Privacy Policy
Effective Date: May 1, 2026 · Version: 1.0.0
The Habitate team complies with the Personal Information Protection Act and relevant laws,
and establishes and discloses this Privacy Policy
to process users' personal information lawfully and safely.
Table of Contents
- Article 1 Purpose, Items, and Retention Period of Personal Information Processing
- Article 2 Status of Personal Information Files
- Article 3 Provision of Personal Information to Third Parties
- Article 4 Standards for Additional Use and Provision
- Article 5 Consignment of Personal Information Processing
- Article 6 Cross-Border Transfer of Personal Information
- Article 7 Procedures and Methods for Destroying Personal Information
- Article 8 Rights and Obligations of Data Subjects and Legal Representatives
- Article 9 Measures to Ensure Safety of Personal Information
- Article 10 Installation, Operation, and Opt-Out of Automatic Collection Devices
- Article 11 Personal Information Protection Officer
- Article 12 Department Receiving and Processing Access Requests
- Article 13 Remedies for Infringement of Data Subject's Rights
- Article 14 Changes to the Privacy Policy
Overview
Habitate (hereinafter "Company") operates the mobile service "Habitate" (hereinafter "Service"), which supports habit tracking and goal achievement through gamification.
In accordance with Article 30 of the Personal Information Protection Act, the Company establishes and discloses this Privacy Policy to guide the procedures and standards for processing data subjects' personal information and to promptly and smoothly handle related complaints.
This policy is effective from May 1, 2026.
Article 1 Purpose, Items, and Retention Period of Personal Information Processing
The Company collects and processes the minimum personal information necessary for the following purposes. Personal information shall not be used for any purpose other than the following, and if the purpose changes, necessary measures such as obtaining separate consent shall be taken in accordance with Article 18 of the Personal Information Protection Act.
① Membership Registration and Account Management
The service is provided through email/password authentication and social login (Google, Apple, Kakao, GitHub).
| Category | Items Collected | Purpose | Legal Basis | Retention Period |
|---|---|---|---|---|
| Email/Password Registration | [Required] Email address, nickname, password (encrypted) [Auto-generated] Member unique identifier (UUID), registration date | Member identification, service provision, identity verification, fraud prevention | PIPA Article 15(1)4 (Contract performance) | Until membership withdrawal (destroyed within 30 days of withdrawal) |
| Social Login (Google/Apple/Kakao/GitHub) | [Provided info — varies by provider] Email address (if available), social provider's unique ID, nickname (if available) [Auto-generated] Member unique identifier (UUID), registration date | Providing easy login via social account, member identification | PIPA Article 15(1)4 (Contract performance) | Until membership withdrawal (destroyed within 30 days of withdrawal) |
| Password Reset | Email address | Sending password reset email after identity verification | PIPA Article 15(1)4 (Contract performance) | Immediately destroyed after processing (reset link: 1 hour after issuance) |
② Service Use (Gamification Features)
Features for goal setting, quest completion, reward system, and virtual space customization are provided.
| Category | Items Collected/Generated | Purpose | Legal Basis | Retention Period |
|---|---|---|---|---|
| Goal Management | [User input] Goal title, start date, end date, status (in progress/completed/archived) [Auto-generated] Total days, completed days, weekly reward data (JSON) | Setting/managing personal goals and calculating achievement rate | PIPA Article 15(1)4 | Until membership withdrawal |
| Quest Management | [User input or AI-generated] Quest title, description, category (daily/weekly/monthly), difficulty (easy/normal/hard), days of the week [Auto-generated] Reward values (EXP/gold, JSON) | Creating/managing quests and calculating completion rewards | PIPA Article 15(1)4 | Until membership withdrawal |
| Quest Log | [Auto-recorded] Completion date, completion status [Optional — not yet implemented] Evidence image URL | Managing quest completion history and generating statistics | PIPA Article 15(1)4 | Until membership withdrawal |
| User Game Stats | [Auto-generated/updated] Level, experience points (EXP), gold, created/updated timestamps | Providing gamification elements (level-up, rewards) | PIPA Article 15(1)4 | Until membership withdrawal |
| Virtual Space (Room) Management | [User settings] Space name, primary space designation [Auto-recorded] Furniture placement data (JSON), wallpaper/floor setting IDs, sort order | Saving and restoring personalized virtual spaces | PIPA Article 15(1)4 | Until membership withdrawal |
| Inventory & Items | [Auto-recorded] Item IDs owned, acquisition date, quantity, context data (JSON) | Managing acquired items and supporting placement in virtual spaces | PIPA Article 15(1)4 | Until membership withdrawal |
③ AI Quest Generation Service
AI-based quest recommendations and image generation using the Google Gemini API.
| Category | Items Processed | Purpose | Legal Basis | Retention Period |
|---|---|---|---|---|
| AI Quest Generation | [Info provided for AI processing] Goal title, quest category, difficulty settings [AI-generated output] Quest title/description (text), AI-generated images (PNG, stored in Supabase Storage) | Automatically generating custom quest ideas and item images | PIPA Article 15(1)4 | AI-generated images: permanently stored in item catalog (item data retained after withdrawal) Processing prompts: immediately deleted after AI processing |
※ AI Processing Notes
· Please be careful not to include sensitive personal information such as names, contact details, or national ID numbers in goal titles.
· During AI processing, the relevant text is sent to Google Gemini API servers (located in the US). Please refer to Article 6 (Cross-Border Transfer) for details.
· AI-generated images may be registered in the public item catalog.
④ Retention Required by Law
Information that must be retained under relevant laws shall be retained for the period required by those laws.
| Items | Applicable Law | Retention Period |
|---|---|---|
| Records of contracts or withdrawal of offers | Act on Consumer Protection in Electronic Commerce, Article 6 | 5 years |
| Records of payment and supply of goods | Act on Consumer Protection in Electronic Commerce, Article 6 | 5 years |
| Records of consumer complaints or dispute resolution | Act on Consumer Protection in Electronic Commerce, Article 6 | 3 years |
| Communication confirmation data (login records, access IP, etc.) | Protection of Communications Secrets Act, Article 41 | 3 months |
| Records related to service use disputes | Internal policy (for dispute resolution purposes) | Until dispute resolution |
Article 2 Status of Personal Information Files
The Company operates personal information files in accordance with Article 32 of the Personal Information Protection Act, with processing purposes and retention periods within the scope described in Article 1.
| File Name | Key Items | Processing Purpose | Retention Period |
|---|---|---|---|
| Member Basic Information File | Email, nickname, password (hash), social provider info, member unique ID | Member management | 30 days after withdrawal |
| Game Stats File | Level, EXP, gold, created/modified timestamps | Service provision | 30 days after withdrawal |
| Goal & Quest File | Goal/quest title, category, difficulty, reward values, schedule info | Service provision | 30 days after withdrawal |
| Quest Log File | Quest ID, completion date, completion status | Statistics and history management | 30 days after withdrawal |
| Virtual Space File | Space name, furniture placement data (JSON), wallpaper/floor IDs | Service provision | 30 days after withdrawal |
| Inventory File | Item IDs owned, acquisition date, quantity | Service provision | 30 days after withdrawal |
| AI-Generated Image File | AI-generated PNG images (stored in Supabase Storage) | Item image display | Permanently retained |
Article 3 Provision of Personal Information to Third Parties
① The Company provides personal information to third parties only when applicable under Articles 17 and 18 of the Personal Information Protection Act, such as with the data subject's consent or under special legal provisions.
② Currently, the Company does not in principle provide users' personal information to third parties. However, exceptions apply in the following cases:
- When the user has given prior consent
- When required by law or when requested by investigative agencies following legally prescribed procedures for investigative purposes
- When necessary for fee settlement in connection with service provision (applicable upon introduction of paid services)
③ If third-party provision occurs in the future, the Company will immediately amend this policy and obtain prior consent.
Article 4 Standards for Additional Use and Provision
When additionally using or providing personal information without the data subject's consent under Article 15(3) or Article 17(4) of the Personal Information Protection Act, the Company considers the following:
1. Relevance to the original collection purpose — Used only for service improvement purposes such as quest achievement statistics analysis, without exceeding the scope of the original collection purpose.
2. Predictability — Processed only within the range predictable to users in the context of service use.
3. Whether interests are infringed — Processed within the range that does not unfairly infringe on the data subject's interests.
4. Safety measures — Appropriate safety measures such as encryption are taken even during additional use or provision.
Article 5 Consignment of Personal Information Processing
① The Company consigns personal information processing as follows for smooth service operation:
| Consignee | Consigned Work | Personal Information Processed |
|---|---|---|
| Supabase, Inc. (USA) | Member authentication and account management, database operation, file storage (images) | Email, password (encrypted), social account info, all service usage data |
| Google LLC (USA, Gemini API) | AI-based quest text generation and image generation processing | Goal title, quest category/difficulty settings (immediately deleted after processing) |
| Render Services, Inc. (USA) | Backend server hosting and operation | API request/response data transmitted through the server (no cache or permanent storage) |
② Upon entering into consignment contracts, the Company specifies the following in the contract in accordance with Article 26 of the Personal Information Protection Act and supervises whether the consignee processes personal information safely:
- Prohibition of personal information processing beyond the purpose of consigned work
- Matters regarding safety measures
- Matters regarding restrictions on re-consignment
- Matters regarding management and supervision of the consignee
- Matters regarding liability for damages
③ If the content of consigned work or the consignee changes, the Company will promptly disclose this through this policy.
Article 6 Cross-Border Transfer of Personal Information
The Company transfers personal information overseas as follows for service operation. The relevant transfers meet the standards under Article 28-8 of the Personal Information Protection Act.
| Recipient | Country | Items Transferred | Purpose | Retention Period | Safeguards |
|---|---|---|---|---|---|
| Supabase, Inc. | USA | Member account information, all service usage data | Authentication, DB, storage service provision | Until membership withdrawal | Standard Contractual Clauses (SCC) and SOC2 Type II certification |
| Google LLC (Gemini API) | USA | Goal title, quest generation parameters (immediately deleted after processing) | AI quest/image generation | Immediately deleted after AI processing | Google Cloud Privacy Policy and Data Processing Addendum (DPA) |
| Render Services, Inc. | USA | API request/response data (no permanent storage) | Backend server hosting | Immediately deleted after processing | Standard Contractual Clauses (SCC) and SOC2 compliance |
Article 7 Procedures and Methods for Destroying Personal Information
① The Company destroys personal information without delay when it becomes unnecessary, such as when the retention period has expired or the processing purpose has been achieved.
② If personal information must continue to be retained in accordance with other laws despite the expiration of the agreed retention period or achievement of the processing purpose, such personal information is transferred to a separate database (DB) or stored in a different location.
③ The procedures and methods for destroying personal information are as follows:
Destruction Procedure
Withdrawal request received → Verify destruction reason → Protection Officer approval → Execute destruction → Confirm destruction (within 30 days)
| Destruction Reason | Timing | Method |
|---|---|---|
| Membership withdrawal | Within 30 days of withdrawal request | Electronic files: permanently deleted by irreversible method (Supabase DB record deletion, Storage object deletion) |
| Legal retention period expired | Immediately after the retention period expires | Permanently deleted after separation to a separate DB upon retention period expiration |
| AI processing prompts | Immediately after AI processing is complete | Immediately deleted from memory (not stored on server) |
| Password reset tokens | After 1 hour of issuance or immediately upon use | Supabase Auth token expiration processing |
Article 8 Rights and Obligations of Data Subjects and Legal Representatives
① Data subjects may exercise the following personal information protection rights against the Company at any time:
| Right | Content | How to Exercise |
|---|---|---|
| Right of Access | You may access your personal information processing status, purpose, items, retention period, etc. | App's 'My Info' menu or email inquiry |
| Right to Correction/Deletion | You may request correction if the personal information being processed differs from facts, or request deletion. However, deletion may be restricted if collection is mandated by law. | App's 'Edit Nickname' feature or email inquiry |
| Right to Suspend Processing | If you have consented to personal information processing, you may withdraw consent and request suspension at any time. | Email inquiry or membership withdrawal |
| Right to Withdraw Membership | You may withdraw consent to personal information processing through membership withdrawal; personal information will be destroyed within 30 days after withdrawal. | App's 'Delete Account' menu (to be implemented) or email inquiry |
| Right to Object to Automated Decisions | You may request an explanation or raise objections regarding automated processing results such as AI quest generation. (PIPA Article 37-2) | Email inquiry |
② Rights may be exercised through the following methods:
- Email: project.habitate@gmail.com
- In-app customer center: Settings > Customer Center (to be implemented)
- Identity verification procedures will be conducted, and requests will be processed within 10 days of receipt.
③ In the case of children under the age of 14, their legal representatives may request access, correction, deletion, and suspension of processing of personal information concerning the child under Article 38(2) of the Personal Information Protection Act. The Company in principle restricts membership registration for children under 14 years of age.
④ Rights may also be exercised through an agent such as the data subject's legal representative or a duly authorized person. In this case, a power of attorney and a copy of the agent's ID must be submitted.
Article 9 Measures to Ensure Safety of Personal Information
The Company takes the following safety measures in accordance with Article 29 of the Personal Information Protection Act:
1. Administrative Measures
- Establishment and implementation of internal management plans
- Regular training and security pledges for employees handling personal information
- Minimizing personal information access rights by limiting them to relevant personnel
- Regular inspection of personal information processing status
2. Technical Measures
- Password encryption: Argon2id algorithm applied (Supabase Auth)
- Transmission channel encryption: HTTPS/TLS 1.2 or higher applied (all API communications)
- JWT (JSON Web Token)-based authentication token issuance, 7-day validity period
- Secure client-side storage of authentication tokens: React Native AsyncStorage (device-level encrypted storage)
- Supabase Row-Level Security (RLS): DB policies configured so only the user's own data can be accessed
- Web vulnerability defense including SQL injection: FastAPI framework and Pydantic input validation
- AI image generation rate limiting: API call frequency limits to prevent abuse
- Social login: OAuth 2.0 standard compliance, provider secret keys not exposed in frontend
3. Physical Measures
- Physical security of cloud infrastructure (Supabase, Render) data centers (SOC2 Type II certified)
- Separation of development and production environments: sensitive information managed via environment variables (.env), not included in code repositories
- GitHub repository security: prohibition on writing secret keys/API keys directly in code, .gitignore applied
Article 10 Installation, Operation, and Opt-Out of Automatic Collection Devices
① Mobile App (Habitate App)
Habitate is a React Native-based mobile app and does not use the following automatic collection devices in the current version (1.0.0):
| Item | In Use | Notes |
|---|---|---|
| Cookies | Not used | Not applicable in mobile app environment |
| Location Information (GPS) | Not used (not collected) | No location-based features in current version |
| Camera/Photos | Not used (not collected) | Quest evidence photo feature planned for future release (separate consent to be obtained upon implementation) |
| Push Notification Device Token | Not used (not collected) | Push notification feature planned for future release (separate consent to be obtained upon implementation) |
| Third-party Analytics Tools | Not used | Firebase Analytics, Mixpanel, Google Analytics, etc. not applied |
| Advertising Identifiers (IDFA/GAID) | Not used | No advertising features |
| JWT Token (for authentication) | In use | Stored locally on device for user authentication (AsyncStorage). Can be deleted upon app logout. |
② Website (Upon Future Introduction)
If a separate website is operated in the future, cookies may be used, in which case users' right to choose will be guaranteed through a cookie consent popup, and this policy will be revised and disclosed.
※ How to Delete JWT Token (Logout)
You can immediately delete the authentication token stored on your device through Settings > Logout in the app. After logging out, you must log in again to use the service.
Article 11 Personal Information Protection Officer
① The Company designates a Personal Information Protection Officer as follows to take overall responsibility for personal information processing and to handle complaints and provide remedies related to personal information processing:
| Category | Information |
|---|---|
| Position | Personal Information Protection Officer (CPO) |
| Department | Habitate Development Team |
| project.habitate@gmail.com | |
| Response Period | Within 10 days of receipt |
② Data subjects may inquire about all matters related to personal information protection, complaints, and remedies arising from using the Company's services. The Company will respond and process data subjects' inquiries without delay.
Article 12 Department Receiving and Processing Access Requests
① Data subjects may request access to personal information in accordance with Article 35 of the Personal Information Protection Act at the following department:
| Department | Files Processed | Contact |
|---|---|---|
| Habitate Development Team | Member Basic Information File Game Stats File Goal & Quest File Quest Log File Virtual Space File Inventory File AI-Generated Image File | Email: project.habitate@gmail.com Response period: within 10 days |
② If a data subject is dissatisfied with or has objections to the measures taken in response to a request, they may raise an objection, and the results of the measures will be notified within 10 days from the date the objection is received.
Article 13 Remedies for Infringement of Data Subject's Rights
① Data subjects may apply to the following institutions for dispute resolution or consultation to obtain remedies for personal information infringement:
| Institution | Contact | Main Services |
|---|---|---|
| Personal Information Dispute Mediation Committee | (without area code) 1833-6972 www.kopico.go.kr | Applications for personal information dispute mediation |
| Personal Information Infringement Report Center (KISA) | (without area code) 118 privacy.kisa.or.kr | Personal information infringement reports and consultations |
| National Police Agency Cyber Crime Report System | (without area code) 182 ecrm.police.go.kr | Cybercrime damage reports |
| Supreme Prosecutors' Office Cyber Investigation Division | 02-3480-3573 www.spo.go.kr | Complaints/accusations related to personal information infringement |
② Persons whose rights or interests have been infringed upon by a disposition or inaction regarding requests under Articles 35 (Access), 36 (Correction/Deletion), and 37 (Suspension of Processing, etc.) of the Personal Information Protection Act may file an administrative appeal in accordance with the Administrative Appeals Act.
※ Central Administrative Appeals Commission: (without area code) 110 · www.simpan.go.kr
Article 14 Changes to the Privacy Policy
① This Privacy Policy is effective from May 1, 2026.
② When amending the Privacy Policy to reflect changes in laws or services, the Company will provide notice at least 7 days before the amendment through in-app notices or email. However, when significant changes occur to user rights, at least 30 days' notice will be provided.
③ Previous versions of this Privacy Policy can be confirmed through version management.
| Version | Effective Date | Key Changes |
|---|---|---|
| v1.0.0 | May 1, 2026 | Initial establishment and enforcement |
This policy is effective from May 1, 2026.
Last modified: April 26, 2026 · Habitate Team