Privacy Policy

DongHyuck Yang ("we," "us," or "our") respects your privacy and is committed to protecting your personal data in compliance with applicable data protection laws, including the Korean Personal Information Protection Act (PIPA).

1. Information We Collect

[Required Information]

• Social login identifier: unique ID from your Google, Apple, or Kakao account
• Device identifier: a UUID generated by the app
• Platform information: operating system (Android/iOS)

[Optional Information]

• Push notification token (when you enable notifications)
• Calendar event data: event titles, times, locations (read from device only, not sent to server)
• AI calendar analysis: event data sent to Google Gemini API for briefing generation (immediately deleted after analysis, not stored on our servers or by Google)
• Language preference (when changed in app settings)
• Feedback content and contact info (when you submit feedback)

[Automatically Collected]

• Access logs: login/logout timestamps, IP address, device info (retained for 3 months per the Protection of Communications Secrets Act)
• Error diagnostic logs: error messages, stack traces, OS version, app version, screen info
• Advertising data: advertising ID, device info, and ad interaction data via Google AdMob (banner and rewarded ads, non-personalized ads only)
• Advertising identifier: We may collect your device's advertising identifier for non-personalized ad delivery. We request your prior consent through the tracking consent feature provided by the operating system. Declining has no effect on your ability to use the service.
• IP address: automatically collected by server infrastructure when submitting feedback

Collection Methods: Social login (Google, Apple, Kakao) APIs, auto-generated in-app (device identifiers), automatic collection via SDKs (AdMob), and advertising identifier consent request via the operating system's tracking transparency feature.

2. How We Use Your Information

• Account creation, authentication, and management
• Providing AI calendar briefing service
• Sending morning briefings, preparation reminders, and push notifications
• Error detection and service stability
• Service improvement through analytics
• Displaying advertisements: banner ads and rewarded ads (non-personalized). One free briefing generation is provided per day; subsequent regenerations may require watching a rewarded ad.
• Responding to support inquiries

3. Data Retention

• We delete all server-side personal data immediately upon account deletion. Linked social login (Google, Apple, Kakao) app connections are also revoked.
• Feedback data is retained for 1 year from submission, then deleted.
• Error diagnostic logs are retained for 6 months from collection, then automatically deleted.
• Access logs (login/logout timestamps, IP address, device info) are retained for 3 months as required by the Protection of Communications Secrets Act, then automatically deleted. Access logs are retained for the full 3-month period even after account deletion.

4. Third-Party Sharing

• We do NOT sell your personal information.
• We do NOT share your data with third parties except when you give explicit consent, when required by law or legal process, or with service providers (see Section 5).

5. Service Providers (Data Processing Delegation)

We delegate personal data processing to the following service providers to operate HaruBrief:

• Supabase (USA): Database hosting — Data delegated: user account info, consent records, access logs / Retention: deleted immediately upon account deletion (access logs retained 3 months)
• Cloudflare (USA): Server infrastructure — Data delegated: authentication session tokens / Retention: deleted immediately after processing
• Expo (USA): Push notification delivery — Data delegated: push tokens, device identifiers / Retention: previous tokens deleted upon renewal
• Google / Apple / Kakao: Social login authentication — Data delegated: OAuth authentication tokens / Retention: app connection revoked upon account deletion
• Google AdMob (USA): Advertisement delivery (banner and rewarded ads) — Data delegated: advertising ID, device info (non-personalized ads only) / Retention: per Google's data retention policy
• Google Gemini (USA): AI calendar analysis — Data delegated: calendar event data / Retention: deleted immediately after analysis, not stored on our servers or by Google

All service providers are supervised to process personal data securely in accordance with applicable data protection laws. We have executed Data Processing Addendums (DPAs) with each provider, and Google Cloud Data Processing Addendum applies to all Google services. For overseas data transfers, users are notified herein, and the above providers maintain appropriate technical and organizational security measures.

6. Cross-border Data Transfer

Pursuant to Article 28-8 of the Korean Personal Information Protection Act (PIPA), we transfer personal data overseas as follows for the provision of our Service:

We implement the following safeguards for cross-border data transfers:

• All data is encrypted in transit using HTTPS/TLS.
• Google Cloud Data Processing Addendum (CDPA) applies, ensuring transferred data is not used for AI model training.
• Data Processing Agreements (DPAs) have been executed with each recipient.
• You may refuse consent to cross-border transfers; however, refusal may limit access to certain features such as AI calendar analysis.

7. Data Destruction

Personal data whose purpose of collection has been achieved shall be destroyed without delay.

• Electronic files are deleted using methods that make recovery impossible.
• Calendar event data sent for AI analysis is deleted immediately after processing and is not stored on our servers.

8. Your Rights

You have the right to:

• Access your personal data
• Request correction of inaccurate data
• Request deletion of your data
• Request restriction of processing
• Withdraw consent at any time

Exercise these rights via Settings > Account in the app or through in-app feedback. We will respond within 10 days of receiving your request.

9. Data Security

• Encryption of sensitive data at rest and in transit (TLS/HTTPS)
• Minimal access controls with admin API access logging
• Biometric data processed locally on-device only (never sent to servers)

10. Children's Privacy

The Service is not directed at children under 14. We do not knowingly collect personal information from children under 14. If we become aware that personal information of a user under 14 has been collected, we will promptly delete it.

11. Cookies

As a mobile application, HaruBrief does not use web cookies.

12. Data Protection Officer

For privacy inquiries, please use the in-app feedback feature.

• Officer: DongHyuck Yang
• Email: n016yoyo@gmail.com

13. Remedies for Rights Infringement

For privacy complaints in Korea, you may contact the following organizations:

• KISA Privacy Center (privacy.kisa.or.kr / 118)
• Personal Information Dispute Mediation Committee (www.kopico.go.kr / 1833-6972)
• Supreme Prosecutors' Office Cyber Investigation Division (www.spo.go.kr / 1301)
• National Police Agency Cyber Bureau (ecrm.police.go.kr / 182)

14. Changes to This Policy

We may update this Policy and will notify you through the app before changes take effect.