Privacy Policy
At a glance
Dan Hana is a habit-tracking app built around a single promise per day. We collect only what we need to deliver the service — no advertising IDs, no third-party tracking, no data sales. This policy meets the strictest applicable standards (GDPR, CCPA/CPRA, and South Korea's PIPA) so the same rules apply to every user worldwide.
1. Information we collect
We collect only the minimum information needed to provide the service.
- When you sign up — email address, password (stored as a one-way Argon2id hash), and nickname.
- Social sign-in — the identifier and email provided by Apple or Google (required fields only).
- Service use — the “one thing” you write each day, your successful or missed checks, reminder times, and your IANA time zone.
- Notifications — APNs / FCM device tokens used solely to deliver reminders and check-in prompts.
- Automatic — device identifiers (no advertising ID), OS version, app version, crash logs (Sentry), and anonymous usage analytics (PostHog — screen entries and feature counts only; no personal identifiers).
2. How we use it
- Identify your account and deliver the service
- Save your daily promises and statistics
- Generate and deliver your weekly AI letter
- Send the morning and evening reminders you scheduled
- Diagnose crashes and improve the app (anonymous aggregates only)
We do not sell or share personal information for cross-context behavioral advertising.
3. Legal bases (GDPR)
- Contract (Art. 6(1)(b)) — account creation, daily records, weekly letters, reminders.
- Legitimate interests (Art. 6(1)(f)) — crash diagnostics, anonymous usage analytics, security.
- Consent (Art. 6(1)(a)) — optional notifications and any future marketing channels.
- Legal obligation (Art. 6(1)(c)) — limited retention required by law (see §5).
4. Retention
We delete personal data without delay when you close your account, except where law requires us to retain limited records:
- E-commerce records (Korea): 5 years
- Sign-in logs (Korea, Protection of Communications Secrets Act): 3 months
See Account & Data Deletion for the full procedure.
5. Processors and sub-processors
We never sell personal information. We rely on the following processors strictly to operate the service:
- Apple Inc. — App Store payments and push notifications (APNs).
- Google LLC — Google Sign-In (only when you choose it) and push (FCM) on Android.
- Supabase (AWS ap-northeast-2 / Seoul) — managed database and authentication.
- Fly.io (Tokyo) — application (API server) hosting.
- Resend — transactional email (password reset, signup verification).
- Sentry — error and performance monitoring (personal identifiers masked).
- PostHog — anonymous product analytics (no personal identifiers).
- OpenAI, L.L.C. (United States) — generates your weekly, monthly, and yearly AI letters. Your journal entries and nickname are sent to the OpenAI API; email and other contact information are not. Per OpenAI Enterprise Privacy, inputs are not used to train models and are deleted within 30 days. Transport is TLS 1.2+ with US ↔ EU Standard Contractual Clauses. You can opt out by deleting your account.
6. International transfers
Most processing happens in the Seoul (Supabase) and Tokyo (Fly.io) regions. AI letter generation involves a transfer to the United States (OpenAI) under Standard Contractual Clauses. We rely on equivalent safeguards (encryption in transit and at rest, access controls, audit logs) for all processors.
7. Your rights
You may exercise the following rights at any time, free of charge:
- Access, correction, deletion — write to danhana.official@gmail.com or delete in-app under Settings → Account → Delete account.
- Portability (GDPR Art. 20) — request a JSON export of your records.
- Restriction and objection (GDPR Art. 18, 21) — including objection to processing based on legitimate interests.
- Withdraw consent — turn off notifications anytime in Settings.
- CCPA/CPRA (California residents) — Right to Know, Delete, Correct, Limit Use of Sensitive Personal Information, and to opt out of sale/share. We do not sell or share personal information for cross-context behavioral advertising. We honor the Global Privacy Control (GPC) signal as a valid opt-out request.
- PIPA (South Korea) — right to access, correct, suspend processing, and request deletion.
- Complaint — you may lodge a complaint with your local data protection authority (e.g., Korea PIPC, EU member-state DPA, California Privacy Protection Agency).
8. Security
- Passwords are stored as one-way Argon2id hashes — the plaintext never appears in our systems or logs.
- All traffic is encrypted with TLS 1.2 or higher.
- Production access is limited to a small operations team with audit logging.
- Crash reports and analytics events are scrubbed of personal identifiers.
9. Children
Dan Hana is rated 4+ on the App Store and is suitable for all ages. Under South Korea's PIPA, users under 14 require a legal guardian's consent to register. Where COPPA (United States) applies, we do not knowingly collect personal information from children under 13 without verifiable parental consent. Parents and legal guardians can exercise every right listed in §7 on behalf of their child.
10. Privacy contact
Privacy · danhana.official@gmail.com
General contact · danhana.official@gmail.com
11. Revision history
- April 28, 2026 — initial release
- May 11, 2026 — global v1.2: English version, GDPR/CCPA/PIPA tri-compliance notes