Privacy Policy (EN)
MOSS CALENDAR
Privacy Policy
Effective Date: March 20, 2026
Last Updated: March 20, 2026
This Privacy Policy describes how Moss Labs Co., Ltd. ("Moss Labs," "we," "us," or "our") collects, uses, shares, and protects personal information through the Moss Calendar mobile application, our website at https://mosslabs.kr, and all related services (collectively, the "Service").
This Privacy Policy is provided in accordance with the Personal Information Protection Act (개인정보보호법, "PIPA") of the Republic of Korea and other applicable data protection laws.
By using the Service, you acknowledge that you have read and understood this Privacy Policy.
The Service is operated from the Republic of Korea, and your personal information is processed in accordance with the laws of the Republic of Korea. If you access the Service from outside of the Republic of Korea, please be aware that your information may be transferred to, stored, and processed in the Republic of Korea, where our servers are located and our central database is operated.
1. Personal Information We Collect
1.1 Information You Provide
When you create an account or use the Service, we may collect the following categories of personal information:
Account Information
- Name or display name
- Email address
- Account credentials provided through third-party authentication services (Apple Sign-In, Google OAuth)
User-Generated Content
- Calendar boards you create (names, descriptions, and public/private settings)
- Events you save, curate, or add to your calendars
- Links you submit to the Service for event creation
- Profile information you voluntarily provide (biography, interests)
Communications
- Information you provide when you contact us for support or feedback
- Responses to surveys or questionnaires, if any
1.2 Information Collected Automatically
When you access or use the Service, we automatically collect certain information, including:
Device Information
- Device type, model, and operating system version
- Unique device identifiers
- Language and time zone settings
Usage Information
- Features you use and actions you take within the Service
- Pages or screens viewed, and time spent on each
- Search queries within the Service
- Date and time of access
Analytics Data
We use Vercel Analytics to collect anonymized usage data about how users interact with the Service. This includes page views, session duration, and general interaction patterns. Vercel Analytics is designed to collect analytics data without using cookies and without collecting personally identifiable information.
1.3 Information from Third-Party Authentication Services
When you sign in through Apple Sign-In or Google OAuth, we receive limited information from those services in accordance with your settings and their privacy policies:
Apple Sign-In: Your name (if you choose to share it), email address (or an Apple-generated relay email address if you choose to hide your email), and a unique user identifier.
Google OAuth: Your name and email address associated with your Google account.
We do not receive or store your Apple ID password or Google account password. Authentication is handled directly by Apple and Google.
2. How We Use Your Personal Information
We use your personal information for the following purposes:
| Purpose | Categories of Information Used |
|---|---|
| Account creation and management | Account information |
| Providing and operating the Service | Account information, user-generated content, device information, usage information |
| Personalizing your experience | Usage information, user-generated content |
| Sending push notifications about events and Service updates | Account information, device information |
| Responding to your inquiries and support requests | Account information, communications |
| Improving and developing the Service | Usage information, analytics data, device information |
| Detecting, preventing, and addressing fraud, abuse, security incidents, or technical issues | Account information, device information, usage information |
| Complying with legal obligations | Any information as required by law |
We do not use your personal information for automated decision-making or profiling that produces legal or similarly significant effects.
3. Sharing of Personal Information
3.1 Third-Party Service Providers
We may share your personal information with the following categories of third-party service providers who assist us in operating the Service:
| Service Provider | Purpose | Information Shared |
|---|---|---|
| Supabase (database hosting — Seoul, ap-northeast-2 region) | Data storage and management | Account information, user-generated content |
| Apple (authentication) | Account sign-in | Authentication tokens |
| Google (authentication) | Account sign-in | Authentication tokens |
| Vercel (hosting and analytics) | Service hosting, anonymized analytics | Anonymized usage data |
| Apple Push Notification Service (APNs) | Push notifications | Device tokens, notification content |
These service providers are contractually obligated to use your information only for the purposes of providing services to us and in accordance with applicable data protection laws.
3.2 Legal Requirements
We may disclose your personal information if required to do so by law, regulation, legal process, or governmental request under the laws of the Republic of Korea, or when we believe in good faith that disclosure is necessary to:
(a) Comply with applicable law or respond to valid legal process;
(b) Protect the rights, property, or safety of Moss Labs, our users, or the public;
(c) Detect, prevent, or address fraud, security, or technical issues;
(d) Enforce our Terms of Service.
3.3 Business Transfers
In the event of a merger, acquisition, reorganization, sale of assets, or bankruptcy, your personal information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your personal information, in accordance with PIPA.
3.4 No Sale of Personal Information
We do not sell your personal information to third parties.
4. International Data Transfers
Your personal information is primarily stored in the Republic of Korea. Our database is hosted on Supabase infrastructure in the Seoul region (AWS ap-northeast-2).
However, certain service providers may process your information in countries other than the Republic of Korea:
Vercel: Web hosting and analytics services may involve servers located in various countries, including the United States.
Apple and Google: Authentication services are operated globally by Apple Inc. and Google LLC, both headquartered in the United States.
When your personal information is transferred outside of the Republic of Korea, we ensure that appropriate safeguards are in place in accordance with PIPA (Articles 17 and 39-12), including:
- Notification to you of the recipient, purpose, and items of personal information transferred;
- Contractual obligations requiring service providers to protect your information in accordance with standards substantially similar to those required under Korean law;
- Technical and organizational security measures to protect your information during transfer and storage.
For questions about international data transfers, please contact us at contact@mosslabs.kr.
5. Retention of Personal Information
We retain your personal information for the following periods:
| Category | Retention Period | Legal Basis |
|---|---|---|
| Account information | Duration of account + 30 days after deletion request | Service provision |
| User-generated content | Duration of account + 30 days after deletion request | Service provision |
| Usage and analytics data | 1 year from collection | Service improvement |
| Communications (support inquiries) | 3 years from resolution | Act on Consumer Protection in Electronic Commerce (전자상거래 등에서의 소비자보호에 관한 법률), Article 6 |
| Records of access logs | 3 months from creation | Protection of Communications Secrets Act (통신비밀보호법), Article 15-2 |
| Device information | Duration of account + 30 days after deletion request | Service provision |
When personal information is no longer needed for the purposes for which it was collected, or upon expiration of the retention period, we will promptly destroy or anonymize the information in accordance with PIPA.
Destruction Methods:
- Electronic files: Permanently deleted using technical methods that prevent recovery.
- Physical records (if any): Shredded or incinerated.
6. Your Rights
Under PIPA and other applicable laws of the Republic of Korea, you have the following rights regarding your personal information:
6.1 Right of Access
You may request access to the personal information we hold about you.
6.2 Right of Correction
You may request correction of inaccurate or incomplete personal information. You may also update certain account information directly through the Service.
6.3 Right of Deletion
You may request deletion of your personal information, subject to any legal obligations that require us to retain certain information. You may also delete your account through the Service or by contacting us.
6.4 Right to Suspend Processing
You may request that we suspend the processing of your personal information. However, we may continue processing where required by law or where suspension would prevent us from providing the Service.
6.5 Right to Withdraw Consent
Where processing is based on your consent, you may withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing conducted prior to withdrawal.
6.6 How to Exercise Your Rights
To exercise any of these rights, please contact us at:
Email: contact@mosslabs.kr
Address: B1F, 129, 123 Seocho-jungang-ro, Seocho-gu, Seoul, Republic of Korea
We will respond to your request within ten (10) days of receipt, in accordance with PIPA. If we are unable to fulfill your request, we will provide you with a written explanation of the reasons.
You may also exercise your rights through an authorized representative. In such cases, we may require a power of attorney or equivalent documentation in accordance with the Enforcement Decree of PIPA.
7. Protection of Children's Personal Information
The Service is not intended for use by children under the age of fourteen (14). We do not knowingly collect personal information from children under fourteen. In accordance with Article 39-3 of PIPA, collection of personal information from children under fourteen requires verifiable consent from a legal representative. If we become aware that we have collected personal information from a child under fourteen without such consent, we will take steps to promptly delete that information. If you believe that we may have collected information from a child under fourteen, please contact us at contact@mosslabs.kr.
8. Automatic Data Collection Technologies
8.1 Cookies and Similar Technologies
Our website (mosslabs.kr) does not currently use cookies for tracking purposes. Vercel Analytics, our web analytics provider, operates without the use of cookies.
Our mobile application may use local storage mechanisms, session tokens, authentication tokens, and similar technologies that are standard to iOS application operation. These technologies are used for purposes including maintaining your login session, storing your preferences, and enabling core app functionality. They are not used to track you across other applications or websites.
If we introduce browser cookies, advertising pixels, or similar cross-site tracking technologies in the future, we will update this Privacy Policy, publish a separate Cookie Statement, and provide appropriate notice and consent mechanisms as required by applicable law.
8.2 Push Notifications
With your consent, we may send push notifications to your mobile device. You can manage push notification preferences through your device settings at any time. Opting out of push notifications will not affect the core functionality of the Service.
9. Security Measures
We implement reasonable technical, administrative, and physical safeguards to protect your personal information from unauthorized access, alteration, disclosure, or destruction, in accordance with the security measures required by PIPA and its Enforcement Decree. These measures include:
- Encryption of data in transit using TLS/SSL
- Encryption of personal information at rest in our database
- Access controls limiting personnel access to personal information on a need-to-know basis
- Use of third-party authentication services (Apple Sign-In, Google OAuth) rather than storing passwords directly
- Regular review and update of security practices
However, no method of transmission over the internet or method of electronic storage is completely secure. We cannot guarantee the absolute security of your personal information.
10. Personal Information Protection Officer
In accordance with Article 31 of PIPA, we have designated the following individual as our Personal Information Protection Officer (개인정보 보호책임자):
| Item | Details |
|---|---|
| Name | 유한결 (Yoo Hankyul) |
| Title | Co-CEO |
| Email | contact@mosslabs.kr |
You may contact the Personal Information Protection Officer for any inquiries, complaints, or requests related to the processing of your personal information.
11. Remedies for Infringement of Rights
If you believe your personal information rights have been infringed, you may seek assistance from the following organizations:
Personal Information Dispute Mediation Committee (개인정보 분쟁조정위원회): +82-1833-6972 / https://www.kopico.go.kr
Personal Information Infringement Report Center (개인정보 침해신고센터), Korea Internet & Security Agency: +82-118 / https://privacy.kisa.or.kr
Supreme Prosecutors' Office Cybercrime Investigation Division (대검찰청 사이버수사과): +82-1301 / https://www.spo.go.kr
Korean National Police Agency Cyber Bureau (경찰청 사이버수사국): +82-182 / https://ecrm.police.go.kr
12. Notice to European Users (GDPR)
This section applies to individuals located in the European Economic Area ("EEA") and the United Kingdom (collectively, "Europe"). For the purposes of this section, references to "personal information" include "personal data" as defined under the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the UK General Data Protection Regulation.
12.1 Data Controller
Moss Labs Co., Ltd. is the data controller responsible for your personal information. We can be contacted at contact@mosslabs.kr.
12.2 Legal Bases for Processing
We process your personal information based on the following legal grounds under the GDPR:
| Purpose | Legal Basis |
|---|---|
| Account creation and service delivery | Performance of a contract (Article 6(1)(b)) |
| Push notifications | Your consent (Article 6(1)(a)) |
| Service improvement and analytics | Legitimate interests (Article 6(1)(f)) — improving our Service and understanding usage patterns |
| Security and fraud prevention | Legitimate interests (Article 6(1)(f)) — protecting the Service and our users |
| Legal compliance | Compliance with legal obligations (Article 6(1)(c)) |
Where we rely on legitimate interests, we have assessed that our interests do not override your fundamental rights and freedoms.
12.3 Your Additional Rights Under GDPR
In addition to the rights described in Section 6 of this Privacy Policy, European users have the following rights:
Right to Data Portability. You may request a copy of your personal information in a structured, commonly used, machine-readable format (such as JSON), and you may request that we transmit this data to another controller where technically feasible.
Right to Object. You may object to the processing of your personal information where we rely on legitimate interests as our legal basis. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
Right to Lodge a Complaint. You have the right to lodge a complaint with your local data protection authority. Contact details for EEA data protection authorities can be found at https://edpb.europa.eu/about-edpb/board/members_en. For the UK, you may contact the Information Commissioner's Office at https://ico.org.uk/make-a-complaint/.
12.4 International Transfers from Europe
Your personal information may be transferred to the Republic of Korea, where our servers and central database are located. The Republic of Korea has received an adequacy decision from the European Commission (as of December 2021), which means that transfers of personal data from the EEA to South Korea are permitted without additional safeguards. For transfers to other third countries (such as the United States, where some of our service providers operate), we rely on appropriate safeguards, including standard contractual clauses approved by the European Commission.
12.5 Data Retention
We retain your personal information as described in Section 5. Where we process your data based on consent, we will retain it until you withdraw your consent. Where we process it based on legitimate interests, we will retain it for as long as necessary for those purposes.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by updating the "Last Updated" date at the top of this policy and, where practicable, by providing notice through the Service or via email. Material changes will take effect seven (7) days after posting, unless otherwise specified.
We will announce any significant changes to this Privacy Policy through the Service, in accordance with Article 30 of PIPA.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your personal information.
14. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our processing of your personal information, please contact us at:
Moss Labs Co., Ltd. (주식회사 모스랩스)
Email: contact@mosslabs.kr
Address: B1F, 129, 123 Seocho-jungang-ro, Seocho-gu, Seoul, Republic of Korea