed to them; URL fetch only)

We use Google Analytics 4 to understand how the marketing site is used (aggregate page views and traffic sources). We don't use ad-trackers or session-replay tools, and we never send your account data to Google.

6. How we use the data

  • Run the service — process contracts, send notifications, render reports
  • Bill your subscription via PayPal
  • Send transactional email + SMS you've opted into (overdue alerts, weekly summary, due-back SMS)
  • Detect abuse and meet legal obligations (audit logs, fraud prevention)

We don't use your data — or your renters' data — to train any AI model. We don't sell or share it with marketers.

7. Retention

  • While your subscription is active: indefinitely
  • After you delete your account: a 90-day grace period (cancelable), then operational data (assets, contracts, bonds, photos, staff, settings) is purged
  • Signed waivers: retained 7 years (injury/damage liability defence), then deleted
  • Audit logs (account-level actions): 7 years for tax-residency compliance, then deleted
  • Email forwarder S3 bucket (operator inbox): 30-day lifecycle, auto-purged
  • Lambda + API logs: 7 days, auto-rotated

8. Your rights

Depending on where you're based, you can:

  • Access — see what we hold about you (covered by /counter/, plus we'll send a full export on request)
  • Correct — edit any field from /counter/settings
  • Export — download all your data as CSV from /counter/reports, or request a full JSON dump
  • Delete — close your account from /counter/settings; operational data is purged after a cancelable 90-day grace (signed waivers + audit logs are kept for their 7-year legal window, then deleted)
  • Object to processing — relevant under GDPR (UK/IE) and CCPA (US-CA)
  • Lodge a complaint with your local privacy regulator (OAIC AU, OPC NZ, ICO UK, DPC IE, OPC CA, FTC US)

Send privacy requests to privacy@yardguild.com. We respond within 30 days (often faster).

9. Cookies

We use one session cookie set by AWS Cognito to keep you signed in, and Google Analytics sets its own cookies (e.g. _ga) to measure site usage. We use no advertising cookies.

10. Children

Yard Guildis for adult business operators. The service isn't designed for anyone under 18, and we don't knowingly collect data about minors. (Your renters' ages aren't something we track at all.)

11. Changes to this policy

If we change anything material, we'll email all active subscribers at least 30 days before it takes effect. Less-material changes (typo fixes, new sub-processors at the same risk level) are versioned at the top of this page; the "Effective" date reflects the most recent update.

12. Contact

privacy@yardguild.com for anything specific. For general queries: hello@yardguild.com.