InfoTravelog Privacy Policy (v0.2 draft)

Revision History

  • v0.2 (2026-05-09): Initial English version reflecting v2.29 data strategy with explicit GDPR Article references
  • v0.1 (2026-04-29): Internal Korean draft

  • Effective Date: To be announced
  • Last Updated: 2026-05-09
  • Scope: Members residing outside the Republic of Korea, with explicit GDPR (EEA) and CCPA (California) provisions
  • Review Status: ⚠ Self-drafted from public templates — qualified legal counsel review recommended once revenue begins or 1,000+ users reached
  • Language Precedence: For non-Korean residents, this English version prevails over the Korean version in case of conflict.

InfoTravelog ("Company", "we") is committed to protecting your personal data. This Privacy Policy explains what data we collect, why we collect it, how we use it, and what rights you have. It is drafted to comply with the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the Korean Personal Information Protection Act (PIPA).


1. Data We Collect

1.1 Account Information

| Type | Items | Collected When | GDPR Legal Basis |
|---|---|---|---|
| Required | OAuth identifier, email, nickname, profile image URL | At registration (OAuth callback) | Consent + Contract performance (Art. 6(1)(a),(b)) |
| Optional | Bio, interest categories, equipment, activity region | Settings page input | Consent (Art. 6(1)(a)) |
| Identity Verification (optional) | Real name, date of birth, mobile number (encrypted) | Identity verification flow | Consent + Legal obligation (Art. 6(1)(a),(c)) |

1.2 Automatically Collected Data

| Item | Storage | Retention |
|---|---|---|
| Access IP address (hashed) | events table | 30 days |
| Country of access (IP→country mapping) | events table | Permanent (anonymous statistics) |
| User-Agent, page path, referer | events table | 1 year |
| Cookies (session, login) | Browser + Redis | Session end or 30 days |
| Behavioral logs (search, click, dwell, filter) | events table (anonymous hash) | 1 year |

1.3 Content Metadata (Photos You Upload)

| Item | Processing |
|---|---|
| EXIF capture time | Stored in photoMeta JSONB |
| EXIF GPS (lat/lng) | Stored in photoMeta JSONB; stripped from images served for download/sharing |
| EXIF camera, lens, exposure | Stored in photoMeta JSONB |
| Device serial (if present) | Not collected; auto-discarded |
| AI Vision classification (category, mood, composition, hashtags) | Stored in photoMeta.ai* |

Policy change (v0.1 → v0.2): GPS coordinates were previously not stored in any column. From v0.2, they are stored in the photoMeta JSONB column for Place matching, time-of-day recommendations, and Aggregated Anonymous Statistics. Images served for download or external sharing have GPS automatically stripped via the sharp library to prevent external exposure.

2. Purposes of Processing

We process personal data only for the following purposes:

  1. Identification and authentication — OAuth login persistence, ownership verification
  2. Service provision — photo uploads, Place registrations, recommendations, collections, plans, notifications
  3. Automatic content classification — EXIF-based lighting/astronomical calculations, AI Vision category and tag suggestions
  4. Personalization — recommendations based on Member activity and interests
  5. Communication — notifications, re-consent requests, announcements, customer support
  6. Moderation — report processing, inappropriate content detection, abuse prevention
  7. Aggregated Anonymous Statistics — production and use of statistics processed so individual Members cannot be re-identified (Terms §10)
  8. Legal compliance — Location Information Act, Information and Communications Network Act, Youth Protection Act, etc.

3. EXIF, Behavioral Log, and AI Processing Policies

3.1 Photo EXIF Processing

  1. Extraction timing: Server-side via the exifr library immediately upon upload.
  2. Stored fields: capture time, GPS lat/lng, altitude, camera make/model, lens, focal length, aperture, shutter, ISO, exposure compensation, white balance, compass heading.
  3. Storage location: photos.photoMeta JSONB column.
  4. Use:
    • Automatic Place matching (50m radius + name similarity)
    • Per-photo sun/moon/star position calculation (capture time + GPS)
    • "When and in what light" recommendations
    • Aggregated Anonymous Statistics (regional, time-of-day, equipment trends)
  5. Download/sharing protection: Images served for download or external sharing have GPS and device serials stripped via the sharp library. Members may opt to retain EXIF in their own downloads (default: stripped).
  6. Member control: A Member's own photo EXIF can be unpublished or deleted via the photo detail page or by emailing the Company.
  7. Prohibited inference: The Company does not reverse-engineer Members' home or workplace addresses by clustering EXIF GPS time patterns.

3.2 Behavioral Log Processing

  1. Items collected: search queries, result clicks, page dwell time, map navigation (bbox/zoom), filter changes, photo uploads, bookmarks, likes.
  2. Storage form: events table under an anonymous hash (actor_hash = sha256(user_id + tenant_salt)). The user_id is also stored, but analysis uses only actor_hash.
  3. Table structure: append-only (UPDATE/DELETE blocked by triggers); data older than 90 days is archived in monthly partitions.
  4. Use:
    • Recommendation algorithm training
    • Search quality improvement (zero-result keyword analysis)
    • Aggregated Anonymous Statistics
    • Abuse detection (e.g., reciprocal-like patterns)
  5. Member control: Behavioral log collection may be opted out via account settings. Opting out stops new event collection and sets the user_id of past events to NULL.

3.3 AI Analysis Processing

  1. Model used: Anthropic Claude Vision API (currently Claude Haiku 4.5).
  2. Data transmitted: Photo image (base64 or presigned URL).
  3. Processing contract: Under Anthropic's standard agreement, transmitted data is not used for external model training and is discarded after analysis (per Anthropic Trust & Safety policy).
  4. Storage of results: photos.photoMeta.aiTags, .aiMood, .aiComposition, etc.
  5. Member control: Members may select "Disable AI analysis" at upload time (which may degrade auto-classification and recommendation quality).

4. Retention Periods

| Data Type | Retention | Post-Retention |
|---|---|---|
| Account data (email, OAuth ID, etc.) | Membership period | Deleted immediately upon withdrawal |
| Identity verification (name, mobile) | Membership period | Deleted immediately upon withdrawal |
| Member-uploaded photos, Places, guides | Member's choice (permanent or delete on withdrawal) | At Member's election |
| Photo EXIF metadata (photoMeta) | Same as the photo | Synced with photo deletion |
| Behavioral logs (events) | 1 year | Absorbed into anonymous aggregates and deleted |
| IP hash (events.ip_hash) | 30 days | NULL via daily cron after 30 days |
| Country of access (events.ip_country) | Permanent | Anonymous statistics only (no personal identification) |
| Aggregated Anonymous Statistics | Permanent | Permanent (no personal identification) |
| Report and moderation records | 1 year after resolution | Per Korean Consumer Dispute Resolution Standards |
| Operational audit logs | 5 years | Operations traceability |
| Payment records (when introduced) | 5 years | Per Korean E-commerce Act |
| Backup data | 30 days | 30-day rotating auto-deletion |

5. Disclosure to Third Parties

We do not provide personal data to third parties except:

  1. With your prior consent (separate consent screen specifying recipient, items, purpose)
  2. As required by law or upon a lawful request from a law enforcement authority (only the minimum information necessary)
  3. As pseudonymized data for statistical, scientific research, or public-archival purposes under PIPA Art. 28-2

Important: Aggregated Anonymous Statistics (Terms §10) are processed so as not to constitute "personal data" under PIPA and may be provided externally. The Company will publicly announce the timing and recipients of such external provision via the Service.

6. Sub-processors

We engage the following processors to provide the Service:

| Processor | Service | Data Location |
|---|---|---|
| Supabase, Inc. | Database, authentication, storage | US-East (AWS us-east-1) |
| Vercel, Inc. | Web hosting, edge functions, cron | Global edge (Seoul region preferred) |
| Amazon Web Services, Inc. | S3 photo storage, CloudFront CDN, Lambda thumbnails | Asia-Pacific Seoul (ap-northeast-2) |
| Anthropic, PBC | Photo AI analysis (Claude Vision API) | US — discarded after analysis (no external training) |
| Resend, Inc. | Email delivery | US |
| Kakao / Naver / Google | OAuth authentication | Per provider policy |
| Mapbox, Inc. | Map tiles and shape data | Global CDN |
| (optional) Sentry, Inc. | Error monitoring (PII auto-masked) | US |

Under the processing agreements, sub-processors may not use personal data for any purpose other than the contracted task and must destroy data upon termination.

International data transfers (GDPR Art. 44–49):

  • Supabase, Vercel, Anthropic, Resend, and Sentry transfer data to the US.
  • The European Commission has not adopted an adequacy decision for the US since 2023, but each US sub-processor relies on Standard Contractual Clauses (SCC) and the EU-US Data Privacy Framework (DPF) where applicable.
  • AWS Seoul data stays in the Republic of Korea, which has been recognized as adequate by the European Commission (Adequacy Decision, December 2021).

7. Your Rights

7.1 Standard Rights (PIPA + GDPR + CCPA harmonized)

  • Right of access — confirm what personal data we hold
  • Right to rectification — correct inaccurate data
  • Right to erasure ("right to be forgotten") — delete your data
  • Right to restriction of processing — limit how we process your data
  • Right to data portability — receive your data in machine-readable format
  • Right to object — object to processing based on legitimate interest, including profiling
  • Right to withdraw consent — withdraw any optional consent without affecting prior lawful processing
  • Right to non-discrimination (CCPA) — exercising rights does not affect Service quality

7.2 Data Download (Right to Data Portability)

In account settings, request "Download all my data" to receive the following as a JSON file:

  • Member profile
  • Metadata of your uploaded photos (image files separately)
  • Your registered Places, guides, collections, plans
  • Summary of your behavioral logs
  • Like and bookmark history

Processing time: within 7 days (free, once per month). For GDPR-applicable Members, within 30 days (extendable by 60 days for complex requests).

7.3 Opt-out

Per-item opt-out in account settings:

  • Behavioral log collection
  • EXIF metadata use (affects auto-classification and recommendations)
  • Inclusion in Aggregated Anonymous Statistics
  • Public display of nickname (when off, shown as "Anonymous Member")
  • Email notifications

7.4 How to Exercise

  • Settings page: /profile/preferences
  • Email: infotravelog@naver.com
  • Response time: within 10 days (within 30 days for GDPR-applicable Members)
  • If you are an EEA resident, you may also lodge a complaint with your local supervisory authority. We encourage you to contact us first so that we can attempt to resolve the matter.

8. Security Measures

8.1 Technical

  1. HTTPS end-to-end (HSTS, TLS 1.3)
  2. OAuth tokens and session cookies: HTTP-only + Secure + SameSite
  3. No password storage (OAuth-only)
  4. Identity verification data (name, mobile, DOB) encrypted with pgcrypto in a separate users_pii table
  5. Prisma ORM blocks SQL injection
  6. S3 uploads via presigned URL with content-type/size whitelist
  7. events table is append-only (UPDATE/DELETE blocked by triggers)
  8. Anonymous hash ID for analytics (actor_hash)

8.2 Organizational

  1. Single-operator administration (Hun) — unified access control
  2. All admin actions logged to audit_logs (5-year retention)
  3. Suspected breach → immediate read-only mode on production DB
  4. Regular quarterly security reviews and vulnerability analysis

8.3 Physical

We do not operate our own data centers; all data resides in the facilities of the sub-processors listed in §6.

9. Data Breach Response

Upon recognizing a personal data breach, we follow this procedure:

  1. Immediate (0–6 hours): Switch production DB to read-only; sever the attack vector
  2. Within 24 hours: Notify the Korean Internet & Security Agency (KISA) under PIPA §34. For EEA residents, notify the relevant supervisory authority within 72 hours under GDPR Art. 33.
  3. Member notification: For affected Members, in-app banner + email describing the breach, affected items, and Company response. For high-risk breaches, direct notification under GDPR Art. 34.
  4. Post-incident report: Public disclosure of root cause and prevention measures via Service announcement (transparency).

10. Children Under 14 (and Under 16 for EEA)

  1. We do not accept registrations from persons under the age of 14 in Korea. For EEA residents, the relevant minimum age for digital service consent under GDPR Art. 8 is 16 (or as set by the Member State, ranging from 13 to 16); we apply the higher of the applicable ages.
  2. If under-age registration is confirmed, the account is terminated and data destroyed immediately.
  3. Should we accept under-age users in the future, we will obtain verifiable parental consent.

11. Automated Decision-making (Profiling and Recommendations)

  1. We operate automated algorithms ("Recommendation System") to provide photo, Place, guide, and itinerary recommendations.
  2. Inputs: Member activity (likes, bookmarks, dwell), photo EXIF, AI Vision classifications, activity score.
  3. Recommendations have no legal or similarly significant effect on Members. Member tier upgrades (e.g., to L4) are not automated; they are subject to operator manual review.
  4. Members can view the main factors used in their recommendation results in the settings page and may opt out, in which case only general (non-personalized) recommendations are provided. (GDPR Art. 22 right not to be subject to solely automated decision-making is preserved.)

12. Policy Changes

Changes will be announced at least 7 days before the effective date (30 days for changes unfavorable to Members). The revision history is recorded at the top of this document.

13. Contact and Complaints

| Item | Information |
|---|---|
| Privacy Officer | Hun (Operator) |
| Email | infotravelog@naver.com |
| Response time | Within 10 days (30 days for GDPR-applicable Members) |
| Korean Dispute Mediation | Personal Information Dispute Mediation Committee (privacy.kisa.or.kr / 1833-6972) |
| Korean Breach Reporting | KISA Privacy Infringement Center (privacy.kisa.or.kr / 118) |
| EEA Residents | Lodge a complaint with your local supervisory authority (https://edpb.europa.eu/about-edpb/about-edpb/members_en) |

14. Revision History

| Version | Date | Key Changes |
|---|---|---|
| v0.1 | 2026-04-29 | Initial Korean draft (10 sections) |
| v0.2 | 2026-05-09 | English version reflecting v2.29 data strategy — EXIF "strip → preserve + download-strip" policy change, behavioral logs / AI analysis / opt-out / automated decision-making added, Supabase / Anthropic added as sub-processors |

Related Documents:

  • Terms of Service: /legal/en/terms (master: SitePlanning/07_legal/terms-v2.en.md)
  • Location Information Policy: /legal/en/location (master: SitePlanning/07_legal/location-info-v1.en.md)
  • Korean version: /legal/privacy (master: SitePlanning/07_legal/privacy-v2.md)

Privacy Policy v0.2 — End.