Privacy Policy
Legal
Learn how Yulai collects, uses, and protects your data. Your privacy matters to us.
Overview
At Yulai, your privacy is not just a policy, it is a core value. We are built on the principle of Trust and Transparency, guaranteeing responsible data usage and maximum privacy protection. This policy explains how we collect, use, and protect your information. Last updated: May 2026.
What We Collect
We collect only the information necessary to provide personalized recommendations. This includes: taste preferences captured during onboarding (six flavor dimensions: spicy, sweet, savory, sour, bitter, and umami), cuisine preferences and cuisine ranking, dietary restrictions such as allergies and religious requirements, behavioral interaction signals (which restaurants you save, visit, like, dislike, or view, used to refine your taste profile over time), basic account information (email, name), and location data (only with your explicit permission). We follow a strict data minimization principle, meaning we never collect more than what is needed to deliver our service.
How We Use Your Data
Your data is used exclusively to create your personalized Food Fingerprint and deliver tailored restaurant recommendations. Our AI analyzes your preferences to match you with restaurants that truly fit your taste. We show you exactly how your data improves your recommendations, building trust through visibility into how our system works for you.
Data Sharing and B2B Insights
We never sell your individual data. When we provide insights to restaurant partners, they receive only anonymized, aggregated trends. For example, restaurants might learn that "35% of local diners prefer spicy food" but they will never know that you specifically have this preference. Our anonymization protocols strip all personally identifiable information before any data leaves our system. Your individual profile remains completely private.
Third-Party Services and Data Sources
To provide our service, we use the following third-party services: Firebase Authentication (Google) for secure login and account management, OpenStreetMap and Nominatim for restaurant location data and geocoding, and Google Maps Platform for location services in our mobile application. Restaurant location data is sourced from OpenStreetMap contributors and is licensed under the Open Database License (ODbL). We do not scrape or use data from proprietary platforms such as Yelp, TripAdvisor, or Google Reviews. All third-party services are GDPR-compliant and process data according to their respective privacy policies.
Your Control
You maintain full control over your data through granular permission settings. You can choose exactly what information to share and adjust these preferences at any time. Account deletion is handled entirely within the app. Go to Settings → Account → Delete Account. No email or external form is required. Our user data portability feature allows you to export your complete profile whenever you want, ensuring you always have access to your own information. Location access is entirely optional and can be disabled at any time in your device settings.
Your Rights
You have the right to access all personal data we hold about you, correct any inaccurate information, request deletion of your data (right to erasure, exercisable directly in the app via Settings → Account → Delete Account), export your data in a portable machine-readable format (right to data portability), and opt out of specific data processing activities. You can also contact us at any time to exercise these rights. We will respond to all requests within 30 days as required by GDPR.
Data Retention
We retain your personal data only for as long as necessary to provide our services. Active account data is retained while your account exists. Upon account deletion, all personal data is permanently removed from our systems within 30 days. Anonymized aggregate data used for analytics may be retained indefinitely as it cannot be traced back to individuals. Backup copies are purged within 90 days of deletion.
GDPR Compliance
Yulai has been fully GDPR-compliant from day one. For users in the European Economic Area, we provide explicit consent mechanisms for all data collection, data portability enabling profile export anytime, the right to erasure (the right to be forgotten), transparent data processing practices, and clear documentation of how your data is used. We obtain explicit user consent before collecting any information and maintain complete transparency about our data practices. Our legal basis for processing is consent (Article 6(1)(a)) and legitimate interest for service improvement (Article 6(1)(f)).
Data Security
We implement industry-standard security measures including encryption at rest and in transit (TLS 1.3) for all sensitive information. Your taste profiles and dietary restriction data are protected with the same rigor as financial information. We use secure authentication through Firebase with support for multi-factor authentication. We regularly review and update our security practices to ensure your data remains safe.
Subscriptions and Payment Data
If you subscribe to Yulai+, your payment is processed by Apple App Store or Google Play (depending on your platform). Yulai does not directly receive or store your full payment card details. We receive only a subscription confirmation token and your subscription status from the app store. Transaction records (subscription ID, amount, and date) are retained for legal compliance purposes as outlined in our data retention policy.
Data Breach Notification
In the unlikely event of a data breach affecting your personal information, we will notify you and the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33. Notification will be sent to the email address associated with your account. We maintain an incident response plan and conduct regular security audits to minimize the risk of unauthorized access to your data.
Children's Privacy
Yulai is not intended for users under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us immediately and we will delete the information.
Contact
For privacy-related questions, data requests, or concerns, please contact us at [email protected]. For general inquiries, contact [email protected]. Our Data Protection Officer can be reached at [email protected]. We are committed to responding to all inquiries within 30 days as required by GDPR.