YOZORA
Privacy Policy
Quick summary
- We collect your email, first name, travel preferences, push token, and which deals you view or tap.
- We use this to send you a daily digest of flight deals and personalise what we show you.
- We store data with Supabase; we share booking clicks with our affiliates Travelpayouts and Trip.com.
- We do not sell your personal information.
- You can delete your account permanently at any time from inside the app (Profile → Delete account). If you no longer have the app installed, email us from your registered email address — instructions in Section 9.
- We earn affiliate commission when you book through our links. The price you pay is the same either way.
1. Who we are
Yozora ("Yozora", "the app") is a mobile flight-deal app for travellers in Australia. The app is operated by an individual sole trader based in Australia:
Ross King (sole trader)
ABN: 11 323 425 692
Contact: ross.king781@gmail.com
Throughout this policy, "we", "us", and "our" refer to Ross King in his capacity as the operator of Yozora. Ross King is the data controller for the personal information described below. The app is primarily targeted at Australian users but is distributed via the Google Play Store globally.
2. Information we collect
2.1 Information you provide directly
| What | When | Why |
|---|---|---|
| Email address | Sign-up | To create your account, send the daily digest, contact you about your account |
| Password | Sign-up | Stored hashed (never in plain text) so you can sign in |
| First name | Sign-up | To address you by name in the app |
| Travel preferences | Onboarding + Profile | To filter and rank deals: AU origins, Asian destinations, Sleep Score and savings thresholds, cabin class, digest time, timezone |
| Mode selection | In-app (Save / Restful / Premium) | To filter deals to your chosen style of travel |
| Subscription tier | If you upgrade to Premium | To unlock Premium-only features |
2.2 Information collected automatically
- Push notification token — issued by Apple or Google so we can send notifications.
- Engagement events — which deals we notified you about, which you tapped, when you archived a deal from your Inbox.
- Post-flight feedback (optional) — your ratings of flights you took. You choose whether to provide this.
- Server logs — IP address, timestamps, and basic device/OS info for security and diagnostics. Retained up to 30 days.
2.3 What we do not collect
- Your location
- Your contacts, photos, microphone, camera, calendar, or SMS
- Your phone number
- Your payment card details — Google Play handles Premium subscription payments
- Sensitive information (health, race, religion, sexual orientation, etc.)
- Information about children under 16
3. How we use your information
- Run your account — sign you in, remember preferences.
- Send you a daily flight-deal digest filtered to your preferences and timezone.
- Rank deals using our Sleep Score algorithm.
- Power your Inbox so you can find deals again later.
- Improve the Sleep Score algorithm using aggregated, de-identified post-flight feedback.
- Contact you about your account, error fares, or important policy changes.
- Comply with legal obligations.
We do not use your information for advertising profiles or sell it to data brokers.
Legal bases (for users in the EU/UK):
- Contract — to deliver the service you signed up for.
- Legitimate interests — to improve and secure the app.
- Consent — for push notifications, which you can revoke at any time.
4. Push notifications
Your device receives a push token from Apple Push Notification Service (APNs) or Google Firebase Cloud Messaging (FCM). We pass it to Expo's Push Notification Service for delivery. You can revoke notification permission at any time in your device's system settings, or change cadence in Profile → Notifications.
We use notifications for the daily deal digest, urgent error-fare alerts, and account-related messages only. Never marketing or third-party promotions.
5. Who we share your information with
5.1 Supabase Inc. (USA) — backend hosting
All your account data is stored in our Supabase project. Privacy policy: supabase.com/privacy.
5.2 Expo (USA) — push notifications
Your push token is shared with Expo's Push Notification Service for delivery. Privacy policy: expo.dev/privacy.
5.3 Travelpayouts (Cyprus) — flight data + affiliate redirects
We pull flight prices from their API (server-to-server, no personal data sent). When you tap a deal, your click may be redirected through Aviasales which records the click against our marker; they may receive your IP and device info at click time. Privacy policy: travelpayouts.com/privacy_policy.
5.4 Trip.com (Singapore / China) — booking partner
If a deal is fulfilled by Trip.com, you're redirected to their site to complete the booking. Their privacy policy applies once you're there. Privacy policy: trip.com/privacy.
5.5 Google Play Billing — subscriptions
Premium subscriptions are processed by Google Play Billing. We receive subscription status only — never payment card details. Privacy policy: policies.google.com/privacy.
5.6 Future providers
We plan to add the following providers and will update this policy before doing so:
- RevenueCat (USA) — subscription state management.
- Sentry (USA) — crash reporting. Technical crash data only.
- PostHog (USA / EU) — aggregated usage analytics tied to a random installation ID, never your email.
5.7 Categories we will never share with
- Advertising networks
- Data brokers
- Anyone offering us money for your data
5.8 Legal disclosures
We may disclose your information if compelled by a valid legal request. Where lawfully possible, we will notify you first.
6. International data transfers
Our backend providers may store or process data in the US, EU, Singapore, or other countries. By using Yozora, you understand your data may be transferred internationally. We rely on Standard Contractual Clauses or equivalent mechanisms where required by law.
7. How long we keep your information
| Data | Retention |
|---|---|
| Account (email, name, preferences) | Until you delete your account |
| Engagement events (Inbox, clicks) | Until you delete your account or archive |
| Post-flight feedback | Until you delete your account; aggregated copies may be kept indefinitely |
| Push notification token | Until you sign out or revoke permission |
| Server logs | Up to 30 days |
| Aggregated / anonymised analytics | Indefinitely (cannot be re-identified) |
When you delete your account, removal is immediate from active systems. Backup snapshots are overwritten on their normal rotation (within 30 days).
8. Children's privacy
Yozora is not intended for children under 16. We do not knowingly collect personal information from anyone under 16. If you believe a child has provided us with information, please contact ross.king781@gmail.com and we will delete it.
9. Your rights
9.1 Access and correction
View and edit your personal information at any time in Profile within the app. For anything not editable in the app, email ross.king781@gmail.com and we'll respond within 30 days.
9.2 Deletion
- In the app — Profile → Danger zone → Delete account. Deletion is immediate.
- By email — if you no longer have the app installed, email ross.king781@gmail.com from your registered account email address with the subject line "Delete my account". We will verify the request and complete the deletion within 30 days, usually within 24 hours. Instructions are also published at rossboe.github.io/yozora-legal/delete-account.html.
Deletion removes your profile and all associated data (preferences, inbox, push tokens, feedback) from our active systems. It cannot be undone.
9.3 Data portability (GDPR / UK GDPR)
If you're in the EU, UK, or another jurisdiction with similar laws, email ross.king781@gmail.com for a JSON export of your data within 30 days.
9.4 Object, restrict, or withdraw consent
- Withdraw notification consent in Profile → Notifications → None or at the OS level.
- Object to legitimate-interest processing by emailing ross.king781@gmail.com.
- Restrict processing while a complaint is being investigated.
9.5 Complaints
We'd appreciate you contacting us first at ross.king781@gmail.com so we can try to resolve it directly.
9.6 California residents (CCPA)
You have the right to know what personal information we collect, the right to delete it, and the right not to be discriminated against for exercising these rights. We do not sell personal information as defined under the CCPA.
10. Security
- All app-to-backend traffic is encrypted via TLS.
- Passwords are hashed by Supabase — never stored in plain text.
- Database access is governed by Row-Level Security policies so users can only access their own data.
- Backend admin access requires strong authentication.
No internet-connected service is 100% secure. If a breach affects your personal information, we will notify you in line with the Notifiable Data Breaches scheme under the Australian Privacy Act.
11. Cookies and tracking
The Yozora mobile app does not use cookies (a web technology). It uses local encrypted storage to keep you signed in between launches. We do not use third-party advertising SDKs, tracking pixels, or cross-app identifiers. We do not participate in Google's Advertising ID system.
12. Affiliate disclosure
Yozora earns commission when you book a flight through a deal link. Travelpayouts and Trip.com pay us commission on bookings originating from our affiliate markers. The price you pay is the same whether or not you came via Yozora. We disclose this in compliance with Australian Consumer Law and ACCC guidance.
13. Changes to this policy
When we make material changes, we will update the "Last updated" date, push a notification in the app drawing your attention to the change, and where required by law, give you advance notice and an opportunity to delete your account before changes take effect.
14. Contact us
Ross King (sole trader, operator of Yozora)
ABN: 11 323 425 692
Email: ross.king781@gmail.com
Location: Australia
We aim to respond to all privacy enquiries within 30 days.