Privacy Policy
Last updated: 1 May 2026
YUGI Group Limited ("YUGI", "we", "us", "our") provides the YUGI app — a discovery and booking platform that helps parents find baby and toddler activities and visit family-friendly venues with confidence. This policy explains what personal data we collect when you use YUGI, how we use it, who we share it with, and the rights you have under UK data protection law.
We've tried to write this in plain English. If anything is unclear, please email us at eva@yugiapp.ai — we'd rather explain than have you wonder.
1. Who we are
The data controller for the personal data we process is:
YUGI Group Limited
Company number: 16318935
Registered office: 167 Sandbanks Road, Poole BH14 8EJ, United Kingdom
Email: eva@yugiapp.ai
We are registered with the UK Information Commissioner's Office (ICO). [Our ICO registration number will be added here once registration is confirmed.]
2. The data we collect
Information you give us directly
- Account information when you sign up: your name, email address, and a password. (We don't store your password — we use Firebase Authentication, which stores a hashed version we can't read.)
- Profile information if you choose to add it: profile photo, the number of children you have and their approximate ages (this lets us show you age-appropriate classes), your home postcode or area.
- Booking information: which classes you book, when, and any notes you add to a booking (e.g. allergies, accessibility needs).
- Payment information: when you book a paid class, we use Stripe to process your payment. We never see or store your full card number — Stripe handles that. We store a reference (Stripe customer ID) so we can link your bookings to your payments.
- Communications: anything you send us via the in-app contact form, email, or feedback prompts.
Information we collect automatically when you use the app
- Device location: if you grant location permission, we use your device's location to show classes and venues near you. You can revoke this at any time in your phone's settings — the app will still work, you'll just need to type a location manually.
- Behavioural events: which venues you check, which classes you view or book, and when. We use this to improve the app and to build aggregated insights about what parents need (this is the "parent mobility intelligence" we're building YUGI around). You can opt out of this in the app's privacy settings.
- Technical information: device type, operating system version, app version, IP address (used briefly for security and diagnostic purposes), crash reports.
Information we receive from third parties
- Firebase Auth (Google): sign-in metadata and authentication tokens.
- Stripe: payment confirmations, refund status, and (for providers) Stripe Connect onboarding status.
Information about children
We collect the number of children you have and their approximate ages (e.g. "0-1", "2-3"). We don't collect children's names, photos, or other identifying information about them. The ages are used solely to filter age-appropriate classes for you. We do not directly process data from children under 13.
3. Data about activity providers
If you sign up as a class provider, we additionally collect: business name, business address, contact phone number, descriptions and photos of your classes, your Stripe Connect account ID and bank/payout details (held by Stripe, not by us), and — when this feature ships — verification documents such as DBS certificates, qualifications, and insurance evidence.
We use this information to operate the platform, verify your eligibility to provide classes to families, and pay out the proceeds of bookings. Verification documents are stored encrypted at rest and accessed only by authorised YUGI staff for verification purposes.
4. Why we use your data, and the legal basis
Under UK GDPR, every use of personal data must have a lawful basis. Here's how we map our uses:
| What we do | Lawful basis |
|---|---|
| Create and manage your account; deliver bookings; provide customer support | Contract performance — we need this data to provide the service you signed up for |
| Process payments and pay out provider earnings | Contract performance + legal obligation (tax/accounting) |
| Show you classes and venues near you (when location permission granted) | Consent — you can withdraw this in your phone settings |
| Track in-app events to improve the app | Consent — you can opt out in the app's privacy settings |
| Send you transactional emails (booking confirmations, support replies) | Contract performance |
| Send you optional marketing emails (only if you've opted in) | Consent — you can unsubscribe at any time |
| Detect fraud, abuse, and security threats | Legitimate interests — keeping the platform safe for parents and providers |
| Comply with legal requests, court orders, or regulatory obligations | Legal obligation |
| Verify provider identity (DBS, qualifications, insurance) | Legitimate interests — child safety and platform trust |
5. Who we share your data with
We never sell your personal data. We share it only with the service providers we need to run YUGI, and only the minimum needed for them to do their job.
Service providers that handle your personal data
These providers process your personal data on our behalf, under contract, with appropriate safeguards in place:
- Firebase Authentication (Google LLC) — sign-in and account security
- MongoDB Atlas (MongoDB Inc.) — our primary database
- Railway (Railway Corp.) — application hosting
- Stripe (Stripe Payments UK Ltd.) — payment processing and provider payouts
- Resend (Resend Inc.) — transactional email delivery (booking confirmations, support replies)
- Apple Push Notification Service — for sending push notifications
Service providers that do not receive your personal data
To enrich venues with accessibility information, look up addresses and opening hours, generate AI-assisted class listings, and show weather forecasts on venue cards, we use third-party APIs (including AI services, mapping services, and weather services). We send only venue names, addresses, and coordinates to these services — never your name, email, location, booking history, or any other personal data.
Legal disclosures
We may also disclose your data when legally required (e.g. responding to a court order or regulatory request), or where necessary to investigate fraud, protect our rights, or protect the safety of users.
6. International transfers
Some of our service providers (notably Stripe, Anthropic, and Google) are based in the United States or process data globally. Where data is transferred outside the UK, we rely on the appropriate safeguards — typically the UK International Data Transfer Agreement, the EU Standard Contractual Clauses, or adequacy decisions made by the UK government.
7. How long we keep your data
- Account data: while your account is active, plus 30 days after you delete it (to allow account recovery), then deleted.
- Booking records and payment data: 7 years after the booking, to comply with UK tax and accounting obligations.
- Behavioural event data: 24 months in identifiable form, then either deleted or fully aggregated (so it can no longer be linked to you).
- Provider verification documents: while you're an active provider on the platform, plus 7 years after you leave (to defend against safeguarding complaints).
- Support correspondence: 3 years.
- Marketing consent records: until you unsubscribe, plus a record of the unsubscribe for 3 years.
If you delete your account, we will delete or anonymise everything except what we're legally required to keep.
8. Your rights
Under UK GDPR, you have the right to:
- Access the personal data we hold about you
- Rectify any inaccurate or incomplete data
- Erase your data (subject to legal retention rules above)
- Restrict or object to certain uses
- Portability — receive your data in a machine-readable format
- Withdraw consent at any time, where consent is the lawful basis
- Complain to the UK Information Commissioner's Office (ICO) at ico.org.uk if you believe we've handled your data improperly
To exercise any of these rights, email eva@yugiapp.ai with the subject line "Data request". We'll respond within one month.
9. Security
We protect your data with industry-standard measures: encrypted connections (HTTPS/TLS), encrypted storage at rest, hashed passwords (handled by Firebase), restricted access controls, rate limiting, and regular security review. Payment card data is never stored on our servers — Stripe handles that.
No system is perfectly secure, but we take this seriously. If we ever discover a personal data breach that affects you, we'll notify you and the ICO as required by law.
10. Children
YUGI is intended for use by adults (parents, guardians, and class providers). It is not directed at children. We do not knowingly collect personal data from anyone under the age of 13. If you believe a child has given us personal data without a parent's permission, please contact eva@yugiapp.ai and we will delete it.
11. Changes to this policy
If we make significant changes to this policy, we'll notify you in the app or by email before the changes take effect. Smaller clarifications will be posted here with an updated "Last updated" date at the top.
12. Contact us
For privacy questions, data requests, or anything else covered by this policy:
Email: eva@yugiapp.ai
Post: YUGI Group Limited, 167 Sandbanks Road, Poole BH14 8EJ, United Kingdom
If you're not satisfied with our response, you have the right to complain to the UK Information Commissioner's Office: ico.org.uk.