DAYLAB (“Company”) values the privacy of mentalog service (“Service”) users and complies with applicable privacy laws, including the Korean Personal Information Protection Act (PIPA), the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA). This policy describes the personal information we collect, why we collect it, the legal basis for processing, retention periods, and your rights.
1. Personal Information We Collect and Legal Basis
A. At Registration (Required)
| Data | Legal Basis |
|---|---|
| Email address | Contract performance (service delivery) |
| Name (nickname) | Contract performance |
| Social login identifier (Google UID / Apple UID) | Contract performance |
Collected via Google or Apple sign-in. We do not collect passwords.
B. During Service Use
| Data | Legal Basis |
|---|---|
| Mood check-in data (mood score, emotion/condition/activity tags, memo, timestamp) | Explicit consent |
| App settings (notification time, language) | Contract performance |
| Device info (OS, app version, device language) | Legitimate interest (service stability) |
C. For Paid Subscriptions
- We do not directly collect payment information (card numbers, etc.).
- Payments are processed by Apple App Store or Google Play Store. Subscription status and receipt tokens are managed through RevenueCat.
2. Health-Related Sensitive Data
Mood, emotion, and condition data recorded in the Service are subjective entries voluntarily provided by users. This data may be classified as “data concerning health” (special category data) under the GDPR, and we process it based on your explicit consent (GDPR Article 9(2)(a)). You provide separate explicit consent for health data collection when you create your first check-in, and you may withdraw this consent at any time.
PHQ-9, GAD-7, and ASRM scores are statistical estimates based on tag data and are not medical diagnoses. The Service is not a medical service and does not replace professional medical advice.
3. Purposes of Processing
- Service delivery: Mood check-in recording, calendar, reports, pattern analysis
- Account management: User identification, login session
- Notifications: Daily reminder push notifications (FCM)
- Service improvement: De-identified usage analytics
- Advertising: Personalized ads for free users (AdMob)
- Customer support: Inquiry response, account issue resolution
4. Cookies and Tracking Technologies
- Google AdMob: Uses advertising identifiers (IDFA/GAID) to serve ads to free users. On iOS, we request consent via Apple's App Tracking Transparency (ATT) framework before tracking.
- Firebase Analytics: Collects de-identified usage statistics (screen views, feature usage frequency, etc.) for service improvement. You can opt out of analytics data collection in app settings.
- Web cookies: Our website uses only essential cookies (session maintenance).
5. Data Retention
| Category | Retention Period |
|---|---|
| Active members | Duration of membership |
| Account deletion | Immediately deleted (check-in data, profile) |
| Inactive for 12+ months | Prior notice via email, then marked dormant; deleted after 30 days |
| Payment records | 5 years (per Korean E-Commerce Act) |
| App usage logs | De-identified and retained for statistical purposes only |
6. Third-Party Disclosure
We do not provide personal information to third parties without your consent, except:
- When you have given prior consent
- When required by law
7. Data Processors and International Transfers
We use the following service providers, which may result in your data being transferred to servers in the United States. Each provider maintains SOC 2, ISO 27001 or equivalent certifications and applies safeguards comparable to EU Standard Contractual Clauses (SCCs).
| Provider | Purpose | Country |
|---|---|---|
| Google (Firebase Auth, Firestore) | Authentication, data storage | USA |
| Google (AdMob) | Ad serving (free users) | USA |
| Google (FCM) | Push notifications | USA |
| RevenueCat | Subscription management | USA |
8. Your Rights
You may exercise the following rights at any time:
- Access: View your check-in data within the app
- Rectification: Edit your check-in records
- Erasure: Delete all data via Settings → Delete Account
- Portability: Export your data as CSV from app settings (free of charge)
- Restriction: Request processing restriction (via email)
- Withdraw consent: Selectively withdraw individual consent items (ad personalization, analytics data collection, etc.) in app settings, or withdraw all consent by deleting your account
- Automated decision-making: The Service does not perform automated decision-making or profiling
For EEA Residents (GDPR)
EEA residents also have the right to lodge a complaint with a supervisory authority. To exercise your rights, contact us at contact@daylab.dev. We will respond within 30 days.
For California Residents (CCPA)
California residents may request disclosure of collected personal information, deletion of data, and opt-out of sharing of personal information. We do not sell your personal information for monetary consideration. However, for free users, advertising identifiers may be shared with advertising partners through AdMob for personalized ad delivery, which may constitute “sharing” under the CCPA. You can opt out of personalized ads in app settings, or disable ad personalization via ATT settings on iOS or device settings > Privacy > Ads on Android. To exercise your rights, contact us at contact@daylab.dev. We will respond within 45 days.
For Korean Residents (PIPA)
To exercise your rights, contact us at contact@daylab.dev. We will respond within 10 days.
9. Children's Privacy
The Service is not intended for children. If we become aware that a user is under the applicable minimum age, we will promptly delete their account and data.
| Applicable Law | Minimum Age |
|---|---|
| Korea (PIPA) | Under 14 |
| United States (COPPA) | Under 13 |
| EU (GDPR) | Under 16 (varies by member state) |
10. Data Security
- Encryption in transit (TLS 1.2+)
- Access control via Firebase Security Rules
- Multi-factor authentication (MFA) for admin accounts
- Regular security reviews and vulnerability patching
11. Data Breach Response
In the event of a data breach, we will promptly notify affected users and report to the relevant supervisory authority as required by law. Under the GDPR, we will report to the supervisory authority within 72 hours of becoming aware of a breach.
12. Contact
- Business: DAYLAB (Sole Proprietorship)
- Representative: DaSong Sim
- Address: 91 Baumoe-ro, Seocho-gu, Seoul, Republic of Korea
- Business Registration No.: 401-23-55110
- Privacy Officer: DaSong Sim (CEO)
- Email: contact@daylab.dev
13. Governing Law and Jurisdiction
This policy is governed by the laws of the Republic of Korea. Any disputes arising from this policy shall be subject to the exclusive jurisdiction of the Seoul Central District Court. However, for EEA residents, the GDPR shall prevail to the extent applicable, and for California residents, the CCPA shall prevail to the extent applicable.
14. Changes to This Policy
If this policy is updated, we will notify users via in-app notice or email in advance. Changes take effect 7 days after the notice is posted.