1. INFORMATION WE COLLECT

1.1 Information You Provide Directly

Sign-in methods: Google OAuth, Apple Sign In.

When you create an account through Google OAuth, we collect:

• Full name as registered with Google
• Email address
• Profile photograph
• Google account identifier

When you create an account through Apple Sign In, we collect:

• Name as provided by Apple (if shared)
• Email address (which may be a private relay email from Apple)
• Apple account identifier

1.2 Information Collected Automatically

• Routine usage data (emotion selections, completion status, duration)
• Emotional state ratings before and after routines (1-5 scale)
• Time of use (hour of day, day of week)
• Device type (mobile or desktop)
• App usage patterns and behavioral data

1.3 Information We Do NOT Collect

• Payment information
• Location data
• Contacts or address book
• Camera or microphone data
• Biometric data
• Government IDs or Social Security numbers

2. HOW WE USE YOUR INFORMATION

2.1 Service Provision

• To create and manage your account
• To provide personalized routine recommendations
• To track your routine history and progress
• To display your usage statistics

2.2 Service Improvement

• To analyze usage patterns and improve features
• To develop new routines and content
• To fix bugs and optimize performance
• To conduct internal research and analytics (anonymized and aggregated data only — individual data is never used for research)

2.3 Communications

• To send service-related notifications
• To respond to your inquiries
• To send marketing communications (only with your explicit consent)
• To notify you of significant policy changes

2.4 Legal Compliance

• To comply with applicable laws and regulations
• To respond to lawful requests from authorities
• To protect our legal rights and interests

3. LEGAL BASIS FOR PROCESSING

We process your personal information based on:

• Your explicit consent (Article 15, Personal Information Protection Act of Korea)
• Performance of our contract with you
• Compliance with legal obligations

4. DATA SHARING AND DISCLOSURE

4.1 Service Providers

Google LLC

• Purpose: Authentication via Google OAuth
• Note: Your Google account security is your responsibility. We are not liable for damages caused by unauthorized Google account access.

Apple Inc.

• Purpose: Authentication via Sign in with Apple
• Note: Your Apple ID security is your responsibility. We are not liable for damages caused by unauthorized Apple account access.

Supabase Inc.

• Purpose: Database storage and management
• Location: United States
• All transfers encrypted

4.2 Legal Requirements

We may disclose your information only when required by:

• Valid court orders or warrants
• Legal obligations under applicable law
• Emergency situations involving risk to life

4.3 What We Will NEVER Do

• Sell your personal information to third parties
• Share your data with advertisers
• Use your data beyond stated purposes
• Transfer data to unauthorized parties

5. DATA RETENTION AND DELETION

5.1 Retention Period

• Account information: Until account deletion
• Routine records: Until account deletion
• Usage logs: 6 months
• Legal dispute records: 1 year after resolution

5.2 Deletion Process

Upon account deletion request:

• Acknowledgment email sent upon receipt of request
• All personal data deleted within 10 business days
• Completion confirmation email sent upon deletion
• Deletion records retained for 6 months as evidence
• Anonymized aggregate data may be retained for research
• Backup copies purged within 30 days

5.3 Data Deletion Method

• Electronic files deleted using methods that prevent recovery
• Backup data overwritten or destroyed

6. DATA SECURITY

6.1 Technical Safeguards

• All data transmitted via HTTPS/TLS encryption
• Data at rest encrypted
• Access controls limiting data to authorized personnel
• Regular security assessments

6.2 Data Breach Response

In the event of a data breach:

• Affected users notified within 72 hours via email and in-app notice
• Description of breach, affected data, and remediation steps
• Report filed with relevant authorities as required

7. INTERNATIONAL DATA TRANSFER

Your data is stored on servers in the United States (Supabase infrastructure). By using our Service, you consent to this transfer. All transfers are encrypted and subject to data processing agreements.

8. YOUR RIGHTS

8.1 Rights Under Korean Law (PIPA)

• Right to be informed about data processing
• Right to access your personal information
• Right to correct inaccurate information
• Right to delete your information
• Right to suspend processing
• Right to withdraw consent at any time

8.2 How to Exercise Your Rights

Email: routinity.app@gmail.com
Response time: Within 10 business days
Identity verification may be required.
Refusal will be communicated with reasons.

8.3 Right to Complain

• Personal Information Protection Commission: privacy.go.kr
• Personal Information Dispute Mediation: +82-2-2100-2499
• Cyber Crime Report Center: cyberbureau.police.go.kr
• Personal Information Infringement Report: 182 (no area code)

9. CHILDREN'S PRIVACY

9.1 Age Restriction

Our Service is not directed to individuals under 14 years of age.

9.2 False Age Declaration

If a user provides false age information to access the Service:

• Legal responsibility lies entirely with the user (or their legal guardian)
• We are not liable for any consequences arising from false age declarations

9.3 Discovery of Minor's Data

If we discover data collected from a user under 14:

• Account immediately suspended
• All data deleted within 48 hours
• Parent/guardian notified if contact info available

9.4 Parental Rights

Parents/guardians may contact us to:

• Access their child's data
• Request deletion of their child's data
• Withdraw consent on behalf of their child

10. COOKIES AND LOCAL STORAGE

Used for: Login state maintenance, onboarding completion tracking
To disable: Adjust browser settings
Note: Disabling cookies will prevent you from staying logged in.

11. AUTOMATED DECISION MAKING

Routinity does not use automated decision-making or profiling. All routine recommendations are based on your manual selections.

Note: If AI-powered features are added in the future, separate consent will be obtained before activation.

12. RESEARCH AND ACADEMIC USE

Your data may be used for academic research only in the following form:

• Completely anonymized and aggregated
• Individual users cannot be identified
• Raw personal data is never used for research purposes

13. MARKETING COMMUNICATIONS

Only sent with your explicit consent.
To opt-out: routinity.app@gmail.com
Processed within 5 business days.

14. DATA PROTECTION OFFICER

Email: routinity.app@gmail.com
Response Time: Within 10 business days

15. SERVICE TERMINATION DATA HANDLING

In the event of service termination:

• 30 days advance notice provided
• Data download period provided before termination
• All data permanently deleted upon service closure

16. CHANGES TO THIS POLICY

Policy version is dated and tracked.

• Minor changes: Updated version date only
• Material changes: 7 days advance notice via in-app notification and email
  • Email delivery records maintained as evidence of notification.
  • Notice is deemed delivered upon email transmission regardless of receipt. Continued use after changes = acceptance

17. CONTACT US

Email: routinity.app@gmail.com
Response Time: Within 10 business days
Version: 2026-04-14