Craftyield — Privacy Policy

Issuing controller: ML Consulting MB · Vilnius, Republic of Lithuania · legal entity code 306991112

Version: 1.0

Effective from: 1 December 2026

Last updated: 3 July 2026

Privacy contact: support+craftyield@mlconsulting.lt

Lead supervisory authority: Valstybinė duomenų apsaugos inspekcija (VDAI), Vilnius

Data residency: Customer Data lives in the Subscribing Customer's own Apple iCloud. ML Consulting operates no server, no web portal, no App Clip surface and receives no Customer Data on its own infrastructure.

Distribution: Apple App Store (Pro at EUR 9.99 / month or EUR 79.99 / year; 2-week full-featured introductory trial)

Handmade-seller costing, tax, accounting and professional-advice disclaimer — read first

Craftyield is a private cost, inventory and profit ledger for sole-trader handmade sellers. It is NOT an accounting, bookkeeping, tax, VAT, invoicing, point-of-sale, ERP, MRP, marketplace-listing-management, marketplace-payments-reconciliation, payment-processing, banking, credit or lending product; NOT a chartered / certified accountant, tax adviser, tax agent, EA (Enrolled Agent), Steuerberater, Buchhalter, expert-comptable, dottore commercialista, contable colegiado, contador público or equivalent regulated professional; NOT a solicitor's, barrister's, notary's, Rechtsanwalt's, Notar's, avocat's, avvocato's, abogado's or licensed-conveyancer's instrument; NOT a court, tribunal, arbitrator, mediator or ombuds ruling; NOT a Qualified Trust Service Provider, eIDAS-recognised qualified electronic signature / seal / timestamp service within the meaning of Regulation (EU) 910/2014; NOT an e-invoicing platform under EU Directive 2014/55/EU or the German ZUGFeRD / XRechnung / EN 16931 standard; NOT a marketplace operator under EU Directive 2000/31/EC (E-Commerce Directive), Regulation (EU) 2022/2065 (Digital Services Act — DSA), Regulation (EU) 2019/1150 (Platform-to-Business Regulation) or Directive (EU) 2021/514 (DAC7 — Cooperation Directive on Reporting Obligations for Digital Platforms); NOT a Steuerberatungsgesetz (StBerG) registered service, ICAEW / ACCA / AICPA / CIMA / CIOT / CTA / AAT / IAB / IFA / Enrolled-Agent / CPA / chamber-of-tax-advisers registration or professional-body attestation; NOT a Land Registry, Companies House, HMRC, IRS, ATO, VMI, Bundeszentralamt für Steuern (BZSt), Finanzamt, Companies Register or Centre of Registers (Registrų centras) filing instrument; and NOT a fire alarm, intrusion alarm, gas / smoke / carbon-monoxide detector, calibrated instrument or public emergency service.

Craftyield does NOT provide accounting, bookkeeping, tax, VAT, USt, TVA, IVA, GST, HST, sales-tax, income-tax, self-employment-tax, national-insurance, PAYE, self-assessment, Kleinunternehmerregelung UStG §19, Making Tax Digital (MTD), Schedule C, Schedule SE, Form 1040, Form 1099-K, Form 1099-DA, Business Activity Statement (BAS), Instalment Activity Statement (IAS), pension, insurance, product-liability, product-safety, GPSR (EU 2023/988), REACH (EC 1907/2006), CLP (EC 1272/2008), Cosmetic Products Regulation (EC 1223/2009), CE-marking, UKCA-marking, FDA cosmetics regulation, Health Canada NHP or equivalent product-regulatory advice, opinion, determination or attestation. Every figure Craftyield displays is an estimate derived from the Subscribing Customer's own entries, computed from the disclosed formulas set out in the App's in-App formula-disclosure surface, and is labelled as an estimate for the owner's decision-making — never as advice, never as an audit-ready or tax-ready figure, never as a guarantee.

Local notifications, widgets, App Intents, Foundation Models on-device narrative-summary and per-product price-suggestion outputs (v1.1), Vision-framework on-device receipt-OCR suggestions, per-photo SHA-256 hashes, XLSX imports and exports and PDF Pack renders are advisory only. The Subscribing Customer remains the sole trader for every payment received through every marketplace, every craft fair and every direct sale — independently of the App. CALLING 112 / 999 / 911 / 000 OR THE LOCALLY APPLICABLE PUBLIC EMERGENCY NUMBER REMAINS MANDATORY whenever any person is in apparent danger of death or serious harm in a workshop or at a market (including burns from wax, resin, soap-lye or hot glass; fire; electrocution from tooling; slips, trips or falls; laceration from cutting tools; chemical exposure; anaphylaxis; or medical emergency).

At a glance — what you should know in 60 seconds

We do not sell your personal data and we never will. In fact, ML Consulting collects no Customer Data on its own infrastructure at all: Craftyield is a no-server, no-account, offline-first iPhone-and-iPad application, and every Customer Data category (Materials, PurchaseLots, Products, Recipes, Batches, Channels, Orders, OrderLines, StockAdjustments, Settings, AVFoundation receipt photographs with per-photo SHA-256 hashes captured at save, Vision-framework on-device OCR suggestion outputs, XLSX imports and exports, PDF Pack renders and — from v1.1 — Foundation Models on-device outputs) lives in the Subscribing Customer's own Apple iCloud (Core Data mirrored to CloudKit private database) on the Subscribing Customer's own iCloud quota. We do not use Subscriber Data to train, fine-tune, evaluate or benchmark any machine-learning model.

Craftyield is offline-first. Capture, browsing, editing, Batch production, Order quick-log, Pack generation, XLSX import and export, and every other operational flow work with zero connectivity; CloudKit syncs when your device is next online. If iCloud is unavailable (signed out or quota-full), the App runs fully locally with a passive banner and no work is lost.

Craftyield operates no server, no web portal, no App Clip surface, no operator dashboard, no third-party analytics SDK, no crash-reporting SDK, no advertising SDK, no attribution SDK, no tracking SDK and no live marketplace-API integration. Measurement is App Store Connect + MetricKit + on-device counters only. The App Store “Data Not Collected” privacy label reflects this. There is no ad model and there never will be. There are no streaks, no shareable moments, no marketing-style nudges and no anxiety-triggered notifications.

Craftyield is sold by subscription through the Apple App Store: Pro at EUR 9.99 per month or EUR 79.99 per year. A 2-week full-featured introductory trial applies, configured in App Store Connect. Post-trial the App is read-only with full XLSX + PDF export always available; your data is never held hostage. A single StoreKit 2 entitlement gate is the only check in the codebase and guards record creation and artifact generation. Read and export are never gated. All billing runs through Apple App Store In-App Purchase; ML Consulting operates no direct billing channel and does not use Stripe, PayPal, GoCardless or any other payment processor for Craftyield.

The App is NOT an accounting or bookkeeping product, NOT a tax adviser or Steuerberater, NOT a marketplace-listing manager, NOT a point-of-sale, NOT an ERP; NOT a Qualified Trust Service Provider under eIDAS; NOT an e-invoicing platform; NOT a marketplace operator under DAC7 / DSA / P2B; NOT a 1099-K, Schedule C, Anlage EÜR, MTD or BAS filing instrument; NOT a product-liability, GPSR, REACH, CLP, Cosmetic Products, MoCRA, NHP, TGA or CE / UKCA / FDA authority; and NOT a public emergency service. Every displayed figure is an estimate for your decision-making, computed from your own entries using the disclosed formulas in the App.

Optional Face ID / Touch ID app lock (LocalAuthentication) protects local App access on shared devices. Per-photo SHA-256 hashes captured at save time and per-Pack photo-hash manifests are operational, evidentiary anchors — they are a fingerprint, not a notarisation, not an eIDAS qualified electronic seal or timestamp, and not a certified electronic signature. Craftyield deliberately does not include an operator-side handover-signature surface; recipients receive PDFs and XLSX files through the iOS share sheet.

Material, PurchaseLot, Product, Recipe, Batch, Order, OrderLine, Channel, StockAdjustment, PDF Pack, XLSX export, receipt photograph and every other Customer Data record belongs to the Subscribing Customer. We do not share this data with, or sell it to, any third party for advertising, commercial-intelligence, marketplace-benchmarking, market-research, credit-scoring, seller-performance-scoring or claim-outcome-prediction purposes. Because Craftyield has no server, we cannot share Customer Data even if we wanted to — we never receive it.

Craftyield deliberately does NOT offer: AI accounting, bookkeeping, tax, VAT, MTD, Schedule C, Anlage EÜR, BAS, 1099-K or IR35 determinations; AI product-liability, GPSR, REACH, CLP, Cosmetic Products, MoCRA, NHP, TGA or CE / UKCA / FDA determinations; AI DSA / P2B / DAC7 / DMA marketplace-operator determinations; AI marketplace-terms interpretation; AI insurance underwriting or claims determinations; AI pricing advice or competitor-pricing recommendations beyond the disclosed cost + target-margin formula the owner sets; AI seller-performance, employability, ranking, blacklist, ban-risk, review-quality, refund-risk or chargeback-risk profiles; or AI computer-vision “detected”, “verified”, “counted”, “damage-diagnosed” or “counterfeit-flagged” verdicts. The AI helpers we do offer (Vision on-device receipt OCR as suggestions the human confirms; NaturalLanguage token-similarity fuzzy matching as suggestions; and — from v1.1 only, Apple-Intelligence-device-floor-gated in English and German — Foundation Models on-device monthly plain-language summary and per-product price suggestion) are on-device only, never autonomous and suggestion-labelled, with raw input always retained.

You can exercise the full set of EU GDPR rights at any time by writing to support+craftyield@mlconsulting.lt. Our lead supervisory authority is the Lithuanian State Data Protection Inspectorate (VDAI) in Vilnius. Where the only copy of your Customer Data lives in your own iCloud, many rights are exercised through Apple (iCloud account controls, Data & Privacy portal at privacy.apple.com) rather than through ML Consulting.

Craftyield is intended for business users (B2B — sole traders paying personally) only. Users must be at least 18 years old, must be the sole trader or the sole trader's authorised delegate, and must comply with the marketplace terms, tax-authority obligations, product-safety obligations and insurance obligations of every jurisdiction in which the sole trader operates.

1. About this Privacy Policy

ML Consulting MB (“ML Consulting”, “we”, “us”, “our”) is the publisher of the Craftyield iOS / iPadOS application (the “App”), distributed exclusively through the Apple App Store. This Privacy Policy explains what personal data the App processes — and, importantly, where that data lives, which is the Subscribing Customer's own Apple iCloud rather than any server operated by ML Consulting — when you use the App: subscribe through the Apple App Store, define a Material, log a PurchaseLot manually or by capturing a receipt photograph with AVFoundation and OCRing it on-device with Vision, define a Product with a Recipe, Produce a Batch, edit a Channel, quick-log an Order, review the Dashboard, share a Monthly P&L Pack PDF / Product Cost Sheet PDF / Inventory Valuation PDF / full-data XLSX Export through the iOS share sheet, import an XLSX orders or materials workbook through the Files picker, enable the optional Face ID / Touch ID app lock, or opt in to the v1.1 Foundation Models narrative layer where your device meets the Apple Intelligence floor and your language is English or German — why we process it, the legal bases on which we rely, with whom we share it (deliberately: nobody in the data plane other than Apple, for iCloud), for how long we keep it, and the rights you have under the General Data Protection Regulation (GDPR) and other applicable privacy laws.

This Policy is written to satisfy Articles 12 to 14 of Regulation (EU) 2016/679 (the GDPR), the Republic of Lithuania Law on Legal Protection of Personal Data, Regulation (EU) 910/2014 (eIDAS) where electronic-signature claims are concerned (Craftyield issues none), Regulation (EU) 2024/1689 (the AI Act) where transparency and human-oversight obligations apply to Vision receipt-OCR, NaturalLanguage fuzzy-matching and v1.1 Foundation Models features, the EU Consumer Rights Directive 2011/83/EU as transposed into every launch market, Regulation (EU) 2022/2065 (DSA), Regulation (EU) 2019/1150 (P2B Regulation), Directive (EU) 2021/514 (DAC7) — under which Craftyield is not a reporting platform operator because it operates no server and brokers no transactions — the German BDSG, AO, HGB and GoBD principles, the UK GDPR and Data Protection Act 2018 and Making Tax Digital regime, the U.S. state and federal consumer-privacy regimes, the Australian Privacy Principles under the Privacy Act 1988 and ATO record-keeping obligations, and the Canadian PIPEDA and CRA record-keeping obligations.

Craftyield is intended for business users (B2B) only — sole-trader handmade sellers paying personally from their own pocket for a Pro subscription. This Policy should be read together with the Craftyield Terms and Conditions (Master Terms + Schedule A) published by ML Consulting MB.

2. Controller identification

We are the data controller for the processing described as “we act as controller” in section 4 of this Policy. Because Craftyield operates no server, no web portal, no App Clip surface, no account and no login, and because Customer Data lives in the Subscribing Customer's own iCloud rather than on ML Consulting infrastructure, the controller-level processing we carry out is deliberately extremely narrow — essentially, StoreKit 2 App Store Server Notifications payloads and support correspondence.

Legal name: ML Consulting MB

Legal form: Mažoji bendrija (small partnership) governed by the law of the Republic of Lithuania

Legal entity code: 306991112 (Centre of Registers of the Republic of Lithuania)

Website: https://mlconsulting.lt

Privacy contact: support+craftyield@mlconsulting.lt

ML Consulting MB has not designated a Data Protection Officer because its current processing does not meet the criteria in Article 37(1) GDPR. The privacy contact above handles all data-protection enquiries.

Our lead supervisory authority for the purposes of the GDPR's one-stop-shop mechanism (Article 56 GDPR) is the Lithuanian State Data Protection Inspectorate — Valstybinė duomenų apsaugos inspekcija (VDAI) — at L. Sapiegos g. 17, LT-10312 Vilnius, Lithuania, telephone +370 5 271 2804, email ada@ada.lt, website vdai.lrv.lt.

3. Scope of this Policy

This Privacy Policy applies to:

the Craftyield iOS / iPadOS application published by ML Consulting MB on the Apple App Store, including the iPhone TabView capture-first surface (Dashboard, Orders, Products, Materials, More), the iPad split-view review-cockpit surface, the AVFoundation receipt-capture layer, the Vision-framework on-device OCR layer, the NaturalLanguage on-device token-similarity fuzzy-matching layer, the PDFKit + ImageRenderer Pack pipeline, the Swift Charts dashboard, the custom pure-Apple XLSXReader / XLSXWriter module, the widget surface, the App Intent surface (LogSaleIntent, AddPurchaseIntent), the BGTaskScheduler background local-notification scheduler, the LocalAuthentication optional app-lock surface, the StoreKit 2 In-App Purchase pipeline, and — from v1.1 — the optional Foundation Models narrative layer, the optional QR-label generation and scan surface, and the optional CKShare single-partner sharing surface (introduced only under an explicit decision gate);

user accounts — of which there are none. Craftyield uses ambient iCloud identity to access the Core Data / CloudKit private database; there is no account, no login, no password, no email verification and no operator dashboard;

the App's landing pages, help articles and documentation hosted on mlconsulting.lt that describe Craftyield; and

email and other communications you exchange with us about the App.

This Policy does NOT apply to the recipient side of Pack and export delivery. When you export a Monthly P&L Pack PDF, a Product Cost Sheet PDF, an Inventory Valuation PDF or a full-data XLSX Export from the iOS share sheet, the PDF or XLSX becomes a document under the recipient's control, processed by the recipient's own email server, document-management system, accounting software (DATEV, Xero, QuickBooks, FreshBooks, Sage, Wave, ELSTER, MTD bridging software or equivalent), or filing platform. ML Consulting has no visibility into and no processing role in the recipient's handling of that document.

Where Apple Inc. or its subsidiaries, or any other independent third party, processes personal data on its own account in connection with the App — for example, the Apple App Store, iCloud, CloudKit, StoreKit 2, APNs local-notification delivery, WidgetKit, App Intents, BackgroundTasks, PhotoKit, AVFoundation, Vision / VisionKit, NaturalLanguage, PDFKit, LocalAuthentication and Secure Enclave, and — from v1.1 — Core Image and Foundation Models — that party acts as a separate controller and its own privacy policy applies in addition to this Policy.

4. Our two privacy roles — controller and processor

4.1 We act as controller (deliberately narrow — Craftyield collects nothing on ML Consulting infrastructure)

We determine the purposes and means of processing for the following extremely narrow categories:

billing and payment data returned to us by App Store Server Notifications (subscription identifier, tier, trial state, renewal state, refund state, environment, transaction identifier); Apple Inc. is the merchant of record; we do not receive your payment-card data;

communications and support correspondence about the App;

device, technical and telemetry data — deliberately limited: iOS / iPadOS version, device model, App version, language and timezone, visible to us only through App Store analytics reports Apple publishes to developers and MetricKit crash and hang diagnostics if you have opted in to Diagnostics and Usage Data at the OS level; no third-party analytics SDK, no crash-reporting SDK, no attribution SDK, no advertising SDK, no tracking SDK is embedded in the App;

the internal logs we keep to comply with statutory accounting and tax retention under Lithuanian law.

4.2 We act as processor (Customer Data lives in your own iCloud — we never receive it)

Every category of Customer Data lives in the Subscribing Customer's own Apple iCloud (Core Data mirrored to CloudKit private database). Photographs and other binary assets are stored as CKAssets on the Subscribing Customer's own iCloud quota. When iCloud is unavailable (signed out or quota-full), the App runs fully locally with a passive banner and no work is lost.

The consequence for privacy roles is unusual: for these categories, ML Consulting acts as processor on the Subscribing Customer's instructions insofar as our App code and its Apple-supplied entitlements run on the Subscribing Customer's device, but ML Consulting never itself sees, receives, stores, transmits, indexes, aggregates or otherwise processes the underlying content of that Customer Data on its own infrastructure. Apple Inc., in operating iCloud and CloudKit on behalf of the Subscribing Customer, is a separate independent controller for its own iCloud-side processing.

ML Consulting does not use Subscriber Data to train, fine-tune, evaluate or benchmark any machine-learning model, and does not disclose Subscriber Data to any third-party model provider under any circumstances — because ML Consulting never receives Subscriber Data on its own infrastructure in the first place. Vision, NaturalLanguage and Foundation Models (v1.1) are Apple's on-device frameworks; their inference runs locally and their output does not leave the device as a result of the App's use.

5. Apple App Store, iOS, iPadOS, CloudKit, Vision, NaturalLanguage, Foundation Models and platform context

Because the App is delivered through the Apple App Store, runs on Apple's iOS and iPadOS platforms and stores every Customer Data category in the Subscribing Customer's own Apple iCloud rather than on any ML Consulting server, this section makes the platform inheritance explicit. There is no web portal, no App Clip surface, no operator dashboard, no Mac Catalyst app, no Android app, no watchOS companion and no visionOS surface within the scope of the App.

5.1 App Privacy details on the App Store — “Data Not Collected”

Craftyield's App Privacy details on the App Store are set to “Data Not Collected”. The App Store submission review notes explain the no-account, no-server architecture: all Customer Data lives in the customer's iCloud; the developer collects nothing.

5.2 App Tracking Transparency

Craftyield does not track you across other companies' applications and websites within the meaning of Apple's App Tracking Transparency framework. We do not request the ATT permission and we do not use the iOS Identifier for Advertisers (IDFA). The App's App Store declaration is set to “Data Not Used to Track You”. We never apply seller-performance, employability, ranking, blacklist, ban-risk, review-quality, refund-risk, chargeback-risk or marketplace-behaviour profiling.

5.3 Privacy Manifest

Craftyield ships an Apple-required Privacy Manifest (PrivacyInfo.xcprivacy) declaring the data categories the App accesses, the reasons for any use of “required reason” iOS APIs (camera for AVFoundation receipt capture; photo library for PhotoKit product-photo import; Vision and VisionKit for on-device receipt OCR; NaturalLanguage for on-device fuzzy matching; Foundation Models for the v1.1 narrative layer; PDFKit for Pack render; Keychain for short secrets; LocalAuthentication for optional app lock; BackgroundTasks for local-notification scheduling; StoreKit 2 for IAP) and the third-party SDKs the App depends on — which, deliberately, is none.

5.4 iOS sandbox, Data Protection, per-receipt SHA-256 and append-only records

On-device application data is held inside the iOS application sandbox and benefits from Apple's default Data Protection. Every AVFoundation receipt photograph captured through the App is hashed with SHA-256 at save time. Financial records (PurchaseLots, Batches, Orders and StockAdjustments) are append-only after save: corrections supersede rather than overwrite, both the superseded and the superseding record remain visible, and PDF Pack exports include a hash manifest. This is a fingerprint, not a notarisation.

5.5 Ambient iCloud identity, no account, no login, no Sign in with Apple, and the optional Face ID app lock

Craftyield deliberately has no account architecture. It does not present a login screen, does not ask for an email address or password, and does not use Sign in with Apple in v1.0. It relies on ambient iCloud identity for Core Data / CloudKit private-database access. Optional Face ID / Touch ID app lock is available through LocalAuthentication; biometric data never leaves the device and Apple does not provide us with your biometric template.

5.6 Vision framework — receipt OCR is a suggestion the human confirms; no CV verdicts

Craftyield uses Apple's Vision framework on-device for receipt-OCR text extraction and, from v1.1, for QR-code scanning of user-owned bin labels. Vision output is a labelled suggestion the recorder confirms — no computer-vision verdicts, no “detected”, “verified”, “counted”, “damage-diagnosed”, “counterfeit-flagged” or “provenance-authenticated” claims. Below a deterministic confidence threshold, the App visibly flags the affected line as low-confidence, and no PurchaseLot, no stock change and no cost change persists from any line the recorder does not confirm.

5.7 NaturalLanguage — token-similarity fuzzy matching of OCR lines to Material names

Craftyield uses Apple's NaturalLanguage framework on-device to fuzzy-match receipt-line text to the Subscribing Customer's own Material names, using deterministic token-similarity with a disclosed threshold. Suggestions only; the recorder confirms every match.

5.8 Foundation Models — v1.1 narrative layer only, English and German, device-floor gated, rule-based parity below the floor

From v1.1, Craftyield will offer an optional Foundation Models on-device narrative layer with three components: a monthly plain-language summary; per-product price suggestion from the disclosed cost + target-margin math; and anomaly narration on the disclosed flags. The layer is gated at three levels: availability (Apple Intelligence device floor), language (English and German only) and per-generation confirmation. Prompts consume derived aggregates only — never raw records. Foundation Models is Apple's on-device large-language-model framework.

5.9 AVFoundation, PhotoKit and Files — receipt capture and XLSX import from your own files

Craftyield uses AVFoundation for receipt-capture, PhotoKit only where the recorder explicitly imports an existing photograph, and the iOS Files picker for user-owned XLSX orders and materials workbook import. Craftyield does not read your Contacts, Calendar, HealthKit, HomeKit, CoreLocation, NFC, Speech or RoomPlan / LiDAR — all deliberately excluded.

5.10 Custom pure-Apple XLSXReader / XLSXWriter — no third-party SDK

The XLSX import and export layer is a custom pure-Apple module built on Foundation and Compression. There is no CSV import surface and no CSV export surface anywhere in the App — deliberately, as a binding anti-scope. The XLSX module does not phone home, does not embed telemetry, and does not use any third-party dependency.

5.11 PDFKit, Swift Charts, WidgetKit, App Intents, BackgroundTasks, StoreKit 2

Craftyield relies on several Apple frameworks: PDFKit + ImageRenderer (Monthly P&L Pack, Product Cost Sheet, Inventory Valuation, full-data XLSX Export — mandatory footers on every page); Swift Charts (dashboard); WidgetKit (Today's profit widget, Quick-log deep-link widget — best-effort refresh, no push); App Intents (LogSaleIntent, AddPurchaseIntent — Siri and Shortcuts); BackgroundTasks (BGTaskScheduler — best-effort local-notification scheduling); StoreKit 2 (Apple App Store IAP, 2-week introductory trial, localized product prices only).

5.12 CloudKit private database and CKShare (v1.1, decision-gated) — Customer Data in your own iCloud

Every category of Customer Data lives in the Subscribing Customer's own Apple iCloud, in the CloudKit private database for the Craftyield container. From v1.1, if the decision gate passes, team-of-two workspaces are implemented via CKShare: the Subscribing Customer subscribes and creates a single CKShare per company root; a single partner accepts the share link, installs the App and joins as a co-user. CloudKit and CKShare are operated by Apple Inc. under Apple's own privacy terms.

5.13 Recipients — no accounts, no App Clip, no server; Packs and XLSX travel via the iOS share sheet

Recipients — the Subscribing Customer's own accountant, tax adviser, Steuerberater, partner, market organizer, insurance broker or any other counterparty — do not have accounts in Craftyield. There is no App Clip surface and no operator dashboard. Recipients receive Pack PDFs and XLSX Exports via the iOS share sheet.

5.14 App Privacy Report

iOS 15.2 and later provide an in-operating-system App Privacy Report. Craftyield is designed so that this report shows the Apple platform domains used (App Store, iCloud, CloudKit, APNs local-only) and — deliberately — nothing else. No ML Consulting server domain, no third-party analytics domain, no advertising domain, no attribution domain and no crash-reporting domain should ever appear.

6. Key terms used in this Policy

Personal data — any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR.

Processing — any operation performed on personal data.

Controller — the person who determines the purposes and means of processing.

Processor — a person who processes personal data on behalf of a controller.

Subscribing Customer — the sole-trader handmade seller (or, from v1.1 under CKShare, the sole trader plus one authorised partner) who took out the Craftyield Pro subscription and pays personally from her own pocket.

Material — a raw material or consumable the Subscribing Customer buys and consumes.

PurchaseLot — an append-only record of a Material purchase, capturing quantity, purchase unit, conversion factor, total price and source (manual / receipt-OCR / XLSX import); corrections supersede rather than overwrite.

Product — a product the Subscribing Customer makes and sells.

Recipe / RecipeLine — the Bill of Materials plus labor line plus overhead line for a Product; drives the live unit cost.

Batch — an append-only production record freezing a Product's unit-cost snapshot at production time; optionally schedules a cure / dry / conditioning local-notification reminder.

Channel — a sales-channel record (Etsy-style handmade marketplace, craft fair, own site, other) with editable fee-profile presets from the disclosed formula.

Order / OrderLine — an append-only sale record with per-line unit-cost snapshot frozen at entry.

StockAdjustment — an append-only manual stock correction record; historical stock is never edited.

Pack — a PDF assembled on-device by PDFKit + ImageRenderer in one of four types: Monthly P&L Pack, Product Cost Sheet, Inventory Valuation and full-data XLSX Export. Every Pack carries the mandatory footer: “Generated with Craftyield from the owner's own entries. Figures are estimates for the owner's decision-making — not accounting, tax, or legal advice. Verify fees against marketplace statements.”

Recipient — the accountant, Steuerberater, partner, market organizer, insurance broker or any other counterparty who receives a Pack PDF or XLSX Export via the iOS share sheet. Not a user of the App.

EntitlementGate — the single StoreKit 2 check that guards record creation and artifact generation; read and export are never gated.

Foundation Models layer (v1.1) — the opt-in, Apple-Intelligence-device-floor-gated, English-and-German-only on-device narrative summary and price-suggestion layer.

CKShare partner (v1.1, decision-gated) — an optional single partner the Subscribing Customer invites to co-use the workspace under CKShare.

On-device — data stored or processed locally on the Subscribing Customer's iPhone or iPad inside the iOS application sandbox.

Backend — Craftyield has none. The App's server-side surface is Apple iCloud (CloudKit) operated by Apple Inc.

Sub-processor — a third-party service provider that processes personal data on our behalf. Craftyield deliberately depends on none for its data plane.

EEA — the European Economic Area.

VDAI — Valstybinė duomenų apsaugos inspekcija, the Lithuanian State Data Protection Inspectorate.

7. Personal data we process

This section describes the data Craftyield processes. The unusual feature to hold in mind: with the narrow exceptions in section 4.1, the Customer Data below lives in the Subscribing Customer's own iCloud, not on ML Consulting infrastructure. Because Craftyield has no account architecture, we do not even hold an account identifier or an email address for you unless you email us directly for support.

7.1 Account and authentication data (we act as controller — deliberately none)

Craftyield has no account architecture. It does not require Sign in with Apple in v1.0, does not present a login screen, does not ask for an email address or password, and does not hold an account identifier for you. Ambient iCloud identity is used only by Apple's CloudKit for the Subscribing Customer's private-database access. Where you email us for support, we hold your email address only for the purpose of replying.

7.2 Device, technical and telemetry data (limited)

iOS / iPadOS version, device model, App version, language and timezone (visible to us only through App Store analytics reports); MetricKit crash and hang diagnostics if you have opted in at the OS level; on-device diagnostics counters surfaced only to you (nothing leaves the device). No third-party analytics SDK, no crash-reporting SDK, no attribution SDK, no advertising SDK, no tracking SDK.

7.3 Communications and support data

The content and metadata of any email, support ticket or in-app help message you send us, including any attachments.

7.4 Billing and payment data (Apple is the merchant of record)

App Store Server Notifications payloads: subscription identifier, tier, trial state, renewal state, refund state, environment, transaction identifier. We do not receive your payment-card data. There is no direct billing channel and no Stripe / PayPal / GoCardless / SEPA / bank-transfer path for Craftyield.

7.5 Customer Data (lives in your own iCloud)

Materials; PurchaseLots (append-only); Products; RecipeLines; Batches (append-only); Channels; Orders (append-only); OrderLines; StockAdjustments (append-only); Settings (base currency fixed at onboarding, labor hourly rate, overhead default, app-lock enabled); AVFoundation receipt photographs stored as CKAssets with per-photo SHA-256 hash at save; Vision on-device OCR suggestion outputs; NaturalLanguage token-similarity fuzzy-match outputs; PDF Pack renders (Monthly P&L Pack, Product Cost Sheet, Inventory Valuation, full-data XLSX Export) with mandatory footers and hash manifest; XLSX orders and materials workbooks the Subscribing Customer imports through the Files picker; and — from v1.1 — Foundation Models on-device narrative summary and price-suggestion outputs (English and German only).

7.6 CKShare partner data (from v1.1 if introduced)

Where the Subscribing Customer invites a single partner under v1.1 CKShare: the partner's name, iCloud identity as supplied to the CKShare zone by Apple, join timestamp, and any Customer Data entries the partner captures.

7.7 Recipient data (accountant, Steuerberater, partner, market organizer, insurance broker) — incidental

Where the Subscribing Customer enters a Recipient's email address into the iOS share sheet at Pack export, that address is handled by iOS Mail (or the chosen share-target app), not by Craftyield; we do not store Recipient contact data server-side (because we have no server).

7.8 Customer-of-the-Subscribing-Customer data (incidental in Orders and receipts)

Where an Order line item records an external Order ID (typically an Etsy or marketplace order reference), a customer name or a customer address: that data is Customer Data on the Subscribing Customer's iCloud. Craftyield does not send the Subscribing Customer's customer data anywhere.

7.9 Special-category and sensitive data (Article 9 GDPR — incidental)

Craftyield is not designed to collect special-category data within the meaning of Article 9 GDPR. Receipt photographs may incidentally reveal information about a supplier's identity, an invoice recipient's name or a delivery address. The Subscribing Customer is responsible for the lawful basis under Articles 6 and 9 GDPR for any special-category data she records. Biometric authentication (Face ID / Touch ID for optional app lock) is performed by Apple's LocalAuthentication framework and biometric data never leaves the device.

7.10 Location data (CoreLocation — deliberately excluded)

Craftyield does not use CoreLocation. Orders record a Channel (Etsy-style handmade marketplace, craft fair, own site, other), not a place.

7.11 What we do not collect

To remove ambiguity, Craftyield does not collect:

the contents of your Apple Contacts, the wider Apple Calendar, your photo library beyond photographs you actively import through PhotoKit, or any HealthKit / HomeKit data;

continuous background-location data or any CoreLocation data;

Speech-framework voice input; Speech is deliberately excluded from v1.0;

data from any live marketplace API (Etsy, Amazon Handmade, Not On The High Street, Folksy, Bonanza, Shopify, WooCommerce or equivalent) — live marketplace integration is deliberately excluded from v1.0;

behavioural-advertising identifiers; we do not run advertising, do not use the IDFA and do not share data with advertising networks;

analytics, attribution or crash-reporting data through any third-party SDK — Craftyield deliberately embeds none;

any seller-performance, employability, ranking, blacklist, ban-risk, marketplace-behaviour, price-competition, refund-risk, chargeback-risk or claim-outcome-prediction profile.

8. How we collect personal data

We collect personal data in three narrow ways:

1. Directly from you — when you install or use the App on iPhone or iPad, subscribe through the Apple App Store, capture a receipt through AVFoundation, import an XLSX orders or materials workbook through the Files picker, enable the optional Face ID / Touch ID app lock, opt in to the v1.1 Foundation Models narrative layer where your device and locale are eligible, opt in to v1.1 CKShare single-partner sharing (if introduced), contact support or subscribe to a communication.

2. Automatically through your use of the App — when the App generates on-device application data (deterministic engine outputs, Pack render metadata, append-only supersede-chain metadata, per-photo SHA-256 hashes, per-Pack photo-hash manifests) necessary to deliver the service; and when Apple platform services supply data linked to your action. Aside from App Store Server Notifications payloads and any support-endpoint hits, none of this data leaves the device.

3. From Apple — when the App Store delivers an In-App Purchase result through StoreKit 2 and App Store Server Notifications, when App Store analytics reports arrive, when MetricKit publishes crash and hang diagnostics if you have opted in at the OS level, and when — for CloudKit and (v1.1 gated) CKShare — Apple operates the Subscribing Customer's iCloud on the Subscribing Customer's behalf.

9. Why we process personal data and our legal bases

For each processing activity we rely on a lawful basis under Article 6(1) GDPR.

9.1 Performance of a contract (Article 6(1)(b))

Provide and operate the App on your iPhone and iPad, including the capture-first surface, the review-cockpit surface, the pure deterministic engines, on-device Vision receipt OCR, on-device NaturalLanguage fuzzy matching, on-device PDFKit + ImageRenderer Pack render, on-device pure-Apple XLSXReader / XLSXWriter, and the Core Data / CloudKit private-database sync to your own iCloud.

Process payments and manage billing through Apple App Store In-App Purchase.

Face ID / Touch ID gating of the optional app lock.

v1.1 CKShare single-partner sharing (if introduced).

Send service messages.

Provide customer support and respond to enquiries.

9.2 Consent (Article 6(1)(a))

Camera, microphone, photo-library and Files access via the iOS prompts.

Local-notification cadence.

Optional Face ID / Touch ID app lock.

v1.1 Foundation Models narrative layer enablement (where the device meets the Apple Intelligence floor and the locale is English or German).

9.3 Compliance with a legal obligation (Article 6(1)(c))

Statutory accounting and tax retention under Lithuanian law.

Respond to data-subject requests and operate the GDPR rights workflow.

Comply with legal, regulatory, tax and law-enforcement obligations.

9.4 Legitimate interests (Article 6(1)(f))

CryptoKit per-photo SHA-256 hashing and append-only supersede-chain evidence integrity.

Defend or pursue legal claims, including App Store subscription disputes, marketplace-terms disputes, insurance subrogation, product-liability investigations (GPSR / REACH / CLP / Cosmetic Products / MoCRA / NHP / TGA) and class-action investigations.

Where we rely on legitimate interests under Article 6(1)(f) GDPR, we have carried out and documented a balancing assessment. Where we rely on consent under Article 6(1)(a) GDPR, you may withdraw it at any time without affecting the lawfulness of processing carried out before the withdrawal.

10. Offline-first architecture and no-server data model — Customer Data in your own iCloud

Craftyield is offline-first. Capture, browsing, product / recipe editing, batch production, order quick-log, Pack generation, XLSX import and export, and every other operational flow work with zero connectivity; on-device budgets are cold-launch under 2 seconds, quick-log sheet under 300 ms, recipe cost recompute under 100 ms, dashboard under 500 ms at 5,000 orders, OCR suggestion under 4 seconds per receipt page, XLSX parse 1,000 rows under 20 seconds and PDF Pack render under 3 seconds on an A15 device. If iCloud is unavailable, the App runs fully locally with a passive banner and no work is lost.

Craftyield operates no ML-Consulting-hosted backend. No EU-resident managed Postgres, no signed-URL object storage, no server-side AI, no private GPU boundary, no RFC 3161 trusted-timestamp authority, no third-party analytics SDK, no crash-reporting SDK. Customer Data lives in the Subscribing Customer's own iCloud, which is operated by Apple Inc. under Apple's own privacy terms and Apple's own data-residency choices for iCloud.

11. Subscribing Customers, sole-trader responsibility and Recipients

Craftyield is operated on a single-Subscribing-Customer-per-company subscription model. The Subscribing Customer — a sole-trader handmade seller paying personally from her own pocket — subscribes through the App Store, administers the workspace, records Materials, PurchaseLots, Products, Recipes, Batches, Channels, Orders, OrderLines and StockAdjustments, generates Packs and shares Pack PDFs and XLSX Exports to Recipients through the iOS share sheet.

11.1 Sole-trader accounting, tax, VAT, product-safety and consumer-protection responsibility

Every displayed figure is an estimate for the sole trader's decision-making — not accounting, tax, or legal advice. The Subscribing Customer remains the responsible person for every accounting, bookkeeping, tax, VAT / USt / TVA / IVA / GST / HST / sales-tax, income-tax, self-employment-tax, self-assessment, Kleinunternehmerregelung UStG §19, Making Tax Digital (MTD), Anlage EÜR, Anlage S, Anlage G, Schedule C, Schedule SE, Form 1040, Form 1099-K, Form 1099-DA, BAS, IAS, IR35 and off-payroll-working determination, and for every filing to HMRC, IRS, BZSt, Finanzamt, ATO, CRA, VMI and equivalent tax authorities; and for every product-liability, product-safety and product-regulatory decision under GPSR (EU 2023/988), REACH, CLP, Cosmetic Products Regulation, EU 1169/2011, U.K. Cosmetic Products Enforcement Regulations 2013, U.S. FDA cosmetics regulation and MoCRA 2022, CPSC, CCPSA and Health Canada NHP, TGA and equivalent regimes; and for every marketplace-terms decision on Etsy, Amazon Handmade, Not On The High Street, Folksy, Bonanza, Shopify, WooCommerce and equivalents.

11.2 Workshop safety, chemicals and allergens

The Subscribing Customer remains responsible for workshop health-and-safety compliance under the U.K. HSW Act 1974 and COSHH, U.S. OSHA 29 CFR §1910 general industry standards, German Arbeitsschutzgesetz and GefStoffV, Australian WHS Act 2011, Canadian OHS Act and equivalent regimes; for fire-safety; and for allergen and consumer-safety disclosure at market and on marketplace listings. Craftyield does NOT track workshop hazards, does not track chemical inventories, does not compute exposure limits, does not schedule respirator-fit testing and does not compute allergen-declaration text — its inventory scope is strictly cost-and-quantity, not safety-and-hazard.

11.3 Marketplace-terms and Platform-to-Business Regulation responsibility

The Subscribing Customer remains responsible for compliance with the terms of every marketplace on which she sells and for exercising her rights and complying with her obligations under Regulation (EU) 2019/1150 (Platform-to-Business Regulation), Regulation (EU) 2022/2065 (Digital Services Act), Directive (EU) 2000/31/EC (E-Commerce Directive) and equivalent regimes. Craftyield is not a marketplace operator, is not a platform under DAC7 / DSA / P2B / DMA, and does not broker, report or intermediate any transaction.

11.4 Consumer-protection responsibility toward the sole trader's customers

The Subscribing Customer remains the seller under EU Directive 2011/83/EU (Consumer Rights Directive), the U.K. Consumer Rights Act 2015, U.S. state UDAP / FTC Act §5, Canadian federal / provincial consumer-protection statutes, the Australian Consumer Law and equivalents. Craftyield is not the seller and is not liable to the sole trader's customers.

11.5 Recipients — no accounts, no App Clip, no server

Recipients do not have accounts in Craftyield. There is no App Clip surface and no operator dashboard. Recipients receive Pack PDFs and XLSX Exports via the iOS share sheet; once a document leaves your device, it is under the Recipient's control, processed by their own email server, DMS or accounting software.

12. Recipients of personal data

We share personal data only with the categories of recipients listed below, and only to the extent necessary for the purpose. We do not sell personal data, and we do not “share” personal data for cross-context behavioural advertising as that term is defined under California law. We do not share or sell Material, PurchaseLot, Product, Recipe, Batch, Channel, Order, OrderLine, StockAdjustment, receipt photograph or Pack data with any third party for advertising, commercial-intelligence, marketplace-benchmarking, market-research, credit-scoring, seller-performance-scoring or claim-outcome-prediction purposes. Because Craftyield has no server, no third-party analytics SDK, no crash-reporting SDK, no advertising SDK, no attribution SDK, no tracking SDK and no direct billing channel, this list is deliberately extremely short.

Categories of recipients:

Apple Inc. and Apple Distribution International Limited — App Store distribution, App Store In-App Purchase (StoreKit 2), App Store Server Notifications, ambient iCloud identity, iCloud, CloudKit private database, CKShare zones (v1.1 if introduced), APNs local-notification delivery, WidgetKit, App Intents, BackgroundTasks, PhotoKit, AVFoundation, PDFKit, ImageRenderer, Swift Charts, LocalAuthentication and Secure Enclave, Vision framework, VisionKit (v1.1), NaturalLanguage framework, Foundation Models framework (v1.1), Core Image (v1.1), MetricKit and every other Apple platform service on which the App depends. Independent controller for App Store-side, iCloud-side and Apple-platform-side processing.

Recipients of Pack PDFs and XLSX Exports (accountant, Steuerberater, partner, market organizer, insurance broker, product-liability insurer, banker, any other counterparty) — receive Pack PDFs and XLSX Exports sent from the Subscribing Customer's iPhone or iPad via the iOS share sheet; process those documents on their own systems (email, DATEV, Xero, QuickBooks, FreshBooks, Sage, Wave, ELSTER, MTD bridging software). No Craftyield account, no App Clip, no server-side portal. Independent controllers under their own professional, contractual, marketplace-terms, insurer and confidentiality duties. Not sub-processors of ML Consulting.

Professional advisers to ML Consulting (lawyers, accountants, auditors) — legal, tax, audit and employment advice on a need-to-know basis. Independent controllers under their own duties of confidence.

Authorities, courts and regulators — where we are required by law, court order or a binding regulatory request, including the Lithuanian State Data Protection Inspectorate (VDAI), Lithuanian State Tax Inspectorate (VMI), U.K. Information Commissioner's Office (ICO), HMRC, Trading Standards, Irish Data Protection Commission (DPC), German BfDI and Land DPAs, BZSt and Finanzamt, French CNIL and DGCCRF, Italian Garante, Spanish AEPD, Australian OAIC and ATO, U.S. FTC, IRS, CPSC and state attorneys general, Canadian OPC, CRA and Health Canada, and equivalents. Independent controllers acting under their statutory powers.

Successor entity — in the context of a merger, acquisition, restructuring or sale of assets, subject to confidentiality safeguards and to the buyer continuing to honour the commitments in this Policy. Independent controller after the transaction closes.

References in the App and in this Policy to Etsy, Amazon Handmade, Not On The High Street, Folksy, Bonanza, Craftybase, Inventora, DaWanda-legacy, Zibbet-legacy, Shopify, WooCommerce, PayPal, Stripe (as marketplace payment processor), HMRC, IRS, BZSt, Finanzamt, ATO, CRA, DATEV, ELSTER, ICAEW, ACCA, AICPA, CIMA, CIOT, Steuerberaterkammer, Bundessteuerberaterkammer and equivalent tax-adviser and accountancy bodies are descriptive only. None of those bodies endorses, certifies, audits, accredits or warrants the App or any Pack, and none is a partner, sub-processor, recipient or party to this Policy by virtue of being named.

A current list of our sub-processors, together with the country in which each provider operates, is published at mlconsulting.lt/legal/sub-processors and is updated when the list changes. For Craftyield specifically, the sub-processor list is deliberately empty: Apple Inc. is an independent controller for every Apple platform service on which the App depends, and ML Consulting engages no third-party data-plane sub-processor for Craftyield.

13. International data transfers

ML Consulting MB is established in Lithuania. Because Craftyield has no server and no ML-Consulting-hosted backend, the international-transfer question turns on Apple's iCloud residency for the Subscribing Customer's Apple Account and on the App Store's processing of billing data — both of which are choices made by Apple, not by ML Consulting.

For the narrow controller-level data ML Consulting itself processes, we keep data in the European Union by default. Where personal data is transferred outside the EEA or the United Kingdom to a country that has not been the subject of an adequacy decision under Article 45 GDPR, we rely on one or more of the safeguards required by Chapter V GDPR, in particular:

European Commission adequacy decisions, including the EU-US Data Privacy Framework where the recipient is certified under it;

the European Commission's Standard Contractual Clauses (Module Two and Module Three), with the UK International Data Transfer Addendum or the UK International Data Transfer Agreement for transfers from the United Kingdom, and supplementary measures consistent with the European Data Protection Board's recommendations;

additional technical measures including TLS 1.2 or higher for data in transit and Apple's iCloud encryption at rest, plus contractual and organisational measures appropriate to the sensitivity of sole-trader financial data; and

any other lawful transfer mechanism under Articles 46 to 49 GDPR.

14. Automated decision-making, on-device ML and Foundation Models — no backend AI

14.1 No solely-automated decisions with legal or similarly significant effects

We do not subject you to decisions producing legal effects concerning you or similarly significantly affecting you that are based solely on automated processing within the meaning of Article 22 GDPR. Where any aspect of a decision affecting you is informed by automated logic, the recorder or Subscribing Customer is meaningfully involved in the outcome.

14.2 Explicit AI exclusions

Craftyield does NOT offer:

AI accounting, bookkeeping, tax, VAT / USt / TVA / IVA / GST / HST / sales-tax / income-tax / self-employment-tax / self-assessment / Kleinunternehmerregelung / MTD / Schedule C / Anlage EÜR / Anlage S / Anlage G / BAS / IAS / 1099-K / 1099-DA / IR35 / off-payroll-working determinations, computations or advice;

AI HGB §257 / AO §146 / §147 / GoBD / Companies Act 2006 / IRC §6001 record-keeping-compliance attestations;

AI product-liability, GPSR (EU 2023/988), REACH, CLP, Cosmetic Products Regulation, EU 1169/2011, MoCRA, NHP, TGA, CPSC, CCPSA, CE / UKCA / FDA / Health-Canada determinations;

AI Digital Services Act (DSA), Platform-to-Business Regulation, DAC7 or Digital Markets Act marketplace-operator determinations;

AI marketplace-terms interpretation (Etsy, Amazon Handmade, Not On The High Street, Folksy, Bonanza, Shopify, WooCommerce and equivalents);

AI antitrust, competition-law, Kartellverbot, Bundeskartellamt, CMA, FTC or ACCC determinations;

AI sanctions / PEP / ultimate-beneficial-owner / source-of-funds / 5AMLD / 6AMLD / OFAC / EU Consolidated / U.K. OFSI determinations;

AI insurance underwriting or claims determinations by any insurer;

AI pricing advice, market-price predictions, competitor-pricing recommendations or dynamic-pricing suggestions beyond the disclosed cost + target-margin formula that the Subscribing Customer sets;

AI computer-vision “detected”, “verified”, “counted”, “damage-diagnosed”, “counterfeit-flagged”, “provenance-authenticated” or “photo-genuineness” verdicts;

AI seller-performance, employability, ranking, blacklist, ban-risk, review-quality, refund-risk, chargeback-risk, marketplace-behaviour or claim-outcome-prediction profiles; or

Any AI feature that requires transmission of Customer Data off-device to a third-party model provider. Vision, NaturalLanguage and Foundation Models are Apple's on-device frameworks; there is no ML-Consulting-hosted backend model and no Anthropic / OpenAI / Whisper / Google / Meta model in the Craftyield data plane.

14.3 On-device Vision, NaturalLanguage and PhotoKit — suggestion-only

The App uses on-device Vision framework receipt OCR, on-device NaturalLanguage token-similarity fuzzy matching, and on-device PhotoKit access. These run locally on your iPhone or iPad and the input is not transmitted to any third-party AI provider as a result of these features. Every extracted value is a labelled suggestion — the recorder confirms every line before it becomes an evidentiary PurchaseLot; below the confidence threshold, the App visibly flags the affected line, and no PurchaseLot, no stock change and no cost change persists from any line the recorder does not confirm.

14.4 v1.1 Foundation Models narrative layer — opt-in, English and German only, device-floor gated

From v1.1, Craftyield will offer an optional Foundation Models on-device narrative layer with three components: monthly plain-language summary; per-product price suggestion computed from the disclosed cost + target-margin math; and anomaly narration on the disclosed flags. The layer is gated at three levels — availability (Apple Intelligence device floor; below the floor rule-based parity is shown), language (English and German only; in other locales rule-based parity is shown) and per-generation confirmation. Prompts consume derived aggregates only — never raw records.

14.5 Deterministic on-device engines (not AI)

The core computational engines are DETERMINISTIC and not AI at all: the weighted-average-cost engine (over non-superseded lots); the fixed-in-dimension unit-conversion engine (g↔kg × 1000, ml↔l × 1000, m↔cm × 100; cross-dimension ml↔g only via the Material's user-entered density factor; absent factor → conversion refused with explanation, never guessed); the product-unit-cost engine; the fee-computation engine per Channel (base × (feePct + paymentPct) + feeFixed + paymentFixed + perOrderExtra, half-up rounding at cent applied once at order level); the profit and margin engines; the price-creep flag at 1.15 × prior weighted-average cost and total ≥ €5; the low-stock flag at manual reorder threshold; and the dashboard reconciliation invariant enforced by property-based tests. These engines are pure, unit-tested Swift code; their output is fully explainable by inspection of the code and the Customer Data.

14.6 EU AI Act readiness

We design and operate the App's on-device AI features to be compatible with applicable obligations under Regulation (EU) 2024/1689 (the AI Act), including transparency (raw input always retained alongside any structured output; the recorder always confirms; the AI-drafted suggestion carries a “Suggestion — review before use” label), logging and human-oversight requirements. None of the current AI features is, or is held out as, a high-risk AI system within the meaning of Annex III of the AI Act.

15. How long we keep personal data

We keep personal data only for as long as we need it for the purpose for which it was collected, or as required by applicable law. Because Customer Data lives in the Subscribing Customer's own iCloud, Craftyield cannot itself delete Customer Data from your iCloud — you (and Apple) do that.

Account and authentication data — none retained on ML Consulting infrastructure by default (Craftyield has no account).

Device, technical and telemetry data — where visible to us at all, retained in identifiable form for a maximum of 13 months; aggregated or anonymised data may be retained indefinitely.

Communications and support correspondence — up to 24 months from the close of the last related correspondence; longer where the matter relates to a complaint, dispute, investigation, regulatory matter or legal claim.

Billing, accounting and tax records — up to 10 years from the end of the relevant accounting period, in line with Lithuanian law.

Customer Data on the Subscribing Customer's own iCloud — retained on the Subscribing Customer's iCloud for as long as the Subscribing Customer keeps it. Post-trial the App is read-only with full XLSX + PDF export always available; data is never held hostage. On App deletion the on-device store is removed by iOS. On the Subscribing Customer's use of the “Erase all data” Settings flow, the App wipes the local store + the private CloudKit zone after typed confirmation.

v1.1 CKShare partner data (if introduced) — a partner's Customer Data entries remain in the Subscribing Customer's zone if the Subscribing Customer removes the partner. A partner leaving the share does not touch company data.

Backups (Apple iCloud backup) — Apple's iCloud backup rotation applies; ML Consulting does not operate a separate backup and does not restore deleted accounts.

16. Security and personal-data breaches

16.1 Article 32 measures

We implement and maintain appropriate technical and organisational measures to protect personal data — particularly the narrow controller-level data we hold — against unauthorised access, accidental loss, destruction, alteration or disclosure (Article 32 GDPR). For Craftyield specifically, these measures include: iOS application-sandbox isolation and Apple's default Data Protection; per-photo SHA-256 hashing of AVFoundation receipt captures at save time; append-only supersede-chain evidence integrity on PurchaseLot, Batch, Order, OrderLine and StockAdjustment; the optional Face ID / Touch ID app-lock; Keychain-scoped short secrets; watermarking and version-stamping on every Pack, mandatory disclosure and product footers on every Pack page, and a per-Pack hash manifest; the Privacy Manifest declaration; and — for the Customer Data itself — Apple's iCloud in-transit and at-rest encryption on the Subscribing Customer's own iCloud.

16.2 Notification of personal-data breaches

If we become aware of a personal-data breach that is likely to result in a risk to the rights and freedoms of natural persons in respect of the narrow controller-level data we hold, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours after becoming aware of the breach (Article 33 GDPR). Where the breach is likely to result in a high risk, we will notify the affected data subjects without undue delay (Article 34 GDPR). Because Customer Data lives in the Subscribing Customer's own iCloud, an iCloud-side security incident is handled by Apple under Apple's own breach-notification obligations.

16.3 Reporting a suspected breach to us

If you suspect a security incident or unauthorised access affecting your App Store subscription, App Store Server Notifications payloads, biometric-verification metadata or any Pack PDF or XLSX Export you generated, please notify us at support+craftyield@mlconsulting.lt without undue delay. Provide as much detail as you can; do not include passwords or other secrets in the email.

17. Your rights as a data subject

Subject to the conditions set out in the GDPR, you have the rights below. These rights are not absolute and may be restricted by law. Because Customer Data lives in your own iCloud, several of these rights are exercised most efficiently through Apple (iCloud account controls, Data & Privacy portal at privacy.apple.com) rather than through ML Consulting.

Right of access (Article 15) — confirm whether we process personal data about you and obtain a copy. Note that ML Consulting itself holds only the narrow controller-level data described in section 4.1; the bulk of your Customer Data lives in your own iCloud.

Right to rectification (Article 16) — have inaccurate personal data corrected and incomplete data completed. In the App itself, financial records are append-only after save — a correction supersedes the original entry and both remain visible.

Right to erasure (Article 17) — have personal data erased where the conditions apply. For Customer Data on your own iCloud, use the App's in-Settings “Erase all data” flow.

Right to restriction of processing (Article 18) — restrict our processing while we verify contested data or deal with an objection.

Right to data portability (Article 20) — receive the data you provided in a structured, commonly-used and machine-readable format. The App provides in-Settings full-data XLSX Export at any time.

Right to object (Article 21) — object to processing based on legitimate interests on grounds relating to your particular situation, and at any time to direct marketing.

Rights related to automated decision-making (Article 22) — not be subject to a decision based solely on automated processing that produces legal effects or similarly significant effects. See section 14 and the explicit AI exclusions.

Right to withdraw consent (Article 7(3)) — where we rely on consent, withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.

Right to lodge a complaint (Article 77) — complain to our lead supervisory authority, the VDAI in Vilnius, or to the supervisory authority of the EU Member State where you habitually reside, where you work or where the alleged infringement took place.

17.1 How to exercise your rights

You can exercise the rights above by sending an email to support+craftyield@mlconsulting.lt with the words “Privacy request — Craftyield” in the subject line. For rights that concern data in your own iCloud, we may redirect you to Apple's Data & Privacy portal at privacy.apple.com.

We will respond to verifiable requests without undue delay and in any event within one month of receipt under Article 12(3) GDPR. We may extend that period by up to a further two months for complex or numerous requests.

18. Regional rights notices

18.1 Lithuania — VDAI, Labour Code, accounting and tax law

Where the Subscribing Customer operates from the Republic of Lithuania, the Republic of Lithuania Law on Legal Protection of Personal Data applies in addition to the GDPR; the Republic of Lithuania Labour Code, Law on Financial Accounting, Law on Tax Administration and Law on Value Added Tax apply independently of the App.

18.2 Germany and Austria — BfDI / Land DPAs, BDSG, AO, HGB, GoBD, UStG, Kleinunternehmerregelung, Steuerberatungsgesetz

Where the Subscribing Customer operates from Germany or Austria (the DE / AT launch storefronts), the GDPR, BDSG, Abgabenordnung (AO — including §146 record-keeping and §147 retention), Handelsgesetzbuch (HGB — including §257 retention), the GoBD principles, Umsatzsteuergesetz (UStG) including the Kleinunternehmerregelung §19 small-business threshold, Steuerberatungsgesetz (StBerG), Produkthaftungsgesetz, Chemikaliengesetz, Gefahrstoffverordnung, Kosmetikverordnung, ZUGFeRD / XRechnung / EN 16931 e-invoicing and the Austrian equivalents (BAO, UStG 1994, UGB) apply independently of the App.

18.3 United Kingdom — UK GDPR, ICO, HMRC, Making Tax Digital, Cosmetic Products Enforcement Regulations 2013, Natasha's Law

If you are in the United Kingdom, the UK GDPR and the UK Data Protection Act 2018 apply. The UK supervisory authority is the Information Commissioner's Office (ICO). The UK Companies Act 2006, HMRC Making Tax Digital, VAT Act 1994, General Product Safety Regulations 2005, Cosmetic Products Enforcement Regulations 2013, Food Information Regulations 2014 as amended by Natasha's Law, Consumer Rights Act 2015 and Modern Slavery Act 2015 apply independently of the App.

18.4 Republic of Ireland, France, Italy, Spain, Netherlands, Belgium and other EU Member States

Where the Subscribing Customer operates from another EU Member State, the GDPR and the relevant national data-protection, tax and consumer-protection laws apply. The relevant national data-protection authority is the supervisory authority for processing in that Member State.

18.5 United States — CCPA / CPRA, IRS 1099-K, Schedule C, CPSC, FDA / MoCRA, state marketplace-facilitator laws

If you are a California resident, the CCPA / CPRA gives you the rights described in the corresponding section. We do not sell personal information and we do not “share” personal information for cross-context behavioural advertising. The IRS 1099-K and 1099-DA regimes, IRC §6001 record-keeping obligations, IRC §6050W third-party settlement organisation reporting, state marketplace-facilitator laws (California CDTFA and equivalents), the U.S. CPSIA, FDA cosmetics regulation and MoCRA 2022, FALCPA and equivalent state laws apply independently of the App. Similar privacy rights are available in Colorado, Connecticut, Virginia, Utah, Texas, Florida, Oregon, Washington and other US states.

18.6 Canada, Australia and other jurisdictions

Where the Subscribing Customer operates from Canada (PIPEDA and provincial private-sector privacy laws; CRA record-keeping; Consumer Packaging and Labelling Act; Consumer Product Safety Act; Health Canada NHP) or Australia (Privacy Act 1988 and Australian Privacy Principles; ATO record-keeping and BAS regime; Australian Consumer Law; TGA cosmetics rules), the relevant national laws apply independently of the App. Similar frameworks apply in Switzerland (revFADP), Norway (Personopplysningsloven), Japan (APPI — deferred launch market) and other jurisdictions.

18.7 Global Privacy Control

On the App's landing pages, we honour the Global Privacy Control signal where technically feasible, treating it as an objection to non-essential cookies and a request to opt out of any “sale” or “sharing” of personal information.

19. Children

Craftyield is intended for business users (B2B) only and is not designed for use by minors. Users must be at least 18 years old and must be the sole trader (or the sole trader's authorised delegate). Apple's App Store age rating reflects the relevant minimum age. If we become aware that we have collected personal data from a child without the appropriate authorisation, we will work with the relevant Subscribing Customer to investigate and, where appropriate, erase the data.

20. Cookies and similar technologies

The Craftyield iOS / iPadOS App does not use analytics, advertising, profiling or marketing cookies. The App uses on-device storage (the iOS application sandbox, the Keychain, Core Data with CloudKit private-database mirroring, UserDefaults) to deliver its features. These storage mechanisms are not “cookies” within the meaning of the ePrivacy Directive 2002/58/EC.

The App's landing pages on mlconsulting.lt use only strictly-necessary cookies. No analytics or advertising cookies are set. Because there is no direct billing channel and no Stripe billing pages for Craftyield, there are no third-party payment cookies to disclose either.

21. Communications

21.1 Service messages

We send transactional service messages (App Store billing notices via Apple, support replies, material change notices) on the basis of contract performance under Article 6(1)(b) GDPR. Service messages are not commercial marketing and cannot be opted out of without ceasing to use the App.

21.2 Direct marketing

Where we send commercial marketing emails about Craftyield, we rely either on (i) your prior consent under Article 6(1)(a) GDPR and Article 13 of the ePrivacy Directive, or (ii) the “soft opt-in” under Article 13(2) of the ePrivacy Directive. You may opt out at any time by clicking the unsubscribe link in any marketing email, by emailing support+craftyield@mlconsulting.lt or by updating your preferences.

21.3 Operational notifications — not tax advice, not statutory-deadline advice

Local-notification cadence, widgets, App Intent invocations and PDF Pack completeness-check flags are operational reminders configured by you. They are best-effort and depend on Apple's platform services. They are NOT tax-filing deadlines, NOT VAT-return deadlines under HMRC MTD / BZSt / Finanzamt / ATO / CRA / VMI, NOT an accountant's or Steuerberater's opinion, NOT a court order, NOT a Qualified Trust Service Provider attestation, NOT a marketplace-terms interpretation, NOT a product-safety notice under GPSR / REACH / CLP / Cosmetic Products / MoCRA / NHP / TGA, NOT a fire alarm, NOT an intrusion alarm, NOT a calibrated instrument reading and NOT a 112 / 999 / 911 / 000 dispatch. CALL 112 / 999 / 911 / 000 OR THE LOCALLY APPLICABLE PUBLIC EMERGENCY NUMBER FIRST whenever any person is in apparent danger of death or serious harm in the workshop or at a market.

22. Changes to this Policy

22.1 Routine updates

We may update this Policy from time to time, for example to reflect new features (v1.1 Foundation Models narrative layer, v1.1 QR labels, v1.1 CKShare single-partner sharing if introduced), regulatory developments, Apple platform changes (Foundation Models version updates, iOS 26+ RecognizeDocumentsRequest availability) or operational changes. The latest version is always published on the App's App Store listing and at mlconsulting.lt/craftyield/privacy.

22.2 Material changes

Where a change is material and adversely affects your rights or expectations, we will give reasonable advance notice — typically at least 30 days, unless a shorter period is required by law, by Apple App Store policy or to address a security risk — by in-app notice and, where we have your email address, by email. Non-material changes take effect on posting.

22.3 Versioning

Each version of this Policy is dated and archived. The version in force at the time of the relevant processing governs that processing. The Foundation Models model version in use at any given time (v1.1 onward) is disclosed in the App's release notes.

23. Contact us

For any question, request or complaint about this Policy or about how we process your personal data, please contact us using the details below.

Controller: ML Consulting MB

Address: Vilnius, Republic of Lithuania

Legal entity code: 306991112

Privacy contact (email): support+craftyield@mlconsulting.lt

Website: https://mlconsulting.lt

Lead supervisory authority: Valstybinė duomenų apsaugos inspekcija (VDAI), L. Sapiegos g. 17, LT-10312 Vilnius, Lithuania · +370 5 271 2804 · ada@ada.lt · vdai.lrv.lt

Document end · Version 1.0 · Effective 1 December 2026 · Craftyield — Privacy Policy · © 2026 ML Consulting MB
