Privacy Policy
Daloomy (“we”, “us”, or “the Company”) is committed to protecting your personal information. This Privacy Policy describes how we collect, use, disclose, and protect information about you when you use our mobile application and related services (collectively, the “Service”). It is established and disclosed pursuant to applicable laws including the Korean Personal Information Protection Act (PIPA), the U.S. Children’s Online Privacy Protection Act (COPPA), and best practices aligned with the EU General Data Protection Regulation (GDPR).
This is a 1.0.0-draft pending legal review. A finalized v1.0 will replace this document upon completion of review.
1. Purposes of Processing
We process personal information for the following purposes. Information is not used for purposes other than those stated below; if processing purposes change, we will obtain separate consent in accordance with applicable law.
| Purpose | Description |
|---|---|
| Service provision | Account registration, authentication, AI-generated journal creation, photo / calendar / location-based context processing, journal storage and retrieval |
| Notifications | Daily journal reminders, weekly / monthly summary alerts |
| Payment & subscription | Paid subscription processing, subscription status, refund handling (post-launch) |
| Customer support | Inquiry handling, dispute resolution, service improvement |
| Marketing (optional consent) | Notification of new features and events via email / push |
| Legal compliance | Compliance with applicable laws including consumer protection statutes |
2. Categories of Personal Information We Process
a. Required Information (necessary for service use)
- At sign-up: email address, password (stored as a hash)
- Automatically collected: IP address, device identifier, device model and OS version, device timezone, device language, app version, service usage history (access logs, screen navigation)
- For push notifications: APNS (Apple Push Notification Service) / FCM (Firebase Cloud Messaging) device tokens
b. Sensitive Information (separate consent required)
The following categories may reveal mental health, lifestyle patterns, or other sensitive aspects, and are therefore classified as sensitive information subject to separate explicit consent:
- Journal content: Text written by the user or generated by AI on behalf of the user. Because it may indicate mental health, emotional state, relationships, religion, or political views, we treat it as sensitive.
- Photos and photo metadata (EXIF): Photos attached to journals, plus EXIF metadata extracted from them — including GPS coordinates, capture timestamp, and camera information. We expressly disclose that GPS coordinates embedded in photo files are extracted and used as journal context.
- Location data: GPS coordinates from your device (with your consent), or places you manually enter as visited.
- Calendar data: Event titles, locations, and start / end times read from your device calendar (with your consent).
c. Payment Information (applicable post-launch of subscriptions)
- Apple In-App Purchase / Google Play Billing transaction IDs, subscription status, payment timestamps
- We do not store direct payment credentials such as card numbers; payment processing is handled by Apple / Google’s payment systems.
d. Optional
- Marketing communications consent (optional)
3. Specific Disclosure: EXIF GPS Coordinate Extraction
When you attach photos to journals, we extract the following information from the photo’s EXIF metadata:
- GPS latitude and longitude coordinates recorded at the time of capture
- Capture timestamp
- Camera model used to take the photo (where available)
EXIF data is stored alongside photo pixels in your device’s photo library. When you attach a photo, this metadata is transmitted to our servers along with the photo. We use the location coordinates to provide context to AI-generated journals (e.g., “where you spent your day”). If you do not want EXIF location processed, you may disable photo location storage in your device settings, or refrain from attaching photos in our app.
4. Retention and Use Periods
We retain personal information only for the period required by applicable law or by the consent obtained at the time of collection.
| Category | Retention Period |
|---|---|
| Account information (email, journals, settings) | Deleted immediately upon account deletion (cloud photos within 30 days) |
| Payment / subscription records | 5 years (Korean Consumer Protection in E-Commerce Act, Article 6) |
| Photo originals (Premium subscribers) | 1 year (deleted upon subscription end or account deletion) |
| Automatically collected logs (access logs, IP) | 3 months (Korean Communications Privacy Protection Act, Article 15-2) |
| Anti-abuse device identifiers | 1 year |
After account deletion, all personal information except items subject to statutory retention is completely deleted within 30 days.
5. Disclosure to Third Parties
We process your personal information only within the purposes stated in Section 1 and disclose it to third parties only with your consent or as required by law (PIPA Articles 17 and 18, applicable U.S. and EU law).
We do not currently share your personal information with third parties. All external services we use are operated under “data processing entrustment” as described in Section 6 below.
6. Data Processing Entrustment
We entrust the following service providers with processing of personal information necessary for service operation.
| Processor | Purpose | Categories Processed | Country |
|---|---|---|---|
| Cloudflare, Inc. | Photo storage (R2 Object Storage), API server (Workers), web hosting (Pages), content delivery | Photos, EXIF, journal content (in transit), IP, device identifiers | USA / globally distributed edge |
| Supabase Inc. | User authentication, database operation | Email, password hashes, journal content, settings, location, calendar metadata | USA or EU (region selectable) |
| OpenAI, L.L.C. | AI inference for journal generation | Photos (resized), EXIF location, schedule / location text, journal generation prompts | USA |
| Apple Inc. | APNS push notifications | APNS device tokens | USA |
| Google LLC | FCM push notifications | FCM device tokens | USA |
| Expo, Inc. | Push notification infrastructure | Push payload routing | USA |
Specific Notice: OpenAI Does Not Train on Your Data
We have verified that under OpenAI’s API data usage policy (effective March 1, 2023, for the OpenAI Platform API), your data is not used to train OpenAI’s models. We maintain organization-level data sharing as opt-out. If this policy changes, we will immediately update this Privacy Policy and notify you.
7. International Data Transfers
We transfer personal information internationally as follows.
| Recipient | Country | Method | Categories | Retention |
|---|---|---|---|---|
| Cloudflare, Inc. | USA (globally distributed edge) | Network transmission upon service use | As listed in Section 6 | Until termination of entrustment |
| Supabase Inc. | USA or EU | Network transmission upon service use | As listed in Section 6 | Until termination of entrustment |
| OpenAI, L.L.C. | USA | Network transmission upon AI generation request | Photos (resized), EXIF location, text context | Discarded immediately after API call (per OpenAI’s 30-day deletion policy) |
| Apple Inc. / Google LLC / Expo, Inc. | USA | Push notification dispatch | Push tokens and payloads | Discarded immediately upon dispatch |
You may refuse consent to international transfers under PIPA Article 28-8. Refusal may result in limited service availability.
8. Your Rights
You have the right to:
- Access personal information we hold about you
- Request correction of inaccurate information
- Request deletion
- Request restriction of processing
- Request data portability (export in transferable format)
You may exercise these rights via written request, telephone, email ([email protected]), or in-app settings (Account → Permissions / Delete). We will respond within 7 business days. You may exercise rights through a legal representative or an authorized agent by submitting the appropriate authorization document.
We may limit your rights as permitted by PIPA Article 35(4) and 37(2). In such cases, we will inform you of the reasons without delay.
9. Children’s Information
a. United States (COPPA)
We do not knowingly collect personal information from children under 13 years of age as defined by the Children’s Online Privacy Protection Act (COPPA). Accounts identified as belonging to children under 13 will be deleted immediately. If you believe we have collected information from a child under 13, please contact [email protected].
b. Korea (PIPA)
For users in Korea, our service is available to users age 14 and older. We do not collect information from children under 14. Accounts identified as such will be deleted immediately.
You will be required to confirm your age during sign-up. We are not responsible for consequences resulting from false age representations.
10. Security Measures
We implement the following measures pursuant to PIPA Article 29 and industry best practices.
a. Administrative
- Designation of a Personal Information Protection Officer with periodic review
- Minimization of personnel with access to personal information; tiered access controls
- Periodic security training under internal policy
b. Technical
- Encryption at rest: Supabase encryption at rest (AES-256), Cloudflare R2 default object encryption
- Encryption in transit: HTTPS / TLS 1.2+ enforced
- Password protection: bcrypt hashing; plaintext passwords are never stored
- Access control: Row Level Security (RLS) policies ensure users access only their own data
- API domain isolation: API server (
api.daloomy.com) is separated from the web service (daloomy.com) into distinct origins, providing Same-Origin Policy isolation, explicit CORS controls, and isolation between marketing trackers and user data - Audit logging: Authentication, payment, and sensitive-data change events retained at least 3 months
- Backup and recovery: Daily automated backups, disaster recovery procedures
c. Physical
- We do not operate our own data centers. We rely on the physical security policies of our processors (Cloudflare, Supabase).
11. Automatically Collected Information and Opt-Out
a. Categories
- IP address, device identifiers, app version, OS version, screen navigation history (app usage logs), access timestamps
b. Method
- Information is automatically collected as you launch and use the app.
- Our mobile app does not directly use web cookies. However, our website (
daloomy.com) may introduce marketing analytics cookies in the future; we will explicitly disclose such cookies in this Privacy Policy if and when introduced.
c. Opt-Out
- Automatic collection is essential for service operation; opting out means you cannot use the service.
- To opt out, please discontinue use of the app or delete your account.
12. Right to Refuse Consent and Consequences
You have the right to refuse consent to processing of your personal information. The consequences are as follows:
| Consent Item | Consequence of Refusal |
|---|---|
| Required (email, password, etc.) | Cannot register or use the service |
| Sensitive (photos / EXIF / location / calendar / journal content) | AI auto-generation features limited; reduced context |
| Marketing notifications (optional) | No effect on service. You will not receive feature / event announcements |
| International transfers | Some services (AI generation, cloud storage) may be limited |
13. Reporting Privacy Violations
If you believe your personal information has been compromised, you may contact the following authorities (Korea):
- Personal Information Protection Commission (PIPC): privacy.go.kr / Tel 182
- Korea Internet & Security Agency (KISA) Privacy Violation Report Center: privacy.kisa.or.kr / Tel 118
- Supreme Prosecutors’ Office Cyber Investigation Division: spo.go.kr / 02-3480-3573
- National Police Agency Cyber Investigation Bureau: ecrm.cyber.go.kr / Tel 182
For users in the United States, you may report concerns to the Federal Trade Commission (FTC) at https://reportfraud.ftc.gov.
14. Personal Information Protection Officer
We have designated the following person responsible for personal information matters and resolving complaints from data subjects.
- Officer: Founder (Title)
- Contact: [email protected]
- Response time: Within 7 business days
You may contact our Personal Information Protection Officer for any inquiries, complaints, or remedies related to your personal information.
15. Changes to This Policy
This Privacy Policy is effective on the date of publication. If we make material changes, we will notify you at least 7 days before the changes take effect via the page (daloomy.com/legal/en/privacy) and in-app notice.
For material changes that affect your rights, we will require explicit re-consent through an in-app Splash Gate before continued service use.
Effective Date: May 6, 2026 (Draft 1.0.0) Contact: [email protected]