Privacy Policy

Effective Date: May 1, 2026  ·  Version: 1.0.0

The Habitate team complies with the Personal Information Protection Act and relevant laws,

and establishes and discloses this Privacy Policy

to process users' personal information lawfully and safely.

Overview

Habitate (hereinafter "Company") operates the mobile service "Habitate" (hereinafter "Service"), which supports habit tracking and goal achievement through gamification.

In accordance with Article 30 of the Personal Information Protection Act, the Company establishes and discloses this Privacy Policy to guide the procedures and standards for processing data subjects' personal information and to promptly and smoothly handle related complaints.

This policy is effective from May 1, 2026.

Article 1 Purpose, Items, and Retention Period of Personal Information Processing

The Company collects and processes the minimum personal information necessary for the following purposes. Personal information shall not be used for any purpose other than the following, and if the purpose changes, necessary measures such as obtaining separate consent shall be taken in accordance with Article 18 of the Personal Information Protection Act.

① Membership Registration and Account Management

The service is provided through email/password authentication and social login (Google, Apple, Kakao, GitHub).

CategoryItems CollectedPurposeLegal BasisRetention Period
Email/Password Registration[Required] Email address, nickname, password (encrypted) [Auto-generated] Member unique identifier (UUID), registration dateMember identification, service provision, identity verification, fraud preventionPIPA Article 15(1)4 (Contract performance)Until membership withdrawal (destroyed within 30 days of withdrawal)
Social Login (Google/Apple/Kakao/GitHub)[Provided info — varies by provider] Email address (if available), social provider's unique ID, nickname (if available) [Auto-generated] Member unique identifier (UUID), registration dateProviding easy login via social account, member identificationPIPA Article 15(1)4 (Contract performance)Until membership withdrawal (destroyed within 30 days of withdrawal)
Password ResetEmail addressSending password reset email after identity verificationPIPA Article 15(1)4 (Contract performance)Immediately destroyed after processing (reset link: 1 hour after issuance)

② Service Use (Gamification Features)

Features for goal setting, quest completion, reward system, and virtual space customization are provided.

CategoryItems Collected/GeneratedPurposeLegal BasisRetention Period
Goal Management[User input] Goal title, start date, end date, status (in progress/completed/archived) [Auto-generated] Total days, completed days, weekly reward data (JSON)Setting/managing personal goals and calculating achievement ratePIPA Article 15(1)4Until membership withdrawal
Quest Management[User input or AI-generated] Quest title, description, category (daily/weekly/monthly), difficulty (easy/normal/hard), days of the week [Auto-generated] Reward values (EXP/gold, JSON)Creating/managing quests and calculating completion rewardsPIPA Article 15(1)4Until membership withdrawal
Quest Log[Auto-recorded] Completion date, completion status [Optional — not yet implemented] Evidence image URLManaging quest completion history and generating statisticsPIPA Article 15(1)4Until membership withdrawal
User Game Stats[Auto-generated/updated] Level, experience points (EXP), gold, created/updated timestampsProviding gamification elements (level-up, rewards)PIPA Article 15(1)4Until membership withdrawal
Virtual Space (Room) Management[User settings] Space name, primary space designation [Auto-recorded] Furniture placement data (JSON), wallpaper/floor setting IDs, sort orderSaving and restoring personalized virtual spacesPIPA Article 15(1)4Until membership withdrawal
Inventory & Items[Auto-recorded] Item IDs owned, acquisition date, quantity, context data (JSON)Managing acquired items and supporting placement in virtual spacesPIPA Article 15(1)4Until membership withdrawal

③ AI Quest Generation Service

AI-based quest recommendations and image generation using the Google Gemini API.

CategoryItems ProcessedPurposeLegal BasisRetention Period
AI Quest Generation[Info provided for AI processing] Goal title, quest category, difficulty settings [AI-generated output] Quest title/description (text), AI-generated images (PNG, stored in Supabase Storage)Automatically generating custom quest ideas and item imagesPIPA Article 15(1)4AI-generated images: permanently stored in item catalog (item data retained after withdrawal) Processing prompts: immediately deleted after AI processing

※ AI Processing Notes

· Please be careful not to include sensitive personal information such as names, contact details, or national ID numbers in goal titles.

· During AI processing, the relevant text is sent to Google Gemini API servers (located in the US). Please refer to Article 6 (Cross-Border Transfer) for details.

· AI-generated images may be registered in the public item catalog.

④ Retention Required by Law

Information that must be retained under relevant laws shall be retained for the period required by those laws.

ItemsApplicable LawRetention Period
Records of contracts or withdrawal of offersAct on Consumer Protection in Electronic Commerce, Article 65 years
Records of payment and supply of goodsAct on Consumer Protection in Electronic Commerce, Article 65 years
Records of consumer complaints or dispute resolutionAct on Consumer Protection in Electronic Commerce, Article 63 years
Communication confirmation data (login records, access IP, etc.)Protection of Communications Secrets Act, Article 413 months
Records related to service use disputesInternal policy (for dispute resolution purposes)Until dispute resolution

Article 2 Status of Personal Information Files

The Company operates personal information files in accordance with Article 32 of the Personal Information Protection Act, with processing purposes and retention periods within the scope described in Article 1.

File NameKey ItemsProcessing PurposeRetention Period
Member Basic Information FileEmail, nickname, password (hash), social provider info, member unique IDMember management30 days after withdrawal
Game Stats FileLevel, EXP, gold, created/modified timestampsService provision30 days after withdrawal
Goal & Quest FileGoal/quest title, category, difficulty, reward values, schedule infoService provision30 days after withdrawal
Quest Log FileQuest ID, completion date, completion statusStatistics and history management30 days after withdrawal
Virtual Space FileSpace name, furniture placement data (JSON), wallpaper/floor IDsService provision30 days after withdrawal
Inventory FileItem IDs owned, acquisition date, quantityService provision30 days after withdrawal
AI-Generated Image FileAI-generated PNG images (stored in Supabase Storage)Item image displayPermanently retained

Article 3 Provision of Personal Information to Third Parties

① The Company provides personal information to third parties only when applicable under Articles 17 and 18 of the Personal Information Protection Act, such as with the data subject's consent or under special legal provisions.

② Currently, the Company does not in principle provide users' personal information to third parties. However, exceptions apply in the following cases:

  • When the user has given prior consent
  • When required by law or when requested by investigative agencies following legally prescribed procedures for investigative purposes
  • When necessary for fee settlement in connection with service provision (applicable upon introduction of paid services)

③ If third-party provision occurs in the future, the Company will immediately amend this policy and obtain prior consent.

Article 4 Standards for Additional Use and Provision

When additionally using or providing personal information without the data subject's consent under Article 15(3) or Article 17(4) of the Personal Information Protection Act, the Company considers the following:

1. Relevance to the original collection purposeUsed only for service improvement purposes such as quest achievement statistics analysis, without exceeding the scope of the original collection purpose.

2. PredictabilityProcessed only within the range predictable to users in the context of service use.

3. Whether interests are infringedProcessed within the range that does not unfairly infringe on the data subject's interests.

4. Safety measuresAppropriate safety measures such as encryption are taken even during additional use or provision.

Article 5 Consignment of Personal Information Processing

① The Company consigns personal information processing as follows for smooth service operation:

ConsigneeConsigned WorkPersonal Information Processed
Supabase, Inc. (USA)Member authentication and account management, database operation, file storage (images)Email, password (encrypted), social account info, all service usage data
Google LLC (USA, Gemini API)AI-based quest text generation and image generation processingGoal title, quest category/difficulty settings (immediately deleted after processing)
Render Services, Inc. (USA)Backend server hosting and operationAPI request/response data transmitted through the server (no cache or permanent storage)

② Upon entering into consignment contracts, the Company specifies the following in the contract in accordance with Article 26 of the Personal Information Protection Act and supervises whether the consignee processes personal information safely:

  • Prohibition of personal information processing beyond the purpose of consigned work
  • Matters regarding safety measures
  • Matters regarding restrictions on re-consignment
  • Matters regarding management and supervision of the consignee
  • Matters regarding liability for damages

③ If the content of consigned work or the consignee changes, the Company will promptly disclose this through this policy.

Article 6 Cross-Border Transfer of Personal Information

The Company transfers personal information overseas as follows for service operation. The relevant transfers meet the standards under Article 28-8 of the Personal Information Protection Act.

RecipientCountryItems TransferredPurposeRetention PeriodSafeguards
Supabase, Inc.USAMember account information, all service usage dataAuthentication, DB, storage service provisionUntil membership withdrawalStandard Contractual Clauses (SCC) and SOC2 Type II certification
Google LLC (Gemini API)USAGoal title, quest generation parameters (immediately deleted after processing)AI quest/image generationImmediately deleted after AI processingGoogle Cloud Privacy Policy and Data Processing Addendum (DPA)
Render Services, Inc.USAAPI request/response data (no permanent storage)Backend server hostingImmediately deleted after processingStandard Contractual Clauses (SCC) and SOC2 compliance

Article 7 Procedures and Methods for Destroying Personal Information

① The Company destroys personal information without delay when it becomes unnecessary, such as when the retention period has expired or the processing purpose has been achieved.

② If personal information must continue to be retained in accordance with other laws despite the expiration of the agreed retention period or achievement of the processing purpose, such personal information is transferred to a separate database (DB) or stored in a different location.

③ The procedures and methods for destroying personal information are as follows:

Destruction Procedure

Withdrawal request received → Verify destruction reason → Protection Officer approval → Execute destruction → Confirm destruction (within 30 days)

Destruction ReasonTimingMethod
Membership withdrawalWithin 30 days of withdrawal requestElectronic files: permanently deleted by irreversible method (Supabase DB record deletion, Storage object deletion)
Legal retention period expiredImmediately after the retention period expiresPermanently deleted after separation to a separate DB upon retention period expiration
AI processing promptsImmediately after AI processing is completeImmediately deleted from memory (not stored on server)
Password reset tokensAfter 1 hour of issuance or immediately upon useSupabase Auth token expiration processing

Article 8 Rights and Obligations of Data Subjects and Legal Representatives

① Data subjects may exercise the following personal information protection rights against the Company at any time:

RightContentHow to Exercise
Right of AccessYou may access your personal information processing status, purpose, items, retention period, etc.App's 'My Info' menu or email inquiry
Right to Correction/DeletionYou may request correction if the personal information being processed differs from facts, or request deletion. However, deletion may be restricted if collection is mandated by law.App's 'Edit Nickname' feature or email inquiry
Right to Suspend ProcessingIf you have consented to personal information processing, you may withdraw consent and request suspension at any time.Email inquiry or membership withdrawal
Right to Withdraw MembershipYou may withdraw consent to personal information processing through membership withdrawal; personal information will be destroyed within 30 days after withdrawal.App's 'Delete Account' menu (to be implemented) or email inquiry
Right to Object to Automated DecisionsYou may request an explanation or raise objections regarding automated processing results such as AI quest generation. (PIPA Article 37-2)Email inquiry

② Rights may be exercised through the following methods:

  • Email: project.habitate@gmail.com
  • In-app customer center: Settings > Customer Center (to be implemented)
  • Identity verification procedures will be conducted, and requests will be processed within 10 days of receipt.

③ In the case of children under the age of 14, their legal representatives may request access, correction, deletion, and suspension of processing of personal information concerning the child under Article 38(2) of the Personal Information Protection Act. The Company in principle restricts membership registration for children under 14 years of age.

④ Rights may also be exercised through an agent such as the data subject's legal representative or a duly authorized person. In this case, a power of attorney and a copy of the agent's ID must be submitted.

Article 9 Measures to Ensure Safety of Personal Information

The Company takes the following safety measures in accordance with Article 29 of the Personal Information Protection Act:

1. Administrative Measures

  • Establishment and implementation of internal management plans
  • Regular training and security pledges for employees handling personal information
  • Minimizing personal information access rights by limiting them to relevant personnel
  • Regular inspection of personal information processing status

2. Technical Measures

  • Password encryption: Argon2id algorithm applied (Supabase Auth)
  • Transmission channel encryption: HTTPS/TLS 1.2 or higher applied (all API communications)
  • JWT (JSON Web Token)-based authentication token issuance, 7-day validity period
  • Secure client-side storage of authentication tokens: React Native AsyncStorage (device-level encrypted storage)
  • Supabase Row-Level Security (RLS): DB policies configured so only the user's own data can be accessed
  • Web vulnerability defense including SQL injection: FastAPI framework and Pydantic input validation
  • AI image generation rate limiting: API call frequency limits to prevent abuse
  • Social login: OAuth 2.0 standard compliance, provider secret keys not exposed in frontend

3. Physical Measures

  • Physical security of cloud infrastructure (Supabase, Render) data centers (SOC2 Type II certified)
  • Separation of development and production environments: sensitive information managed via environment variables (.env), not included in code repositories
  • GitHub repository security: prohibition on writing secret keys/API keys directly in code, .gitignore applied

Article 10 Installation, Operation, and Opt-Out of Automatic Collection Devices

① Mobile App (Habitate App)

Habitate is a React Native-based mobile app and does not use the following automatic collection devices in the current version (1.0.0):

ItemIn UseNotes
CookiesNot usedNot applicable in mobile app environment
Location Information (GPS)Not used (not collected)No location-based features in current version
Camera/PhotosNot used (not collected)Quest evidence photo feature planned for future release (separate consent to be obtained upon implementation)
Push Notification Device TokenNot used (not collected)Push notification feature planned for future release (separate consent to be obtained upon implementation)
Third-party Analytics ToolsNot usedFirebase Analytics, Mixpanel, Google Analytics, etc. not applied
Advertising Identifiers (IDFA/GAID)Not usedNo advertising features
JWT Token (for authentication)In useStored locally on device for user authentication (AsyncStorage). Can be deleted upon app logout.

② Website (Upon Future Introduction)

If a separate website is operated in the future, cookies may be used, in which case users' right to choose will be guaranteed through a cookie consent popup, and this policy will be revised and disclosed.

※ How to Delete JWT Token (Logout)

You can immediately delete the authentication token stored on your device through Settings > Logout in the app. After logging out, you must log in again to use the service.

Article 11 Personal Information Protection Officer

① The Company designates a Personal Information Protection Officer as follows to take overall responsibility for personal information processing and to handle complaints and provide remedies related to personal information processing:

CategoryInformation
PositionPersonal Information Protection Officer (CPO)
DepartmentHabitate Development Team
Emailproject.habitate@gmail.com
Response PeriodWithin 10 days of receipt

② Data subjects may inquire about all matters related to personal information protection, complaints, and remedies arising from using the Company's services. The Company will respond and process data subjects' inquiries without delay.

Article 12 Department Receiving and Processing Access Requests

① Data subjects may request access to personal information in accordance with Article 35 of the Personal Information Protection Act at the following department:

DepartmentFiles ProcessedContact
Habitate Development TeamMember Basic Information File Game Stats File Goal & Quest File Quest Log File Virtual Space File Inventory File AI-Generated Image FileEmail: project.habitate@gmail.com Response period: within 10 days

② If a data subject is dissatisfied with or has objections to the measures taken in response to a request, they may raise an objection, and the results of the measures will be notified within 10 days from the date the objection is received.

Article 13 Remedies for Infringement of Data Subject's Rights

① Data subjects may apply to the following institutions for dispute resolution or consultation to obtain remedies for personal information infringement:

InstitutionContactMain Services
Personal Information Dispute Mediation Committee(without area code) 1833-6972 www.kopico.go.krApplications for personal information dispute mediation
Personal Information Infringement Report Center (KISA)(without area code) 118 privacy.kisa.or.krPersonal information infringement reports and consultations
National Police Agency Cyber Crime Report System(without area code) 182 ecrm.police.go.krCybercrime damage reports
Supreme Prosecutors' Office Cyber Investigation Division02-3480-3573 www.spo.go.krComplaints/accusations related to personal information infringement

② Persons whose rights or interests have been infringed upon by a disposition or inaction regarding requests under Articles 35 (Access), 36 (Correction/Deletion), and 37 (Suspension of Processing, etc.) of the Personal Information Protection Act may file an administrative appeal in accordance with the Administrative Appeals Act.

※ Central Administrative Appeals Commission: (without area code) 110 · www.simpan.go.kr

Article 14 Changes to the Privacy Policy

① This Privacy Policy is effective from May 1, 2026.

② When amending the Privacy Policy to reflect changes in laws or services, the Company will provide notice at least 7 days before the amendment through in-app notices or email. However, when significant changes occur to user rights, at least 30 days' notice will be provided.

③ Previous versions of this Privacy Policy can be confirmed through version management.

VersionEffective DateKey Changes
v1.0.0May 1, 2026Initial establishment and enforcement

This policy is effective from May 1, 2026.

Last modified: April 26, 2026  ·  Habitate Team