Cookie Policy
Last updated: May 23, 2026
Minimal by design
Yellsy uses only cookies and browser storage that are strictly necessary to deliver the service. We do not use advertising cookies, social media trackers, or behavioral profiling technologies. No consent banner is required for strictly necessary cookies under the ePrivacy Directive.
1. Introduction and Scope
This Cookie Policy explains how Yellsy LLC, a company registered in the United States, uses cookies, browser storage, and similar technologies on yellsy.com and its related interfaces. It forms part of our broader Privacy Policy, which you should read alongside this document for a complete understanding of how we handle your data.
This policy applies to all visitors and registered users of the Platform, regardless of their location. Where specific rights apply to residents of the European Economic Area or the state of California, these are noted explicitly.
2. What Cookies Are
Cookies are small text files placed on your device by a website when you visit it. They allow the site to recognize your device on subsequent visits or across page navigations within the same session. Cookies have an expiry date: session cookies are deleted when you close your browser, while persistent cookies remain on your device for a defined period or until you delete them manually.
In addition to cookies, websites can use other browser storage mechanisms such as localStorage and sessionStorage. Unlike cookies, data stored in localStorage is never automatically transmitted to our servers with each request. It stays on your device and is only read when your browser explicitly requests it via JavaScript. This distinction matters for your privacy, and we explain exactly what we store and why in Section 4 below.
We also embed third party scripts (Cloudflare, hCaptcha, Stripe) that may set their own cookies for security and fraud prevention. These are described in full in Section 5.
3. Legal Basis for Cookie Use
For users located in the European Economic Area, our use of cookies is governed by the ePrivacy Directive (2002/58/EC, as amended) and the GDPR. Every cookie and storage item we use falls into the category of strictly necessary, meaning it is essential for the platform to function as you have requested. Under Article 5(3) of the ePrivacy Directive, strictly necessary cookies do not require your prior consent.
✓ Performance of a Contract — Art. 6(1)(b) GDPR
Your session tokens and authentication storage are necessary to keep you logged in while you search for flights, review your bookings, and complete payment. Without them, the service cannot function.
✓ Legitimate Interests — Art. 6(1)(f) GDPR
Cloudflare, hCaptcha, and Stripe cookies serve our legitimate interest in protecting the platform and its users from fraud, automated attacks, and unauthorized transactions. These interests do not override your fundamental rights.
We do not use cookies that require consent under the ePrivacy Directive. If this changes in the future, we will introduce a consent mechanism and obtain your explicit agreement before setting any non-essential trackers.
4. What We Store and Where
4.1 Authentication Tokens (Browser localStorage)
When you log in, Yellsy stores two tokens in your browser's localStorage: a short-lived access token (valid for 2 hours) and a refresh token (valid for 30 days). These tokens are sent to our servers as HTTP Authorization headers, not as cookies. This design avoids the cross-site request forgery risk that comes with cookie-based authentication. Both tokens are cleared automatically when you log out or when they expire.
4.2 Infrastructure and Payment Cookies
A small number of cookies are set by the security and payment infrastructure we depend on. These are described in the full inventory table below. They are all strictly necessary and none of them is used for advertising or behavioral profiling.
| Name | Provider | Purpose | Duration | Type | Where |
|---|---|---|---|---|---|
| yellsy-auth | Yellsy LLC | Stores your JWT access token to keep you logged in across page navigation. Sent via HTTP Authorization header, not as a cookie. | 2 hours | Strictly Necessary | localStorage |
| yellsy-refresh | Yellsy LLC | Stores a refresh token that silently renews your session without requiring you to log in again. | 30 days | Strictly Necessary | localStorage |
| __cf_bm | Cloudflare | Bot management cookie that distinguishes automated traffic from human visitors, protecting the platform from malicious scripts. | 30 minutes | Strictly Necessary | Cookie |
| __cf_clearance | Cloudflare | Set after a browser challenge is passed. Prevents you from being challenged again on subsequent requests within the same session. | 30 minutes | Strictly Necessary | Cookie |
| h-captcha-* | Intuition Machines (hCaptcha) | Anti-bot verification on registration and contact forms. Prevents automated form submissions without exposing you to advertising profiling. | Session | Strictly Necessary | Cookie |
| __stripe_mid | Stripe Inc. | Fraud prevention within the payment checkout flow. Helps Stripe detect suspicious activity before processing your card. | 1 year | Strictly Necessary | Cookie |
| __stripe_sid | Stripe Inc. | Session identifier for the Stripe payment iframe. Ensures your payment session is linked correctly during checkout. | 30 minutes | Strictly Necessary | Cookie |
5. Third Party Technologies
Cloudflare (United States)
Our platform is protected by Cloudflare's network infrastructure. When you connect to yellsy.com, your request passes through Cloudflare's servers, which set cookies to distinguish human visitors from automated bots. Cloudflare does not use this data for advertising. Their privacy practices are described at cloudflare.com/privacypolicy.
hCaptcha — Intuition Machines Inc. (United States)
We use hCaptcha on registration and contact forms to prevent automated submissions. hCaptcha is a privacy-respecting alternative to reCAPTCHA and does not build advertising profiles. Cookies it sets are cleared at the end of your session. Their privacy policy is available at hcaptcha.com/privacy.
Stripe Inc. (United States)
Payment processing is handled by Stripe through a securely embedded payment form (iframe). Stripe sets cookies within that iframe for fraud detection and session continuity. These cookies are isolated to the Stripe iframe and are not accessible to our own JavaScript. Stripe's cookie and privacy practices are detailed at stripe.com/privacy.
6. Optional Analytics and Advertising Technologies
At the present time, Yellsy does not deploy any optional cookies for analytics or advertising purposes. All cookies currently active on the platform are strictly necessary, as described in Section 4. However, we may in the future introduce optional tracking technologies — including analytics scripts, advertising pixels, and behavioral measurement tools — to better understand how users interact with our platform and to measure the performance of our marketing campaigns. We want to be transparent about this possibility so that you are never surprised by changes to our cookie practices.
Our commitment: No optional cookie or tracking technology will ever be activated on your device without your explicit and informed consent. If we introduce any of the categories below, a consent banner will appear on your first visit and will allow you to accept or decline each category individually. You will be able to change your preferences at any time from within your account settings.
Categories we may introduce in the future
Analytics and Audience Measurement
Consent required before activationScripts such as Google Analytics, Plausible, or equivalent tools that measure page visits, traffic sources, session duration, and user journeys across the platform. All data collected under this category would be aggregated and used solely to improve the platform experience.
Advertising and Retargeting Pixels
Consent required before activationPixels from platforms such as Meta (Facebook), Google Ads, TikTok, or LinkedIn that allow us to measure the effectiveness of paid advertising campaigns and, where you consent, to show you relevant ads outside of our platform based on your visit.
Behavioral Tracking and Personalization
Consent required before activationTechnologies that observe how you navigate the platform — including pages visited, features used, and search patterns — in order to personalize your experience or surface more relevant travel offers.
Social Media Integration Scripts
Consent required before activationEmbedded scripts from platforms such as Meta, X (Twitter), or Pinterest that may track your activity across our site and link it to your social media profile, typically for social sharing or login functionality.
When any of these categories are activated, the cookie inventory table in Section 4 will be updated to list each technology by name, provider, purpose, and duration, along with a link to the relevant provider privacy policy. You will be notified by email at least thirty (30) days before any optional category goes live.
7. Analytics
7.1 Server-Side Analytics
Yellsy uses or may use server-side analytics tools to measure platform performance and understand how our service is used in aggregate. Unlike client-side analytics, these tools process data entirely on our servers and do not write any cookie or identifier to your device. No consent banner is required for server-side analytics under the ePrivacy Directive, since they do not access or store information on your terminal equipment.
Data processed through server-side analytics may include anonymized IP addresses, page paths, referral sources, session durations, and API response times. This data is aggregated and does not produce a profile linked to you as an identifiable individual. Where IP addresses are processed, they are truncated or hashed before any retention. The full details of this server-side processing are covered in our Privacy Policy.
7.2 Client-Side Analytics (Optional — Consent Required)
If we introduce client-side analytics tools in the future — for example scripts that observe which pages attract the most interest or measure conversion rates from marketing campaigns — these will fall under the optional Analytics category described in Section 6. They will set cookies or identifiers on your device and will not be activated until you have explicitly consented through the cookie preference panel.
8. Do Not Track Signals
Some browsers send a Do Not Track (DNT) signal to websites, requesting that they refrain from tracking your browsing activity. At present, since Yellsy only uses strictly necessary cookies, your DNT preference does not materially change our behavior — there is nothing optional to disable.
If and when we introduce optional analytics or advertising technologies, we will honor DNT signals by treating them as equivalent to a refusal of consent for those categories. In practice, this means that a browser sending a DNT signal will be treated as if you had selected "decline all optional cookies" in the consent panel, with no further action required from you.
9. International Data Transfers
Yellsy LLC is based in the United States. The third party providers whose cookies appear on our platform — Cloudflare, hCaptcha, and Stripe — are also US-based companies. If you are accessing the platform from the European Economic Area, your data (including data processed in connection with their cookies) is transferred to the United States.
These transfers are made on the basis of Standard Contractual Clauses approved by the European Commission, or equivalent transfer mechanisms recognized under applicable data protection law. Each provider maintains their own data transfer documentation, which is accessible through the privacy links listed in Section 5.
10. Managing Your Cookie Settings
Required for the platform to function. Every cookie and storage item listed in this policy is strictly necessary. Disabling them will prevent you from logging in, completing a booking, processing a payment, or submitting any form on the Platform. You may exercise this right through your browser, but doing so means the core service will not be available to you.
You have the right to control cookies through your browser settings. Below are the paths for the most common browsers:
Chrome
Settings → Privacy and Security → Cookies
Firefox
Options → Privacy and Security → Cookies
Safari
Preferences → Privacy → Manage Website Data
Edge
Settings → Cookies and Site Permissions
Opera
Settings → Advanced → Privacy and Security
Brave
Settings → Privacy and Security → Cookies
Clearing localStorage
Your authentication tokens are stored in localStorage, not in cookies, and are therefore not affected by browser cookie controls. To clear them, open your browser's developer tools (press F12), navigate to Application → Local Storage → yellsy.com, and delete the entries. Logging out from within the platform also clears them automatically.
11. Retention of Cookie Data
Cookie lifetimes are listed in the inventory table in Section 4. Session cookies are deleted when you close your browser. Persistent cookies expire on the date shown in the table. Data collected in connection with third party cookies is retained according to each provider's own retention policies, which are accessible through the links in Section 5. We do not retain cookie data on our own servers beyond what is recorded in server access logs, which are kept for a maximum of 90 days for security and diagnostic purposes.
12. Changes to This Policy
We will update this Cookie Policy if we introduce new technologies, change our providers, or if legal requirements evolve. Any material change will be reflected on this page with a revised date at the top. We encourage you to review this policy periodically. If we ever introduce optional cookies that require your consent, we will present a clear banner and will not set those cookies until you have explicitly agreed.
13. Contact
If you have any questions about how Yellsy uses cookies or browser storage, or if you would like to exercise any data protection rights described in our Privacy Policy, please reach out to us.
Yellsy LLC
United States
Email: contact@yellsy.com
We aim to respond to all privacy-related inquiries within 72 hours.
Questions? Contact us