SOAR

Privacy Policy

Last updated: May 17, 2026

YugaStyle (the "Operator") regards the protection of users' personal information and privacy as a serious responsibility in connection with "SOAR", a business-management service for freelancers (the "Service", including the web version and the iOS app). This Privacy Policy (this "Policy") clearly explains the types of information the Operator collects, the purposes of use, how it is managed, and the rights of users. By using the Service, the user is deemed to have agreed to this Policy. This English version is provided for reference; in the event of any discrepancy, the Japanese version shall prevail.

1. Scope

This Policy applies to the Service's website (soar.o3shy.com), the iOS app, and all related features and pages. External services that the Service integrates with (Supabase, Apple Inc., Vercel, Google LLC, etc.) are governed by their respective privacy policies.

This Policy complies with Japan's Act on the Protection of Personal Information and related guidelines.

2. Types of Information Collected

The Operator collects and stores the following information.

(1) Account Information

  • Email address (used for account registration and login authentication)
  • Nickname (optional; only if set by the user)
  • Age range (optional; broad bands such as "20s", "30s")
  • Work category (optional; e.g., creative, engineer)

(2) Business Data

🔐 About Encryption of Business Data

iOS app (Free plan): If you use the Free plan, business data such as projects, invoices, expenses, and rate tables is stored solely on your device (local database). It is not transmitted to the Operator's servers (local-first architecture).

iOS app (Premium plan) / Web version: Sensitive business data such as client names, transaction amounts, project names, invoice amounts, expenses, and notes is encrypted on the device using AES-256-GCM before being transmitted to the server. The encryption key is derived on the device from the user's password (Argon2id key derivation) and is never transmitted to or stored on the server, database, or by the Operator. As a result, no third party, including the Operator, can technically decrypt the business data (end-to-end encryption).

* If you lose your password, the encrypted business data cannot be decrypted. Please store your password securely, for example using a password manager.

The following business information entered by the user into the Service is stored.

  • Project name, client name, transaction amount, status, deadline, expected payment date
  • Invoice details (issue date, expected payment date, amount, notes, etc.)
  • Revenue calendar records (date, amount, notes, etc.)
  • Fixed and variable expense records (category, amount, month, etc.)
  • Rate table details (work type, unit price, unit, etc.)

(3) Payment Information

Payment for the Premium plan is processed solely through Apple In-App Purchase (IAP) within the iOS app. The Web version is exclusively for Premium subscribers; there is no standalone billing or payment on the Web version.

Apple Inc. (App Store In-App Purchase / IAP)

  • Premium plan billing within the iOS app is processed through Apple's In-App Purchase (IAP) system. Credit card information, Apple ID, etc. are never transmitted to or stored on the Operator's servers.
  • The Operator only stores the transaction ID, subscription identifier, and purchase status issued by Apple.
  • For receipt validation and purchase-status verification, purchase receipts are queried against Apple's servers.

(4) Access Information

  • IP address (automatically recorded as part of Supabase authentication logs)
  • Browser type, OS version, app version, device model (reference information for service improvement)
  • Service usage date/time and operation logs

(5) Advertising Identifiers (iOS app, Free plan only)

  • iOS IDFA (Identifier for Advertisers). Used for ad delivery and ad-performance measurement.
  • On iOS, it is obtained and used only when the user grants permission via App Tracking Transparency (ATT). If not permitted, only non-personalized ad delivery is performed.
  • The Operator does not store these identifiers itself; they are passed to Google LLC (AdMob) for ad delivery.
  • Premium subscribers are not shown ads, and advertising identifiers are not used for them.

3. Purposes of Use

Collected information is used only for the following purposes. It will not be used for any other purpose.

  • Providing and operating the Service, improving features, and developing new features
  • User authentication and account management
  • Payment processing and subscription management for paid plans (Apple IAP)
  • Responding to user inquiries and support requests
  • Sending important notices about the Service (outages, changes, etc.)
  • Detecting and preventing unauthorized access and misuse
  • Sending reminder notifications for deadlines and expected payment dates (iOS app)
  • Aggregating and analyzing usage (statistical use in a non-identifiable form)

4. Provision to Third Parties

The Operator will not provide, disclose, or sell users' personal information to third parties, except in the following cases.

  • When prior consent has been obtained from the user
  • When disclosure is required by law, by a court, the police, or an administrative agency
  • When urgently necessary to protect a person's life, body, or property

Subcontractors / External Services Used

The Service entrusts data processing to the following external services. Data is processed in accordance with each company's privacy policy.

Supabase, Inc.: Database & user authentication (Web version, iOS app (Premium plan))

Handles storage of user data and authentication processing. Based in San Francisco, USA. SOC 2 Type II and GDPR compliant.

Apple Inc.: In-app purchase & distribution (iOS app only)

Handles app distribution via the App Store and subscription billing via In-App Purchase (IAP). Receipt validation is also performed via Apple Inc.

Vercel, Inc.: Website hosting (Web version only)

Handles delivery of the SOAR website. Based in Delaware, USA.

Google LLC (AdMob): Mobile ad delivery (iOS app (Free plan only))

Handles in-app ad delivery and performance measurement. Processes the advertising identifier (IDFA). Based in California, USA.

5. Security Measures

The Operator implements the following technical and organizational safety measures to protect users' personal information from unauthorized access, leakage, loss, and tampering.

Technical Safety Measures

  • Encryption in transit: The Service uses TLS (HTTPS) for all communications to prevent eavesdropping and tampering.
  • Row Level Security (RLS): The database is configured with Row Level Security so that each user can access only their own data. Accessing other users' data is technically impossible.
  • Protection of credentials: Passwords are hashed and stored within Supabase's system; no one, including the Operator, can view plaintext passwords.
  • Access-key management: Administrative database access keys are managed securely as environment variables and are not included in any source code (e.g., GitHub repository).
  • Multi-factor authentication: The Operator's Supabase account uses multi-factor authentication (MFA) to prevent unauthorized login.
  • Encryption at rest: Supabase's database and storage are stored encrypted with AES-256.
  • Local-first (iOS app, Free plan): If you use the Free plan, business data is stored solely in the device's local database and is not transmitted to the server. This structurally eliminates the risk of server-side information leakage by third parties.
  • End-to-end encryption of business data (Web version / iOS Premium plan): Business data such as project names, client names, transaction amounts, invoice information, and expenses is encrypted on the device using AES-256-GCM before being transmitted to the server. The encryption key is derived on the device from the user's password (Argon2id) and is never transmitted to or stored on the server, database, or by the Operator. As a result, even with direct access to the server or database, no third party, including the Operator, can technically decrypt the contents of the business data. This is true end-to-end encryption, and even the Operator cannot view the user's business data.
  • Session-token protection (iOS app): Session tokens are stored encrypted in the device's secure storage using the iOS Keychain. Uninstalling the app completely removes the token from the device.

Organizational Safety Measures

  • The Operator does not view or use users' business data (projects, invoices, revenue, expenses, etc.) other than for technical support and maintenance purposes.
  • Database access is recorded and retained as logs, which are used to deter and detect access for unintended purposes.
  • No administrative access rights are granted to third parties.

* No safety measure can guarantee complete security over the internet. In the unlikely event of a security incident, we will promptly notify users and work to minimize damage.

6. Data Retention Period

User data is retained for the following periods.

  • All data is retained while the account is active.
  • For the iOS app Free plan (local storage), business data is deleted from the device immediately when the user uninstalls the app or resets the data within the app.
  • Upon request for account deletion, all personal data will be deleted within a reasonable period (in principle, within 30 days).
  • Information subject to a statutory retention obligation may be retained for the period prescribed by the applicable law.
  • Apple IAP purchase history follows Apple's data-retention policy.

7. Cookies and Session Management

Web version: Cookies are used for session management of user authentication. These are necessary for the basic functionality of the Service and are not used for advertising purposes or third-party tracking. You can disable cookies in your browser settings, but doing so may prevent login to the Service from working correctly.

iOS app: Cookies are not used. Instead, the user-authentication session token is stored encrypted in the device's secure storage using the iOS Keychain. Uninstalling the app completely removes the token from the device.

8. App Permissions and Tracking Authorization (iOS app only)

The iOS app may request the following permissions/authorizations. Each can be freely granted or denied by the user and changed at any time later in the iOS Settings screen.

Notifications

Used to display reminders as local notifications, for example on the day before deadlines and expected payment dates. The basic features of the app remain available even if not permitted.

App Tracking Transparency (ATT)

For ad optimization, tracking authorization may be requested based on Apple's App Tracking Transparency (ATT) framework. Only if permitted is the IDFA (advertising identifier) used for ad delivery. If denied, non-personalized ad delivery is performed. Premium subscribers are not shown ads.

This app does not access sensitive permissions such as camera, microphone, location, contacts, or photo library.

9. Advertising (iOS app, Free plan only)

In the iOS app Free plan, ads are displayed using "Google AdMob", an ad-delivery platform provided by Google LLC, to support service operation. Premium subscribers are not shown ads.

  • The advertising identifier (IDFA) may be used for displaying, delivering, and measuring the effectiveness of ads.
  • In accordance with App Tracking Transparency (ATT), the advertising identifier is used only if the user grants permission.
  • SKAdNetwork (Apple's privacy-friendly ad-measurement framework) is used in combination.
  • The Operator does not collect or store advertising identifiers. The identifiers are processed by Google LLC.

For details on how Google AdMob handles data, please see the Google Privacy Policy (https://policies.google.com/privacy).

10. Use by Minors

The Service is not intended for use by persons under 13 years of age. The Operator does not intentionally collect personal information of persons under 13, and if it becomes apparent that such information has been collected, it will be deleted promptly.

11. International Data Transfers

Supabase, Apple Inc., Vercel, and Google LLC (AdMob), which the Service uses, are companies based in the United States, and user data may be processed and stored on servers outside Japan (mainly the United States). Each company operates under an appropriate data-protection framework, and the Operator has confirmed that these subcontractors implement appropriate safety measures.

12. User Rights

Users have the following rights regarding their personal information.

  • Disclosure request: The right to confirm the content of their personal information held by the Operator
  • Correction/addition: The right to request correction or addition of inaccurate personal information
  • Deletion request: The right to request deletion of personal information (account deletion)
  • Suspension of use: The right to request suspension of use if the information is found to have been used for unintended purposes

Please contact the support desk below by email for these requests. After identity verification, we will respond within a reasonable period (in principle, within two weeks).

13. Changes to this Policy

This Policy may be revised in the event of legal amendments, changes to the Service, or other necessity. For significant changes, we will notify users in advance via a notice on the Service or by email. The revised Policy takes effect from the time it is posted on this page.

14. Contact

For questions about this Policy, or requests to disclose, correct, or delete personal information, please contact the desk below.

YugaStyle

SOAR Operator

Email: soar.info2026@gmail.com

* Replies to inquiries are, in principle, made within two weeks.