1. Purpose of Processing Personal Information
We process personal information for the following purposes only. We will not use your information for any other purpose without your separate consent.
- Account registration and management, identity verification, and prevention of fraudulent use
- Service delivery: creating and managing events, in-event chat, push notifications
- Customer support: handling inquiries and complaints
- Paid subscription management: billing, refunds, payment history
- Marketing and advertising (only with separate opt-in consent)
2. Categories of Personal Information We Process
a. Information you provide at sign-up (required)
- Email address, display name, profile image (optional), Google OAuth identifier
b. Information generated through use of the service
- Event data: event name, date/time, location (address, coordinates), attendee list, notes
- Chat messages: text, attachments (images, files), timestamps, read receipts
- Friend graph, attendance/no-show history, trust score
- Phone number (optional, hashed with SHA-256 if you opt into "find friends")
c. Information collected automatically
- Device information: model, OS version, app version, advertising ID (opt-in only)
- Usage logs: timestamps, IP addresses, push tokens (FCM), error logs
- Cookies (web payment pages only): for session management
d. Payment information
- Payment identifiers (Stripe Customer ID, Apple Transaction ID, Google Purchase Token), subscription status, payment dates and amounts
- Note: We do not directly store card numbers, CVCs, or other sensitive payment credentials. These are handled by our payment processors (Stripe, Apple, Google) under PCI-DSS standards.
3. Retention Period
We retain your personal information only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law.
| Category | Retention period | Legal basis |
|---|---|---|
| Account / profile | Until account deletion (immediately purged after withdrawal) | User consent |
| Event and chat content | Until account deletion or event removal | Service delivery |
| E-commerce payment / contract records | 5 years | Act on the Consumer Protection in Electronic Commerce |
| Consumer dispute records | 3 years | Act on the Consumer Protection in Electronic Commerce |
| Access logs (IP, etc.) | 3 months | Protection of Communications Secrets Act |
| Fraud prevention records | 1 year | User consent |
4. Disclosure to Third Parties
We disclose personal information to third parties only with your consent or as permitted by law. Current third-party recipients are:
| Recipient | Purpose | Data shared | Retention |
|---|---|---|---|
| Google LLC | OAuth sign-in, two-way Calendar sync (with consent) | Email, Google ID, calendar events (with consent) | Until disconnection |
| Apple Inc. | Sign in with Apple (future) | Apple ID, email | Until account deletion |
| Stripe, Inc. | Web subscription processing | Email, payment data | As required by law |
| Apple Inc. / Google LLC | In-app purchase processing | Platform identifiers, purchase tokens | As required by law |
| Functional Software, Inc. (Sentry) | Error tracking and stability | Anonymized error data, device info | 90 days |
5. Outsourced Processing
To operate the service smoothly, we engage the following processors. We supervise them under written contracts that prohibit use beyond the agreed purpose and require appropriate safeguards.
| Processor | Function | Region |
|---|---|---|
| Hetzner Online GmbH | Server hosting (application, database) | Germany / Korea |
| Cloudflare, Inc. | CDN, file storage (R2), DDoS protection | Global |
| CoolSMS (NHN Cloud) | SMS verification | Republic of Korea |
| Google LLC (Firebase Cloud Messaging) | Push notifications | Global |
6. Your Rights and How to Exercise Them
You have the following rights regarding your personal information:
- Right to access
- Right to rectification
- Right to erasure (subject to legal retention requirements)
- Right to restrict processing
- Right to withdraw consent
You can exercise these rights at any time via Settings → Account → Delete Account in the app, or by emailing [email protected]. We will respond without undue delay and at most within 10 business days.
7. Deletion Procedure
When personal information becomes unnecessary, we delete it without delay.
- Procedure: The Privacy Officer reviews and approves deletion requests.
- Method: Electronic files are securely overwritten or rendered irrecoverable. Paper records are shredded or incinerated.
8. Security Measures
We implement administrative, technical, and physical safeguards required by Article 29 of the Personal Information Protection Act:
- Internal management plan, regular employee training
- Access controls, encryption of sensitive identifiers (AES-256)
- TLS 1.2+ for all client-server communication
- Bcrypt one-way hashing for credentials
- Physical access control to data center facilities
9. Cookies
The Timingle mobile app does not use cookies. Web payment pages (Stripe Checkout) use essential session cookies for payment processing only. You may disable cookies in your browser settings, but this may limit your ability to use payment features.
10. Privacy Officer
- Name
- Shin Jung, Kim
- Title
- Representative Director
- Contact
- [email protected] /
11. Remedies for Privacy Violations
Korean residents may seek remedies through the following authorities:
- Personal Information Dispute Mediation Committee: 1833-6972 (www.kopico.go.kr)
- Personal Information Infringement Reporting Center (KISA): 118 (privacy.kisa.or.kr)
- Supreme Prosecutors' Office Cyber Investigation Division: 1301
- National Police Cyber Bureau: 182
Users outside Korea may contact us directly at [email protected].
12. Changes to This Policy
We may amend this Policy from time to time. Material changes will be notified at least 7 days in advance (30 days for changes adverse to users) through in-app notice or email. The latest version is always available at https://timingle.app/en/privacy.html.
For questions about this Policy, please contact [email protected].