Yaalu Privacy Policy
Last updated: 29 January 2026
Effective date: 29 January 2026
1. Overview
This Privacy Policy explains how Yaalu ("we", "us", or "our") collects, uses, stores, discloses, and protects personal information through our mobile application ("app") and websites at yaalu.app, yaalu.au, and yaalu.com.au (together, the "services").
Yaalu is a community directory app that connects the Sri Lankan expatriate community in Australia with local Sri Lankan-owned businesses, services, community events, and marketplace listings.
We are committed to complying with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). We take your privacy seriously and have designed our services to collect only the information necessary to provide a useful community experience.
By using our services, you agree to the collection and use of your personal information as described in this policy. If you do not agree, please do not use our services.
2. Information We Collect
We collect different types of information depending on how you use our services.
2.1 Account and profile information
When you create an account, we collect:
- Email address — required for account creation and communication.
- Display name — the name shown to other users.
- Profile photo — either uploaded by you or provided by your sign-in provider (Google or Apple).
- City — your city of residence (e.g., Melbourne, Sydney), used to show you relevant local content.
- WhatsApp number (optional) — if you choose to provide it, used to enable direct contact for marketplace listings.
- Language preference — your choice of English, Sinhala, or Tamil for the app interface.
- Notification preferences — your choices about receiving push notifications, email notifications, in-app notifications, platform offers, and message reply alerts.
2.2 Authentication information
We use Firebase Authentication (provided by Google) to manage sign-in. You can create an account using:
- Email and password
- Google Sign-In
- Apple Sign-In
- Email link (passwordless sign-in)
When you sign in through Google or Apple, we receive your email address, display name, and profile photo URL from those providers. We store a unique authentication identifier (Firebase UID) to link your account. We do not store your passwords — these are managed entirely by Firebase Authentication.
2.3 Content you create
When you use our services, you may create content that includes personal information:
- Business listings — business name, description, category, address, phone number, email, website, social media links (Facebook, Instagram, TikTok, YouTube), photos, and opening hours. Listings may also include Google Places data such as ratings and reviews.
- Community events — event title, description, dates, venue name and address, organiser name, contact details, ticket information, and event images.
- Marketplace listings — listing title, description, pricing, photos, item condition, delivery options, location (suburb, state), and seller information.
- Messages — text messages, images, and offers exchanged with other users through our in-app messaging feature.
2.4 Location information
We collect location information to show you nearby businesses, events, and listings:
- GPS location — with your permission, we access your device's GPS to determine your current location. We use a short timeout for GPS requests and cache your location for up to 5 minutes to reduce repeated lookups.
- Last known position — we may use your device's last known GPS position (if recent) for faster results.
- Profile city — the city you set in your profile is used as a fallback location.
- Default fallback — if no other location is available, we default to Melbourne, Australia.
Your location is used only for search relevance and distance calculations. We do not continuously track your location in the background.
2.5 Device and technical information
To deliver push notifications and maintain app functionality, we collect:
- Device token — a Firebase Cloud Messaging (FCM) token used to send push notifications to your device.
- Device platform — whether you are using iOS, Android, or the web version.
- Device identifier — a device ID used to manage notification delivery.
- App version — the version of the Yaalu app you are using.
- Device permissions — to upload photos for listings or profile pictures, we request access to your device's camera or photo library. You can revoke this permission at any time in your device settings. We only access the specific images you choose to upload.
2.6 Rewards and wallet information
If you participate in our rewards programme, we track:
- Points balance — your current reward points.
- Golden tickets — special reward tokens.
- Lifetime points — your total points earned over time.
- Wallet transactions — a ledger of points credited or debited, including descriptions and related activities.
- Scan limits — daily scan usage for QR code features.
This is an internal points system only. No real money, credit card numbers, bank accounts, or financial payment data is collected or processed.
2.7 Usage information
We record timestamps for:
- Account creation and last update.
- Last login.
- Message send times and read receipts.
- Notification delivery and read status.
- Content creation and modification dates.
2.8 Information we do NOT collect
Yaalu does not collect:
- Payment card or bank account information (our rewards system uses points only, not real currency).
- Biometric data (fingerprints, face scans, etc.).
- Health or medical information.
- Government-issued identification numbers.
- Information through third-party analytics SDKs (we do not use Google Analytics, Mixpanel, Amplitude, or similar services).
- Information through advertising trackers (we do not use Facebook Pixel or similar tracking technologies).
- SMS or phone call logs.
3. How We Use Your Information
We use your personal information for the following purposes:
3.1 Providing and improving our services
- Creating and managing your user account.
- Displaying business listings, community events, and marketplace listings relevant to your location and preferences.
- Enabling in-app messaging between users for marketplace and business enquiries.
- Delivering push notifications, email notifications, and in-app notifications based on your preferences.
- Operating the rewards and wallet system.
- Displaying content in your preferred language (English, Sinhala, or Tamil).
3.2 Personalisation and relevance
- Using your location to show nearby businesses, events, and listings.
- Sorting search results by distance from your current or profile location.
- Presenting content relevant to your city.
3.3 Safety and security
- Verifying user accounts.
- Enforcing our terms of use, including the ability to block conversations and flag inappropriate content.
- Restricting admin portal access to authorised personnel.
- Detecting and preventing misuse of our services.
3.4 Communication
- Sending service-related notifications (e.g., message replies, platform offers, account updates).
- Responding to your enquiries or support requests.
4. How We Share Your Information
We do not sell, rent, or trade your personal information to third parties. We share information only in the following limited circumstances:
4.1 With other users
When you use Yaalu, certain information is visible to other users:
- Your display name and profile photo are visible in marketplace listings, messages, and community interactions.
- Business listing details (name, address, contact information, photos, social links) are publicly visible within the app.
- Community event details (title, venue, organiser information) are publicly visible.
- Marketplace listing details (title, description, pricing, location suburb, seller information) are publicly visible.
- If you enable WhatsApp contact on your profile, your WhatsApp number will be visible to users viewing your marketplace listings.
Please be aware that any information you include in a public listing (business, event, or marketplace) can be read, collected, and used by others. We encourage you to exercise caution when deciding what personal information to disclose publicly. We are not responsible for the actions of other users or third parties who access publicly available information.
4.2 With service providers
We use the following third-party service providers to operate our services. These providers process data on our behalf and are bound by their own privacy policies:
| Provider | Service | Data Shared |
|---|---|---|
| Google | User authentication & notifications | Email, profile data, device tokens |
| Google | Maps & location services | Location coordinates, address data |
| Microsoft | Cloud database & infrastructure | Application data, user profiles |
| Cloudflare | Content delivery & media storage | Uploaded photos and images |
4.3 For legal reasons
We may disclose your information if required to do so by law, regulation, legal process, or enforceable government request, or if we believe in good faith that disclosure is necessary to:
- Comply with applicable law or a court order.
- Protect the rights, property, or safety of Yaalu, our users, or the public.
- Detect, prevent, or address fraud, security, or technical issues.
4.4 Business transfers
If Yaalu is involved in a merger, acquisition, or sale of assets, your personal information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your information.
5. Data Storage and Security
5.1 Where your data is stored
- Primary database: Microsoft Azure Cloud Services, hosted in Australia.
- Photos and images: Cloudflare (global content delivery network).
- Authentication data: Google Cloud Platform (global infrastructure).
5.2 How we protect your data
We implement appropriate technical and organisational measures to protect your personal information, including:
- All data in transit is encrypted using HTTPS/TLS.
- Authentication is managed by Firebase Auth, which handles password hashing and secure token management.
- Internal user identifiers are never exposed to external clients; we use separate public-facing identifiers.
- Admin portal access is restricted to authorised personnel.
- Database access uses secure connection strings and role-based access controls.
While we take reasonable steps to protect your information, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.
5.3 Data retention
We retain your personal information for as long as your account is active or as needed to provide our services:
- Account data: Retained for the life of your account. When you request deletion, your account is deactivated and your data will be permanently removed within 30 days of receiving a verified request, subject to any legal obligations we may have to retain certain records.
- Messages: Retained for the life of the conversation to maintain conversation history and context.
- Wallet transactions: Retained as an auditable ledger of your rewards activity.
- Business listings, events, and marketplace listings: Retained for the life of the listing. Removed listings are deactivated and permanently deleted within 30 days.
- Device tokens: Retained while valid and automatically invalidated when they fail to deliver notifications.
6. Your Rights
Under the Australian Privacy Principles, you have the following rights regarding your personal information:
6.1 Access
You have the right to request access to the personal information we hold about you. You can view and update most of your information directly within the app (profile, preferences, listings). For a complete copy of your data, contact us using the details in Section 11.
6.2 Correction
You have the right to request correction of any personal information we hold that is inaccurate, incomplete, out of date, or misleading. You can update your profile information, business listings, events, and marketplace listings directly within the app at any time.
6.3 Deletion
You may request deletion of your account and associated personal information. Upon receiving a verified deletion request:
- Your account will be deactivated.
- Your public profile information will no longer be visible to other users.
- We will process permanent deletion of your data within 30 days of receiving a verified request, subject to any legal obligations we may have to retain certain records.
Note that some information may persist in our backups for a limited period and that anonymised or aggregated data that can no longer identify you may be retained.
6.4 Notification preferences
You can control what notifications you receive at any time through your app settings, including toggling:
- Push notifications
- Email notifications
- In-app notifications
- Platform offers
- Message reply notifications
You can also disable all notifications using the master toggle.
6.5 Location permissions
You can control location access through your device's operating system settings at any time. If you deny location permission, the app will fall back to your profile city or a default location. Core app features will continue to work, but search results may be less relevant to your actual location.
6.6 Complaints
If you believe we have breached the Australian Privacy Principles, you may lodge a complaint with us using the contact details in Section 11. We will respond to your complaint within 30 days. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.
7. Cookies and Tracking Technologies
7.1 Mobile app
The Yaalu mobile app does not use cookies. We do not use any third-party analytics SDKs, advertising trackers, or behavioural tracking tools.
7.2 Websites
Our websites (yaalu.app, yaalu.au, yaalu.com.au) may use essential cookies strictly necessary for website functionality, such as maintaining session state. We do not use advertising cookies, tracking pixels, or third-party analytics on our websites.
7.3 Firebase Cloud Messaging
Firebase Cloud Messaging uses device tokens (not cookies) to deliver push notifications. These tokens are device-specific identifiers and do not track your browsing activity.
8. Children's Privacy
Yaalu is not directed at children under the age of 16. We do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe your child has provided us with personal information, please contact us using the details in Section 11, and we will take steps to delete that information promptly.
9. Overseas Disclosure of Personal Information
In accordance with Australian Privacy Principle 8 (Cross-border disclosure of personal information), we inform you that your personal information may be disclosed to overseas recipients through our use of third-party service providers:
- Google (Firebase Authentication, Firebase Cloud Messaging, Geocoding API, Places API) — headquartered in the United States, with global data centre infrastructure.
- Cloudflare (R2 image storage) — headquartered in the United States, with a global network of data centres.
- Microsoft (Azure CosmosDB, Azure Blob Storage) — our primary database is hosted in an Australian Azure region, but Microsoft is headquartered in the United States.
These providers are subject to their respective privacy policies and data protection obligations. We take reasonable steps to ensure that overseas recipients handle your personal information in accordance with the Australian Privacy Principles.
10. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes to our services, legal requirements, or operational practices. When we make material changes, we will:
- Update the "Last updated" date at the top of this policy.
- Notify you through the app (via in-app notification or push notification) if the changes are significant.
- Post the updated policy on our websites.
We encourage you to review this policy periodically. Your continued use of our services after changes are posted constitutes your acceptance of the updated policy.
11. Contact Us
If you have any questions, concerns, or complaints about this Privacy Policy or our handling of your personal information, please contact us at:
Yaalu
- Email: privacy@yaalu.app
You may also contact the Office of the Australian Information Commissioner (OAIC) if you have concerns about how we handle your personal information:
Office of the Australian Information Commissioner
- Website: www.oaic.gov.au
- Phone: 1300 363 992
- Post: GPO Box 5218, Sydney NSW 2001
12. Definitions
- Personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable, as defined in the Privacy Act 1988 (Cth).
- Australian Privacy Principles (APPs) means the principles set out in Schedule 1 of the Privacy Act 1988 (Cth).
- Services means the Yaalu mobile application and websites at yaalu.app, yaalu.au, and yaalu.com.au.
This policy applies to all users of Yaalu's services in Australia. For questions about this policy, please contact privacy@yaalu.app.