Privacy Policy

Yeou Saju

Last Updated: March 31, 2026

Yeou Saju is operated by Four Pillars Labs, Inc., a Delaware corporation with its registered office at 1111B S Governors Ave, Suite 91742, Dover, Delaware 19904, United States ("we," "us," or "our"). We operate the Yeou Saju mobile application (the "App"), a Saju (Four Pillars of Destiny) reading service provided for entertainment purposes only. This Privacy Policy explains how we handle your information when you use our App.

For the purposes of the EU/UK GDPR, Four Pillars Labs, Inc. is the data controller of personal data processed in connection with the App.

We are committed to protecting your privacy and complying with applicable data protection laws, including the EU General Data Protection Regulation (GDPR), UK GDPR, Singapore Personal Data Protection Act (PDPA), Malaysia Personal Data Protection Act 2010, Hong Kong Personal Data (Privacy) Ordinance (PDPO), U.S. state privacy laws (including CCPA/CPRA and COPPA), Canada's PIPEDA and Quebec's Law 25, and the Australian Privacy Act 1988.


1. Information We Collect

We collect two distinct categories of information:

1a. Account Data (Stored)

The following information is collected and stored to operate your account and deliver the service:

  • Email address — used for account authentication, delivery of reading results, payment notifications, and service communications
  • Nickname — used to personalize your experience (not your real name)

1b. Reading Input Data (Session Only — Not Stored)

The following information is collected temporarily during your session solely to generate your Saju reading. This data is processed in real time and is never written to any database or persistent storage:

  • Gender
  • Date of birth
  • Time of birth (if known)
  • Time zone / place of birth

Once your reading is generated and delivered, this data is permanently discarded.

If you purchase a paid reading, payment is processed through Stripe (for international card payments) and Toss Payments (as the payment gateway). We do not directly collect, store, or have access to your full payment details (e.g., credit card numbers).

Information We Do NOT Collect

  • Government-issued identification numbers
  • Precise geolocation data
  • Biometric data
  • Social media account credentials

2. How We Use Your Information

Email Address

Your email address is used for the following purposes only:

  • Account authentication: Sending verification codes to confirm your identity
  • Reading delivery: Sending your completed Saju reading results
  • Payment notifications: Sending transaction confirmations and receipts
  • Service communications: Sending essential notices related to your account or the service

We do not use your email address for marketing communications unless you separately and explicitly opt in.

Reading Input Data

Your birth details are processed solely in real time to generate your personalized reading. Specifically:

  • Reading generation: Birth details are processed transiently to produce your reading
  • No profiling or automated decision-making: We do not use your data for profiling, behavioral analysis, or automated decisions that produce legal or similarly significant effects

3. Data Storage and Retention

What We Store

DataStoredRetention Period
Email addressYesUntil account deletion, or 7 years if associated with a payment record
NicknameYesUntil account deletion
Payment transaction recordsYes (via payment processor)7 years (legal obligation under applicable financial regulations)
Email delivery logsYes (via AWS SES)90 days
Reading input data (birth details, time zone)NoNot retained — discarded after session

Account Deletion

Upon account deletion, your email address and nickname are permanently deleted, except where retention is required by law (e.g., payment records). You may request account deletion at any time by contacting us at help@ysaju.com.


For users in the European Economic Area (EEA), the United Kingdom, and other jurisdictions that require a legal basis for processing personal data, we rely on the following:

  • Contract performance (GDPR Art. 6(1)(b)): Processing your email address and nickname is necessary to provide the service, deliver your reading, and manage your account.
  • Consent (GDPR Art. 6(1)(a)): By entering your birth details and tapping "Next," you consent to the transient processing of your data for the purpose of generating your reading.
  • Legal obligation (GDPR Art. 6(1)(c)): Retention of payment records as required by applicable financial laws.
  • Legitimate interest (GDPR Art. 6(1)(f)): For basic service functionality such as fraud prevention and security.

Where your birth details are used in the context of philosophical or belief-based analysis, this may constitute special category data under GDPR Article 9. We obtain your explicit consent before processing such data.

You may withdraw your consent at any time by discontinuing use of the App. As reading input data is never stored, withdrawal of consent does not require any deletion of stored data relating to your reading inputs.

EU/UK Representative

As Four Pillars Labs, Inc. is established in the United States and offers services to individuals in the EU and UK, we are required under Article 27 of the GDPR and UK GDPR to designate a representative in the EU and the UK. Information regarding our designated representative will be made available upon request at help@ysaju.com.


5. International Data Transfers

Our App infrastructure operates in the following regions:

ServiceProviderRegion
App hosting & session processingGoogle Cloud Runasia-northeast1 (Tokyo, Japan)
Account data storageSupabaseap-northeast-2 (Seoul, Republic of Korea)
Email deliveryAWS SESap-northeast-2 (Seoul, Republic of Korea)

Your data is processed in Japan and/or the Republic of Korea depending on the operation. Although we are a U.S. (Delaware) corporation, the personal data we directly store (account data) is not held on servers located in the United States. Payment transaction data may be processed by our payment processors in accordance with their respective infrastructure — in particular, Stripe processes card payment data primarily in the United States (see Section 6). If you access the App from outside Japan or Korea, your data will be transferred internationally.

  • EEA / EU users: Four Pillars Labs, Inc. is established in the United States, which is not subject to a general adequacy decision. However, the personal data we collect is stored and processed exclusively in Japan and the Republic of Korea (which has received an EU adequacy decision in December 2021). For data processed in Japan via Google Cloud Run, and for payment transaction data processed by Stripe in the United States, we rely on Standard Contractual Clauses or equivalent safeguards under Article 46 GDPR. To the extent any personal data is accessed by personnel located in the United States for support or administrative purposes, we likewise rely on Standard Contractual Clauses.
  • UK users (UK GDPR): The UK has adopted an adequacy decision for the Republic of Korea (SI 2022/1213), permitting lawful transfers of data stored in Korea (Supabase, AWS SES). For data processed via Google Cloud Run in Japan, for payment transaction data processed by Stripe in the United States, and any access from the United States, we rely on the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses.
  • Australian users (APP 8): We take reasonable steps to ensure that data processed in Korea and Japan meets standards comparable to the Australian Privacy Principles. Payment transaction data processed by Stripe in the United States is subject to Stripe's own privacy framework; we take reasonable steps to ensure equivalent protection under APP 8.
  • Canadian users (PIPEDA / Law 25): Data is transferred to and processed in Korea and Japan. Payment transaction data processed by Stripe in the United States is governed by Stripe's privacy framework and applicable cross-border safeguards. Quebec residents are hereby notified that their data may be transferred outside Quebec, and equivalent protection measures are in place.
  • Singapore / Hong Kong users: We ensure cross-border transfers comply with the PDPA and PDPO respectively, including applicable contractual protections. Payment transaction data processed by Stripe may be transferred to and processed in the United States in accordance with applicable cross-border transfer requirements.

Since reading input data is never stored, cross-border data transfer of such data occurs only transiently during session processing.


6. Data Sharing and Third Parties

We do not sell, rent, or share your personal information with third parties for their own purposes.

We share limited data with the following service providers, solely to operate the App:

Service ProviderPurposeData SharedRegion
Google Cloud RunApp hosting & session processingTransient session data (not stored)asia-northeast1 (Tokyo, Japan)
SupabaseAccount data storageEmail address, nicknameap-northeast-2 (Seoul, Korea)
AWS SESEmail deliveryEmail address, email contentap-northeast-2 (Seoul, Korea)
StripeInternational card payment processingPayment transaction data onlyPer Stripe's infrastructure (primarily United States)
Toss PaymentsPayment processing (international gateway)Payment transaction data onlyRepublic of Korea

All service providers are bound by data processing agreements that restrict them from using your data for any purpose other than providing services to us.

Sub-Processor Privacy Policies


7. Children's Privacy

We take children's privacy seriously. Our App is not intended for children under the minimum age specified by applicable law:

JurisdictionMinimum AgeRequirement
United States (COPPA)13Verifiable parental consent required under 13
European Union / Germany16Parental consent required under 16
United Kingdom13Parental consent required under 13
Canada (general)13Parental consent required under 13
Canada (Quebec)14Parental consent required under 14
Malaysia18Parental consent required under 18
Singapore13Parental consent required under 13
Australia15Consent capacity assessed individually under 15
Hong Kong18Age-appropriate approach required under 18

If we become aware that we have processed data from a child below the applicable minimum age without proper parental consent, we will take prompt steps to address the situation. Since we do not store reading input data, no deletion of stored data would be required in relation to reading inputs.


8. Your Rights

Depending on your jurisdiction, you may have some or all of the following rights regarding your personal data:

  • Right of access: Request confirmation of whether we process your personal data and, if so, obtain a copy.
  • Right to rectification: Request correction of inaccurate data.
  • Right to erasure ("right to be forgotten"): Request deletion of your account data. Reading input data is never stored and therefore cannot be subject to a deletion request.
  • Right to restrict processing: Request that we limit the processing of your data.
  • Right to data portability: Receive your data in a structured, commonly used format.
  • Right to object: Object to data processing based on legitimate interests.
  • Right to withdraw consent: Withdraw consent at any time without affecting the lawfulness of processing performed prior to withdrawal.
  • Right to non-discrimination: (California, USA) We will not discriminate against you for exercising your privacy rights.

How to Exercise Your Rights

To exercise any of these rights, please contact us at help@ysaju.com. We will respond within the timeframe required by applicable law (generally 30 days, or 45 days for CCPA requests).

Right to Lodge a Complaint

If you believe your data protection rights have been violated, you have the right to lodge a complaint with your local data protection authority:

  • EU/EEA: Your national data protection authority (list available at edpb.europa.eu)
  • UK: Information Commissioner's Office (ICO) — ico.org.uk
  • Singapore: Personal Data Protection Commission (PDPC)
  • Malaysia: Department of Personal Data Protection (JPDP)
  • Canada: Office of the Privacy Commissioner (OPC), or Commission d'accès à l'information du Québec (CAI) for Quebec residents
  • Australia: Office of the Australian Information Commissioner (OAIC)
  • Hong Kong: Office of the Privacy Commissioner for Personal Data (PCPD)

9. Cookies and Tracking Technologies

Our App does not use cookies for tracking or advertising purposes. If we use cookies or similar technologies in the future, we will update this policy and obtain your consent where required by law.


10. Data Security

We implement appropriate technical and organizational measures to protect your data, including:

  • Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS/SSL.
  • Encryption at rest: Account data stored in Supabase is encrypted at rest using AES-256.
  • Access controls: Row-level security (RLS) is enforced on our database so that users can only access their own data.
  • Minimal retention: Reading input data is never written to storage, significantly reducing the risk of data breach involving sensitive information.

In the event of a data breach affecting any stored account data, we will notify the relevant data protection authorities and affected individuals within the timeframes required by applicable law (e.g., 72 hours under GDPR; 72 hours to the Commissioner and 7 days to affected individuals under Malaysia's PDPA 2010 as amended).


11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws. We will notify you of material changes by posting the updated policy in the App and updating the "Last Updated" date at the top. For significant changes, we will provide prominent notice (e.g., in-app notification) and, where required by law, obtain your renewed consent.


12. Contact Us

If you have questions about this Privacy Policy, wish to exercise your data protection rights, or have concerns about how we handle your information, please contact us:

Four Pillars Labs, Inc. Email: help@ysaju.com Phone: +1 (839) 274-3653 Address: 1111B S Governors Ave, Suite 91742, Dover, Delaware 19904, United States


13. Entertainment Disclaimer

Yeou Saju provides Saju (Four Pillars of Destiny) readings based on traditional East Asian philosophical interpretation. All content is provided for entertainment purposes only and does not constitute financial, medical, legal, psychological, or any other form of professional advice.

We make no claims regarding the scientific validity, accuracy, or predictive power of our readings. Please consult qualified professionals before making important life decisions.


14. Jurisdiction-Specific Provisions

For California Residents (CCPA/CPRA)

  • Categories of personal information collected: Identifiers (nickname, email address); characteristics of protected classifications (gender — session only, not stored); commercial information (payment transaction records via Stripe / Toss Payments). We do not sell or share your personal information as defined under the CCPA.
  • Right to know, delete, correct, and opt out of sale: See Section 8. We do not sell personal information. Deletion rights apply to stored account data (email address, nickname).

For Quebec Residents (Law 25)

  • We provide this Privacy Policy in English and French (where applicable).
  • Your data may be transferred to servers outside Quebec (Google Cloud Run, Supabase — Montreal region where possible). We take reasonable steps to ensure equivalent protection applies.
  • You may request a privacy impact assessment summary for any cross-border transfer of your data.

For German Users (BDSG / GDPR)

  • Where your birth data is processed in connection with a philosophical belief-based analysis, we treat this as special category data (GDPR Art. 9) and obtain your explicit consent prior to processing.

For Malaysian Users (PDPA 2010)

  • We provide data collection notices in both English and Bahasa Malay.
  • We have appointed a Data Protection Officer as required under the 2024 amendments (effective June 1, 2025).

For Australian Users (Privacy Act 1988)

  • We comply with the Australian Privacy Principles (APPs). Under APP 8, we take reasonable steps to ensure any overseas processing of your data (Google Cloud Run — Tokyo, Japan; Supabase / AWS SES — Seoul, Republic of Korea) meets APP standards.
  • You may request access to or correction of your stored account data at any time by contacting help@ysaju.com.

For Singapore Users (PDPA)

  • You may withdraw consent for data processing at any time by contacting us. We will process your withdrawal within a reasonable timeframe and inform you of any consequences.
  • Account data is stored in the Seoul region (Supabase — ap-northeast-2, AWS SES — ap-northeast-2). App session processing occurs via Google Cloud Run (asia-northeast1, Tokyo).

For Hong Kong Users (PDPO)

  • You have the right to request access to and correction of your personal data held by us.
  • We will not use your personal data for direct marketing without your explicit consent.

This Privacy Policy is provided in English. Where translations are provided for convenience, the English version shall prevail in case of any inconsistency.