🔐 Blossom Privacy Policy
Effective Date: September 1, 2025
Last Modified: September 1, 2025
Privacy Officer: Jinny You (CEO)
📋 Article 1 (Purpose of Personal Information Processing)
1.1 Primary Processing Purposes
Blossom processes personal information for the following purposes and does not use it for any other purposes:
- Member Management: Customer registration confirmation, identity verification and authentication, member qualification maintenance and management
- Service Provision: English learning services, AI tutoring, community, and game services
- Payment Processing: Payment processing for goods or services, point charging and refunds
- Customer Support: Inquiry responses, technical support, customer service improvement
- Legal Obligations: Fulfillment of obligations and rights protection according to relevant laws
1.2 Detailed Service-Specific Processing Purposes
- AI Diary Writing: Personalized English learning and grammar correction
- Community Services: Language exchange, group chat, social feed operation
- Game Platform: Learning progress tracking and customized content provision
- Media Services: Blossom TV, shorts, and news hub personalization
- Professional Tutoring: 1:1 video classes and learning plan establishment
⏰ Article 2 (Personal Information Processing and Retention Period)
2.1 Basic Retention Principles
Blossom processes and retains personal information within the personal information retention and use period consented to by the information subject or within the period specified by law.
2.2 Detailed Retention Periods
| Processing Task | Retention Period | Relevant Laws/Basis |
|---|---|---|
| Customer Registration and Management | Until service use contract or membership termination (However, if creditor-debtor relationships remain, until settlement of such relationships) |
Electronic Commerce Act, Personal Information Protection Act |
| Electronic Commerce Contracts, Withdrawal of Offer, Payment, Goods Supply Records | 5 years | Electronic Commerce Act |
| Consumer Complaints or Dispute Resolution Records | 3 years | Electronic Commerce Act |
| Display and Advertising Records | 6 months | Electronic Commerce Act |
| Website Visit Records | 3 months | Communications Privacy Protection Act |
| Community Activity Records | Until account deletion | Personal Information Protection Act |
2.3 Post-Retention Period Processing
- Automatic Deletion: Automatic deletion within 5 days after retention period expires
- Manual Deletion: Immediate deletion upon user request
- Anonymization: Remove personal identification information for statistical purposes
🔗 Article 3 (Third-Party Personal Information Provision)
3.1 Third-Party Provision Principles
Blossom provides personal information to third parties only in cases specified in Personal Information Protection Act Article 17 and Article 18, such as information subject consent or special legal provisions.
3.2 Third-Party Provision Status
Firebase Analytics
- Recipient: Google LLC
- Provision Purpose: App activity data analysis using Firebase Analytics
- Provided Items: Service usage records, access logs, user behavior patterns
- Retention Period: According to Google's privacy policy
Payment Service Providers
- Recipient: Payment service providers for each platform
- Provision Purpose: Payment processing and refunds
- Provided Items: Payment information, transaction records
- Retention Period: According to relevant laws
📋 Article 4 (Personal Information Processing Outsourcing)
4.1 Outsourcing Processing Principles
Blossom outsources personal information processing tasks for smooth personal information business processing, and when outsourcing contracts are concluded, the following matters are specified in contracts according to Personal Information Protection Act Article 25:
- Prohibition of personal information processing beyond outsourcing task purposes
- Technical and administrative protection measures
- Re-outsourcing restrictions
- Management and supervision of outsourced parties
- Matters regarding damage compensation and other responsibilities
4.2 Outsourced Tasks Status
| Outsourced Task | Contractor | Outsourcing Content | Retention Period |
|---|---|---|---|
| Data Analysis | Google LLC | App activity data analysis using Firebase Analytics | Service usage period |
| Cloud Infrastructure | Amazon Web Services, Inc. | User data storage and synchronization | Service usage period |
4.3 Contractor Management
- Regular Supervision: Quarterly inspection of contractor personal information processing status
- Security Assessment: Annual assessment of contractor security levels
- Contract Renewal: Re-assessment of security levels and renewal when outsourcing contracts expire
- Change Notifications: 7-day advance notice when outsourcing task content or contractors change
🛡️ Article 5 (Information Subject Rights, Obligations, and Exercise Methods)
5.1 Information Subject Rights
Users may exercise the following rights as personal information subjects:
- Personal Information Access Request: Confirm personal information processing status and content
- Personal Information Correction and Deletion Request: Correct or delete erroneous personal information
- Personal Information Processing Suspension Request: Request suspension of personal information processing
- Personal Information Transfer Request: Transfer personal information to other services
- Processing Refusal Right: Refuse personal information processing for marketing purposes
5.2 Rights Exercise Methods
- Online: Direct processing through in-app Settings > Privacy Management
- Email: Request to team@blossomdiary.com
- Phone: Request to +82-10-5060-1462
- Mail: Blossom Privacy Officer, [Address], Seoul, Republic of Korea
5.3 Processing Periods
- Access, Correction, Deletion: Within 10 days after request reception
- Processing Suspension: Within 10 days after request reception
- Transfer: Within 30 days after request reception
5.4 Information Subject Obligations
- Accurate Information Provision: Provide accurate personal information necessary for service use
- Information Protection: Prohibit providing or disclosing personal information to others
👁️🗨️ Article 6 (Processed Personal Information Items)
6.1 Blossom App Usage
Required Items
- Basic Information: Email, name, profile image
- Account Information: User ID, email
- Service Usage Records: Diary content, learning progress, game records
- Access Information: Access logs, access IP information, device information
- Payment Information: Payment records, point balance, subscription status
- Notification Information: Push Token, notification settings
Optional Items
- Profile Information: Self-introduction, interests, learning goals
- Social Information: Follower/following lists, community activity records
- Learning Settings: Difficulty settings, learning notification times, language settings
6.2 AI Service Usage
AI Diary Writing
- Diary Content: Written diary text, translation request content
- Learning Data: Grammar error patterns, improvement suggestion records
- User Feedback: AI suggestion acceptance, satisfaction evaluation
AI Tutoring
- Conversation Content: Learning conversation records with AI
- Learning Plans: Personalized learning plans and progress
- Performance Analysis: Learning performance and improvement point analysis data
6.3 Community Services
Language Exchange
- Chat Content: 1:1 language exchange conversation records
- Matching Information: Language exchange partner information and preferences
- Evaluation Records: Mutual evaluations and reviews
Group Activities
- Group Information: Participating groups and roles
- Posts: Posts and comments written in the community
- Activity Records: Activities and contributions within groups
🗑️ Article 7 (Personal Information Destruction)
7.1 Destruction Principles
Blossom destroys personal information without delay when the purpose of personal information processing is achieved.
7.2 Destruction Procedures
General Destruction Procedures
- Post-Purpose Achievement Separate Storage: Information input by users is stored separately in separate databases after purpose achievement
- Retention Period Expiration: Storage for certain periods according to internal policies and relevant laws
- Final Destruction: Permanent deletion through safe methods after retention period expiration
Immediate Destruction
- Account Deletion: Immediate destruction upon account deletion request
- Consent Withdrawal: Immediate destruction upon withdrawal of personal information collection and use consent
- Legal Requests: Immediate destruction upon court orders or investigation agency requests
7.3 Destruction Deadlines
| Situation | Destruction Deadline | Basis |
|---|---|---|
| Retention Period Expiration | Within 5 days after retention period ends | Personal Information Protection Act |
| Purpose Achievement | Within 5 days after processing purpose achievement | Personal Information Protection Act |
| Service Discontinuation | Within 5 days after service discontinuation | Personal Information Protection Act |
| Business Termination | Within 5 days after business termination | Personal Information Protection Act |
7.4 Destruction Methods
Electronic File Format
- Complete Deletion: Permanent deletion through unrecoverable methods
- Encrypted Deletion: Deletion of keys while in encrypted state
- Overwriting: Multiple overwriting with random data before deletion
Printed Materials
- Shredding: Shredding with shredders for paper documents
- Incineration: Safe incineration for sensitive information
- Recycling: Recycling for general information
🤖 Article 8 (Personal Information Automatic Collection Device Installation, Operation, and Rejection)
8.1 Cookie Usage
What are Cookies?
Cookies are small amounts of information sent by servers (HTTP) operating websites to users' computer browsers and stored on users' PC computer hard disks.
Cookie Usage Purposes
- Service Optimization: Understand visits and usage patterns for each service and website visited by users
- Personalized Services: Understand popular search terms, secure connection status, etc., to provide optimized information
- User Experience: Login status maintenance, personal setting storage, shopping cart functions, etc.
Cookie Installation, Operation, and Rejection
- Setting Methods: Tools > Internet Options > Privacy menu options in web browsers
- Rejection Impact: Difficulties may occur in using personalized services
- Automatic Deletion: Automatic deletion when browsers close (session cookies)
8.2 Other Automatic Collection Devices
App Usage Analysis
- Firebase Analytics: App usage patterns and performance analysis
- Crashlytics: App error and crash analysis
- Remote Config: Real-time setting changes and A/B testing
Device Information
- Device Identifiers: Device ID, advertising ID (optional)
- System Information: OS version, app version, screen resolution
- Network Information: Connection method, IP address (temporary)
🫡 Article 9 (Personal Information Protection Officer)
9.1 Personal Information Protection Officer
Blossom designates a personal information protection officer to comprehensively oversee personal information processing-related tasks and handle information subject complaints and damage relief regarding personal information processing.
| Category | Content |
|---|---|
| Name | Jinny You |
| Position | CEO |
| Title | CEO |
| Contact | +82-10-5060-1462, jinny@blossomdiary.com |
9.2 Personal Information Protection Department
| Category | Content |
|---|---|
| Department Name | Customer Information Protection Team |
| Person in Charge | Jinny You |
| Contact | +82-10-5060-1462, privacy@blossomdiary.com |
9.3 Inquiries and Complaint Handling
Information subjects may inquire about all personal information protection-related matters, complaint handling, damage relief, etc., that occur while using Blossom services to the personal information protection officer and responsible department.
- Response Deadline: Answer within 24 hours after inquiry reception
- Processing Deadline: General inquiries within 7 days, complex inquiries within 30 days
- Tracking Management: Track inquiry processing progress and results
📝 Article 10 (Privacy Policy Changes)
10.1 Change Notice Principles
This privacy policy applies from the effective date, and when there are additions, deletions, or corrections of changed content according to laws and policies, notice is given through announcements 7 days before the change implementation.
10.2 Change Notice Methods
In-app Notifications
- Popup Notifications: Display major changes as popups when apps launch
- Settings Menu: Display privacy policy changes in settings menu
- Version Information: Include changes in release notes during app updates
Email Notifications
- Important Changes: Important changes such as personal information collection and use purposes, third-party provision
- Prior Consent: Request prior consent for legally necessary changes
- Change Content: Detailed guidance on specific change content and reasons
Website Notifications
- Announcements: Post detailed change content on official website
- Previous Versions: Store previous versions of privacy policy
- Change History: Manage change history of major changes
10.3 Change Type-Specific Notice Periods
| Change Type | Notice Period | Notice Method |
|---|---|---|
| Important Changes | 30 days in advance | App popup, email, website |
| General Changes | 7 days in advance | In-app notices, website |
| Technical Changes | Immediately | Release notes during app updates |
🧑💻 Article 11 (Personal Information Security Measures)
11.1 Technical Protection Measures
Encryption
- Personal Information: AES-256 encryption for storage and transmission
- API Communication: Encrypted communication through TLS 1.3 protocol
- Firewall: Real-time blocking of external attacks and unauthorized access through cloud-based firewalls (WAF, Cloud Firewall), and automatic application of latest security policies to protect personal information
Password Management
- No Password Collection: Blossom does not collect or store passwords
- One-Time Password (OTP) Method: Login through one-time authentication codes (OTP) via email, and since user passwords are not processed, there is no risk of password leakage
- Security Enhancement: Therefore, safe from password-related incidents, and all authentication processes are protected through encrypted communication (TLS 1.3)
Access Restrictions
- Database: Grant minimum access permissions to personal information processing systems and strictly restrict access from outside internal networks
- Network: External access control through firewalls and intrusion prevention systems
- Session Management: Automatic logout, session timeout settings
Backup and Recovery
- Automatic Backup: Perform automatic data backup every 24 hours
- Encrypted Backup: Apply same security level to backup data
- Disaster Recovery: Prevent data loss through regionally distributed backups
11.2 Administrative Protection Measures
Employee Management
- Minimum Permissions: Designate employees handling personal information and limit to responsible persons
- Regular Education: Conduct personal information protection education quarterly
- Security Agreements: Write security agreements with employees handling personal information
Internal Management
- Internal Management Plan: Establish internal management plan for safe personal information processing
- Access Logs: Manage access records to personal information processing systems
- Regular Inspections: Monthly security vulnerability checks and improvements
11.3 Physical Protection Measures
Blossom stores and processes personal information on public cloud infrastructure such as Amazon Web Services (AWS). Therefore, we do not operate our own physical server rooms or offline equipment, and main physical protection measures are managed according to international standards by cloud providers.
Cloud Facility Security
- Access Control: AWS and other cloud providers operate strict access control and authentication procedures for data centers
- 24-Hour Monitoring: 24-hour CCTV and security personnel stationed inside and outside data centers
- Disaster Preparedness: Multiple protection systems and emergency response systems for fires, floods, and other disasters
Equipment and Data Management
- Equipment Management: Equipment inside data centers is directly managed by cloud providers, and theft/loss prevention and unauthorized movement restrictions are operated according to international standards
- Disposal Management: Physical equipment storing personal information is safely disposed of and destroyed according to cloud provider policies
- Logical Separation: Blossom data is stored with logical separation and designed to prevent unauthorized access
🗣️ Article 12 (Personal Information Breach Reporting and Counseling)
12.1 Reporting and Counseling Channels
Blossom Internal Channels
- Privacy Officer: +82-10-5060-1462, team@blossomdiary.com
- Customer Support Team: In-app inquiry function
- Emergency Reports: 24-hour email response
External Agencies
- Personal Information Protection Commission: 1833-6972, www.privacy.go.kr
- Ministry of Science and ICT: 044-202-2114, www.msit.go.kr
- Korea Internet & Security Agency: 118, www.kisa.or.kr
12.2 Report Processing Procedures
Reception and Confirmation
- Report Reception: Receive report content and issue report number
- Fact Confirmation: Prompt fact confirmation regarding report content
- Action Decision: Determine appropriate actions based on confirmed facts
- Result Notification: Notify action results to reporters
Processing Deadlines
- Emergency Reports: Initial response within 24 hours
- General Reports: Complete processing within 7 days
- Complex Reports: Complete processing within 30 days (with progress updates)
12.3 Damage Relief Support
Blossom Responsibilities
- Immediate Actions: Take immediate actions upon confirmation of personal information breach facts
- Damage Minimization: Prevent breach expansion and minimize damages
- Apology and Compensation: Appropriate apology and damage compensation
Legal Support
- Legal Consultation: Provide legal expert consultation when necessary
- Dispute Mediation: Support applications for Personal Information Dispute Mediation Committee mediation
- Litigation Support: Provide appropriate support for legal disputes
🌍 Article 13 (International Personal Information Transfers)
13.1 International Transfer Status
Blossom transfers some personal information overseas for global service provision.
Transferred Personal Information
- Analysis Services: Overseas analysis services such as Google Analytics
- Cloud Infrastructure: Data storage and backup through overseas cloud servers such as Amazon AWS
Transfer Countries and Companies
- United States: Google LLC, Amazon Web Services, Inc.
- Europe: Services from GDPR-compliant companies
- Asia: Service providers complying with local laws
13.2 International Transfer Protection Measures
Contractual Protection Measures
- Standard Contractual Clauses: Compliance with international standards such as EU Standard Contractual Clauses
- Personal Information Protection: Verification of personal information protection levels in receiving countries
- Re-transfer Restrictions: Prohibition of re-transfer to third countries
Technical Protection Measures
- Encrypted Transmission: Encrypted communication during international transfers
- Access Restrictions: Only authorized employees can access personal information
- Regular Audits: Regular audits of international transfer status
📊 Article 14 (Personal Information Processing Status)
14.1 Processing Status Summary
| Category | Processing Items | Processing Purpose | Retention Period |
|---|---|---|---|
| Member Management | Email, name, profile | Service use and account management | Until account deletion |
| AI Services | Diary content | AI-based English learning provision | 30 days after service completion |
| Community | Chat content, posts | Language exchange and communication services | Until account deletion |
| Payments | Payment information, transaction records | Payment processing and refunds | 5 years |
| Analysis | Usage patterns, performance data | Service improvement and optimization | 2 years after anonymization |
14.2 Personal Information Impact Assessment
- Regular Assessment: Annual assessment of personal information processing impact
- Risk Analysis: Analysis of risk factors that may occur during personal information processing
- Improvement Measures: Personal information protection strengthening measures reflecting assessment results
📞 Article 15 (Inquiries and Contact)
15.1 Contact Information
| Category | Contact | Operating Hours |
|---|---|---|
| Privacy Officer | +82-10-5060-1462 team@blossomdiary.com |
Weekdays 09:00-18:00 |
| Customer Support Team | In-app Inquiries | 24-hour reception |
| Urgent Inquiries | team@blossomdiary.com | 24-hour response |
15.2 Inquiry Processing Guide
General Inquiries
- Response Time: Within 24 hours
- Processing Method: Email or in-app response
- Tracking Method: Check progress using inquiry number
Urgent Inquiries
- Response Time: Within 4 hours
- Processing Method: Immediate response by phone or email
- Follow-up Actions: Additional actions and result notifications as needed
🪪 Supplementary Provisions
Article 1 (Effective Date)
This privacy policy takes effect from September 1, 2025.
Article 2 (Relationship with Existing Policy)
Existing privacy policy is replaced by this policy, and existing policy applies to actions before the implementation of this policy.
Article 3 (Other Matters)
Matters not specified in this privacy policy follow relevant laws and Blossom's personal information protection policies.
This privacy policy is regularly reviewed and updated for Blossom's continuous development and user personal information protection strengthening.
Inquiries: team@blossomdiary.com
Phone: +82-10-5060-1462
Last Updated: September 1, 2025
Last Updated: 2025-09-01