Privacy Policy

Last updated: 2026.04.27 · Effective: 2026.04.27

efilog (the "Company") complies with applicable laws, including the Personal Information Protection Act and the Act on Promotion of Information and Communications Network Utilization and Information Protection, and establishes and discloses this Privacy Policy to safely protect users' personal information.

한국어 버전 보기

1. Personal Information We Collect and How We Collect It

The Company collects the following personal information.

a. Required items

  • Account: email address, password (stored encrypted), or Apple/Google account identifier
  • Nickname (auto-generated, changeable)
  • Date of birth (to verify users are at least 14 years old)
  • Device identification: push notification token, operating system type

b. Optional items

  • Profile photo, short bio
  • Location (when recording weather): latitude/longitude (not stored on our servers; used only for one-time calls to an external weather API)
  • Contacts (when using the send-to-someone feature): processed on-device only, never stored on our servers
  • Microphone (when attaching a voice recording — premium only): used only at the moment the user explicitly starts a recording. No always-on listening or background use. Recorded data is handled as an attachment under Section 1-c of this policy

c. User-generated content

  • Records you write, comments, inspirations (likes), and reports you file
  • Attached photos (JPEG): EXIF metadata (GPS, device, capture time) is automatically removed before upload
  • Attached videos (MP4) — efilog premium only: compressed on the client (720p) at upload → metadata atoms (udta, meta, ilst) removed on the server and creation/modification timestamps reset to 0. No GPS, device, or capture-time exposure.
  • Attached voice recordings (M4A/AAC) — efilog premium only: recorded directly via the microphone (up to 60 seconds each, up to 3 per record). On upload, the server removes the same atom metadata as videos and zeroes timestamps. We perform no analysis of recorded voices (recognition, transcription, speaker identification, voiceprint extraction, etc.), and access is possible only through a private bucket with signed URLs.

d. Automatically generated and collected information

  • Service usage records, access logs, error logs (excluding personally identifiable information)
  • Push notification delivery and receipt records

e. Collection methods

  • Entered directly by users during sign-up and use of the service
  • Collected automatically through the mobile operating system (iOS/Android) and SDKs (expo-notifications, expo-location, etc.)

2. Purposes of Processing Personal Information

  • Member identification, authentication, and sign-in
  • Providing core features such as writing, storing, and scheduled publishing of records
  • Sending notifications (publication arrivals, comments, follows, and other notifications the user has consented to)
  • Explore matching based on the same birth year (only the birth year is used; the exact date of birth is kept private)
  • Service operation and improvement (analysis of anonymized usage patterns)
  • Preventing fraudulent use, responding to illegal activity, and resolving disputes

3. Retention and Use Period of Personal Information

  • Deleted immediately upon account deletion (unrecoverable)
  • However, where retention is required by applicable laws, information is kept for the relevant period:
    • Protection of Communications Secrets Act: sign-in records, etc. — 3 months
    • E-Commerce Act: dispute resolution records, etc. — 3 years
  • Block records kept for fraud prevention are retained for 1 year and then destroyed

4. Provision of Personal Information to Third Parties

The Company does not provide users' personal information to external parties, except in the following cases.

  • When the user has given prior consent
  • When required by law (e.g., a lawful request from an investigative agency)
  • Content the user has explicitly set to public

5. Outsourcing of Personal Information Processing

The Company outsources the following tasks to provide a stable service.

a. Supabase Inc.

  • Outsourced tasks: database hosting, authentication server operation, file storage
  • Outsourced items: all items collected under this policy
  • Retention period: until account deletion or termination of the outsourcing contract

b. Apple Inc. (APNs)

  • Outsourced tasks: iOS push notification delivery
  • Outsourced items: device token
  • Retention period: until token expiration

c. Google LLC (FCM)

  • Outsourced tasks: Android push notification delivery, OAuth authentication
  • Outsourced items: device token, OAuth identifier
  • Retention period: until token expiration or OAuth disconnection

d. OpenWeather Ltd.

  • Outsourced tasks: weather lookup when writing a record
  • Outsourced items: latitude/longitude (one-time call, not stored on our servers)
  • Retention period: discarded immediately after the call

Contracts with processors require compliance with applicable laws, security safeguards, and restrictions on sub-outsourcing so that personal information is not processed beyond its intended purpose.

6. Rights of Data Subjects and How to Exercise Them

Users may exercise the following rights at any time.

  • Request access to personal information (app → Profile/Settings)
  • Request correction or deletion of personal information (app → Edit Profile)
  • Request suspension of processing (app → Settings → notification toggles)
  • Withdraw consent and delete your account (app → Settings → Delete Account — all data is permanently deleted immediately)

These rights can be exercised directly through in-app features; for further inquiries, contact the privacy officer listed below.

7. Measures to Secure Personal Information

  • Encryption in transit: all communication is encrypted with HTTPS (TLS)
  • Protection at rest: passwords are stored as one-way hashes; authentication tokens are kept in device secure storage (iOS Keychain / Android Keystore)
  • Access control: row-level permission separation based on Row Level Security; sensitive information (birth_date, notification toggles) is kept in a separate table accessible only by the owner
  • Scheduled record protection: until the publication time arrives, no one but the author can read the content
  • Media metadata removal: EXIF in uploaded photos and atoms (udta, meta, ilst) plus timestamps in videos and voice recordings are automatically deleted — blocking exposure of GPS, device, and capture time
  • Media storage control: private bucket + signed URLs with 1-hour expiry — external access is automatically blocked even if a URL leaks
  • Storage quotas: uploads are rejected beyond per-user limits (free 100MB / premium 2GB) — preventing resource abuse
  • Access log management: system logs are retained and abnormal access is monitored
  • Least privilege: even operators cannot arbitrarily view users' private content; access is limited to legitimate grounds such as report handling or legal compliance

8. Protection of Children Under 14

efilog is available to users aged 14 and older. Age is verified via the date of birth entered at sign-up, and registrations by children under 14 are blocked. If we learn that information of a child under 14 has been collected, we destroy it immediately.

9. Automatic Collection Devices (Cookies, etc.)

As a mobile application, efilog does not use web cookies, but collects information through the following automatic mechanisms.

  • Operating system SDKs: push notification token, device identifier (renewed when the app is reinstalled)
  • Authentication token storage: secure storage used to keep you signed in

Users can decline permissions such as notifications in their device settings; declining may limit the corresponding features (e.g., receiving notifications).

10. Right to Refuse Consent and Consequences

  • Required consent: Terms of Service and this Privacy Policy. If refused, sign-up and use of the service are not possible
  • Optional consent: marketing communications, location use. Refusal does not affect use of the core service

11. Privacy Officer

For inquiries, complaints, or remedies regarding personal information processing, please contact the officer below.

12. Remedies for Infringement

If you need to report or consult on a privacy infringement, you may contact the following organizations (Republic of Korea).

  • Personal Information Infringement Report Center (KISA): privacy.kisa.or.kr · 118 (no area code)
  • Personal Information Dispute Mediation Committee: www.kopico.go.kr · 1833-6972
  • Supreme Prosecutors' Office Cyber Crime Investigation Unit: cybercid.spo.go.kr · +82-2-3480-3573
  • National Police Agency Cyber Bureau: ecrm.cyber.go.kr · 182 (no area code)

13. Changes to This Policy

If this policy changes, we will notify users through in-app notices starting 7 days before the effective date. For changes that materially affect user rights, we will give notice starting 30 days before the effective date and, where necessary, obtain users' explicit renewed consent.