Privacy Policy
Effective date: 2026-06-02
1. Introduction
Meroni Swing (the "Service") values your privacy and complies with the Korean Personal Information Protection Act (PIPA) and related regulations.
This policy explains what personal information we collect, why we collect it, how long we retain it, and your rights regarding your data.
The Service is intended for individuals aged 14 or older. Users under 14 may not create an account or use the Service, and we do not knowingly collect personal information from children under 14. If we confirm that an account or personal information belongs to a user under 14, we will restrict the account and delete or anonymize the related personal information.
The public release version does not serve advertisements, and we do not provide or sell members' personal information to third parties for advertising purposes.
2. Personal Information Collected
Required
| Item | When Collected |
|---|---|
| Email address | Sign-up |
| Password (encrypted) | Sign-up (email registration) |
| Nickname (display name) | Sign-up or profile setup |
Optional
| Item | When Collected |
|---|---|
| Profile image | Profile setup |
| Location (country, city) | Profile setup — user-entered. GPS / automatic location tracking not used |
| Dance experience & styles | Profile setup |
| SNS links | Team/organization/lesson registration |
User-Generated Content
| Item | When Collected |
|---|---|
| Post body and comments | When users write posts/comments |
| Uploaded images (posts, event posters) | When uploading images |
| Direct messages (DM) between users | When sending/receiving messages |
| Event/lesson/social/team registration info | When organizers/hosts register |
Automatically Collected
| Item | When Collected |
|---|---|
| IP address | Consent records, service usage |
| User-Agent (browser info) | Consent records |
| Service usage logs (page views, clicks) | Service usage — Google Analytics 4 + Vercel Analytics |
| Web Push subscription (endpoint URL, encryption keys) | Push notification subscription — stored on our servers |
| Diagnostic data (crash logs, performance traces) | Service usage — Sentry |
| GA4 client ID | Service usage |
Payment Information
Lesson payment features are currently not operational. When payment features are activated in the future, this policy will be updated and user consent will be obtained. Sensitive payment information such as card numbers will not be directly collected by the Service and will be processed through payment gateway (PG) providers.
3. Purposes of Collection and Use
- Member identification and account management
- Event, lesson, and social dance registration and management
- Team and organization management and community features
- Lesson payment and refund processing (if payment features are activated)
- Customer support and inquiry response
- Abuse prevention and service stability
- Consent record keeping (legal obligation)
- Statistical analysis for service improvement (de-identified)
4. Retention Period
| Item | Retention Period | Legal Basis |
|---|---|---|
| Member information | 30 days after deletion request (grace period) | Service agreement |
| Consent records | 3 years from consent date | Personal Information Protection Act |
| User-generated content (posts, comments, messages) | Until account deletion (deleted/anonymized after 30-day grace) | Service agreement |
| Uploaded images | Until account deletion (deleted after 30-day grace) | Service agreement |
| Web Push subscription | Until unsubscribe / account deletion | Service agreement |
| Diagnostic data (Sentry crash logs) | 90 days | Error tracking and stability |
| GA4 analytics data | Up to 14 months (Google policy) | Service improvement |
| Payment and transaction records | N/A (payment features currently disabled) | Upon activation: 5 years per Electronic Commerce Act |
| Customer inquiry records | 3 years | Electronic Commerce Act |
| Abuse prevention records | 1 year | Abuse prevention |
Personal information is destroyed without delay once the retention period has expired or the purpose of processing has been achieved. Where retention is required by law, data is stored separately for the required period before destruction.
5. Third-Party Sharing and Processors
We do not share your personal information with third parties for advertising, marketing, or other commercial purposes. Sharing occurs only in the following cases:
- With your prior consent
- When required by law
Data Processors
| Processor | Purpose | Data Processed |
|---|---|---|
| Supabase (USA) | Database, authentication, partial storage | Member info, service data, user-generated content, messages, Web Push subscriptions |
| Vercel (USA) | Web application hosting and Edge Functions | All HTTP traffic |
| Vercel Analytics (USA) | Page views, route tracking, Web Vitals performance | URL paths, Referrer, User-Agent, anonymized visitor ID, performance metrics |
| Cloudflare (Global) | Image storage (R2), DNS, email routing | Uploaded images, support@ incoming emails |
| Sentry (USA) | Error tracking and diagnostics | Crash logs, performance traces, user ID (optional) |
| Google Analytics 4 (USA) | Service usage analytics | App interactions, page views, device ID (de-identified) |
| Resend (USA, via AWS SES) | Transactional email delivery (sign-up, notifications) | Email address |
| Anthropic (USA) | External event text → structured JSON extraction (admin only) | Organizer-entered external event text |
| Google Maps Platform (USA) | Map display and location selection | IP address, User-Agent, searched addresses (auto-collected by Google) |
| YouTube — Google (USA) | Video embeds (events, teams, lessons pages) | IP, User-Agent, viewing data (auto-collected by Google) |
Push Notifications (W3C Web Push)
The Service does not use any third-party SDK (such as Firebase Cloud Messaging) for push notifications. We use the W3C standard Web Push API with VAPID authentication, self-implemented. When delivering messages, they are sent directly to the endpoint provided by the user's browser push service (Chrome → Google FCM endpoint, Firefox → Mozilla Autopush, Safari → Apple APNs) — no separate contractual relationship exists with these providers. Message contents are end-to-end encrypted using VAPID + Web Push Encryption.
6. International Data Transfer
Your personal information may be transferred outside of Korea for processing by our service providers. Only the minimum data necessary for service operation is transferred, and all recipients maintain appropriate security measures.
| Recipient | Country | Data Transferred |
|---|---|---|
| Supabase | USA (AWS) | Member info, service data, user content, messages |
| Vercel | USA, global Edge | All HTTP traffic |
| Vercel Analytics | USA | Page views, routes, Web Vitals (anonymous) |
| Cloudflare | Global | Uploaded images (R2), emails |
| Sentry | USA | Crash logs and diagnostic data |
| Google (Google Analytics 4) | USA | Service usage statistics (de-identified) |
| Resend / AWS SES | USA | Email addresses (for sending) |
| Anthropic | USA | External event text (admin only) |
| Google Maps Platform | USA | IP, User-Agent, searched addresses |
| YouTube (Google) | USA | IP, viewing data (auto-collected by Google) |
7. Cookies and Analytics
The Service uses cookies and similar technologies for the following purposes:
- Essential cookies: Login session management, authentication token handling
- Analytics cookies: Service usage statistics via Google Analytics 4 (de-identified data, client ID-based)
- Vercel Analytics: Page views, route tracking, and Web Vitals performance metrics. Uses anonymized visitor IDs (no personally identifiable information collected)
- Diagnostic data (non-cookie): Sentry collects crash logs and performance traces for debugging and stability improvement
- Web Push subscription: When users opt in to push notifications, the browser Push API subscription (endpoint URL, encryption keys) is stored on our servers
You may refuse cookies through your browser settings, but some features of the Service may be limited. Push notification subscriptions can be revoked at any time from in-app settings.
8. Your Rights
You may exercise the following rights at any time:
- Request access to, correction, or deletion of your personal data
- Withdraw consent for data collection and use (account deletion)
- Request suspension of data processing
Profile information can be directly edited or deleted through the in-service profile editing feature. Upon requesting account deletion, your data is preserved in a recoverable state for a 30-day grace period, after which it is permanently deleted or anonymized. During the grace period, the deletion may be cancelled by signing in. However, information required to be retained by law (e.g., consent records, transaction records) will be stored separately for the applicable retention period before destruction.
Account deletion channels:
- In-app:
/mypage/account/delete(email OTP verification) - Website (no login required): https://meroniswing.com/en/account/delete-request
For inquiries regarding the exercise of these rights, please contact us at the address below.
9. Data Security
We implement the following measures to ensure the security of your personal information:
- Encrypted password storage (Supabase Auth, bcrypt)
- HTTPS / TLS encryption for all data transmission
- Database Row-Level Security (RLS) policies
- Role separation and least-privilege admin access
- Audit logging for administrator actions
- Regular security reviews and dependency patching
- Regular database backups (managed by Supabase)
- Automatic masking of user identifiers in Sentry diagnostic data when possible
10. Contact
For inquiries, complaints, or remedies regarding personal data processing, please contact us at:
- Service: Meroni Swing
- Email: support@meroniswing.com
For reporting or consulting on personal information breaches in Korea, you may contact:
- KISA Privacy Center (privacy.kisa.or.kr / 118)
- Personal Information Dispute Mediation Committee (kopico.go.kr / 1833-6972)
11. Changes to This Policy
This policy may be updated due to changes in law or service operations. Changes will be announced through the Service. For material changes, a separate consent process will be conducted.
Effective date: 2026-06-02