YOLO HAPPYYour China Travel Companion
Legal

Privacy Policy

Last Updated: June 29, 2026  ·  Effective Date: June 29, 2026

1. Introduction

Chengdu Yuliu Technology Co., Ltd. ("Yuliu Tech", "we", "us", or "our"), a company registered in Chengdu, Sichuan Province, People's Republic of China, operates the YOLO HAPPY iOS mobile application (the "App"). We are committed to protecting your privacy and processing your personal data in a transparent, lawful, fair, and necessary manner.

This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use the App, and describes your rights under applicable data protection laws.

1.1 Applicable Laws

This Privacy Policy is prepared in accordance with, among others:

1.2 Data Controller

ItemDetail
Data ControllerChengdu Yuliu Technology Co., Ltd. (成都预流科技有限公司)
Registered AddressNo. 14, 1/F, Building 1, No. 299 Ronghua North Road, Chengdu Hi-tech Zone, Sichuan Province, 610094, P.R. China
Privacy Contactchengduyuliutech@163.com
User Supportsupport@yolohappy.app

If you do not agree with this Privacy Policy, please do not use the App.

2. Data We Collect

2.1 Information You Provide

CategoryExamplesPurposeLegal Basis (GDPR)Legal Basis (PIPL)
Account InformationDisplay name, email address, authentication tokens (Apple Sign In / Google Sign In / email registration)Account creation, authentication, account securityArt. 6(1)(b) — Contract performanceArt. 13(1)(ii) — Necessary for contract
Profile DataAvatar, nationalityPersonalized travel recommendations, visa eligibility detection, pre-trip checklist customizationArt. 6(1)(b) — Contract performanceArt. 13(1)(ii) — Necessary for contract
Itinerary DataDestination city, travel dates (arrival/departure), travel preferences, itinerary details (activities, notes)AI-assisted itinerary planning, trip reminders, pre-trip checklist generationArt. 6(1)(b) — Contract performanceArt. 13(1)(ii) — Necessary for contract
Customer Support CommunicationsChat messages, uploaded imagesGenius Bar support services, service quality improvementArt. 6(1)(f) — Legitimate interestsArt. 13(1)(ii) — Necessary for contract
Purchase InformationSubscription status, purchase history (processed via RevenueCat and Apple App Store; we do not directly collect credit card numbers or payment credentials)In-app purchase fulfillment, subscription management, refund processingArt. 6(1)(b) — Contract performanceArt. 13(1)(ii) — Necessary for contract

2.2 Automatically Collected Information

CategoryExamplesPurposeLegal Basis
Device InformationDevice model, OS version, language preferencesApp compatibility, bug fixes, UX optimizationContract performance (Art. 6(1)(b) GDPR / Art. 13(1)(ii) PIPL)
Crash & Performance DataAnonymized crash logs and performance diagnostics via Apple MetricKit system frameworkApp stability and bug fixesLegitimate interests (Art. 6(1)(f) GDPR)
Content PreferencesFavorited attractions, downloaded audio guides, content mode selectionPersonalized experience, offline access supportContract performance (Art. 6(1)(b) GDPR / Art. 13(1)(ii) PIPL)

Important: This App does NOT integrate any third-party remote analytics or tracking SDKs (e.g., Firebase Analytics, Google Analytics, Facebook SDK, Adjust, Amplitude, Mixpanel, Shence, Youmeng). Client-side os.log is Apple's native local logging only. We do not profile you or conduct automated behavioral predictions.

2.3 Permission-Based Data

PermissionPurposeRequired?
Push NotificationsTrip reminders, pre-trip checklist alerts, customer support message notificationsOptional (revocable in system settings)
Photo Library (Write)Saving shared itinerary card imagesOptional
Photo Library (Read)Uploading profile avatar; sending images in support chatOptional
Background AudioContinuing audio guide playback when the App is in the background or device is lockedOptional

This App does NOT request access to: camera, microphone, location, contacts, or Bluetooth.

3. How We Use Your Data

We use your personal data only for the purposes stated in this Privacy Policy and only where a valid legal basis exists:

Processing ActivityData InvolvedLegal Basis
Creating and managing your accountAccount InformationContract performance (Art. 6(1)(b) GDPR / Art. 13(1)(ii) PIPL)
AI-assisted itinerary generationItinerary Data, Profile DataContract performance
Providing audio guides and city guide contentDevice info, Content PreferencesContract performance
Visa eligibility detection and pre-trip checklistsNationality, destination, stay durationContract performance
Processing in-app purchases and subscriptionsAnonymized purchase tokensContract performance
Providing Genius Bar customer supportSupport communicationsContract performance
Sending push notificationsDevice Push TokenYour separate consent (Art. 6(1)(a) GDPR / Art. 13(1)(i) PIPL)
App stability monitoring (crash diagnostics)Anonymized MetricKit dataContract performance

If we need to use your personal data for purposes not covered in this Policy or for new business scenarios, we will obtain your consent separately.

4. AI Content Generation

The App uses artificial intelligence (AI) to generate travel itineraries, audio guide content, and other materials. This section provides transparency disclosures required under PIPL Art. 24 (automated decision-making), GDPR Art. 22, and relevant AI regulations.

4.1 How We Use AI

DimensionDetail
Data sent to AIText only (destination cities, travel dates, preference keywords, assistant dialogue messages). The App does NOT upload your photos or images for AI analysis
AI Service ProviderVolcengine Ark LLM API (Beijing, China node, ark.cn-beijing.volces.com)
Data flowUser iOS device → Supabase Edge Function (US West) → Volcengine Ark (Beijing, China) → AI-generated results returned
AI output typeItinerary suggestions, guide information, travel phrase translations — informational travel references only
AI trainingWe do NOT use your personal data to train AI models. Volcengine is contractually prohibited from using your inputs to train its general-purpose models

4.2 AI Accuracy Disclaimer

AI-generated content may contain inaccuracies, omissions, or outdated information. AI itineraries and guide content are for travel reference only and do NOT constitute legal advice, visa decision-making basis, or official information. You should independently verify critical information through official channels, including but not limited to:

4.3 Non-AI Alternatives

You may use the App without any AI processing. The following non-AI paths are available:

5. How We Share Your Data

We do NOT sell your personal data. We share data only under the following circumstances:

5.1 Data Processors (Service Providers)

We engage the following service providers to process data on our behalf. Under PIPL Art. 21 and GDPR Art. 28, processing agreements specify the purpose, duration, method, data categories, protective measures, and respective rights and obligations:

ProviderServiceData ProcessedProcessing LocationDPA Status
SupabaseBackend database (PostgreSQL), authentication, file storage, Edge FunctionsAccount info, profiles, itineraries, support chat records, avatar filesUS West (us-west-1)Covered by Supabase DPA (accepted via Terms of Service)
Volcengine Ark (ByteDance)AI text inference (itinerary, assistant dialogue, chat translation)User text input (destination, dates, preference keywords, dialogue) — does NOT include name, email, or nationalityBeijing, ChinaDPA pending signature
RevenueCatIn-app purchase receipt validation, subscription managementAnonymous user ID, purchase tokens (transaction ID, product ID, subscription expiry) — no PIIUnited StatesIntegration in progress; DPA coverage to be confirmed
Apple (APNs)Push notification deliveryDevice push tokenApple global infrastructureCovered by Apple Developer Agreement
CloudflareWorkers edge hosting (shared itinerary pages, marketing site, CMS)Standard server access logs (CDN/security purposes only)Global edge networkCovered by Cloudflare Terms of Service

5.2 Independent Data Controllers

The following third parties process your data as independent data controllers — please refer to their respective privacy policies:

Third PartyFunctionData Involved
Apple (Sign in with Apple)Third-party loginApple user identifier, email (if you authorize sharing)
Google (Google OAuth)Third-party loginGoogle account identifier, email
Apple App Store / StoreKitIn-app purchasesTransaction receipts, subscription status

5.3 Legal Compliance

We may disclose your data where required by law, court order, or governmental regulation, or where we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.

5.4 Business Transfers

If Yuliu Tech is involved in a merger, acquisition, or asset sale, your personal data may be transferred as part of that transaction. We will notify you of the identity and contact details of the recipient and require the recipient to continue honoring this Privacy Policy. Any change in processing purposes or methods will require renewed consent.

6. International Data Transfers

6.1 Storage Locations and Transfer Paths

Your data is stored at and transferred through the following locations:

Data TypePrimary Storage/Processing LocationProvider
Core business data (accounts, itineraries, preferences, support chats)US West (AWS us-west-1, Supabase Cloud)Supabase
Media files (avatars, audio guides)Same as above (Supabase Storage)Supabase
AI inference requests (text)Beijing, China (Volcengine Ark API)Volcengine
Shared itinerary pages, email confirmation, password resetCloudflare Workers global edge networkCloudflare

Full transfer paths:

  1. General business data: User iOS device (global) → HTTPS → Supabase (US West, us-west-1)
  2. AI features: User iOS device → Supabase Edge Function (US West) → Volcengine Ark (Beijing, China) → results returned
  3. Apple/Google sign-in: Device ↔ Identity provider ↔ Supabase Auth
  4. Push notifications: Supabase/backend → Apple APNs → User device
  5. In-app purchases: Device ↔ Apple App Store; subscription validation via RevenueCat (US) → write-back to Supabase

6.2 GDPR Transfer Safeguards (Art. 44–49)

For transfers outside the EEA, we rely on:

6.3 PIPL Cross-Border Transfer Rules (Art. 38–39)

Under PIPL Art. 38, we implement the following safeguards for cross-border data transfers:

Under PIPL Art. 39, we inform you of:

Separate Consent: Under PIPL Art. 39, cross-border transfer of personal information requires your separate consent. We will request this consent via a dedicated consent screen when you first use the App. You may withdraw this consent at any time, though this will not affect the lawfulness of processing based on consent before its withdrawal. Withdrawal may result in certain features (such as AI itinerary planning) becoming unavailable.

7. Data Retention

We retain your personal data only as long as necessary for the stated purposes:

Data CategoryRetention PeriodDeletion Mechanism
Account data (auth.users)Immediately deleted upon account deletiondelete-account Edge Function removes Supabase Auth user
Associated business data (profiles, itineraries, favorites, checklist progress, support sessions)Immediately deleted upon account deletionON DELETE CASCADE database constraints
User avatar files (avatars/{userId}/)Immediately deleted upon account deletionStorage directory cleaned synchronously
Supabase platform backups7–30 days (depending on plan tier)Infrastructure-level backups, not business-accessible
Apple IAP transaction recordsRetained by Apple per Apple Privacy PolicyApple manages as independent controller
RevenueCat transaction logsPer RevenueCat data retention policyTo be confirmed upon integration completion
Statutory retention (e.g., accounting records)No less than 10 years (PRC Accounting Law)Separable from personal account data; can be anonymized

Account deletion path: App → Profile → Settings → Delete account → Confirmation → Immediate effect. Deleted accounts and all associated cloud data are permanently removed and cannot be recovered. Local App cache must be manually cleared via Settings → Clear Cache or by uninstalling the App.

8. Your Rights

8.1 GDPR Rights (EU/EEA Users)

RightGDPR ArticleHow to Exercise
Right of accessArt. 15Email request or view profile in App
Right to rectificationArt. 16Edit profile in App Settings
Right to erasureArt. 17Delete account in App Settings or email request
Right to restrictionArt. 18Email request
Right to data portabilityArt. 20Email request (JSON/CSV export)
Right to objectArt. 21Adjust preferences in App Settings or email
Right to withdraw consentArt. 7(3)Revoke in App notification/privacy settings
Right not to be subject to automated decision-makingArt. 22App has no solely automated decisions producing legal or similarly significant effects; non-AI mode available

8.2 PIPL Rights (All Users)

RightPIPL ArticleDescription
Right to know and decideArt. 44Know the processing rules and decide whether to consent
Right to restrict or refuse processingArt. 44Restrict or refuse processing of your personal data (unless otherwise provided by law)
Right to access and copyArt. 45Access and obtain a copy of your personal data
Right to data portabilityArt. 45Transfer your data to another designated processor
Right to rectificationArt. 46Correct or complete inaccurate or incomplete data
Right to deletionArt. 47Request deletion under specified circumstances
Right to explanationArt. 48Request explanation of processing rules
Rights of next-of-kinArt. 49After death, next-of-kin may exercise certain rights for their own legitimate interests

8.3 CCPA/CPRA Rights (California Residents)

Response Time: We will respond to your requests within 30 calendar days. If more time is needed due to complexity, we will notify you within the 30-day period with an explanation.

Identity Verification: Before acting on your request, we verify your identity by:

Contact for exercising rights:

8.4 Right to Complain

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the competent data protection authority in China, your EU member state, or another jurisdiction with regulatory authority. We encourage you to first contact us through the channels above so we can address your concerns directly.

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data:

Security LayerMeasures
TransmissionHTTPS/TLS 1.3 encryption for all network communications
StorageAES-256 encryption at rest (Supabase); Row Level Security (RLS) per-user access control
AuthenticationApple Sign In, Google OAuth, email+password (Supabase Auth managed)
Access ControlLeast privilege principle; role-based access for administrative functions
Data IsolationLogical isolation of each user's data via unique user ID (UUID)
MonitoringSupabase audit logs; MetricKit crash monitoring

No method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.

10. Data Breach Notification

In the event of a personal data breach, we will:

  1. Immediately take remedial measures: Identify and contain the breach, assess impact scope
  2. Notify supervisory authorities: Within the statutory timeframes under PIPL Art. 57 and GDPR Art. 33 (within 72 hours of becoming aware under GDPR)
  3. Notify affected users: Without undue delay if the breach is likely to result in high risk to your rights and freedoms
  4. Document and archive: Maintain a complete record of the breach facts, impact assessment, and remedial measures

11. Children's Privacy

The App is intended primarily for adult international travelers visiting China and does not contain functionality specifically directed at minors.

We have set an appropriate age rating in App Store Connect.

12. Cookies and Tracking Technologies

13. Third-Party Links

The App may contain links to third-party websites or services (e.g., official visa application portals, transportation booking platforms). We are not responsible for the privacy practices of these third parties. We recommend reviewing their respective privacy policies before providing any personal data.

14. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will notify you by:

Your continued use of the App after changes take effect constitutes acceptance. If you disagree, you must stop using the App and delete your account.

15. Contact Us

For questions, concerns, or requests regarding this Privacy Policy or our data practices:

ChannelDetail
Data Protectionchengduyuliutech@163.com
User Supportsupport@yolohappy.app
Mailing AddressChengdu Yuliu Technology Co., Ltd.
No. 14, 1/F, Building 1, No. 299 Ronghua North Road
Chengdu Hi-tech Zone, Sichuan Province, 610094, P.R. China
Attn: Data Protection Officer