Privacy Policy

1. Information we collect

We collect account information such as email address, authentication identifiers, profile name, avatar, language, and user tier; content and metadata you provide such as photos, videos, captions, tags, content dates, group selections, and optional location; and technical data such as device identifiers for push notifications, app version, platform, IP address, logs, crash reports, analytics events, and subscription entitlement information.

When you select media, the app may read file metadata such as creation date and embedded GPS information to help prefill optional fields. On-device image labeling and translation may generate descriptive keywords about your media (such as general objects or scenes); these keywords are stored as searchable metadata linked to that media so you can search and organize your own content later. Face detection runs on your device and stores only normalized face position (bounding-box coordinates) as content metadata for layout and framing; it does not include facial feature data such as face templates or embeddings, and is not used to identify or recognize specific individuals.

2. How we use information

We use information to create and authenticate accounts, provide media upload and playback, generate thumbnails and previews, enforce plan limits, sync content across devices, show content according to visibility settings, enable content search and organization, process subscriptions, send service notifications, respond to inquiries, improve reliability and security, detect abuse, and comply with legal obligations.

3. Sharing and processors

We do not sell personal information. We share information only as needed to operate the Service, follow your visibility choices, comply with law, or protect rights and safety.

Service providers may process information for authentication, database hosting, media storage, image/video delivery, push notifications, analytics, crash reporting, subscriptions, maps, email delivery, and customer support. Current infrastructure may include Supabase, Cloudflare, Firebase/Google services, RevenueCat, Sentry, Apple, Google Play, and App Store systems, depending on platform and feature use.

4. Content visibility

Photos, videos, captions, tags, dates, location names, and related metadata may be visible to users who have access under the visibility scope you choose, such as selected group members or private access rules. Removing a member from a group or changing a post may affect future access, but previously viewed, cached, or saved information may not be fully recoverable.

5. Location data

Location is optional. You may add a location manually, use device location permission, or allow the app to read embedded GPS metadata from selected media. Location may include coordinates, place names, and map display data. See the Location-Based Services Terms for details.

6. Notifications

If you allow push notifications, we store device tokens and platform information to deliver service messages such as friend requests, shared post notices, account notices, and other app-related alerts.

7. Retention and deletion

We retain information while your account is active and as needed for the purposes described in this policy. You can delete posts or request account deletion in the app. Account deletion requests hide content where technically supported and schedule permanent deletion after the grace period shown in the app, unless you cancel within that period.

Under applicable Korean law, certain records are retained for the periods specified below before being destroyed: - Records on contracts or subscription withdrawal, and on payment and the supply of goods: 5 years each (Act on Consumer Protection in Electronic Commerce) - Records on consumer complaints or dispute handling: 3 years (same Act) - Sign-in (access) logs: 3 months (Protection of Communications Secrets Act) - Abuse records: 1 year (anonymized identifiers, to prevent re-registration and abuse)

Other information may remain for a limited time in backups, logs, security records, payment records, or legal compliance records. Store purchase history may be retained by Apple, Google, or subscription processors under their own policies.

8. Your rights

Subject to applicable law, you may request access, correction, deletion, portability, restriction, objection, or withdrawal of consent. You may also manage device permissions, notification permissions, and subscription settings through your device or store account.

9. Security

We use technical and organizational measures such as authentication, access control, row-level permissions where applicable, encrypted transport, token-based access, and operational monitoring. No system is perfectly secure, so you should protect your account credentials and device access.

Scope and limits of encryption: passwords are stored using one-way hashing, data in transit is encrypted with SSL/TLS, and storage media use the at-rest disk and database encryption provided by our cloud infrastructure providers. Media access is controlled by short-lived signed URLs (1-hour expiry) and row-level security so that only group members can view it.

However, uploaded photos, videos, posts, and location data are not end-to-end encrypted (E2EE). Authorized infrastructure personnel or Company operators may therefore be technically able to access content, but only to the minimum extent necessary for legitimate purposes such as reviewing reported content, resolving outages, improving the Service, and responding to lawful requests; all such access is logged and audited. The Company may disclose content where required by a lawful warrant or request.

10. International processing

The Service and its providers may process and store information in countries other than where you live, including the United States. Infrastructure and processors such as Supabase, Cloudflare, Google/Firebase, RevenueCat, and Sentry are located primarily in the United States. The transferred information may include the account, content, and technical data described in this policy, processed for the purposes and retention periods stated herein. We take steps intended to protect information according to applicable requirements.

11. Children (under 14)

We restrict membership for children under 14. Where it is unavoidable to process the personal information of a child under 14, we do so only after obtaining the consent of a legal guardian. If you believe a child’s personal information has been provided without appropriate consent, please contact us and we will take prompt action.

12. Chief Privacy Officer & Contact

To secure your privacy and resolve any concerns or complaints, we maintain a Chief Privacy Officer (CPO) and support team:

■ Chief Privacy Officer (CPO) - Name / Role: Song-yi Han / Director - Address: Okjeong-ro 7-gil, Yangju-si, Gyeonggi-do, Republic of Korea - Phone: +82-10-2479-3204 - Email: support@turnpoint-labs.com

■ Service General Support - Email: support@turnpoint-labs.com

13. Remedies for rights infringement

Users in Korea may contact the following bodies for reporting or counseling on privacy infringement:

- Personal Information Dispute Mediation Committee: +82-1833-6972 / www.kopico.go.kr

- Privacy Infringement Report Center (KISA): +82-118 / privacy.kisa.or.kr

- Supreme Prosecutors’ Office Cybercrime Division: +82-1301 / www.spo.go.kr

- National Police Agency Cyber Bureau: +82-182 / ecrm.cyber.go.kr