Skip to content
Yoto Developers

Developer Security & Data Protection Policy

About this policy

Section titled “About this policy”

By accessing or using the Yoto API, you acknowledge your responsibilities set out below and agree to handle Yoto Data in a secure, lawful and responsible way. These commitments apply in addition to the Yoto API Terms of Service.

For the purposes of this policy, “Yoto Data” means any information, content, metadata, identifiers, logs, usage data or other materials that you access, receive or generate through the Yoto API. It includes any personal data relating to Yoto users that is made available to you through the API, as well as any information relating to Yoto’s products, services, systems or operations.

Your data protection promises

Section titled “Your data protection promises”

You confirm that:

  • You will only use Yoto Data for the legitimate, disclosed functions of your app. You will not access or process Yoto Data for any unrelated, undisclosed or incompatible purpose.

  • You will keep your handling of Yoto Data to the minimum necessary for your app to operate, and you will only retain such data for as long as it is genuinely required.

  • You also confirm that you will respect the privacy of Yoto users. This includes not attempting to infer, reconstruct or otherwise obtain personal data about users beyond what the API explicitly provides. Where your app collects or processes any personal data, you will explain this clearly to users in a transparent and accessible way.

  • Your processing of Yoto Data will comply with applicable data protection and privacy laws.

Your security practices

Section titled “Your security practices”

You also confirm that:

  • You will maintain reasonable and appropriate security measures to protect Yoto Data and your development environment.

  • You will ensure that the devices and accounts you use for development are password-protected, and that multi-factor authentication is enabled wherever it is offered.

  • You will protect Yoto API keys and credentials at all times. They must not be published, hard-coded in public repositories, or shared with unauthorised parties. If you suspect that a key or credential may have been compromised or misused, you will notify us promptly at security@yotoplay.com.

  • Where you store Yoto Data, you will use safe, reputable services and apply appropriate protections such as encryption of data at rest and in transit.

  • You will keep your development environment reasonably up to date, using trusted libraries and monitoring for known security issues.

  • You also confirm that you will not intercept, modify or interfere with Yoto services, systems or data belonging to any other party. Any communication with the Yoto API will use secure HTTPS connections.

Incident response

Section titled “Incident response”

If you become aware of any data breach, leak, loss, unauthorised access or other security incident involving Yoto Data or Yoto API credentials, you must notify us at security@yotoplay.com as soon as reasonably possible and no later than 48 hours after becoming aware of the incident. You agree to cooperate with Yoto in any follow-up investigation or remediation activity.

If your access ends

Section titled “If your access ends”

You understand that Yoto may suspend or revoke your API access at any time if there are concerns about compliance or security. If your access ends for any reason, you will securely delete all Yoto Data in your possession and will confirm completion if requested.