Privacy Policy
MoyeoBom - Smart Building Management
Bomtobe (hereinafter referred to as "the Company") establishes and discloses this Privacy Policy to protect users' personal information in accordance with the Personal Information Protection Act and related regulations, and to promptly and effectively address any related grievances.
Article 1 (Collection Items and Methods of Personal Information)
1. Information Collected at Registration
| Category | Collected Items | Required/Optional |
|---|---|---|
| Required Information | Name, email address, password, site code (building identifier) | Required |
| Optional Information | Phone number, department name, building (Building), unit number (UnitNumber), company name | Optional |
| Consent Information | Terms of service agreement, privacy policy agreement, marketing communication consent | Required/Optional |
2. Information Automatically Collected During Service Use
| Category | Collected Items | Collection Purpose |
|---|---|---|
| Device Information | Device model, OS version, platform (Android/iOS/Web), push notification token (FCM) | Push notification delivery, device identification |
| Service Usage Records | Login date/time, post creation/view records, vote participation records, message send/receive records | Service provision and improvement |
| App Usage Analytics | App events (login, post creation, search, etc.), error logs, screen view records | Service quality improvement, error analysis |
3. Collection Methods
App registration screen, profile settings screen, automatic generation and collection during service use, automatic device information collection
Article 2 (Purpose of Collection and Use of Personal Information)
The Company processes personal information for the following purposes.
| Purpose | Details |
|---|---|
| Member Management | Verification of registration/withdrawal intent, identity verification, prevention of fraudulent use, grievance handling |
| Service Provision | Provision of building management services including notices, bulletin boards, voting, calendar, messaging, and marketplace |
| AI Chatbot Service | RAG-based AI response generation for user inquiries, chat session management |
| Notification Service | Push notification delivery for notices, votes, messages, and other key activities |
| Voting Rights Management | Unit owner verification and area-based voting rights calculation |
| Service Improvement | App usage statistical analysis, error diagnosis, and service quality enhancement |
| Marketing (Optional) | New feature announcements and event information (only with marketing consent) |
Article 3 (Retention and Use Period of Personal Information)
The Company shall promptly destroy personal information after the purpose of collection and use has been fulfilled. The retention period for each item is as follows.
| Item | Retention Period | Notes |
|---|---|---|
| Member Account Information | Until account deletion | Destroyed immediately upon withdrawal |
| Posts, Comments, Messages | Until account deletion | All deleted upon withdrawal |
| AI Chat Sessions | 30 days after last activity | Automatic TTL deletion |
| Push Notification History | 30 days after creation | Automatic TTL deletion |
| Authentication Token (Access) | 60 minutes after issuance | Automatic expiration |
| Authentication Token (Refresh) | 7 days after issuance | Automatic expiration; previous token revoked upon reissuance |
| Password Reset Code | 30 minutes after issuance | Destroyed upon use or expiration |
| Uploaded Files | Until account deletion | Completely deleted from storage upon withdrawal |
| App Usage Analytics | 26 months after collection | Firebase Analytics default policy |
Article 4 (Provision of Personal Information to Third Parties)
The Company does not, in principle, provide users' personal information to external parties. However, the following cases are exceptions.
- When the user has given prior consent
- When required by law or when an investigative agency makes a request in accordance with the procedures and methods prescribed by law for investigative purposes
Article 5 (Entrustment of Personal Information Processing and Third-Party Services)
The Company entrusts personal information processing or uses third-party services as follows for service provision.
| Service | Company | Entrusted Tasks | Processed Information |
|---|---|---|---|
| Push Notifications | Google (Firebase Cloud Messaging) | Mobile and web push notification delivery | Device token, notification content |
| App Analytics | Google (Firebase Analytics) | App usage statistical analysis | App event logs, device information, user identifiers |
| File Storage | Kakao (Kakao Cloud Object Storage) | Image and document file storage | Original uploaded files |
| Email Delivery | Google (Gmail SMTP) | Password reset code delivery, etc. | Recipient email address |
| Cloud Infrastructure | Kakao (Kakao Cloud) | Server hosting, database operations | All service data |
AI Service Notice: The AI chatbot is operated on a self-hosted Ollama server. User conversation content is not transmitted to external AI services (ChatGPT, Claude, etc.).
Article 6 (Procedures and Methods for Destruction of Personal Information)
1. Destruction Procedures
Users' personal information is destroyed without delay in accordance with internal policies after the purpose of collection and use has been fulfilled.
2. Destruction Methods
- Electronic Files: Permanently deleted using irrecoverable methods (MongoDB document deletion, object storage file deletion)
- Paper Documents: Shredded or incinerated
3. Scope of Deletion Upon Account Withdrawal
Upon account withdrawal, the following data is completely deleted sequentially.
- Posts and related comments
- Notices and linked calendar events
- All authored comments
- Uploaded files (metadata and original files)
- Calendar events
- Sent and received messages
- Device registration information and notification history
- Authentication tokens (Access/Refresh)
- AI chat sessions, uploaded documents, and embedding data
- Member account information
Article 7 (Rights of Users and Legal Representatives and Methods of Exercise)
Users (or legal representatives) may exercise the following rights at any time.
- Right to Access: View the status of personal information processing
- Right to Rectification: Correct errors in personal information (via in-app profile editing or customer support)
- Right to Deletion: Delete personal information (via account withdrawal or customer support)
- Right to Suspend Processing: Suspend the processing of personal information
- Right to Withdraw Consent: Withdraw marketing communication consent (changeable directly in app settings)
The above rights may be exercised through the app settings menu or by submitting a written or email request to the Privacy Officer listed below. We will take action without delay.
Article 8 (Measures to Ensure the Security of Personal Information)
The Company takes the following measures to ensure the security of personal information.
| Category | Measures |
|---|---|
| Password Encryption | Encrypted with BCrypt one-way hash algorithm (original text cannot be recovered) |
| Authentication Token Security | JWT-based authentication; Access Token expires in 60 minutes, Refresh Token in 7 days; previous token immediately revoked upon auto-renewal |
| Data Transmission Encryption | HTTPS (TLS) encrypted communication with Let's Encrypt certificate |
| Access Control | Role-based access control (RBAC: dev/manager/ceo/member), site code-based data isolation |
| API Security | Rate limiting applied (authentication 10 requests/min, API 100 requests/min, uploads 5 requests/min) |
| Biometric Authentication | Processed locally on the device only (fingerprint/face data is not transmitted to the server) |
| Sensitive Information Protection | Password hash values excluded from API responses (JsonIgnore), search query regex escaping applied |
| Infrastructure Security | Kubernetes container-based operations, security header middleware applied |
Article 9 (Biometric Authentication Information Processing)
The MoyeoBom app provides biometric authentication (fingerprint, facial recognition) for convenient login.
- Biometric data (fingerprints, facial templates) is stored only in the secure enclave of the user's device (iOS Keychain, Android Keystore, Windows Hello) and is not transmitted to the server.
- Only the biometric authentication activation status (Boolean value) is stored on the server.
- Biometric authentication is optional and can be disabled at any time in the app settings.
Article 10 (Cookies and Local Storage)
- Mobile App (Android/iOS): Authentication tokens are encrypted and stored in the platform's secure storage (SecureStorage).
- Web Version: Authentication tokens are stored in browser session storage (sessionStorage) and are automatically deleted when the browser tab is closed.
- Admin Dashboard (Dev): Uses cookie-based authentication, which automatically expires after 8 hours.
Article 11 (Installation, Operation, and Rejection of Automatic Data Collection Devices)
1. Firebase Analytics
The Company uses Firebase Analytics to collect app usage statistics for service improvement.
- Collected information: App events (login, post creation, search, voting, etc.), screen view records, error logs
- User properties: Role, affiliated site, platform information
- Data retention period: 26 months (Google default policy)
- Opt-out method: Analytics data collection can be disabled in the app settings menu
2. Firebase Cloud Messaging
Device tokens are collected for push notification delivery. If you do not wish to receive notifications, you can disable notifications in the app settings.
Article 12 (International Transfer of Personal Information)
The Company may transfer personal information overseas as follows for service provision.
| Recipient | Country | Transfer Purpose | Transferred Items | Retention Period |
|---|---|---|---|---|
| Google LLC | United States | Firebase Analytics (app usage statistics), FCM (push notifications) | App event logs, device tokens | 26 months / upon termination of service use |
Article 13 (Privacy Officer)
The Company designates a Privacy Officer as follows to oversee the processing of personal information and to handle user complaints and remedies for damages.
Article 14 (Methods of Remedy for Infringement of Rights)
Users may apply for dispute resolution or consultation with the following organizations to seek remedies for personal information infringement.
- Personal Information Dispute Mediation Committee: 1833-6972 (www.kopico.go.kr)
- Personal Information Infringement Report Center: 118 (privacy.kisa.or.kr)
- Supreme Prosecutors' Office Cyber Investigation Division: 1301 (www.spo.go.kr)
- National Police Agency Cyber Investigation Bureau: 182 (ecrm.cyber.go.kr)
Article 15 (Changes to the Privacy Policy)
This Privacy Policy is effective from the enforcement date. In the event of additions, deletions, or modifications due to changes in laws, policies, or security technologies, the changes shall be announced through the app at least 7 days prior to their effective date.
Announcement Date: February 20, 2026
Effective Date: February 20, 2026
© Bomtobe. All rights reserved.