MyTravel (hereinafter referred to as the "Service") protects the personal information of its users in accordance with the Personal Information Protection Act of Korea, the Act on Promotion of Information and Communications Network Utilization and Information Protection, the EU General Data Protection Regulation (GDPR), and other applicable laws and regulations. This Privacy Policy is established and disclosed to handle related grievances promptly and smoothly. This policy applies to all personal information collected through the use of the Service.
1. Personal Information We Collect
The Service collects the following personal information for membership registration, service provision, and customer inquiry handling.
Required Information
| Collected Item | Collection Point | Purpose |
|---|---|---|
| Email address | Registration | Account identification, login, notifications |
| Password (stored encrypted) | Registration | Account authentication |
| Name (nickname) | Registration | Display within service, social features |
Information Collected via Social Login
When using social login through Google, Apple, Kakao, or other providers, the following information is collected from the respective OAuth provider.
- Google — Email, name, profile picture URL
- Apple — Email, name (at first login only)
- Kakao — Kakao account email, nickname, profile image
Unique identifiers (IDs) provided by OAuth providers are used solely for account linking and are not shared with third parties.
Optional Information (Collected with Feature Use)
The following items are collected only when the user explicitly grants permission and uses the corresponding feature.
| Collected Item | Collection Point | Purpose | Legal Basis |
|---|---|---|---|
| Location Information (GPS coordinates) | After user permission | Location-based travel recommendations, nearby attractions search | Act on the Protection and Use of Location Information |
| Push Notification Permission | After user permission | Trip invitations, AI generation completion, schedule notifications | Act on Promotion of Information and Communications Network Utilization and Information Protection |
| Photo/Camera Access Permission | After user permission | Profile photo, travel photo uploads | Personal Information Protection Act |
Location Information Usage and Protection
- Collection Method: Collected only when users explicitly grant location permission in the mobile app.
- Purpose: Location-based travel recommendations, nearby attractions/restaurants search, route calculation
- Retention Period: Location information is not permanently stored on the server and is only used temporarily for API requests.
- Third-Party Provision: Used for geocoding and place search through Google Maps API and LocationIQ.
- Withdrawal Method: Permission can be withdrawn at any time in Device Settings > App Permissions > Location.
Information Automatically Collected During Service Use
- Travel plan data — Destinations, travel dates, activity details, expense records, and other travel-related information directly entered by the user
- Access logs — IP address, access time, browser type, operating system, language settings, access platform (web/iOS/Android), User-Agent string
- Device information — Device type (mobile/desktop/tablet), screen resolution, last access platform
- Mobile advertising identifier — Google Advertising ID (GAID, Android) or IDFA (iOS) may be collected by the Google AdMob SDK for personalized advertising purposes. You can reset your advertising ID or opt out of personalized ads in your device settings.
- Service usage records — Feature usage history, error logs (when errors occur, user identification information, device information, and error details are collected for diagnostic purposes), service access patterns
- Photo data — Travel cover photos, activity photos (converted and optimized to WebP format upon upload)
- Subscription data — Subscription type, subscription platform (App Store/Google Play), expiration date, monthly AI usage count
- Social data — Follow relationships, likes, share tokens, public/private settings
- Announcement read records — Whether service announcements have been read and when they were dismissed (for announcement display management)
- Security logs — Audit logs (security events such as login, password changes), push notification tokens
2. Purpose of Personal Information Use
The collected personal information is used for the following purposes.
- Service provision — AI-powered travel plan generation, weather and time zone information, itinerary management
- Member management — Registration and account deletion processing, identity verification, account security management (2FA, password changes), prevention of unauthorized use
- Social features — Travel plan sharing, follow/like features, travel feed
- Notification services — Travel itinerary reminders, service announcements, email verification
- Service improvement — Usage statistics analysis, service quality enhancement, bug fixes and stability improvements
- Customer support — Inquiry reception and processing, complaint resolution, usage guidance
- Advertising — Personalized advertising through Google AdSense (web) and Google AdMob (mobile app) (personal information is not directly provided to advertisers)
3. Retention and Disposal of Personal Information
Retention Period
Users' personal information is promptly destroyed once the purpose of collection and use has been achieved. However, where retention is required by applicable laws and regulations, such information is stored separately in a dedicated database for the specified period.
| Retained Item | Retention Period | Legal Basis |
|---|---|---|
| Account information (email, name) | Until account deletion | Service agreement / GDPR Art. 6(1)(b) |
| Travel plan data | Until account deletion | Service agreement / GDPR Art. 6(1)(b) |
| Access logs | 3 months | Korean Telecommunications Privacy Act / GDPR Art. 6(1)(f) |
| E-commerce transaction records | 5 years | Korean Consumer Protection in E-Commerce Act / GDPR Art. 6(1)(c) |
| Audit logs | 30 days | Service security and management / GDPR Art. 6(1)(f) |
Disposal Methods
- Electronic files — Permanently deleted using technical methods that make recovery impossible.
- Automatic disposal — Data that has exceeded the retention period is regularly deleted through automated scripts.
- Account deletion — Upon account deletion request, all personal information and travel data are completely deleted within 30 days.
4. Disclosure to Third Parties
The Service does not, in principle, provide users' personal information to external parties. However, information may be shared in the following exceptional circumstances.
- With user consent — Only when explicit prior consent has been obtained.
- Legal requirements — Only when requested through legal procedures for investigative purposes.
External Services Used for Service Operation
| Service | Provider | Purpose | Data Collected |
|---|---|---|---|
| Google Analytics | Google LLC | Usage statistics analysis | Cookies, access logs, usage patterns (de-identified) |
| Google AdSense | Google LLC | Web ad placement | Cookies, ad interaction data |
| Google AdMob | Google LLC | Mobile app ad placement | Advertising identifier (GAID/IDFA), ad interaction data |
| OpenAI API | OpenAI Inc. | AI travel plan generation | Travel destination, dates (not personally identifiable) |
| OpenWeatherMap | OpenWeather Ltd. | Weather information | Location information (city name) |
| Google OAuth | Google LLC | Social login | Email, name, profile (with consent) |
| Kakao OAuth | Kakao Corp. | Social login | Email, nickname, profile (with consent) |
| RevenueCat | RevenueCat Inc. | Subscription payment management | Subscription status, payment events (payment information is processed directly by app stores) |
| Google Maps API | Google LLC | Place search | Search queries, session tokens |
| LocationIQ | LocationIQ GmbH | Geocoding (place name to coordinates) | Place search queries (not personally identifiable) |
| Google Timezone API | Google LLC | Time zone information | Location coordinates (not personally identifiable) |
| Sentry | Functional Software Inc. | Error monitoring | Error data, user context (de-identified) |
| Paddle | Paddle.com Market Ltd | Web payment processing (Merchant of Record) | Email, payment information, subscription status (card information is processed directly by Paddle) |
| Mapbox | Mapbox Inc. | Place search (primary) | Search queries, session information (not personally identifiable) |
| Expo (Push Notifications) | Expo Inc. | Push notification delivery | Expo push token, device information |
| Affiliate partners | Booking.com, Klook, etc. | Affiliate service referrals | Click events, IP address, User Agent |
5. Cookie Policy
The Service uses cookies to provide a better user experience. Cookies are small text files stored in the user's browser by the website, and are used for functions such as maintaining login status and remembering service settings.
Types of Cookies Used
- Essential cookies — Cookies necessary for service use, such as login authentication tokens (JWT) and language settings.
- Analytics cookies — Cookies used for collecting service usage statistics through Google Analytics.
- Advertising cookies — Cookies used by advertising services such as Google AdSense.
This Service allows third-party advertisers, including Google, to use cookies to serve ads based on previous visits. For information about Google's use of advertising cookies, please refer to Google's Advertising and Content Network Privacy Policy.
Users can refuse cookie storage through browser settings; however, this may limit the use of certain services such as login. For Google advertising cookies, you can disable personalized ads on the Google Ad Settings page.
6. User Rights
Users (or their legal representatives) may exercise the following rights at any time.
- Right to access personal information — You can view your personal information stored in the Service. (GDPR Art. 15 — Right of access)
- Right to rectification — You can request correction of inaccurate or outdated personal information. Profile information can be directly edited within the Service. (GDPR Art. 16 — Right to rectification)
- Right to erasure — You can request complete deletion of your account and personal information through the account deletion (Delete Account) feature or by email. (GDPR Art. 17 — Right to erasure / "Right to be forgotten")
- Right to restriction of processing — You can request the restriction of processing of your personal information. (GDPR Art. 18 — Right to restriction of processing)
- Right to data portability (GDPR data export) — In accordance with the EU General Data Protection Regulation (GDPR), you can export all your data (account information, travel plans, expense records, notifications, etc.) in JSON format. You can use the "Export Data" feature in the profile settings menu within the Service, or request it by email. (GDPR Art. 20 — Right to data portability)
- Right to withdraw consent — You can withdraw your consent to the collection and use of personal information at any time. (GDPR Art. 7(3))
- Right to object — You can object to the processing of your personal information based on legitimate interests. (GDPR Art. 21 — Right to object)
Rights can be exercised through the profile settings within the Service or by contacting the Data Protection Officer via email. Requests will be processed and results communicated within 10 days (or within one month for GDPR requests, with possible extension). However, information required to be retained by applicable laws may be preserved for the designated period despite deletion requests.
7. Security Measures
The Service implements the following technical and administrative security measures to safely protect users' personal information.
- Data encryption — Passwords are stored as one-way bcrypt hashes (12 rounds), and all data transmission is encrypted via HTTPS (TLS 1.2 or higher).
- Authentication security — JWT-based authentication, one-time use refresh token rotation, two-factor authentication (TOTP), and account lockout (15-minute lock after 10 failed attempts).
- Access control — Administrator privilege separation, database access restrictions, and automatic exclusion of sensitive information columns (select: false).
- Security headers — HSTS Preload, CSP (Content Security Policy), Referrer-Policy, X-Content-Type-Options, and other security headers are applied.
- Log security — Personal information such as email addresses in access logs is masked.
- Regular audits — Administrator activities are recorded through audit logs, and dependency security vulnerabilities are regularly inspected.
- Data backup — Automated daily database backups are performed and retained for 14 days.
- Infrastructure security — Docker containers run as non-root, source maps are removed, and CORS whitelist policies are applied.
8. Data Protection Officer
The following Data Protection Officer has been designated to handle inquiries, complaints, and remedies related to personal information protection.
- Officer: Hoonjae Park (Representative)
- Email: [email protected]
If you need to report or consult regarding a personal information breach, you may contact the following organizations.
- Korea Internet & Security Agency — Personal Information Infringement Report Center (privacy.kisa.or.kr / 118)
- Supreme Prosecutors' Office Cyber Investigation Division (www.spo.go.kr / 1301)
- National Police Agency Cyber Investigation Bureau (ecrm.police.go.kr / 182)
If you are an EU resident, you have the right to lodge a complaint with your local Data Protection Authority (DPA) under GDPR Art. 77.
9. International Data Transfers
Users' personal information may be transferred internationally as follows for the operation of the Service.
| Recipient | Location | Transferred Data | Purpose |
|---|---|---|---|
| OpenAI | United States | Travel data | AI itinerary generation |
| | United States | Ad ID, usage patterns | Ad delivery, place search |
| RevenueCat | United States | Subscription information | Payment processing |
| Sentry | United States | Error data | Error monitoring |
| Paddle | United Kingdom | Email, payment information | Web payment processing (Merchant of Record) |
| LocationIQ | Germany | Place search queries | Geocoding |
| Mapbox | United States | Search queries, session information | Place search |
| Expo | United States | Push token, device information | Push notification delivery |
Each service provider maintains appropriate personal information protection measures. Transfers are conducted with user consent in accordance with applicable laws. For transfers from the EU/EEA, the Service relies on Standard Contractual Clauses (SCCs) or adequacy decisions as appropriate under GDPR Art. 46.
10. Data Breach Notification
In the event of a personal information breach, users will be notified of the following matters without delay.
- Categories of personal information affected
- Time and circumstances of the breach
- Measures for minimizing user harm
- Response actions taken and remediation procedures
- Responsible department and contact information
Notifications will be made via email, in-app announcements, or other appropriate methods. Where required by GDPR, the relevant supervisory authority will be notified within 72 hours of becoming aware of the breach (GDPR Art. 33).
11. California Residents (CCPA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):
- Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you.
- Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
- Right to Opt-Out of Sale: We do not sell your personal information. We share limited data with advertising partners (Google AdMob/AdSense) for personalized advertising. You can opt out of personalized ads by adjusting your device advertising settings or using the GDPR consent banner on our web service.
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
To exercise these rights, use the in-app data export or account deletion features, or contact us at [email protected].
12. App Tracking Transparency (ATT)
On iOS devices, in accordance with Apple's App Tracking Transparency (ATT) policy, the Service separately requests tracking permission for personalized advertising. Users may decline this request, and declining will not limit the use of the Service. Tracking permission can be changed at any time in Device Settings > Privacy & Security > Tracking.
13. Changes to This Privacy Policy
This Privacy Policy may be amended in accordance with changes in applicable laws, service policies, or security technologies. Any changes will be announced through in-service notices or email at least 7 days before the effective date. For significant changes, advance notice of 30 days will be provided.
14. Effective Date
- Initial effective date: January 1, 2024
- Last modified: April 18, 2026