Privacy Policy

Effective date: 2026-06-02

1. Introduction

Meroni Swing (the "Service") values your privacy and complies with the Korean Personal Information Protection Act (PIPA) and related regulations.

This policy explains what personal information we collect, why we collect it, how long we retain it, and your rights regarding your data.

The Service is intended for individuals aged 14 or older. Users under 14 may not create an account or use the Service, and we do not knowingly collect personal information from children under 14. If we confirm that an account or personal information belongs to a user under 14, we will restrict the account and delete or anonymize the related personal information.

The public release version does not serve advertisements, and we do not provide or sell members' personal information to third parties for advertising purposes.

2. Personal Information Collected

Required

ItemWhen Collected
Email addressSign-up
Password (encrypted)Sign-up (email registration)
Nickname (display name)Sign-up or profile setup

Optional

ItemWhen Collected
Profile imageProfile setup
Location (country, city)Profile setup — user-entered. GPS / automatic location tracking not used
Dance experience & stylesProfile setup
SNS linksTeam/organization/lesson registration

User-Generated Content

ItemWhen Collected
Post body and commentsWhen users write posts/comments
Uploaded images (posts, event posters)When uploading images
Direct messages (DM) between usersWhen sending/receiving messages
Event/lesson/social/team registration infoWhen organizers/hosts register

Automatically Collected

ItemWhen Collected
IP addressConsent records, service usage
User-Agent (browser info)Consent records
Service usage logs (page views, clicks)Service usage — Google Analytics 4 + Vercel Analytics
Web Push subscription (endpoint URL, encryption keys)Push notification subscription — stored on our servers
Diagnostic data (crash logs, performance traces)Service usage — Sentry
GA4 client IDService usage

Payment Information

Lesson payment features are currently not operational. When payment features are activated in the future, this policy will be updated and user consent will be obtained. Sensitive payment information such as card numbers will not be directly collected by the Service and will be processed through payment gateway (PG) providers.

3. Purposes of Collection and Use

  • Member identification and account management
  • Event, lesson, and social dance registration and management
  • Team and organization management and community features
  • Lesson payment and refund processing (if payment features are activated)
  • Customer support and inquiry response
  • Abuse prevention and service stability
  • Consent record keeping (legal obligation)
  • Statistical analysis for service improvement (de-identified)

4. Retention Period

ItemRetention PeriodLegal Basis
Member information30 days after deletion request (grace period)Service agreement
Consent records3 years from consent datePersonal Information Protection Act
User-generated content (posts, comments, messages)Until account deletion (deleted/anonymized after 30-day grace)Service agreement
Uploaded imagesUntil account deletion (deleted after 30-day grace)Service agreement
Web Push subscriptionUntil unsubscribe / account deletionService agreement
Diagnostic data (Sentry crash logs)90 daysError tracking and stability
GA4 analytics dataUp to 14 months (Google policy)Service improvement
Payment and transaction recordsN/A (payment features currently disabled)Upon activation: 5 years per Electronic Commerce Act
Customer inquiry records3 yearsElectronic Commerce Act
Abuse prevention records1 yearAbuse prevention

Personal information is destroyed without delay once the retention period has expired or the purpose of processing has been achieved. Where retention is required by law, data is stored separately for the required period before destruction.

5. Third-Party Sharing and Processors

We do not share your personal information with third parties for advertising, marketing, or other commercial purposes. Sharing occurs only in the following cases:

  • With your prior consent
  • When required by law

Data Processors

ProcessorPurposeData Processed
Supabase (USA)Database, authentication, partial storageMember info, service data, user-generated content, messages, Web Push subscriptions
Vercel (USA)Web application hosting and Edge FunctionsAll HTTP traffic
Vercel Analytics (USA)Page views, route tracking, Web Vitals performanceURL paths, Referrer, User-Agent, anonymized visitor ID, performance metrics
Cloudflare (Global)Image storage (R2), DNS, email routingUploaded images, support@ incoming emails
Sentry (USA)Error tracking and diagnosticsCrash logs, performance traces, user ID (optional)
Google Analytics 4 (USA)Service usage analyticsApp interactions, page views, device ID (de-identified)
Resend (USA, via AWS SES)Transactional email delivery (sign-up, notifications)Email address
Anthropic (USA)External event text → structured JSON extraction (admin only)Organizer-entered external event text
Google Maps Platform (USA)Map display and location selectionIP address, User-Agent, searched addresses (auto-collected by Google)
YouTube — Google (USA)Video embeds (events, teams, lessons pages)IP, User-Agent, viewing data (auto-collected by Google)

Push Notifications (W3C Web Push)

The Service does not use any third-party SDK (such as Firebase Cloud Messaging) for push notifications. We use the W3C standard Web Push API with VAPID authentication, self-implemented. When delivering messages, they are sent directly to the endpoint provided by the user's browser push service (Chrome → Google FCM endpoint, Firefox → Mozilla Autopush, Safari → Apple APNs) — no separate contractual relationship exists with these providers. Message contents are end-to-end encrypted using VAPID + Web Push Encryption.

6. International Data Transfer

Your personal information may be transferred outside of Korea for processing by our service providers. Only the minimum data necessary for service operation is transferred, and all recipients maintain appropriate security measures.

RecipientCountryData Transferred
SupabaseUSA (AWS)Member info, service data, user content, messages
VercelUSA, global EdgeAll HTTP traffic
Vercel AnalyticsUSAPage views, routes, Web Vitals (anonymous)
CloudflareGlobalUploaded images (R2), emails
SentryUSACrash logs and diagnostic data
Google (Google Analytics 4)USAService usage statistics (de-identified)
Resend / AWS SESUSAEmail addresses (for sending)
AnthropicUSAExternal event text (admin only)
Google Maps PlatformUSAIP, User-Agent, searched addresses
YouTube (Google)USAIP, viewing data (auto-collected by Google)

7. Cookies and Analytics

The Service uses cookies and similar technologies for the following purposes:

  • Essential cookies: Login session management, authentication token handling
  • Analytics cookies: Service usage statistics via Google Analytics 4 (de-identified data, client ID-based)
  • Vercel Analytics: Page views, route tracking, and Web Vitals performance metrics. Uses anonymized visitor IDs (no personally identifiable information collected)
  • Diagnostic data (non-cookie): Sentry collects crash logs and performance traces for debugging and stability improvement
  • Web Push subscription: When users opt in to push notifications, the browser Push API subscription (endpoint URL, encryption keys) is stored on our servers

You may refuse cookies through your browser settings, but some features of the Service may be limited. Push notification subscriptions can be revoked at any time from in-app settings.

8. Your Rights

You may exercise the following rights at any time:

  • Request access to, correction, or deletion of your personal data
  • Withdraw consent for data collection and use (account deletion)
  • Request suspension of data processing

Profile information can be directly edited or deleted through the in-service profile editing feature. Upon requesting account deletion, your data is preserved in a recoverable state for a 30-day grace period, after which it is permanently deleted or anonymized. During the grace period, the deletion may be cancelled by signing in. However, information required to be retained by law (e.g., consent records, transaction records) will be stored separately for the applicable retention period before destruction.

Account deletion channels:

For inquiries regarding the exercise of these rights, please contact us at the address below.

9. Data Security

We implement the following measures to ensure the security of your personal information:

  • Encrypted password storage (Supabase Auth, bcrypt)
  • HTTPS / TLS encryption for all data transmission
  • Database Row-Level Security (RLS) policies
  • Role separation and least-privilege admin access
  • Audit logging for administrator actions
  • Regular security reviews and dependency patching
  • Regular database backups (managed by Supabase)
  • Automatic masking of user identifiers in Sentry diagnostic data when possible

10. Contact

For inquiries, complaints, or remedies regarding personal data processing, please contact us at:

  • Service: Meroni Swing
  • Email: support@meroniswing.com

For reporting or consulting on personal information breaches in Korea, you may contact:

  • KISA Privacy Center (privacy.kisa.or.kr / 118)
  • Personal Information Dispute Mediation Committee (kopico.go.kr / 1833-6972)

11. Changes to This Policy

This policy may be updated due to changes in law or service operations. Changes will be announced through the Service. For material changes, a separate consent process will be conducted.

Effective date: 2026-06-02