Privacy Policy

Effective Date: March 25, 2026

Hurest (hereinafter "Company") values the personal information of users of Legends of Habit (hereinafter "Service") and complies with the Personal Information Protection Act of Korea and other applicable laws. This Privacy Policy explains how the Company collects, uses, retains, and destroys personal information.


Article 1 (Purpose of Processing Personal Information)

The Company processes personal information for the following purposes. Personal information will not be used for purposes other than those stated below, and prior consent will be obtained if the purpose of use is changed.

| Purpose | Details |
| --- | --- |
| Registration and account management | Identity verification and authentication, membership maintenance, consent record management |
| Service provision | Habit Card management, motivation system operation, shop and payment processing, push notification delivery, habit search feature |
| Service improvement | Usage statistics analysis, service quality improvement, new feature development |
| Marketing use | Creating statistics and case studies using de-identified habit data (used only in forms that cannot identify specific users) |
| Customer inquiry response | Receiving and processing user inquiries and complaints, notifying results |
| Legal compliance | Record retention in accordance with the Act on Consumer Protection in Electronic Commerce and other applicable laws |

Article 2 (Types of Personal Information Collected)

1. Collected at Registration

| Category | Items | Collection Method |
| --- | --- | --- |
| Required | Email address, name (nickname) | Provided via social login (Google, Apple) |
| Optional | Profile image | Provided via social login or set directly |

2. Collected During Service Use

| Items | Purpose |
| --- | --- |
| Habit Card information (habit name, cycle, etc.) | Service provision |
| Service data (level, coins, rubies, items, etc.) | Service provision |
| Member interaction data (reactions, connection relationships, etc.) | Service provision |
| Consent records (consent version, consent date) | Legal compliance |
| Payment records (purchase history, transaction ID) | Payment processing and refunds |

3. Automatically Collected

| Items | Purpose |
| --- | --- |
| Access logs, IP address | Service operation and security |
| Device information (device type, OS, browser) | Service optimization |
| Push tokens (FCM tokens, Web Push endpoints) | Push notification delivery |
| Cookies | Authentication session maintenance (see Article 8) |
| Google Analytics data (page views, usage patterns, etc.) | Service improvement and statistics |

Note: Payment method information (card numbers, bank account numbers, etc.) is processed directly by the payment platforms (Apple, Google, PayPal) and is not stored on the Company's servers.

Article 3 (Retention and Processing Period of Personal Information)

The Company retains personal information until the purpose of collection and use is fulfilled, and destroys it without delay upon membership withdrawal. However, information that must be preserved under applicable laws will be retained for the required period.

| Retained Items | Retention Period | Legal Basis |
| --- | --- | --- |
| Records of contracts or withdrawal of subscription | 5 years | Act on Consumer Protection in Electronic Commerce |
| Records of payment and supply of goods | 5 years | Act on Consumer Protection in Electronic Commerce |
| Records of consumer complaints or dispute resolution | 3 years | Act on Consumer Protection in Electronic Commerce |
| Access logs | 3 months | Protection of Communications Secrets Act |

Article 4 (Provision of Personal Information to Third Parties)

In principle, the Company does not provide users' personal information to third parties. However, exceptions apply in the following cases:

  1. When the user has given prior consent
  2. When disclosure is required by investigative authorities or other agencies under applicable laws
  3. When a member sets a Habit Card to public, information such as the habit name may appear in other members' search results. Setting a Habit Card to private restricts visibility to the creator only.
  4. A member's nickname and profile image may be visible to other members through search results, Habit Card views, social features, and other aspects of the Service.

Article 5 (Outsourcing of Personal Information Processing)

The Company outsources certain personal information processing tasks as follows for the purpose of providing the Service:

| Subcontractor | Outsourced Task | Retention Period |
| --- | --- | --- |
| Google (Firebase) | Push notification delivery | Duration of service use |
| Google (Analytics) | Usage statistics analysis | Per Google's policies |
| Supabase | Database hosting | Duration of service use |
| Vercel | Web app hosting | Duration of service use |
| Apple / Google / PayPal | Payment processing | Per each platform's policies |

The Company's outsourcing agreements include provisions on compliance with privacy laws, confidentiality of personal information, prohibition of disclosure to third parties, liability for damages in the event of an incident, and return or destruction of personal information upon termination of the outsourcing arrangement.

Article 6 (User Rights and How to Exercise Them)

Users may exercise the following rights at any time:

  1. Request access to personal information: View personal information held by the Company
  2. Request correction of personal information: Correct inaccurate personal information
  3. Request deletion of personal information: Delete unnecessary personal information
  4. Request suspension of processing: Suspend the processing of personal information
  5. Membership withdrawal: Request via email at legendsofhabit@hurest.com. The Company will process the request within 7 business days. Upon withdrawal, all personal information except items required to be retained by law will be deleted.

These rights may be exercised directly through the settings features within the Service. In cases where the matter cannot be resolved through in-Service features, requests may be directed to the Privacy Officer (Article 13).

Article 7 (Personal Information of Children Under 14)

The Service is intended for users aged 14 and older, and does not accept registration from children under the age of 14. If the Company becomes aware that personal information of a child under 14 has been collected, such information will be destroyed without delay.

Article 8 (Use of Cookies)

1. Purpose

The Company uses cookies to maintain users' authentication status.

2. Cookies Used

| Cookie | Purpose | Type |
| --- | --- | --- |
| Session cookie (NextAuth) | Maintaining login authentication status | Essential |

3. How to Refuse Cookies

Users may refuse cookies through their web browser settings. However, refusing essential cookies may restrict access to features that require login.

Article 9 (Use of Google Analytics)

The Company uses Google Analytics for usage statistics analysis and service improvement.

  1. Google Analytics collects information about users' service usage (page views, session duration, device used, etc.) through cookies.
  2. Collected information is stored on Google's servers and processed in accordance with Google's privacy policy.
  3. Users may opt out of Google Analytics data collection by installing the Google Analytics opt-out browser add-on (https://tools.google.com/dlpage/gaoptout).

Article 10 (Marketing Use of De-identified Data)

  1. The Company may de-identify habit card data created by users and use it for marketing purposes.
  2. De-identification means processing data so that specific individuals cannot be identified. Such data may be used in the following forms:
    • Statistics: "78% of users created exercise-related habits"
    • Case studies: "Achieved 30 consecutive days with the 'Drink Water Daily' habit"
  3. De-identified data does not include personally identifiable information such as the user's name, email, or profile image.

Article 11 (Destruction of Personal Information)

The Company shall promptly destroy personal information when the retention period expires or the purpose of processing has been fulfilled.

  1. Electronic files: Deleted in an unrecoverable manner
  2. Physical records: Shredded or incinerated

Article 12 (Measures to Ensure the Security of Personal Information)

The Company implements the following measures to ensure the security of personal information:

  1. Access control: Limiting the number of personnel who process personal information to the minimum necessary
  2. Encryption in transit: Encrypting data transmission via HTTPS
  3. Authentication security: Secure management of OAuth tokens and session information
  4. Access log retention: Retaining and managing access logs for personal information processing systems

Article 13 (Privacy Officer)

The Company designates the following Privacy Officer who oversees personal information processing:

| Item | Details |
| --- | --- |
| Name | Chiyoung Choi |
| Position | Representative (concurrent) |
| Contact | legendsofhabit@hurest.com |

For inquiries, complaints, or damage relief related to personal information processing, please contact the Privacy Officer above.

Article 14 (Remedies for Rights Infringement)

Users may contact the following organizations for relief from personal information infringement:

| Organization | Contact | Website |
| --- | --- | --- |
| Personal Information Infringement Report Center (KISA) | 118 (no area code) | privacy.kisa.or.kr |
| Personal Information Dispute Mediation Committee | 1833-6972 | kopico.go.kr |
| Supreme Prosecutors' Office Cyber Investigation Division | 1301 (no area code) | spo.go.kr |
| National Police Agency Cyber Bureau | 182 (no area code) | cyberbureau.police.go.kr |

Article 15 (Amendment of the Privacy Policy)

This Privacy Policy may be amended in accordance with changes in applicable laws or service policies. Any changes will be communicated through in-Service notices, push notifications, or other methods.


Supplementary Provisions

This Privacy Policy shall take effect on March 25, 2026.

Business Information

  • Business Name: Hurest
  • Representative: Chiyoung Choi
  • Business Registration Number: 764-14-02720
  • Contact: legendsofhabit@hurest.com