# Roomfit Studio Privacy Policy

**Last updated**: 2026-04-20
**Effective date**: 2026-04-20
**Data controller**: WESPION Inc. (South Korea)

WESPION Inc. ("Wespion", "we", "us") respects the privacy of users of the Roomfit Studio app ("Service"). This policy describes how we collect, use, disclose, and protect personal data in compliance with the Personal Information Protection Act (PIPA) of Korea, the EU General Data Protection Regulation (GDPR) where applicable, and other relevant laws.

---

## 1. Data We Collect

### 1-1. Required
| Category | Fields | Collected when |
|---|---|---|
| Account identity | Email address, hashed password | Sign-up |
| Usage records | Login history, app session logs, device ID | While using the Service |
| Workout records | Exercise type, sets/reps/weight, timestamps, BLE device data | While using the Service |
| Membership (operators) | Affiliated studio, role (Owner/Trainer/Member) | On invite acceptance |

### 1-2. Optional
| Category | Fields |
|---|---|
| Profile | Nickname, profile photo |
| Contact | Phone number |

### 1-3. Automatically collected
- OS, app version, language, IP address
- Roomfit device IDs over BLE (never transmitted off-device)
- Anonymized crash logs and performance metrics

---

## 2. Purposes of Processing

1. Account authentication and membership management
2. Service delivery (workout logging, trainer-member matching, session handling)
3. Service improvement through aggregated analytics and bug fixes
4. Customer support and in-app notifications
5. Legal compliance (record keeping required by applicable law)

We do **not** use personal data for third-party marketing or advertising, and we do not sell personal data.

---

## 3. Retention

| Data | Retention period | Basis |
|---|---|---|
| Account data | Until deletion or 1 year of inactivity | User consent |
| Workout records | Immediately erased on account deletion | User consent |
| Access logs, IP | 3 months | Korean Communications Privacy Act |
| Payment records (if paid tier launches) | 5 years | Korean E-commerce Act |

---

## 4. Third-party Disclosure

We do not disclose personal data to third parties except:
- With the user's explicit prior consent
- When required by law or by a lawful request from authorities
- To protect life or bodily safety in emergencies

---

## 5. Sub-processors

To deliver the Service, we entrust processing to the following processors. We maintain data processing agreements with them that require security safeguards equivalent to our own.

| Processor | Purpose | Data location |
|---|---|---|
| Supabase, Inc. | Database, authentication, storage | United States |
| Google LLC (Firebase / Play Services) | Analytics, push notifications | United States |
| Apple Inc. (APNs, App Store) | Push notifications, distribution | United States |

---

## 6. Your Rights

You have the right to:
1. Access and correct your data (in-app Settings)
2. Request deletion or account termination (in-app or via support)
3. Restrict processing or object to processing
4. Request data portability (where applicable)
5. Lodge a complaint with a supervisory authority

Requests may be sent to **bruce@wespion.com**. We will respond within 30 days.

---

## 7. Data Deletion

Upon account deletion or legal retention period expiry, personal data is erased through unrecoverable means. Backups are purged during the next scheduled rotation.

---

## 8. Children

The Service targets adult trainers and studio operators. We do not knowingly collect personal data from children under 14. If such data is discovered, we will delete it promptly.

---

## 9. Security

We protect data through:
- **Technical**: TLS encryption in transit, database access logs, periodic security audits, Supabase Row-Level Security
- **Organizational**: Least-privilege access for staff, regular training, this policy
- **Physical**: Cloud provider controls at Supabase / GCP / Apple data centers

No system is perfectly secure; we encourage users to keep credentials confidential.

---

## 10. Data Protection Officer

| Role | Name | Contact |
|---|---|---|
| Data Protection Officer | Sungwoo Hwang (CEO, Wespion Inc.) | wespion@wespion.com |
| Engineering / DPO delegate | Bruce Choe | bruce@wespion.com |

---

## 11. Complaints

Korean residents may contact:
- Personal Information Dispute Mediation Committee: 1833-6972 / kopico.go.kr
- Korean Internet & Security Agency Privacy Center: 118 / privacy.kisa.or.kr

EU / EEA residents may contact their national data protection authority.

---

## 12. Changes to This Policy

We may update this policy to reflect legal, technical, or business changes. We will give in-app notice of material changes at least 7 days in advance.

---

This policy is effective from April 20, 2026.
