Privacy Policy
Donggyu Won (hereinafter "Operator") values the personal information of users of the mobile application "Chromission" (hereinafter "Service") and establishes and discloses the following Privacy Policy in order to comply with the Personal Information Protection Act and other applicable laws and regulations.
1. Purposes of Processing Personal Information
The Operator processes personal information for the following purposes. Prior consent will be obtained if the purposes change.
- Member identification and registration management: Identity verification, prevention of fraudulent use, confirmation of intent to sign up, and verification of compliance with terms of service
- Service provision: Assigning missions, saving and syncing grids, and recording grid/photo editing history
- Personalized mission and content recommendations: Adjusting mission category weights and providing recommendations based on photo moods and interests selected by the member at sign-up
- Customer inquiry support: Reviewing inquiries and sending responses
- Advertising and statistics: Serving rewarded and interstitial ads, preventing ad fraud, and conducting anonymized statistical analysis
- Compliance with laws: Fulfilling obligations under applicable laws and regulations
2. Categories of Personal Information Collected
| Category | Items | Point of Collection |
|---|---|---|
| Sign-up (social login) | Social account identifier (ID token) from Google, Apple, etc.; nickname entered directly by the member; optional email address; confirmation that the member is age 14 or older | At sign-up |
| Preferences and interests | Photo moods and interest categories selected at sign-up (e.g., nature, street, objects); marketing communications opt-in status | At sign-up (can be skipped) |
| Service usage information | Mission progress status, grid data, photo metadata (capture time, mission type, etc.), daily reset time set by the member | During service use |
| Photo content | Photo files taken directly by the member or selected from the album and uploaded | When completing a mission |
| Automatically generated information | Device identifier (installation ID), OS version, app version, device model, access time, error logs, advertising identifier (IDFA / GAID, only when the user has consented) | On app launch and ad impression |
| Customer inquiries | Email address, inquiry content | When an inquiry is submitted |
The Operator does not collect sensitive information or unique identification information such as national ID numbers or credit card numbers.
3. Retention Period for Personal Information
- Member information: Until the member withdraws from the service. Deleted promptly upon withdrawal; if retention is required by applicable law, stored separately for the required period and then deleted.
- Photos and grid data: Until the member withdraws or manually deletes the data. Where server sync is applied, permanently deleted within 30 days pursuant to the backup policy.
- Service usage logs (access logs, etc.): 3 months under the Protection of Communications Secrets Act.
- Customer inquiry records: 3 years under the Act on Consumer Protection in Electronic Commerce.
4. Disclosure of Personal Information to Third Parties and Marketing Analysis Consent
The Operator processes personal information only within the scope stated in Section 1 of this Policy and does not provide it to third parties without the member's prior consent. Exceptions are as follows.
- When the member has given prior consent
- When required by law or requested by a law-enforcement authority following the procedures and methods prescribed by applicable statutes for investigative purposes
Chromission does not sell or provide members' personal information to separate third parties outside its own operations. Data processing occurs only within the scope of processors listed in Section 5 (Entrustment of Personal Information Processing). If a member consents to the use of advertising identifiers (IDFA / GAID), advertising partners (e.g., Google AdMob) may use those identifiers for ad matching and ad fraud prevention.
Consent items obtained at sign-up
At the sign-up stage, members may choose to agree or disagree with the following items. Declining optional items does not affect access to the core features of the Service.
| Item | Type | Description |
|---|---|---|
| Terms of Service | Required | Service usage rules and confirmation of age 14 or older |
| Privacy Policy | Required | Agreement to this Policy in its entirety |
| Marketing communications | Optional | Consent to receive push notifications and emails about events, new missions, etc. See the Marketing Communications Consent Notice for details. |
| Third-party disclosure of personal information | Optional | Consent to providing the member's personal information to third parties such as the Operator's partners for purposes including marketing, advertising, statistics, and research. Information is provided only to consenting members in accordance with the "Third-Party Disclosure Items and Procedures" below. |
Scope and procedure of the "consent to third-party disclosure"
This consent serves as advance authorization, effective from the time of the member's agreement, for the Operator to provide the member's personal information to partners specified in this Policy. However, actual disclosure occurs only when the following conditions are met pursuant to applicable law.
- Prior identification of the recipient: This Policy identifies the third-party recipient (company name), purpose of disclosure, items disclosed, and retention/use period.
- Policy update and notification: When a new third party is added, members will be notified at least 7 days in advance (30 days for changes unfavorable to members) via in-app notices, push notifications, or email.
- App store disclosure update: The shared items listed in Google Play's Data safety section and Apple App Store's App Privacy label will be updated simultaneously.
- Right to withdraw consent: Members may withdraw this consent at any time via in-app settings or by emailing the Operator. After withdrawal, the member's information will no longer be provided to third parties.
- No disadvantage for declining: Declining this consent does not affect access to the core features of the Service.
Current list of third-party recipients
There are currently no external third parties to whom the Operator directly provides members' personal information. This list will be updated immediately whenever a new partner is added.
| Recipient | Purpose | Items Disclosed | Retention / Use Period |
|---|---|---|---|
| Not applicable | |||
5. Entrustment of Personal Information Processing
The Operator entrusts personal information processing as follows for the smooth provision of the Service.
| Processor | Entrusted Work | Items Processed |
|---|---|---|
| Google LLC (Firebase) | Push notifications (FCM) | FCM token, device identifier |
| Google LLC (AdMob) | Ad serving and settlement, ad fraud prevention | Advertising identifier, device information (when consented) |
| Apple Inc. | Apple Sign In authentication | Apple account identifier (ID token), nickname |
| Amazon Web Services, Inc. | Storage of member information and photo data (Seoul region) | Member information, photo content, mission and grid data |
| BraveMobile (CodePush) | App code push deployment | Installation ID, OS and app version |
| Functional Software, Inc. (Sentry) | Crash and error log collection and analysis | Device identifier, OS and app version, error stack, user ID |
| Cloudflare, Inc. | DNS, CDN, DDoS protection | Access IP, User-Agent |
When entering into entrustment agreements, the Operator specifies that the processor may not process personal information beyond the scope of the entrusted work, and requires appropriate technical and administrative safeguards, and supervises compliance.
6. Rights of Data Subjects and How to Exercise Them
-
Members may exercise the following rights at any time.
- Right to access personal information
- Right to rectification if errors exist
- Right to erasure
- Right to restriction of processing
- Rights may be exercised through the in-app settings screen or by submitting a written or email request to the Privacy Officer. The Operator will act on such requests without delay.
- For members under age 14, a legal guardian may exercise the rights of access, rectification, erasure, and restriction of processing on the member's behalf.
7. GDPR — Additional Rights for EU/EEA/UK Residents
If you are located in the European Union, European Economic Area, or United Kingdom, the following additional provisions apply to you.
Legal bases for processing. The Operator processes your personal information on the following legal bases: consent (e.g., for advertising identifiers and optional marketing communications); performance of a contract (providing the Service you have signed up for); compliance with legal obligations; and legitimate interests (service security and improvement).
Rights of EU/EEA/UK data subjects. In addition to the rights set out in Section 6, you have the right to data portability, the right to object to processing based on legitimate interests, and the right to withdraw consent at any time. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.
International data transfers. Personal data may be processed on servers located outside your country (including the Republic of Korea and the United States). The Operator applies appropriate safeguards — such as standard contractual clauses or equivalent mechanisms — to ensure an adequate level of protection for such transfers.
Right to lodge a complaint. You have the right to lodge a complaint with your local data protection authority (e.g., the supervisory authority in your EU/EEA member state or the UK Information Commissioner's Office).
To exercise any of the above rights, contact the Privacy Officer at haghl980813@gmail.com.
8. CCPA — Additional Rights for California Residents
If you are a California resident, the California Consumer Privacy Act (CCPA) grants you additional rights regarding your personal information.
Categories of personal information collected. As described in Section 2, the Operator collects: identifiers (such as account ID and email address); user-generated content (such as photos uploaded when completing missions); and usage data (such as mission progress, device information, and error logs).
We do not sell your personal information. The Operator does not sell personal information to third parties, and has not done so in the preceding 12 months.
Your rights under the CCPA. You have the right to know what personal information is collected, used, disclosed, or sold about you; the right to request deletion of your personal information; and the right to non-discrimination — meaning you will not receive different prices, service quality, or other disadvantages for exercising your CCPA rights.
How to exercise these rights. To submit a request to know or a request to delete, contact us at haghl980813@gmail.com. We will respond within 45 days as required by the CCPA.
9. Disposal of Personal Information
- The Operator disposes of personal information without delay when it is no longer necessary — for example, when the retention period has expired or the purpose of processing has been achieved.
- Disposal procedure: Information entered by the member is transferred to a separate database after the purpose is fulfilled, stored for the period specified by internal policy and applicable law, and then disposed of.
- Disposal method: Electronic files are deleted using a technical method that renders recovery and reproduction impossible. Printed documents are shredded or incinerated.
10. Measures to Ensure Security of Personal Information
- Administrative measures: Minimizing the number of personnel who handle personal information; regular audits
- Technical measures: Access control management; one-way encryption of passwords; HTTPS encryption of communications; installation and regular updates of security software
- Physical measures: Access controls on systems such as servers where personal information is stored
11. Operation and Opt-Out of Advertising Identifiers and Automatic Collection Devices
The Operator may use advertising identifiers (IDFA on iOS, Advertising ID on Android) to serve personalized ads and prevent ad fraud.
- iOS: You may consent or decline on the App Tracking Transparency (ATT) prompt. Declining does not restrict access to the core features of the app. You can change this setting later at Settings → Privacy & Security → Tracking.
- Android: You may reset your Advertising ID or disable personalized ads at Settings → Google → Ads.
The Service does not use cookies or web tracking tools. Analytics are performed only in the form of de-identified statistics.
12. Personal Information of Children Under Age 14
The Operator does not, as a rule, collect personal information from children under age 14. If it is confirmed that a member is under age 14, the Operator will promptly delete the relevant information. If such a member has already registered, the information will be processed only with the consent of a legal guardian.
13. Remedies for Infringement of Rights
If you need to report or seek advice regarding a personal information infringement, please contact the following organizations.
- Personal Information Dispute Mediation Committee: 1833-6972 (www.kopico.go.kr)
- Personal Information Infringement Report Center: 118 (privacy.kisa.or.kr)
- Supreme Prosecutors' Office Cyber Investigation Division: 1301 (www.spo.go.kr)
- National Police Agency Cyber Investigation Bureau: 182 (ecrm.police.go.kr)
14. Privacy Officer
The Operator has designated the following Privacy Officer to protect members' personal information and handle personal information-related complaints.
- Officer: Donggyu Won
- Contact: haghl980813@gmail.com
- Location: Seoul, Republic of Korea
15. Changes to This Policy
This Privacy Policy takes effect on the date stated above. If additions, deletions, or corrections are made in accordance with changes to laws or internal policy, the Operator will provide notice via in-app announcements at least 7 days before the changes take effect (30 days for material changes).