Reward Train Privacy Policyv1.4

(UmayIT Co., Ltd.)
Article 1 (General Provisions)

UmayIT Co., Ltd. (hereinafter referred to as the "Company") values users' personal information and complies with the relevant laws and regulations, including the Personal Information Protection Act of the Republic of Korea.

This Privacy Policy explains how the Company collects, uses, and protects the personal information provided by users of the Reward Train service.

Article 2 (Items of Personal Information Collected and Methods of Collection)
  1. The Company may collect the following personal information:
    1. When signing up: email address, mobile phone number, nickname, ID, password, age confirmation, access country, and language settings
    2. When using social login: Google or Apple account email, profile name, authentication token
    3. When using the service: ad-viewing records, access logs, device information (OS, model, identifiers), IP address, country code, cookies
    4. When making inquiries: email address, inquiry details, and attached files (optional)
  2. Personal information is collected through the in-app sign-up process, customer service inquiries, or automatically via SDKs (e.g., Firebase, AdMob).
Advertising Identifier and Personalized Ads
  1. The Company provides personalized ads through advertising SDKs such as Google AdMob.
  2. The advertising ID does not directly identify an individual. Users may restrict personalized advertising through device settings:
    • Android: Settings → Google → Ads → Opt out of Ads Personalization
    • iOS: Settings → Privacy → Apple Advertising → Limit Ad Tracking
  3. When personalized ads are limited, certain ads may not be displayed, and the conditions for reward eligibility may differ.
Article 3 (Purpose of Collecting and Using Personal Information)

The Company uses collected personal information for the following purposes:

  1. To verify user identity and authentication
  2. To operate ad-based reward services
  3. To analyze ad-viewing history and calculate rewards
  4. To respond to inquiries and customer support
  5. To improve service quality and develop new features
  6. To prevent misuse and strengthen security measures
Article 4 (Retention and Use Period of Personal Information)
  1. Personal information is retained and used during the period of service use.
  2. When a user withdraws membership or when the purpose of collection and use has been fulfilled, the information is promptly destroyed.
  3. However, the following information may be retained for the periods required by law:
    1. Service usage records: 3 years (Consumer Protection in Electronic Commerce Act)
    2. Ad-viewing logs: 1 year (for settlement and reward verification)
    3. Electronic transaction records: 5 years (Electronic Financial Transactions Act)
Article 5 (Provision of Personal Information to Third Parties)

The Company does not, in principle, provide users' personal information to external parties.

However, exceptions apply in the following cases:

  1. When the user has given prior consent
  2. When minimal information is provided to partner companies for the purpose of reward fulfillment (such as coupon issuance or mileage exchange)
  3. When required by law or regulatory authority
  4. When information is provided in a form that cannot identify individuals for statistical or research purposes
Article 6 (Outsourcing of Personal Information Processing)

The Company may entrust personal information processing to the following service providers to ensure smooth operation:

Entrusted Party Purpose of Outsourcing Storage Location
Amazon Web Services, Inc. (AWS) Service data storage and server operation Tokyo, Japan
Google LLC (AdMob) Ad display, revenue settlement, invalid click detection United States
Google LLC (Firebase) App log analysis, crash tracking, notification delivery United States
Apple Inc. / Google Inc. Social login authentication and account integration Global

※ If there are any changes to entrusted parties, the Company will notify users through announcements.

Article 7 (Overseas Data Transfer)

Some data collected during the provision of services may be transferred to overseas servers (AWS, Google, etc.).

Such data transfers are limited to the minimum necessary information and are managed safely in accordance with Article 28-8 of the Personal Information Protection Act.

Users may refuse consent to the overseas transfer of their information.

However, refusal may result in limited access to certain services.

Article 8 (User Rights and How to Exercise Them)
  1. Users may access, modify, or delete their personal information at any time.
  2. Users may withdraw consent for the collection, use, or provision of personal information.
  3. Requests may be made through the in-app settings or by contacting cs@umayit.com.
  4. The Company will verify the user's identity and promptly take necessary measures.
Article 9 (Measures to Ensure the Security of Personal Information)

The Company takes the following measures to protect personal information:

  1. Restricting access to personal data and maintaining access logs
  2. Encrypting passwords and using SSL for secure communication
  3. Conducting regular security audits and penetration tests
  4. Managing servers through AWS security certifications (ISO27001, SOC2, etc.)
  5. Providing regular internal training on data protection
Article 10 (Destruction of Personal Information)
  1. Personal information is immediately destroyed once its retention period has expired or its purpose has been fulfilled.
  2. Electronic data is deleted in a manner that makes recovery impossible, while paper documents are shredded or incinerated.
  3. Some data may be retained for a certain period in accordance with applicable laws before destruction.
Article 11 (Personal Information Protection Officer)

Data Protection Officer: Jongsung Yoon

Affiliation: UmayIT Co., Ltd.

Email: cs@umayit.com

Article 12 (Notice and Effective Date)

This Privacy Policy shall take effect on June 3, 2024.

The Company may amend this Policy in accordance with legal or operational changes, and any revisions will be announced at least 7 days prior to enforcement.

Additional Notice for Overseas Users

The Company complies with applicable privacy laws in each region where the service is provided, including the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and Japan's Act on the Protection of Personal Information (APPI).

The Company does not sell users' personal information and processes data only for legitimate service operation and reward distribution purposes.