1. Introduction
Flowplit (hereinafter "the Service") is a travel planning platform that values the privacy of its users and complies with applicable data protection laws, including the Personal Information Protection Act (PIPA) of Korea, the General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA). This Privacy Policy describes the types of personal information we collect, the purposes for which we use it, retention periods, and third-party sharing practices.
Service Operator: Sungil Park (Individual Developer)
Bundle ID (iOS): com.triplab.flowplit
2. Personal Information We Collect
2.1 Information Collected via Social Login (OAuth2)
The Service does not offer direct registration. Users can only sign up through social login (OAuth2).
| Login Provider | Data Collected | Required |
|---|---|---|
| Apple | Apple User ID | Required |
| Email address | Optional (user may hide) | |
| Name | Optional (first sign-up only) | |
| Google User ID | Required | |
| Email address | Required | |
| Profile image URL | Optional |
We do not collect passwords. Authentication is handled entirely by each social login provider.
2.2 Information Collected During Service Use
| Category | Data Collected | Purpose |
|---|---|---|
| Profile | Nickname, profile image, bio, website URL, friend search code | Display user profile and friend search |
| Travel | Trip title, itinerary, places, budget, notes, routes | Provide trip planning features |
| Social Activity | Follows, likes, comments, bookmarks, trip sharing | Provide social features |
| Expenses | Expense records, settlement history | Cost sharing and settlement |
| Photos | Travel photos, receipt images | Travel records and receipt scanning |
| Saved Places | Place name, location, collection | Provide place saving features |
| Settings | Default currency, language, timezone, profile visibility | Personalization |
2.3 Automatically Collected Information
| Data Collected | Purpose |
|---|---|
| Device type (iOS) | Service optimization |
| App version | Compatibility management |
| Access date and time | Usage statistics |
| Last active time | Account activity management |
| Feed view history | Content recommendation improvement |
2.4 Information Collected for Push Notifications
| Data Collected | Purpose |
|---|---|
| Device push token (APNs) | Sending push notifications |
Push notifications can be disabled at any time in your device settings.
2.5 Location Information
| Data Collected | Purpose | Collection Method |
|---|---|---|
| Approximate location (country/region) | Nearby place search, map display | Collected with user consent |
Location information is only collected while the app is in use, not in the background. You can change location permissions in your device settings.
2.6 Photos and Camera
| Data Collected | Purpose | Storage Location |
|---|---|---|
| User-selected photos | Travel records, profile image, feed posts | Google Cloud Storage (cloud) |
| Camera-captured images | Travel records, receipt scanning (OCR) | Google Cloud Storage (cloud) |
Receipt Scanning: Text recognition (OCR) of receipt images is processed on-device and recognized text is not sent to the server (iOS Vision framework on-device processing).
2.7 Information Automatically Collected via SDKs
The Service uses the following SDK to deliver advertisements, which automatically collects information.
| SDK | Data Collected | Purpose | Retention |
|---|---|---|---|
| Google AdMob SDK | Advertising identifier (IDFA), app usage data, approximate location (country/region), device information | Personalized ad delivery and ad performance measurement | Per Google's Privacy Policy |
Data collection by the AdMob SDK is limited based on iOS ATT (App Tracking Transparency) consent. If you decline tracking, non-personalized ads are displayed instead.
2.8 Behavioral Information (Online Targeted Advertising)
The Service provides targeted advertising through Google AdMob. The following behavioral information is collected and used for this purpose.
| Collector | Behavioral Data | Collection Method | Retention |
|---|---|---|---|
| Google LLC (AdMob) | App usage history, ad click history, interest-based profiles | Automatic collection via SDK | Per Google's Privacy Policy |
To opt out of behavioral data collection, disable tracking for Flowplit in iOS Settings > Privacy & Security > Tracking, or disable personalized ads in the app's Settings > Privacy.
3. Purpose of Collection and Use
| Purpose | Details |
|---|---|
| Account Management | Social login authentication, identity verification, account management |
| Service Delivery | Trip planning, companion management, expense splitting |
| Social Features | Trip sharing, follows, likes, comments, bookmarks, invitations |
| Personalization | Language, currency, and timezone preferences |
| Notification Service | Trip schedule alerts, invitation alerts, social activity alerts |
| Service Improvement | Usage analytics, bug fixes, new feature development |
| Customer Support | Inquiries, reports, announcements |
4. Retention and Deletion
4.1 Retention Periods
| Data Type | Retention Period | Legal Basis |
|---|---|---|
| Account information | Until account deletion | Service provision |
| Travel/social data | Until account deletion | Service provision |
| Uploaded photos | Until account deletion | Service provision |
| Device push tokens | Until account deletion or token deactivation | Notification service |
| Access logs | 1 year | Legal requirement |
| Report records | 3 years | Dispute resolution |
4.2 Deletion Procedure
- Procedure: Personal information is deleted without delay upon account deletion request, except where retention is required by law.
- Method: Electronic files are permanently deleted using methods that prevent recovery. Images in cloud storage are immediately deleted.
4.3 Account Deletion
| Item | Action |
|---|---|
| Account information | Immediately deleted |
| Private trips | Immediately deleted |
| Public trips | Anonymized or deleted (user's choice) |
| Uploaded photos | Immediately deleted from cloud storage |
| Device tokens | Immediately deleted |
| Comments/Likes | Anonymized ("Deleted User") |
5. Third-Party Sharing
We do not sell your personal information and do not share it with third parties, except in the following cases:
- Requests from law enforcement pursuant to legal process
- Court orders or judgments
6. Service Providers
| Provider | Service | Data Processed | Retention |
|---|---|---|---|
| Google Cloud Platform (GCP) | Cloud infrastructure (Cloud Run, Cloud SQL, Cloud Storage, Cloud CDN) | All data necessary for service operation | Until contract termination |
| Google AdMob | Advertising services | Advertising identifier, approximate location, app usage data | Until contract termination |
| Google Maps Platform | Map display and place search | Location information, place search queries | Per Google's Privacy Policy |
| Apple Push Notification service (APNs) | iOS push notification delivery | Device tokens, notification content | Per Apple's Privacy Policy |
7. International Data Transfers
The Service transfers personal information to the following countries for operational purposes:
| Recipient | Country | Data Transferred | Purpose | Retention |
|---|---|---|---|---|
| Google LLC | United States | All service data | Cloud infrastructure (GCP) | Until contract termination |
| Google LLC | United States | Advertising identifier, usage data | AdMob advertising | Until contract termination |
| Apple Inc. | United States | Device tokens, notification content | APNs push notifications | Per Apple's policy |
Data protection in the destination country (United States): The US does not have a single comprehensive federal data protection law but protects personal information through sector-specific legislation (CCPA, COPPA, HIPAA, etc.). Google LLC and Apple Inc. protect data through their own privacy policies and industry-standard security measures. Google maintains SOC 2/3 and ISO 27001 certifications.
8. Advertising
The Service displays advertisements through Google AdMob.
8.1 Data Collected for Advertising
- Advertising identifier (IDFA)
- Approximate location (country/region)
- App usage data
8.2 App Tracking Transparency (iOS)
On iOS 14.5 and later, the Service requests App Tracking Transparency (ATT) consent for ad tracking. You may decline, and declining does not affect your use of the Service.
8.3 Opting Out of Personalized Ads
- iOS: Settings > Privacy & Security > Apple Advertising > Turn off Personalized Ads
- In-app: Settings > Privacy > Disable Personalized Ads
For more information, see Google's Privacy Policy.
9. Your Rights
9.1 Available Rights
| Right | Description |
|---|---|
| Right of Access | Request access to your personal data |
| Right to Rectification | Request correction of inaccurate data |
| Right to Erasure | Request deletion of your data |
| Right to Restrict Processing | Request to restrict processing of your data |
| Right to Data Portability | Request transfer of your data to another service |
| Right to Withdraw Consent | Withdraw consent for data collection and use |
9.2 How to Exercise Your Rights
- Delete Account: In-app Settings > Account > Delete Account
- Disable Push Notifications: Disable Flowplit notifications in device settings
- Revoke Location Access: Change Flowplit location permissions in device settings
- Opt Out of Ad Tracking: iOS ATT settings or device advertising settings
- Email: qkrtjddlf11@gmail.com
Response timelines: Korea within 10 days / US (CalOPPA) within 30 days / Japan (APPI) without delay.
10. Data Security
| Measure | Details |
|---|---|
| Encryption in Transit | All communications encrypted with SSL/TLS (HTTPS) |
| Authentication Token Management | JWT tokens securely stored in iOS Keychain |
| Access Control | Minimized access privileges; API key-based client authentication |
| Rate Limiting | Server-side rate limiting to block abnormal access |
| Content Moderation | Automated safety review of uploaded images |
| Audit Logs | Access logs to personal data systems are maintained and audited |
| Database Security | Encrypted storage via Google Cloud SQL managed database |
11. Data Breach Response
In the event of a personal data breach, we will take the following actions.
| Action | Details | Deadline |
|---|---|---|
| User Notification | Breached data categories, timing, circumstances, mitigation steps, contact information | Within 72 hours of discovery |
| Regulatory Report | Korea: PIPC / Japan: PPC (個人情報保護委員会) / US: Per applicable state law | Within 72 hours (Japan: preliminary 3-5 days, full report 30 days) |
| Damage Containment | Root cause analysis, vulnerability remediation, prevention measures | Immediately |
12. Children's Privacy
The Service does not knowingly collect personal information from children below the following age thresholds. If we become aware that such a user has registered, we will promptly delete the account and all related data.
| Country | Minimum Age | Legal Basis |
|---|---|---|
| Korea | Under 14 | Personal Information Protection Act (PIPA) |
| United States | Under 13 | COPPA (Children's Online Privacy Protection Act) |
| Japan | Under 14 (Korean standard applied) | APPI (no specific age provision) |
13. Data Protection Officer
| Item | Details |
|---|---|
| Officer | Sungil Park |
| qkrtjddlf11@gmail.com |
For inquiries, complaints, or requests related to personal data, please contact us at the above address.
14. Changes to This Policy
This Privacy Policy may be updated due to changes in law or the Service. We will notify you of any changes through in-app announcements and push notifications.
- Notice date: March 4, 2026
- Effective date: March 4, 2026
15. Governing Law and Dispute Resolution
- This policy is governed by the laws of the Republic of Korea.
- Korean users may file disputes with:
- Personal Information Dispute Mediation Committee: www.kopico.go.kr
- Privacy Infringement Report Center: privacy.kisa.or.kr (Tel: 118)
- Supreme Prosecutors' Office Cyber Investigation: www.spo.go.kr (Tel: 1301)
- National Police Agency Cyber Bureau: ecrm.police.go.kr (Tel: 182)
- Japanese users may exercise rights under the Act on the Protection of Personal Information (APPI) and contact:
- Personal Information Protection Commission (PPC): www.ppc.go.jp (Tel: 03-6457-9680)
- US users: California residents may exercise their rights under CalOPPA. For privacy-related inquiries, please contact qkrtjddlf11@gmail.com.
16. Previous Versions
- v1.0 (Feb 22, 2026 – Mar 3, 2026) — Initial release