Chengdu Yuliu Technology Co., Ltd. ("Yuliu Tech", "we", "us", or "our"), a company registered in Chengdu, Sichuan Province, People's Republic of China, operates the YOLO HAPPY iOS mobile application (the "App"). We are committed to protecting your privacy and processing your personal data in a transparent, lawful, fair, and necessary manner.
This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use the App, and describes your rights under applicable data protection laws.
This Privacy Policy is prepared in accordance with, among others:
| Item | Detail |
|---|---|
| Data Controller | Chengdu Yuliu Technology Co., Ltd. (成都预流科技有限公司) |
| Registered Address | No. 14, 1/F, Building 1, No. 299 Ronghua North Road, Chengdu Hi-tech Zone, Sichuan Province, 610094, P.R. China |
| Privacy Contact | chengduyuliutech@163.com |
| User Support | support@yolohappy.app |
If you do not agree with this Privacy Policy, please do not use the App.
| Category | Examples | Purpose | Legal Basis (GDPR) | Legal Basis (PIPL) |
|---|---|---|---|---|
| Account Information | Display name, email address, authentication tokens (Apple Sign In / Google Sign In / email registration) | Account creation, authentication, account security | Art. 6(1)(b) — Contract performance | Art. 13(1)(ii) — Necessary for contract |
| Profile Data | Avatar, nationality | Personalized travel recommendations, visa eligibility detection, pre-trip checklist customization | Art. 6(1)(b) — Contract performance | Art. 13(1)(ii) — Necessary for contract |
| Itinerary Data | Destination city, travel dates (arrival/departure), travel preferences, itinerary details (activities, notes) | AI-assisted itinerary planning, trip reminders, pre-trip checklist generation | Art. 6(1)(b) — Contract performance | Art. 13(1)(ii) — Necessary for contract |
| Customer Support Communications | Chat messages, uploaded images | Genius Bar support services, service quality improvement | Art. 6(1)(f) — Legitimate interests | Art. 13(1)(ii) — Necessary for contract |
| Purchase Information | Subscription status, purchase history (processed via RevenueCat and Apple App Store; we do not directly collect credit card numbers or payment credentials) | In-app purchase fulfillment, subscription management, refund processing | Art. 6(1)(b) — Contract performance | Art. 13(1)(ii) — Necessary for contract |
| Category | Examples | Purpose | Legal Basis |
|---|---|---|---|
| Device Information | Device model, OS version, language preferences | App compatibility, bug fixes, UX optimization | Contract performance (Art. 6(1)(b) GDPR / Art. 13(1)(ii) PIPL) |
| Crash & Performance Data | Anonymized crash logs and performance diagnostics via Apple MetricKit system framework | App stability and bug fixes | Legitimate interests (Art. 6(1)(f) GDPR) |
| Content Preferences | Favorited attractions, downloaded audio guides, content mode selection | Personalized experience, offline access support | Contract performance (Art. 6(1)(b) GDPR / Art. 13(1)(ii) PIPL) |
Important: This App does NOT integrate any third-party remote analytics or tracking SDKs (e.g., Firebase Analytics, Google Analytics, Facebook SDK, Adjust, Amplitude, Mixpanel, Shence, Youmeng). Client-side
os.logis Apple's native local logging only. We do not profile you or conduct automated behavioral predictions.
| Permission | Purpose | Required? |
|---|---|---|
| Push Notifications | Trip reminders, pre-trip checklist alerts, customer support message notifications | Optional (revocable in system settings) |
| Photo Library (Write) | Saving shared itinerary card images | Optional |
| Photo Library (Read) | Uploading profile avatar; sending images in support chat | Optional |
| Background Audio | Continuing audio guide playback when the App is in the background or device is locked | Optional |
This App does NOT request access to: camera, microphone, location, contacts, or Bluetooth.
We use your personal data only for the purposes stated in this Privacy Policy and only where a valid legal basis exists:
| Processing Activity | Data Involved | Legal Basis |
|---|---|---|
| Creating and managing your account | Account Information | Contract performance (Art. 6(1)(b) GDPR / Art. 13(1)(ii) PIPL) |
| AI-assisted itinerary generation | Itinerary Data, Profile Data | Contract performance |
| Providing audio guides and city guide content | Device info, Content Preferences | Contract performance |
| Visa eligibility detection and pre-trip checklists | Nationality, destination, stay duration | Contract performance |
| Processing in-app purchases and subscriptions | Anonymized purchase tokens | Contract performance |
| Providing Genius Bar customer support | Support communications | Contract performance |
| Sending push notifications | Device Push Token | Your separate consent (Art. 6(1)(a) GDPR / Art. 13(1)(i) PIPL) |
| App stability monitoring (crash diagnostics) | Anonymized MetricKit data | Contract performance |
If we need to use your personal data for purposes not covered in this Policy or for new business scenarios, we will obtain your consent separately.
The App uses artificial intelligence (AI) to generate travel itineraries, audio guide content, and other materials. This section provides transparency disclosures required under PIPL Art. 24 (automated decision-making), GDPR Art. 22, and relevant AI regulations.
| Dimension | Detail |
|---|---|
| Data sent to AI | Text only (destination cities, travel dates, preference keywords, assistant dialogue messages). The App does NOT upload your photos or images for AI analysis |
| AI Service Provider | Volcengine Ark LLM API (Beijing, China node, ark.cn-beijing.volces.com) |
| Data flow | User iOS device → Supabase Edge Function (US West) → Volcengine Ark (Beijing, China) → AI-generated results returned |
| AI output type | Itinerary suggestions, guide information, travel phrase translations — informational travel references only |
| AI training | We do NOT use your personal data to train AI models. Volcengine is contractually prohibited from using your inputs to train its general-purpose models |
AI-generated content may contain inaccuracies, omissions, or outdated information. AI itineraries and guide content are for travel reference only and do NOT constitute legal advice, visa decision-making basis, or official information. You should independently verify critical information through official channels, including but not limited to:
You may use the App without any AI processing. The following non-AI paths are available:
offline mode, returning offline help guidanceWe do NOT sell your personal data. We share data only under the following circumstances:
We engage the following service providers to process data on our behalf. Under PIPL Art. 21 and GDPR Art. 28, processing agreements specify the purpose, duration, method, data categories, protective measures, and respective rights and obligations:
| Provider | Service | Data Processed | Processing Location | DPA Status |
|---|---|---|---|---|
| Supabase | Backend database (PostgreSQL), authentication, file storage, Edge Functions | Account info, profiles, itineraries, support chat records, avatar files | US West (us-west-1) | Covered by Supabase DPA (accepted via Terms of Service) |
| Volcengine Ark (ByteDance) | AI text inference (itinerary, assistant dialogue, chat translation) | User text input (destination, dates, preference keywords, dialogue) — does NOT include name, email, or nationality | Beijing, China | DPA pending signature |
| RevenueCat | In-app purchase receipt validation, subscription management | Anonymous user ID, purchase tokens (transaction ID, product ID, subscription expiry) — no PII | United States | Integration in progress; DPA coverage to be confirmed |
| Apple (APNs) | Push notification delivery | Device push token | Apple global infrastructure | Covered by Apple Developer Agreement |
| Cloudflare | Workers edge hosting (shared itinerary pages, marketing site, CMS) | Standard server access logs (CDN/security purposes only) | Global edge network | Covered by Cloudflare Terms of Service |
The following third parties process your data as independent data controllers — please refer to their respective privacy policies:
| Third Party | Function | Data Involved |
|---|---|---|
| Apple (Sign in with Apple) | Third-party login | Apple user identifier, email (if you authorize sharing) |
| Google (Google OAuth) | Third-party login | Google account identifier, email |
| Apple App Store / StoreKit | In-app purchases | Transaction receipts, subscription status |
We may disclose your data where required by law, court order, or governmental regulation, or where we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.
If Yuliu Tech is involved in a merger, acquisition, or asset sale, your personal data may be transferred as part of that transaction. We will notify you of the identity and contact details of the recipient and require the recipient to continue honoring this Privacy Policy. Any change in processing purposes or methods will require renewed consent.
Your data is stored at and transferred through the following locations:
| Data Type | Primary Storage/Processing Location | Provider |
|---|---|---|
| Core business data (accounts, itineraries, preferences, support chats) | US West (AWS us-west-1, Supabase Cloud) | Supabase |
| Media files (avatars, audio guides) | Same as above (Supabase Storage) | Supabase |
| AI inference requests (text) | Beijing, China (Volcengine Ark API) | Volcengine |
| Shared itinerary pages, email confirmation, password reset | Cloudflare Workers global edge network | Cloudflare |
Full transfer paths:
For transfers outside the EEA, we rely on:
Under PIPL Art. 38, we implement the following safeguards for cross-border data transfers:
Under PIPL Art. 39, we inform you of:
Separate Consent: Under PIPL Art. 39, cross-border transfer of personal information requires your separate consent. We will request this consent via a dedicated consent screen when you first use the App. You may withdraw this consent at any time, though this will not affect the lawfulness of processing based on consent before its withdrawal. Withdrawal may result in certain features (such as AI itinerary planning) becoming unavailable.
We retain your personal data only as long as necessary for the stated purposes:
| Data Category | Retention Period | Deletion Mechanism |
|---|---|---|
Account data (auth.users) | Immediately deleted upon account deletion | delete-account Edge Function removes Supabase Auth user |
| Associated business data (profiles, itineraries, favorites, checklist progress, support sessions) | Immediately deleted upon account deletion | ON DELETE CASCADE database constraints |
User avatar files (avatars/{userId}/) | Immediately deleted upon account deletion | Storage directory cleaned synchronously |
| Supabase platform backups | 7–30 days (depending on plan tier) | Infrastructure-level backups, not business-accessible |
| Apple IAP transaction records | Retained by Apple per Apple Privacy Policy | Apple manages as independent controller |
| RevenueCat transaction logs | Per RevenueCat data retention policy | To be confirmed upon integration completion |
| Statutory retention (e.g., accounting records) | No less than 10 years (PRC Accounting Law) | Separable from personal account data; can be anonymized |
Account deletion path: App → Profile → Settings → Delete account → Confirmation → Immediate effect. Deleted accounts and all associated cloud data are permanently removed and cannot be recovered. Local App cache must be manually cleared via Settings → Clear Cache or by uninstalling the App.
| Right | GDPR Article | How to Exercise |
|---|---|---|
| Right of access | Art. 15 | Email request or view profile in App |
| Right to rectification | Art. 16 | Edit profile in App Settings |
| Right to erasure | Art. 17 | Delete account in App Settings or email request |
| Right to restriction | Art. 18 | Email request |
| Right to data portability | Art. 20 | Email request (JSON/CSV export) |
| Right to object | Art. 21 | Adjust preferences in App Settings or email |
| Right to withdraw consent | Art. 7(3) | Revoke in App notification/privacy settings |
| Right not to be subject to automated decision-making | Art. 22 | App has no solely automated decisions producing legal or similarly significant effects; non-AI mode available |
| Right | PIPL Article | Description |
|---|---|---|
| Right to know and decide | Art. 44 | Know the processing rules and decide whether to consent |
| Right to restrict or refuse processing | Art. 44 | Restrict or refuse processing of your personal data (unless otherwise provided by law) |
| Right to access and copy | Art. 45 | Access and obtain a copy of your personal data |
| Right to data portability | Art. 45 | Transfer your data to another designated processor |
| Right to rectification | Art. 46 | Correct or complete inaccurate or incomplete data |
| Right to deletion | Art. 47 | Request deletion under specified circumstances |
| Right to explanation | Art. 48 | Request explanation of processing rules |
| Rights of next-of-kin | Art. 49 | After death, next-of-kin may exercise certain rights for their own legitimate interests |
Response Time: We will respond to your requests within 30 calendar days. If more time is needed due to complexity, we will notify you within the 30-day period with an explanation.
Identity Verification: Before acting on your request, we verify your identity by:
Contact for exercising rights:
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the competent data protection authority in China, your EU member state, or another jurisdiction with regulatory authority. We encourage you to first contact us through the channels above so we can address your concerns directly.
We implement appropriate technical and organizational measures to protect your personal data:
| Security Layer | Measures |
|---|---|
| Transmission | HTTPS/TLS 1.3 encryption for all network communications |
| Storage | AES-256 encryption at rest (Supabase); Row Level Security (RLS) per-user access control |
| Authentication | Apple Sign In, Google OAuth, email+password (Supabase Auth managed) |
| Access Control | Least privilege principle; role-based access for administrative functions |
| Data Isolation | Logical isolation of each user's data via unique user ID (UUID) |
| Monitoring | Supabase audit logs; MetricKit crash monitoring |
No method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.
In the event of a personal data breach, we will:
The App is intended primarily for adult international travelers visiting China and does not contain functionality specifically directed at minors.
We have set an appropriate age rating in App Store Connect.
os.log for local logging and Apple MetricKit for crash/performance diagnosticsThe App may contain links to third-party websites or services (e.g., official visa application portals, transportation booking platforms). We are not responsible for the privacy practices of these third parties. We recommend reviewing their respective privacy policies before providing any personal data.
We may update this Privacy Policy from time to time. For material changes, we will notify you by:
Your continued use of the App after changes take effect constitutes acceptance. If you disagree, you must stop using the App and delete your account.
For questions, concerns, or requests regarding this Privacy Policy or our data practices:
| Channel | Detail |
|---|---|
| Data Protection | chengduyuliutech@163.com |
| User Support | support@yolohappy.app |
| Mailing Address | Chengdu Yuliu Technology Co., Ltd. No. 14, 1/F, Building 1, No. 299 Ronghua North Road Chengdu Hi-tech Zone, Sichuan Province, 610094, P.R. China Attn: Data Protection Officer |