GrowHabit Privacy Policy
Effective Date: May 19, 2026 | Last Modified: May 19, 2026
GrowHabit (hereinafter "Service"), operated by For All People Corps (hereinafter "Company"), highly values users' personal information and complies with the 「Personal Information Protection Act」 and related regulations. This Privacy Policy explains the types of personal information the Service collects, purposes of collection and use, entrustment of processing and overseas transfers, retention periods, and more.
Article 1 (Purpose of Collection and Use of Personal Information)
The Service collects and uses personal information for the following purposes:
- Member Management: Identity verification for membership services, personal identification, prevention of unauthorized use, prevention of unauthorized access, confirmation of intent to register
- Service Provision: Storage and management of habit data, provision of customized content, service usage records and statistical analysis
- Service Improvement: Development of new services, improvement of existing services, provision of customized services through statistical analysis
- Customer Support: Delivery of announcements, handling inquiries and complaints, record keeping for dispute resolution
Article 2 (Personal Information Items Collected)
1) Information Collected During Registration
- Required Items: Email address, nickname, password (for email registration)
- Social Login: Social account information (email and profile information from Google, Apple accounts)
2) Information Automatically Collected During Service Use
- Access IP address, access time, service usage records
- Device information (device model, OS version, app version, device identifier)
- Push notification tokens (FCM registration token, APNs token)
- Device language (locale) and time zone settings
- Advertising identifiers (Android Advertising ID (ADID), iOS Identifier for Advertisers (IDFA)) — see Article 11 for details
- Crash diagnostic information (error logs and device status information generated when the app terminates abnormally)
- App install referral information (Install Referrer)
- Subscription and payment status information (subscription product, subscription activation status, renewal/expiration dates, etc.)
3) Information Collected When Contacting Customer Support
When a user submits an inquiry through customer support (the in-app inquiry form, guest inquiry, email, etc.), the Service collects the following information for the purpose of handling and responding to inquiries and providing technical support.
- Member Inquiries: Inquiry content, app version, OS information, device model, user identifier
- Non-Logged-In (Guest) Inquiries: Email address, inquiry content, app version, OS information, device model
4) Payment and Subscription Information
The Service offers in-app subscription products (monthly, yearly, lifetime). Actual payment processing and payment method information (such as card numbers) are handled by Apple Inc. (App Store) or Google LLC (Google Play); the Company does not directly collect or store payment method information.
- Items Collected: Subscription product identifier, subscription status (active, expired, cancelled), subscription start/renewal/expiration dates, free trial usage status, platform transaction identifier
- Processing Parties: Verification and management of subscription status is processed through RevenueCat, Inc., and actual in-app purchases are processed by Apple Inc. and Google LLC. (See Article 6 on entrustment of processing and Article 7 on overseas transfers for details.)
5) Information Collected from Anonymous (Non-Member) Users
The Service provides a feature that allows users to start using it anonymously without separate registration. Anonymous users are subject to the collection of the following information, in the same manner as registered members.
- Habit data and habit performance records, in-app activity records
- Push notification tokens, device information, device language and time zone
- Advertising identifiers, crash diagnostic information
Anonymous users may convert to a registered account through Google or Apple social login. The method of deleting an anonymous user's personal information follows Article 9.
6) Information Related to Consent to Receive Advertising Information
When a user consents to receiving marketing information at the time of registration or in the in-app notification settings, the Service collects and retains the following information.
- Whether the user consents to receiving marketing (advertising) information, and the dates of consent and withdrawal
- Whether the user has given separate consent to the transmission of advertising information at night (from 9:00 p.m. to 8:00 a.m. the following day), and the dates of consent and withdrawal
Consent to receive marketing information is optional, and the Service may be used without restriction even if such consent is not given. For details, please refer to Article 12.
Article 3 (Retention and Use Period of Personal Information)
In principle, personal information is destroyed without delay after the purpose of collection and use is achieved. However, the following information is retained for the specified periods for the reasons stated below:
1) Information Retained by Internal Company Policy
- Records of Fraudulent Use: Retention period 1 year
- Withdrawn Member Information: 30 days after withdrawal (to prevent re-registration and resolve disputes)
- Customer Inquiry and Response Records: 90 days after the response is completed
- Non-Logged-In (Guest) Inquiries: 30 days after receipt
- Consent to Receive Marketing Information and the Dates of Consent and Withdrawal: Until consent is withdrawn or the member withdraws from the Service
2) Information Retained by Related Laws
- Records of Contracts or Subscription Withdrawals: 5 years (E-Commerce Act)
- Records of Payment and Supply of Goods: 5 years (E-Commerce Act)
- Records of Consumer Complaints or Dispute Resolution: 3 years (E-Commerce Act)
- Records of Display and Advertisement: 6 months (E-Commerce Act)
- Website Visit Records: 3 months (Communications Secrets Protection Act)
However, actual payment and refund records for in-app subscriptions are retained by Apple Inc. (App Store), Google LLC (Google Play), and the subscription management provider RevenueCat, Inc. in accordance with each company's policies. The retention and destruction of such records follow each company's respective privacy policy.
Article 4 (Provision of Personal Information to Third Parties)
The Service does not, in principle, provide users' personal information to third parties. However, exceptions are made in the following cases:
- When users have given prior consent
- When required by law or requested by investigative agencies according to procedures and methods prescribed by law for investigation purposes
- When provided in a form that cannot identify specific individuals for purposes such as statistical compilation
Where the Company provides personal information to a third party with the user's consent, it will, in advance, inform the user of and obtain consent for the following matters:
- The party to whom the personal information is provided
- The purpose for which the recipient will use the personal information
- The items of personal information provided
- The period for which the recipient will retain and use the personal information
Article 5 (Disclosure of Information Within the Service, Including Rankings)
To motivate users in forming habits, the Service provides a ranking (leaderboard) feature that allows users to compare their records with those of other users. A user's habit performance records are automatically aggregated into weekly and monthly rankings as the user uses the Service, and accordingly the following information about that user is disclosed to other users.
- Nickname
- Level and title
- Activity records such as the number of completed habits, the number of fully bloomed plants, and the number of habits in progress
Because the above information is shown to other users through screens such as the ranking screen, users are advised not to include their real name, contact information, or any other information that can identify an individual in their nickname. The nickname can be changed at any time in the in-app [My Info] menu.
Article 6 (Entrustment of Personal Information Processing)
The Service entrusts certain personal information processing tasks to external specialized providers for the smooth provision and stable operation of the Service, as described below. When entering into entrustment contracts, the Company stipulates the necessary matters to ensure that personal information is managed securely.
- Supabase Inc. (U.S. company) — Entrusted task: database storage and management, member authentication / Storage location: Republic of Korea (Seoul region, ap-northeast-2)
- Google LLC (USA) — Entrusted task: push notification delivery (Firebase Cloud Messaging), app crash diagnostics and analysis (Crashlytics), service usage analytics (Google Analytics), advertising delivery (AdMob)
- RevenueCat, Inc. (USA) — Entrusted task: verification and management of in-app subscription status
- Apple Inc. (USA) — Entrusted task: in-app purchase processing via the App Store
- Google LLC (USA) — Entrusted task: in-app purchase processing via Google Play
Although Supabase Inc. is a U.S. company, the database in which the Service's personal information is stored is located within the Republic of Korea (Seoul region); therefore, such data is not transferred overseas. If the content of entrusted tasks or the trustee changes, we will disclose it through this Privacy Policy.
Article 7 (Overseas Transfer of Personal Information)
The Service transfers users' personal information overseas as described below. Users may refuse the overseas transfer of personal information; however, refusal may limit the use of some services, such as push notifications, ad-supported free features, and subscription management.
1) Google LLC
- Transferee: Google LLC (Privacy contact: support.google.com/policies)
- Country of Transfer: The USA and other countries where Google operates data centers
- Items Transferred: Push notification tokens, device information, advertising identifiers, crash diagnostic information, service usage records, IP address, app install referral information
- Date and Method of Transfer: Transmitted over the information and communications network at the time of service use
- Purpose of Use: Push notification delivery, app crash diagnostics and analysis, service usage analytics, advertising delivery
- Retention and Use Period: Until the entrustment purpose is achieved or the entrustment contract ends (in accordance with Google's privacy policy)
2) RevenueCat, Inc.
- Transferee: RevenueCat, Inc. (Privacy contact: www.revenuecat.com/privacy)
- Country of Transfer: USA
- Items Transferred: User identifier, device information, subscription and payment status information (subscription product, subscription status, renewal/expiration dates, platform transaction identifier)
- Date and Method of Transfer: Transmitted over the information and communications network at the time of using or checking subscription products
- Purpose of Use: Verification and management of in-app subscription status
- Retention and Use Period: Until the entrustment purpose is achieved or the entrustment contract ends (in accordance with RevenueCat's privacy policy)
Article 8 (Destruction of Personal Information)
When personal information becomes unnecessary due to the expiration of the retention period or achievement of processing purposes, the Service destroys such personal information without delay.
Destruction Procedures and Methods
- Destruction Procedure: Information entered by users is transferred to a separate DB after achieving its purpose and stored for a certain period according to internal policies and relevant laws before being destroyed.
- Destruction Method: Electronic file information is deleted using technical methods that make records irreproducible, and personal information printed on paper is destroyed by shredding or incineration.
Article 9 (Rights of Users and How to Exercise Them)
Users can exercise the following rights at any time:
- Request to view personal information
- Request for correction in case of errors
- Request for deletion
- Request to stop processing
How to Delete Your Account and Personal Information
Users may request deletion of their account and the personal information held by the Company (account withdrawal) through one of the following methods. Upon completion of withdrawal, personal data held by the Company — such as habit data, push notification tokens, and advertising identifier linkage information — will be deleted. (However, information that must be retained under relevant laws will be kept for the applicable period, as described in Article 3.)
- Within the app: [My Info] > [Account Withdrawal] menu
- Via web page: https://growhabit.netlify.app/deletion-request-en/
Anonymous (non-member) users may also request deletion of their account and data through the same methods. Other rights may be exercised through the methods above or by contacting the Personal Information Protection Officer via written communication or email, and we will take action without delay.
If a user requests correction of an error in their personal information, the Company will not use or provide such personal information to any third party until the correction is completed. In addition, where the inaccurate personal information has already been provided to a third party, the Company will notify that third party of the result of the correction without delay so that the correction is carried out.
If the Company refuses a user's request to exercise their rights for justifiable reasons — such as where it falls under grounds for restriction under applicable laws, or where there is a risk of unfairly infringing the life, body, property, or other interests of another person — the Company will notify the user of the reason and the method of objecting thereto within 10 days from the date of receiving the request.
Article 10 (Measures to Ensure the Security of Personal Information)
The Service takes the following measures to ensure the security of personal information:
1) Technical Measures
- Personal information is encrypted for storage and management.
- Security programs are installed and regularly updated and inspected to prevent leakage and damage of personal information due to hacking or viruses.
- SSL and other encrypted communications are used for secure transmission of personal information.
2) Administrative Measures
- Minimizing and training personnel handling personal information.
- Limiting access rights to personal information to a minimum.
- Maintaining access records to personal information processing systems.
Article 11 (Collection of Advertising Identifiers and Personalized Advertising)
The Service collects and uses mobile advertising identifiers to provide ad-supported free features, and personalized advertising may be delivered through them.
- What are Advertising Identifiers: The Advertising ID (ADID) on Android and the Identifier for Advertisers (IDFA) on iOS. These are device-level identifiers that users can reset or restrict.
- Purpose of Collection and Use: Advertising delivery and effectiveness measurement, provision of personalized advertising, prevention of fraudulent ad impressions
- Processing Party: Advertising is delivered through Google LLC's AdMob. (See Article 6 on entrustment of processing and Article 7 on overseas transfers.)
How to Opt Out of Personalized Advertising and Control Advertising Identifiers
- Android: In Settings > Google > Ads, you can select "Delete advertising ID" or "Opt out of Ads Personalization."
- iOS: In Settings > Privacy & Security > Tracking, you can deny apps' tracking requests. You may also decline tracking in the App Tracking Transparency (ATT) consent prompt displayed when the app first launches.
Even if a user restricts the use of advertising identifiers, the Service itself remains usable, but advertising may be delivered in a form less relevant to the user.
Use of Cookies on Web Pages
Cookies may be used solely on the Service's promotional web pages (websites). A cookie is a small piece of information that a website server sends to a user's browser; users can refuse cookies through their browser settings. The mobile app does not use cookies.
Article 12 (Transmission of Advertising Information and Use for Marketing)
In order to send users advertising information such as events and benefits, the Service obtains users' consent at the time of registration or in the in-app notification settings, as described below.
- Consent Item: [Optional] Consent to receive marketing information such as events and benefits
- Purpose of Use: Informing and transmitting advertising information such as events, promotions, and benefits, and providing customized benefits
- Method of Transmission: In-app push notifications, etc.
- Separate Consent for Nighttime Hours: In accordance with Article 50 of the 「Act on Promotion of Information and Communications Network Utilization and Information Protection」, separate consent is obtained when advertising information is transmitted during nighttime hours (from 9:00 p.m. to 8:00 a.m. the following day).
Consent to receive marketing information is optional, and there is no restriction whatsoever on the use of the Service even if such consent is not given. Even after giving consent to receive such information, users may withdraw their consent at any time in the in-app notification settings menu, and upon withdrawal, the transmission of advertising information is immediately stopped. The Company retains the dates of users' consent and withdrawal, and notifies users of such fact upon consent or withdrawal.
However, the transmission of mandatory or operationally necessary information — such as announcements required for the operation of the Service, notices of amendments to the terms, and responses to customer inquiries — does not constitute advertising information and may therefore be transmitted regardless of the above consent.
Article 13 (Protection of Personal Information of Children Under 14)
The Service does not collect personal information from children under 14 years of age. If we become aware that personal information of children under 14 has been collected, we will immediately destroy such information.
Article 14 (Changes to the Privacy Policy)
This Privacy Policy is applied from the effective date, and when there are additions, deletions, or corrections of changes according to laws and policies, we will notify you through in-app announcements or email 7 days before the implementation of changes.
Article 15 (Service Operator and Personal Information Protection Officer)
To oversee personal information processing and handle users' complaints and damage relief related to personal information processing, we have designated a Personal Information Protection Officer as follows:
- Service Operator: For All People Corps
- Personal Information Protection Officer: GrowHabit Operations Team
- Email: [email protected]
- Operating Hours: Weekdays 10:00 ~ 18:00 (excluding weekends and holidays)
Users can contact the Personal Information Protection Officer with all inquiries, complaints, and damage relief matters related to personal information protection that arise while using the Service. The Service will respond to users' inquiries promptly and sufficiently.
Article 16 (Remedies for Personal Information Infringement)
Users can apply for dispute resolution or consultation to the Personal Information Dispute Mediation Committee, Korea Internet & Security Agency's Personal Information Infringement Report Center, etc., to receive relief for personal information infringement.
- Personal Information Dispute Mediation Committee: 1833-6972 (www.kopico.go.kr)
- Personal Information Infringement Report Center: 118 (privacy.kisa.or.kr)
- Supreme Prosecutors' Office: 1301 (www.spo.go.kr)
- National Police Agency: 182 (ecrm.cyber.go.kr)
Article 17 (Rights of Users in the EU/EEA and UK — GDPR)
If you are located in the European Union (EU), the European Economic Area (EEA), or the United Kingdom (UK), the following provisions apply to you in accordance with the General Data Protection Regulation (GDPR) and the UK GDPR.
1) Legal Bases for Processing
The Company processes your personal information on the following legal bases:
- Consent: Processing of advertising identifiers for personalized advertising, sending push notifications, and other purposes for which you have given consent.
- Performance of a Contract: Account management, provision of habit-tracking features, and management of subscriptions necessary to provide the Service you have requested.
- Legitimate Interests: Service improvement, crash diagnostics and analytics, prevention of fraudulent use, and ensuring security — to the extent that such interests are not overridden by your fundamental rights and freedoms.
- Legal Obligation: Retention of records as required by applicable laws.
2) Your Rights as a Data Subject
Subject to applicable law, you have the following rights regarding your personal information:
- Right of Access: To obtain confirmation of, and access to, your personal information.
- Right to Rectification: To have inaccurate or incomplete personal information corrected.
- Right to Erasure ("Right to be Forgotten"): To request deletion of your personal information.
- Right to Data Portability: To receive your personal information in a structured, commonly used, machine-readable format.
- Right to Restriction of Processing: To request that processing of your personal information be restricted.
- Right to Object: To object to processing based on legitimate interests, including profiling for personalized advertising.
- Right to Withdraw Consent: To withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal.
To exercise these rights, please contact the Personal Information Protection Officer (Article 15) or use the account deletion methods described in Article 9. You also have the right to lodge a complaint with your local data protection supervisory authority.
Article 18 (Rights of California Residents — CCPA/CPRA)
If you are a California resident, the following provisions apply to you in accordance with the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA).
Do Not Sell or Share My Personal Information
The Company does not sell your personal information for monetary consideration. However, the use of advertising identifiers for personalized advertising may be considered "sharing" of personal information for cross-context behavioral advertising under the CCPA/CPRA. You may opt out of such sharing at any time by restricting your advertising identifier through your device settings or by declining the App Tracking Transparency (ATT) request, as described in Article 11.
Your Rights as a California Consumer
- Right to Know: To request disclosure of the categories and specific pieces of personal information collected, the sources, the purposes, and the categories of third parties with whom it is shared.
- Right to Delete: To request deletion of personal information the Company has collected about you.
- Right to Correct: To request correction of inaccurate personal information.
- Right to Opt Out of Sale/Sharing: To opt out of the sale or sharing of your personal information.
- Right to Limit Use of Sensitive Personal Information: To limit the use and disclosure of sensitive personal information.
- Right to Non-Discrimination: To not receive discriminatory treatment for exercising any of the above rights.
To exercise these rights, please contact the Personal Information Protection Officer (Article 15) or use the account deletion methods described in Article 9. We will not discriminate against you for exercising any of your CCPA/CPRA rights.
Announcement Date: May 19, 2026
Effective Date: May 19, 2026