MyTravel (hereinafter referred to as the "Service") protects the personal information of its users in accordance with the Personal Information Protection Act of Korea, the Act on Promotion of Information and Communications Network Utilization and Information Protection, the EU General Data Protection Regulation (GDPR), and other applicable laws and regulations. This Privacy Policy is established and disclosed to handle related grievances promptly and smoothly. This policy applies to all personal information collected through the use of the Service.
1. Personal Information We Collect
The Service collects the following personal information for membership registration, service provision, and customer inquiry handling.
Required Information
| Collected Item | Collection Point | Purpose |
|---|---|---|
| Email address | Registration | Account identification, login, notifications |
| Password (stored encrypted) | Registration | Account authentication |
| Name (nickname) | Registration | Display within service, social features |
Information Collected via Social Login
When using social login through Google, Apple, Kakao, or other providers, the following information is collected from the respective OAuth provider.
- Google — Email, name, profile picture URL
- Apple — Email, name (at first login only)
- Kakao — Kakao account email, nickname, profile image
Unique identifiers (IDs) provided by OAuth providers are used solely for account linking and are not shared with third parties.
Information Automatically Collected During Service Use
- Travel plan data — Destinations, travel dates, activity details, expense records, and other travel-related information directly entered by the user
- Access logs — IP address, access time, browser type, operating system, language settings, access platform (web/iOS/Android), User-Agent string
- Device information — Device type (mobile/desktop/tablet), screen resolution, last access platform
- Service usage records — Feature usage history, error logs (when errors occur, user identification information, device information, and error details are collected for diagnostic purposes), service access patterns
- Photo data — Travel cover photos, activity photos (converted and optimized to WebP format upon upload)
- Subscription data — Subscription type, subscription platform (App Store/Google Play), expiration date, monthly AI usage count
- Social data — Follow relationships, likes, share tokens, public/private settings
- Announcement read records — Whether service announcements have been read and when they were dismissed (for announcement display management)
- Security logs — Audit logs (security events such as login, password changes), push notification tokens
2. Purpose of Personal Information Use
The collected personal information is used for the following purposes.
- Service provision — AI-powered travel plan generation, weather and time zone information, itinerary management
- Member management — Registration and account deletion processing, identity verification, account security management (2FA, password changes), prevention of unauthorized use
- Social features — Travel plan sharing, follow/like features, travel feed
- Notification services — Travel itinerary reminders, service announcements, email verification
- Service improvement — Usage statistics analysis, service quality enhancement, bug fixes and stability improvements
- Customer support — Inquiry reception and processing, complaint resolution, usage guidance
- Advertising — Personalized advertising through Google AdSense and similar services (personal information is not directly provided to advertisers)
3. Retention and Disposal of Personal Information
Retention Period
Users' personal information is promptly destroyed once the purpose of collection and use has been achieved. However, where retention is required by applicable laws and regulations, such information is stored separately in a dedicated database for the specified period.
| Retained Item | Retention Period | Legal Basis |
|---|---|---|
| Account information (email, name) | Until account deletion | Service agreement / GDPR Art. 6(1)(b) |
| Travel plan data | Until account deletion | Service agreement / GDPR Art. 6(1)(b) |
| Access logs | 3 months | Korean Telecommunications Privacy Act / GDPR Art. 6(1)(f) |
| E-commerce transaction records | 5 years | Korean Consumer Protection in E-Commerce Act / GDPR Art. 6(1)(c) |
| Audit logs | 30 days | Service security and management / GDPR Art. 6(1)(f) |
Disposal Methods
- Electronic files — Permanently deleted using technical methods that make recovery impossible.
- Automatic disposal — Data that has exceeded the retention period is regularly deleted through automated scripts.
- Account deletion — Upon request, all personal information and travel data are completely deleted within 30 days.
4. Disclosure to Third Parties
The Service does not, in principle, provide users' personal information to external parties. However, information may be shared in the following exceptional circumstances.
- With user consent — Only when explicit prior consent has been obtained.
- Legal requirements — Only when requested through legal procedures for investigative purposes.
External Services Used for Service Operation
| Service | Provider | Purpose | Data Collected |
|---|---|---|---|
| Google Analytics | Google LLC | Usage statistics analysis | Cookies, access logs, usage patterns (de-identified) |
| Google AdSense | Google LLC | Ad placement | Cookies, ad interaction data |
| OpenAI API | OpenAI Inc. | AI travel plan generation | Travel destination, dates (not personally identifiable) |
| OpenWeatherMap | OpenWeather Ltd. | Weather information | Location information (city name) |
| Google OAuth | Google LLC | Social login | Email, name, profile (with consent) |
| Kakao OAuth | Kakao Corp. | Social login | Email, nickname, profile (with consent) |
| RevenueCat | RevenueCat Inc. | Subscription payment management | Subscription status, payment events (payment information is processed directly by app stores) |
| Google Maps API | Google LLC | Place search | Search queries, session tokens |
| LocationIQ | LocationIQ GmbH | Geocoding (place name to coordinates) | Place search queries (not personally identifiable) |
| Sentry | Functional Software Inc. | Error monitoring | Error data, user context (de-identified) |
| Stripe | Stripe Inc. | Web payment processing | Email, payment information, subscription status (card information is processed directly by Stripe) |
| Affiliate partners | Booking.com, Klook, etc. | Affiliate service referrals | Click events, IP address, User Agent |
5. Cookie Policy
The Service uses cookies to provide a better user experience. Cookies are small text files stored in the user's browser by the website, and are used for functions such as maintaining login status and remembering service settings.
Types of Cookies Used
- Essential cookies — Cookies necessary for service use, such as login authentication tokens (JWT) and language settings.
- Analytics cookies — Cookies used for collecting service usage statistics through Google Analytics.
- Advertising cookies — Cookies used by advertising services such as Google AdSense.
This Service allows third-party advertisers, including Google, to use cookies to serve ads based on previous visits. For information about Google's use of advertising cookies, please refer to Google's Advertising and Content Network Privacy Policy.
Users can refuse cookie storage through browser settings; however, this may limit the use of certain services such as login. For Google advertising cookies, you can disable personalized ads on the Google Ad Settings page.
6. User Rights
Users (or their legal representatives) may exercise the following rights at any time.
- Right to access personal information — You can view your personal information stored in the Service. (GDPR Art. 15 — Right of access)
- Right to rectification — You can request correction of inaccurate or outdated personal information. Profile information can be directly edited within the Service. (GDPR Art. 16 — Right to rectification)
- Right to erasure — You can request complete deletion of your account and personal information through the account deletion feature or by email. (GDPR Art. 17 — Right to erasure / "Right to be forgotten")
- Right to restriction of processing — You can request the restriction of processing of your personal information. (GDPR Art. 18 — Right to restriction of processing)
- Right to data portability (GDPR data export) — In accordance with the EU General Data Protection Regulation (GDPR), you can export all your data (account information, travel plans, expense records, notifications, etc.) in JSON format. You can use the "Export Data" feature in the profile settings menu within the Service, or request it by email. (GDPR Art. 20 — Right to data portability)
- Right to withdraw consent — You can withdraw your consent to the collection and use of personal information at any time. (GDPR Art. 7(3))
Rights can be exercised through the profile settings within the Service or by contacting the Data Protection Officer via email. Requests will be processed and results communicated within 10 days (or within one month for GDPR requests, with possible extension). However, information required to be retained by applicable laws may be preserved for the designated period despite deletion requests.
7. Security Measures
The Service implements the following technical and administrative security measures to safely protect users' personal information.
- Data encryption — Passwords are stored with bcrypt (12 rounds) one-way encryption, and all data transmission is encrypted via HTTPS (TLS 1.2 or higher).
- Authentication security — JWT-based authentication, one-time use refresh token rotation, two-factor authentication (TOTP), and account lockout (15-minute lock after 10 failed attempts).
- Access control — Administrator privilege separation, database access restrictions, and automatic exclusion of sensitive information columns (select: false).
- Security headers — HSTS Preload, CSP (Content Security Policy), Referrer-Policy, X-Content-Type-Options, and other security headers are applied.
- Log security — Personal information such as email addresses in access logs is masked.
- Regular audits — Administrator activities are recorded through audit logs, and dependency security vulnerabilities are regularly inspected.
- Data backup — Automated daily database backups are performed and retained for 14 days.
- Infrastructure security — Docker containers run as non-root, source maps are removed, and CORS whitelist policies are applied.
8. Data Protection Officer
The following Data Protection Officer has been designated to handle inquiries, complaints, and remedies related to personal information protection.
- Officer: MyTravel Operations Team
- Email: [email protected]
If you need to report or consult regarding a personal information breach, you may contact the following organizations.
- Korea Internet & Security Agency — Personal Information Infringement Report Center (privacy.kisa.or.kr / 118)
- Supreme Prosecutors' Office Cyber Investigation Division (www.spo.go.kr / 1301)
- National Police Agency Cyber Investigation Bureau (ecrm.police.go.kr / 182)
For EU residents, you have the right to lodge a complaint with your local Data Protection Authority (DPA) under GDPR Art. 77.
9. International Data Transfers
Users' personal information may be transferred internationally as follows for the operation of the Service.
| Recipient | Location | Transferred Data | Purpose |
|---|---|---|---|
| OpenAI | United States | Travel data | AI itinerary generation |
| United States | Ad ID, usage patterns | Ad delivery, place search | |
| RevenueCat | United States | Subscription information | Payment processing |
| Sentry | United States | Error data | Error monitoring |
| Stripe | United States | Email, payment information | Web payment processing |
| LocationIQ | Germany | Place search queries | Geocoding |
Each service provider maintains appropriate personal information protection measures. Transfers are conducted with user consent in accordance with applicable laws. For transfers from the EU/EEA, the Service relies on Standard Contractual Clauses (SCCs) or adequacy decisions as appropriate under GDPR Art. 46.
10. Data Breach Notification
In the event of a personal information breach, the following matters will be notified to users without delay.
- Categories of personal information affected
- Time and circumstances of the breach
- Measures for minimizing user harm
- Response actions taken and remediation procedures
- Responsible department and contact information
Notifications will be made via email, in-app announcements, or other appropriate methods. Where required by GDPR, the relevant supervisory authority will be notified within 72 hours of becoming aware of the breach (GDPR Art. 33).
11. Changes to This Privacy Policy
This Privacy Policy may be amended in accordance with changes in applicable laws, service policies, or security technologies. Any changes will be announced through in-service notices or email at least 7 days before the effective date. For significant changes, advance notice of 30 days will be provided.
12. Effective Date
- Initial effective date: January 1, 2024
- Last modified: March 2, 2026