Your stuff is yours.
yolo. is built around a single promise: even we can't read your private bucket lists or messages. This page describes what we collect, how we use it, who else sees it, and the controls you have. Read it.
The short version
If you only read one paragraph, read this.
- We don't sell your data. Ever. Not to advertisers, not to data brokers, not to AI training pipelines.
- Your private content is end-to-end encrypted. Direct messages and YOLOs you share to your Inner or Close circles are encrypted on your device before they leave. Our servers see ciphertext only.
- Public content is public. Anything you post with the Public audience can be seen by anyone, indexed by search engines, and shared off-platform.
- You can leave clean. Account deletion cascades through your YOLOs, your bucket list, your friends graph, and your messages within 14 days. Backups age out within 90.
- We're a South African company (Code Op (Pty) Ltd, Cape Town) hosting in the United States (Google Cloud, us-central1). If that matters to you, see International transfers below.
What we collect
Identity & account
- Sign-in identifier: the email associated with the Apple ID or Google account you signed in with. Apple's "Hide My Email" relay addresses are supported.
- Profile fields you choose to set: handle (@something), display name, profile photo, bio.
- Region: a 2-letter country code (e.g. ZA, US) sent by your device on first launch from your system locale. Used for product analytics and to localise prices in the booking flows. Never shown to other users.
- Preferred currency: ISO-4217 code (e.g. USD, ZAR). Drives the prices the app displays in Stays / Flights. You can change it in Settings → Region.
Content you post
- Public & followers-only YOLOs: text, photos, videos, captions, audience selection, "with" tags, location (only at the precision you choose — see below), the linked Discover constellation if any.
- Bucket list entries: things you want to do. If you mark a bucket entry as private, it's encrypted on your device (see E2E below).
- Comments & reactions ("cheers") you leave on others' YOLOs.
- Location: only at the precision you choose at post time. yolo. never collects continuous background location. Stripping EXIF GPS metadata from uploaded photos happens server-side before storage.
Encrypted content
The following are end-to-end encrypted on your device before being sent. Our servers store ciphertext only and cannot read them. See End-to-end encryption for the technical specifics.
- Direct messages (1:1 and group chats)
- YOLOs shared to your Inner or Close circle only
- Bucket list entries marked private
Device & technical
- Device identifiers: a yolo.-internal device ID (random UUID generated on your device), iOS/Android OS version, device model class (e.g. "iPhone 15 Pro" — not a serial number), app version, locale.
- FCM / APNs push token: needed to deliver notifications. Rotates when you reinstall.
- App Check / App Attest token: Apple's App Attest (iOS) or Google Play Integrity (Android) prove your app binary is genuine. We don't see the underlying device key.
- Public cryptographic keys for your devices (used to route encrypted DMs to the right device). The corresponding private keys never leave your device.
- Crash reports: stack traces and minimal context if the app crashes. No personal content is attached. Powered by Firebase Crashlytics.
Usage
- Last-active timestamp: rough "when you were last using the app" signal, written at most once every 5 minutes. Used internally for product analytics and to target re-engagement push (see How we use it).
- Booking funnel signals: if you click through to a Stays or Flights partner from a Discover constellation, we log the click + the partner + the linked YOLO. If you complete a booking we log the booking reference, total amount, and currency.
- Reports you file: if you report a YOLO, profile, or comment, your user ID is attached to the report. The target of the report never sees who reported them.
Things we do NOT collect
- Your contact book or address book.
- Your photo library beyond what you explicitly attach to a post.
- Your continuous location (GPS while the app is closed / in the background).
- Third-party advertising identifiers inside the yolo. app (the app contains no ads and no in-app ad SDKs). Our marketing website uses ad-measurement pixels — see Website analytics & advertising pixels.
- Browsing history outside the app.
- Sensitive special-category data (race, religion, health, biometrics, sexual orientation) — unless you choose to disclose it in your own posts. We don't infer it.
How we use it
To run yolo.
- Deliver your content to the audience you chose.
- Route notifications to your devices.
- Sync your bucket list, messages, and reactions across your devices.
- Power the Discover tab: AI-generated travel/experience suggestions from a generative model (Google Gemini, hosted via Vertex AI). Discover queries are processed with the words you typed; we don't attach your identity to the prompts sent to the model.
- Power Stays / Flights search through Duffel and Nuitée/LiteAPI: when you search, your search parameters (dates, location, passenger count) are sent to the partner. Your account identifier is NOT sent unless you choose to book.
To improve yolo.
- Aggregated analytics: daily/monthly active users, most-used features, retention cohorts. Aggregated only — never individually identifying.
- A/B tests of UX changes (you may be in a treatment group; we don't infer personality from the bucket).
- Re-engagement push notifications if you've been dormant for 30+ days. You can mute these in Settings → Notifications.
To keep yolo. safe
- Trust & safety: investigating reports, enforcing the Community Guidelines, suspending accounts that violate the Terms.
- Spam, fraud, and abuse detection. We may run lightweight pattern checks on public content (e.g. duplicate-post detection, link-blast detection). We never run such checks on E2E content.
- Audit logging of moderation actions: when an admin suspends a user or removes a post, we log who did it, when, and why, and retain it for accountability.
What we DON'T use it for
- We don't sell your data.
- We don't train third-party AI models on your content. Public content posted to yolo. is not piped to any external model trainer.
- We don't run advertising inside the app. There are no ads in the yolo. app, and there is no plan to introduce them. (We do advertise yolo. itself — our marketing website uses ad-measurement pixels to see which campaigns bring people to it; see Website analytics & advertising pixels.)
- We don't share your contact book or social graph with external networks for matching.
Website analytics & advertising pixels
This applies to our marketing website (the pages under yolo-app.io) — not the yolo. app, which contains no ad SDKs. To understand which campaigns bring people to the site, our marketing pages use:
- Google Ads (gtag) — measures conversions from Google ad clicks and reads a click identifier (gclid) from the landing URL so a Play Store install can be attributed to the ad that drove it.
- Meta Pixel — measures visits and conversions from Meta (Facebook/Instagram) ads. It loads only after you accept marketing cookies in the consent banner; if you decline, or haven't chosen, it never loads and no data is sent to Meta.
These pixels see standard web request data (IP address, browser/user-agent, the page URL, and a pixel-set cookie) for the marketing site only. You can withdraw consent at any time by clearing this site's cookies/local storage, which re-shows the banner on your next visit. We do not use these pixels to build advertising profiles from anything you do inside the app, and we don't upload your app activity to Meta or Google for ad targeting.
How we share it
Service providers (sub-processors)
The vendors who run parts of yolo.'s infrastructure on our behalf, under contracts that bind them to the same protections we offer you:
| Provider | What they do | What they see |
|---|---|---|
| Google Cloud Platform | Hosting (Cloud Run, Firestore, GCS) | All non-E2E data at rest |
| Firebase (Google) | Identity Platform, Cloud Messaging, App Check, Crashlytics | Sign-in credentials, push tokens, crash traces |
| Apple | APNs (push routing for iOS), App Attest | Push payload metadata, app integrity tokens |
| Google (Vertex AI / Gemini) | Discover constellation generation, embeddings | Search queries (without your identity) |
| Duffel | Flights search & booking | Search params + booking details if you book |
| Nuitée / LiteAPI | Stays search & booking | Search params + booking details if you book |
| Paystack | Payment processing (for paid features when launched) | Payment instrument + amount |
| Pexels / Pixabay / Unsplash | Stock-image cascade for Discover constellations | Anonymous image-request URLs only |
Other people on yolo.
- Your public content is visible to everyone who opens the app or visits a shared link, and may be indexed by search engines.
- Your followers-only content is visible to people who follow you.
- Your Friends Circle, Close, and Inner content is visible only to users you've explicitly added to that ring. The Inner ring caps at ~10 people on purpose; if you add an 11th, the oldest member is suggested for removal.
- If you tag someone (with), that person can see they were tagged. If your YOLO is restricted, only audience members + the tagged people see it.
Legal compliance
We may disclose data when required by valid legal process. We:
- Require a court order or equivalent for content disclosure where the law allows us to;
- Cannot decrypt E2E content for anyone, including ourselves and law enforcement;
- Publish an annual transparency report listing the volume and category of requests received (commitment effective at v1 launch);
- Notify you of legal requests for your data when not legally prohibited from doing so.
Business transfers
If Code Op (Pty) Ltd is acquired, merged, or sold, your data may be transferred as part of the transaction. We will notify you in-app at least 30 days before the transfer takes effect, giving you time to export and delete if you'd prefer not to come along.
End-to-end encryption
This is the defensible claim: even we can't read your private bucket lists or messages. Here's how it works.
What's encrypted end-to-end
- Direct messages (1:1 and group)
- YOLOs shared to your Close or Inner circles only
- Bucket list entries you mark private
What's NOT encrypted end-to-end
- Public posts (the whole point is they're public)
- Followers-only and Friends Circle posts (visible to enough people that E2E adds latency without adding privacy)
- Profile fields (handle, name, avatar, bio)
- Booking confirmations (we have to share these with Duffel / Nuitée to deliver service)
The crypto, briefly
Per ADR-002 in our open architecture record:
- Identity keys: Ed25519 keypair generated on-device, derived from a 32-byte secret held in the Apple Secure Enclave (iOS) or Android StrongBox / Keystore. Private key never leaves the device.
- 1:1 messages: Signal Protocol (X3DH + Double Ratchet), with post-quantum hardening via PQXDH enabled day one.
- Group messages: Messaging Layer Security (MLS, RFC 9420).
- Sealed sender: for 1:1 DMs, the message envelope hides the sender from our servers — we route ciphertext without knowing who it came from.
- App Attest / Play Integrity proves your app binary hasn't been tampered with before key registration succeeds.
- Local-database encryption (SQLCipher on Android, encrypted SwiftData on iOS) so a compromised lockscreen doesn't expose decrypted content at rest.
What we never store
- Decrypted message contents — we literally cannot, the keys are on your phone
- Private bucket entry contents (same reason)
- Your encryption private keys
Your controls
Audience controls (per-YOLO)
Every YOLO carries an audience setting that limits who can see it. You can change it any time after posting:
| Ring | Who sees it | End-to-end? |
|---|---|---|
| Public | Everyone, including search engines | No |
| Followers | People who follow you | No |
| Friends Circle | People you've added to this ring | No |
| Close | ~25 people you've added | Yes |
| Inner | ~10 people you've added | Yes |
| Only me | Just you (private bucket) | Yes |
Privacy settings (account-level)
In Settings → Privacy you can flip any of these (see ADR-006 for the full model):
- Discoverable — hides you from search and friend suggestions entirely
- Allow exact-handle search — friends who know your @handle can still find you even if Discoverable is off
- Profile policy — public / friends only / nobody (nobody = stub card only)
- DM policy — anyone / friends / nobody
- Follow policy — anyone / friends / nobody
- Mention policy — anyone / friends / nobody
- Inspire policy — controls whether others can add a derivative of your YOLO to their own bucket
- Read receipts — on / off (off blinds you to receipts from others too)
Block, mute, report
- Block a user from any profile, DM, or comment ••• menu. Blocked users cannot see your content, follow you, message you, or know you blocked them.
- Mute hides someone's content from your feed without blocking them.
- Report any YOLO, profile, or comment from the same menu. Reports go to the trust & safety team. The target is never told who reported them.
Data export
You can request a copy of all your yolo. data — public content, account profile, friend graph, bucket entries (with private entries flagged but not decrypted server-side), booking history, and a summary of reports you've filed — at any time from Settings → Account → Download my data. Delivered as a ZIP within 14 days. Free, unlimited.
Account deletion
From Settings → Account → Delete account. The deletion cascade:
- Immediate: Your account is signed out everywhere, hidden from feeds and search, and placed in a soft-deletion state.
- Within 14 days: All your YOLOs, comments, reactions, bucket entries, friend edges, and messages are hard-deleted from Firestore. Other people's messages to you in 1:1 threads remain (we can't selectively delete their copy of a ciphertext they hold).
- Within 90 days: Backups age out. Aggregated analytics retain a counter that you existed but no identifying data.
- Indefinite: Records of moderation actions taken against you for serious violations (CSAM, threats of violence) are retained for compliance reasons.
How long we keep it
| Data | Retention |
|---|---|
| Active account profile + content | For as long as your account exists |
| Deleted account content | 14 days soft-delete, then hard-deleted |
| Backups | 90 days rolling |
| Server logs (request paths, IPs) | 30 days |
| Aggregated analytics | Indefinite (no identifying data) |
| Booking confirmations | 7 years (tax / accounting compliance) |
| Trust & safety records | 2 years from resolution, except CSAM (indefinite for compliance) |
| Customer support correspondence | 2 years |
How we protect it
- In transit: TLS 1.3 only. Certificate pinning on iOS + Android against our API host.
- At rest: Firestore + GCS encrypted at rest with Google-managed keys (AES-256). Private content is additionally E2E encrypted before it reaches them.
- Identity: Firebase Identity Platform with Apple Sign-In and Google Sign-In. We never see or store passwords.
- App integrity: Apple App Attest (iOS) and Google Play Integrity (Android) gate API access to genuine, untampered builds.
- Local data: the iOS/Android app stores cached data encrypted with hardware-bound keys (Secure Enclave / StrongBox / Keystore).
- Access controls: only a small number of Code Op staff can access the production database, and only with audit logging. They cannot read E2E content because the keys aren't on the server.
- Vulnerability disclosure: email security@codeop.io. We aim to acknowledge within 72 hours.
- Annual third-party security review commitment from public-launch onwards.
No system is perfect. If we discover a breach affecting your data we will notify you in-app and by email within 72 hours of confirmation, and notify the regulators required by law (the South African Information Regulator under POPIA, supervisory authorities under GDPR where applicable, the relevant US state AG under state breach laws).
Regional rights
European Union & United Kingdom (GDPR / UK GDPR)
Under the General Data Protection Regulation, you have the right to:
- Access the personal data we hold about you (use Data Export).
- Rectify inaccurate data (edit your profile).
- Erase your data ("right to be forgotten") — use Account Deletion.
- Restrict processing — contact us at privacy@codeop.io.
- Port your data to another service (Data Export delivers in a structured format).
- Object to processing for analytics or re-engagement.
- Withdraw consent at any time. Note: withdrawal does not affect the lawfulness of processing before withdrawal.
- Complain to your supervisory authority. For Ireland (typical for EU users): dataprotection.ie. For the UK: ico.org.uk.
Our legal bases for processing: contract (to deliver yolo. as you signed up for), legitimate interest (analytics, abuse prevention), consent (push notifications, optional features), legal obligation (tax, law enforcement requests).
California (CCPA / CPRA)
California residents have the right to know what we collect, to delete it, to correct it, to opt out of "sale" or "sharing" of personal information, and to be free from discrimination for exercising these rights. We never sell your personal information, and we don't use anything you do inside the yolo. app for cross-context behavioural advertising. The one exception is our marketing website: if you accept marketing cookies there, the Meta Pixel and Google Ads tag may "share" standard web-visit data for ad measurement under CPRA's broad definition. Declining the consent banner (or not accepting it) opts you out — that banner is our "Do Not Sell or Share" control for the site. See Website analytics & advertising pixels.
South Africa (POPIA)
Code Op (Pty) Ltd is the responsible party under the Protection of Personal Information Act. The Information Officer is the company's registered Information Officer at our Cape Town address. You may lodge a complaint with the Information Regulator if you believe your rights have been infringed.
Brazil (LGPD), Canada (PIPEDA), Australia (Privacy Act)
We honour comparable rights to access, correction, and deletion for users in these and other jurisdictions on request. Contact privacy@codeop.io.
Children & teens
yolo. is not for users under 13 (under 16 in some EU countries, where the GDPR digital-consent age has not been lowered). Accounts that we determine belong to under-age users are terminated and the underlying data deleted within 14 days.
For 13- to 17-year-old users:
- Discoverability is OFF by default; followers grow only through explicit follow-backs and contacts.
- DMs default to "friends only".
- Some Discover constellations involving age-restricted activities (e.g. drink-focused experiences) are filtered.
If you are a parent or guardian and believe your child has signed up despite the age gate, email privacy@codeop.io and we will remove the account.
International transfers
yolo. is hosted in the United States (Google Cloud, region us-central1). If you are outside the US, your data is transferred there. We rely on:
- The EU–US Data Privacy Framework for transfers from the EU/EEA to the US (Google Cloud is certified).
- Standard Contractual Clauses (SCCs) for transfers to countries without an adequacy decision.
- For South Africa, we operate as the Responsible Party processing data on your behalf and apply equivalent protections regardless of geography.
Changes to this policy
We update this policy when we add features that change data flows, when laws change, or when we just realise something here is unclear. For material changes that affect your rights, we will notify you in-app at least 30 days before they take effect. Continued use after the effective date constitutes acceptance.
The version history will be available at github.com/Code-Op-PTY-LTD/yolo-app.io once the repo is public; until then, mail us if you want to see prior versions.
Contact us
- General privacy questions: privacy@codeop.io
- Security & vuln disclosure: security@codeop.io
- Trust & safety reports: safety@codeop.io
- Data Protection Officer (EU): dpo@codeop.io
- Postal mail: Code Op (Pty) Ltd · Cape Town, South Africa · full registered address available on request