MOSS CALENDAR
Privacy Policy
Last Updated: March 27, 2026
This Privacy Policy describes how Moss Labs Co., Ltd. ("Moss Labs," "we," "us," or "our") collects, uses, shares, and protects personal information through the Moss Calendar mobile application, our website at https://moss.events, and all related services (collectively, the "Service").
This Privacy Policy is provided in accordance with the Personal Information Protection Act (개인정보보호법, "PIPA") of the Republic of Korea and other applicable data protection laws.
By using the Service, you acknowledge that you have read and understood this Privacy Policy.
The Service is operated from the Republic of Korea, and your personal information is processed in accordance with the laws of the Republic of Korea. If you access the Service from outside of the Republic of Korea, please be aware that your information may be transferred to, stored, and processed in the Republic of Korea, where our servers are located and our central database is operated.
1. Personal Information We Collect
1.1 Information You Provide
When you create an account or use the Service, we may collect the following categories of personal information:
Account Information
• Name or display name
• Email address
• Account credentials provided through third-party authentication services (Apple Sign-In, Google OAuth) and one-time email code sign-in
Calendar Access and Relationship Data
• Calendar privacy settings and follower relationship records (such as follow requests, approvals, denials, revocations, and related timestamps)
User-Generated Content
• Calendar boards you create (names, descriptions, and public/private settings)
• Events you save, curate, or add to your calendars
• Links you submit to the Service for event creation
• Link-related content needed to create an event draft (such as captions/text, media references, and extracted event fields)
• Import diagnostics (status, errors, and quality/confidence signals)
• Profile information you voluntarily provide (biography, interests)
Communications
• Information you provide when you contact us for support or feedback
• Responses to surveys or questionnaires, if any
Preferences
• Notification preferences and communication consent preferences (where enabled)
• Location selection used to scope the shared calendar feed (including city/country text you provide when selecting "Other")
• Interest records for locations where shared calendar support is not yet active (used to notify you when support is added)
Profile routes and calendar feeds may be publicly accessible unless a user enables private calendar settings (where enabled). When a calendar is private, events added by that user are visible only to approved followers. However, private users' pinned event activity metadata may still appear in pin history and pin counts.
1.2 Information Collected Automatically
When you access or use the Service, we automatically collect certain information, including:
Device Information
• Device type, model, and operating system version
• Unique device identifiers
• Language and time zone settings
Usage Information
• Features you use and actions you take within the Service
• Pages or screens viewed, and time spent on each
• Search queries within the Service
• Date and time of access
Analytics Data
We collect product usage and technical diagnostics (for example feature interactions, page/screen events, device/browser/app context, and error traces) to run, troubleshoot, and improve the service.
1.3 Information from Third-Party Authentication Services
When you sign in through Apple Sign-In or Google OAuth, we receive limited information from those services in accordance with your settings and their privacy policies:
Apple Sign-In:: Your name (if you choose to share it), email address (or an Apple-generated relay email address if you choose to hide your email), and a unique user identifier.
Google OAuth:: Your name and email address associated with your Google account.
We do not receive or store your Apple ID password or Google account password. Authentication is handled directly by Apple and Google.
2. How We Use Your Personal Information
We use your personal information for the following purposes:
| Purpose | Categories of Information Used |
|---|---|
| Account creation and management | Account information |
| Providing and operating the Service | Account information, user-generated content, device information, usage information |
| Personalizing your experience | Usage information, user-generated content |
| Managing follow relationships and private calendar access controls (where enabled) | Account information, follower relationship records, calendar privacy settings |
| Operating pin history and pin count features, including pin metadata for private-calendar users (where enabled) | Pin activity metadata, account identifiers, event identifiers |
| Sending push notifications about events and Service updates (where enabled) | Account information, device information |
| Providing location-scoped shared calendar feeds and handling inactive-location waitlist interest | Location selection data, location state metadata, optional city/country text for "Other" location, location-interest records |
| Sending authentication and transactional service emails (for example one-time sign-in codes and account/security notices) | Account information, email address, message delivery metadata |
| Recording legal-version acceptance and optional communication/marketing consent decisions | Account information, communications, consent metadata (timestamps, version labels, preference states) |
| Responding to your inquiries and support requests | Account information, communications |
| Product analytics and measurement | Usage information, analytics events, device and app context |
| Error and performance monitoring | Technical diagnostics, error traces, device and app context |
| Link-based event draft generation and import diagnostics | Submitted links, link-related content, extracted event fields, import diagnostics |
| Improving and developing the Service | Usage information, analytics data, device information, import diagnostics |
| Detecting, preventing, and addressing fraud, abuse, security incidents, or technical issues | Account information, device information, usage information, technical diagnostics |
| Complying with legal obligations | Any information as required by law |
We do not use your personal information for automated decision-making or profiling that produces legal or similarly significant effects.
When you request an email address change, we may send verification messages to both your current email address and your new email address to prevent unauthorized account changes.
3. Sharing of Personal Information
3.1 Third-Party Service Providers
We may share your personal information with the following categories of third-party service providers who assist us in operating the Service:
| Service Provider | Purpose | Information Shared |
|---|---|---|
| Supabase (database hosting — Seoul, ap-northeast-2 region) | Data storage and management | Account information, user-generated content |
| Apple (authentication) | Account sign-in | Authentication tokens |
| Google (authentication) | Account sign-in | Authentication tokens |
| Vercel (hosting) | Service hosting | Service request and response metadata |
| PostHog (product analytics) | Product analytics and measurement | Product usage events, device/app context, event metadata |
| Sentry (error and performance monitoring) | Error tracking, diagnostics, and performance monitoring | Technical diagnostics, error traces, device/app context |
| Resend (email delivery infrastructure) | Delivering authentication and transactional service emails | Email address, message content required for delivery (such as one-time sign-in codes), delivery metadata |
| Trusted content-processing providers | Retrieving and structuring link-based content for event draft creation | Submitted links, link-related content, import diagnostics |
| Apple Push Notification Service (APNs, where enabled) | Push notifications | Device tokens, notification content |
These service providers are contractually obligated to use your information only for the purposes of providing services to us and in accordance with applicable data protection laws.
3.2 Sharing with Other Users (Service Visibility)
When you publish content in public areas, that content may be visible to other users and visitors to the Service.
Where private calendar features are enabled, event details for private calendars are shared only with approved followers.
For product transparency and consistency of shared activity metrics, pin history and pin count metadata for events pinned by private-calendar users may remain visible to other users even when private calendar event details are restricted.
3.3 Legal Requirements
We may disclose your personal information if required to do so by law, regulation, legal process, or governmental request under the laws of the Republic of Korea, or when we believe in good faith that disclosure is necessary to:
(a) Comply with applicable law or respond to valid legal process;
(b) Protect the rights, property, or safety of Moss Labs, our users, or the public;
(c) Detect, prevent, or address fraud, security, or technical issues;
(d) Enforce our Terms of Service.
3.4 Business Transfers
In the event of a merger, acquisition, reorganization, sale of assets, or bankruptcy, your personal information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your personal information, in accordance with PIPA.
3.5 No Sale of Personal Information
We do not sell your personal information to third parties.
4. International Data Transfers
Your personal information is primarily stored in the Republic of Korea. Our database is hosted on Supabase infrastructure in the Seoul region (AWS ap-northeast-2).
However, certain service providers may process your information in countries other than the Republic of Korea:
Vercel:: Web hosting services may involve servers located in various countries, including the United States.
PostHog and Sentry:: Analytics and error/performance monitoring services may involve servers located in various countries, including the United States.
Resend:: Email delivery infrastructure services may involve servers located in various countries, including the United States.
Apple and Google:: Authentication services are operated globally by Apple Inc. and Google LLC, both headquartered in the United States.
When your personal information is transferred outside of the Republic of Korea, we ensure that appropriate safeguards are in place in accordance with PIPA (Articles 17 and 39-12), including:
• Notification to you of the recipient, purpose, and items of personal information transferred;
• Contractual obligations requiring service providers to protect your information in accordance with standards substantially similar to those required under Korean law;
• Technical and organizational security measures to protect your information during transfer and storage.
For questions about international data transfers, please contact us at contact@mosslabs.kr.
5. Retention of Personal Information
We retain your personal information for the following periods:
| Category | Retention Period | Legal Basis |
|---|---|---|
| Account information | Duration of account + 30 days after deletion request | Service provision |
| User-generated content | Duration of account + 30 days after deletion request | Service provision |
| Follow relationship and private-calendar access-control records | Duration of account + 30 days after deletion request | Service provision and access control |
| Pin activity metadata (including pin history and pin count records) | Duration of account + 30 days after deletion request | Service provision and feature integrity |
| Usage and analytics data | 1 year from collection | Service improvement |
| Communications (support inquiries) | 3 years from resolution | Act on Consumer Protection in Electronic Commerce (전자상거래 등에서의 소비자보호에 관한 법률), Article 6 |
| Records of access logs | 3 months from creation | Protection of Communications Secrets Act (통신비밀보호법), Article 15-2 |
| Device information | Duration of account + 30 days after deletion request | Service provision |
When personal information is no longer needed for the purposes for which it was collected, or upon expiration of the retention period, we will promptly destroy or anonymize the information in accordance with PIPA.
Destruction Methods:
• Electronic files: Permanently deleted using technical methods that prevent recovery.
• Physical records (if any): Shredded or incinerated.
6. Your Rights
Under PIPA and other applicable laws of the Republic of Korea, you have the following rights regarding your personal information:
6.1 Right of Access
You may request access to the personal information we hold about you.
6.2 Right of Correction
You may request correction of inaccurate or incomplete personal information. You may also update certain account information directly through the Service.
6.3 Right of Deletion
You may request deletion of your personal information, subject to any legal obligations that require us to retain certain information. You may also delete your account through the Service or by contacting us.
6.4 Right to Suspend Processing
You may request that we suspend the processing of your personal information. However, we may continue processing where required by law or where suspension would prevent us from providing the Service.
6.5 Right to Withdraw Consent
Where processing is based on your consent, you may withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing conducted prior to withdrawal.
6.6 How to Exercise Your Rights
To exercise any of these rights, please contact us at:
Email:: contact@mosslabs.kr
Address:: B1F, 129, 123 Seocho-jungang-ro, Seocho-gu, Seoul, Republic of Korea
We will respond to your request within ten (10) days of receipt, in accordance with PIPA. If we are unable to fulfill your request, we will provide you with a written explanation of the reasons.
You may also exercise your rights through an authorized representative. In such cases, we may require a power of attorney or equivalent documentation in accordance with the Enforcement Decree of PIPA.
7. Protection of Children's Personal Information
The Service is not intended for use by children under the age of fourteen (14). We do not knowingly collect personal information from children under fourteen. In accordance with Article 39-3 of PIPA, collection of personal information from children under fourteen requires verifiable consent from a legal representative. If we become aware that we have collected personal information from a child under fourteen without such consent, we will take steps to promptly delete that information. If you believe that we may have collected information from a child under fourteen, please contact us at contact@mosslabs.kr.
8. Automatic Data Collection Technologies
8.1 Cookies and Similar Technologies
We use essential cookies/local storage for sign-in flow continuity, session-related routing, invitation handling, and security. We may also use optional measurement technologies where required by law and user choice.
Our mobile application may use local storage mechanisms, session tokens, authentication tokens, and similar technologies that are standard to iOS application operation. These technologies are used for purposes including maintaining your login session, storing your preferences, and enabling core app functionality. They are not used to track you across other applications or websites.
If we introduce browser cookies, advertising pixels, or similar cross-site tracking technologies in the future, we will update this Privacy Policy, publish a separate Cookie Statement, and provide appropriate notice and consent mechanisms as required by applicable law.
8.2 Push Notifications
With your consent, we may send push notifications to your mobile device. You can manage push notification preferences through your device settings at any time. Opting out of push notifications will not affect the core functionality of the Service.
9. Security Measures
We implement reasonable technical, administrative, and physical safeguards to protect your personal information from unauthorized access, alteration, disclosure, or destruction, in accordance with the security measures required by PIPA and its Enforcement Decree. These measures include:
• Encryption of data in transit using TLS/SSL
• Encryption of personal information at rest in our database
• Access controls limiting personnel access to personal information on a need-to-know basis
• Use of third-party authentication services (Apple Sign-In, Google OAuth) rather than storing passwords directly
• Regular review and update of security practices
However, no method of transmission over the internet or method of electronic storage is completely secure. We cannot guarantee the absolute security of your personal information.
10. Personal Information Protection Officer
In accordance with Article 31 of PIPA, we have designated the following individual as our Personal Information Protection Officer (개인정보 보호책임자):
| Item | Details |
|---|---|
| Name | 유한결 (Yoo Hankyul) |
| Title | Co-CEO |
| contact@mosslabs.kr |
You may contact the Personal Information Protection Officer for any inquiries, complaints, or requests related to the processing of your personal information.
11. Remedies for Infringement of Rights
If you believe your personal information rights have been infringed, you may seek assistance from the following organizations:
Personal Information Dispute Mediation Committee (개인정보 분쟁조정위원회):: +82-1833-6972 / https://www.kopico.go.kr
Personal Information Infringement Report Center (개인정보 침해신고센터), Korea Internet & Security Agency:: +82-118 / https://privacy.kisa.or.kr
Supreme Prosecutors' Office Cybercrime Investigation Division (대검찰청 사이버수사과):: +82-1301 / https://www.spo.go.kr
Korean National Police Agency Cyber Bureau (경찰청 사이버수사국):: +82-182 / https://ecrm.police.go.kr
12. Notice to European Users (GDPR)
This section applies to individuals located in the European Economic Area ("EEA") and the United Kingdom (collectively, "Europe"). For the purposes of this section, references to "personal information" include "personal data" as defined under the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the UK General Data Protection Regulation.
12.1 Data Controller
Moss Labs Co., Ltd. is the data controller responsible for your personal information. We can be contacted at contact@mosslabs.kr.
12.2 Legal Bases for Processing
We process your personal information based on the following legal grounds under the GDPR:
| Purpose | Legal Basis |
|---|---|
| Account creation and service delivery | Performance of a contract (Article 6(1)(b)) |
| Push notifications | Your consent (Article 6(1)(a)) |
| Service improvement and analytics | Legitimate interests (Article 6(1)(f)) — improving our Service and understanding usage patterns |
| Security and fraud prevention | Legitimate interests (Article 6(1)(f)) — protecting the Service and our users |
| Legal compliance | Compliance with legal obligations (Article 6(1)(c)) |
Where we rely on legitimate interests, we have assessed that our interests do not override your fundamental rights and freedoms.
12.3 Your Additional Rights Under GDPR
In addition to the rights described in Section 6 of this Privacy Policy, European users have the following rights:
Right to Data Portability. You may request a copy of your personal information in a structured, commonly used, machine-readable format (such as JSON), and you may request that we transmit this data to another controller where technically feasible.
Right to Object. You may object to the processing of your personal information where we rely on legitimate interests as our legal basis. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
Right to Lodge a Complaint. You have the right to lodge a complaint with your local data protection authority. Contact details for EEA data protection authorities can be found at https://edpb.europa.eu/about-edpb/board/members\_en. For the UK, you may contact the Information Commissioner's Office at https://ico.org.uk/make-a-complaint/.
12.4 International Transfers from Europe
Your personal information may be transferred to the Republic of Korea, where our servers and central database are located. The Republic of Korea has received an adequacy decision from the European Commission (as of December 2021), which means that transfers of personal data from the EEA to South Korea are permitted without additional safeguards. For transfers to other third countries (such as the United States, where some of our service providers operate), we rely on appropriate safeguards, including standard contractual clauses approved by the European Commission.
12.5 Data Retention
We retain your personal information as described in Section 5. Where we process your data based on consent, we will retain it until you withdraw your consent. Where we process it based on legitimate interests, we will retain it for as long as necessary for those purposes.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by updating the "Last Updated" date at the top of this policy and, where practicable, by providing notice through the Service or via email. Material changes will take effect seven (7) days after posting, unless otherwise specified.
We will announce any significant changes to this Privacy Policy through the Service, in accordance with Article 30 of PIPA.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your personal information.
14. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our processing of your personal information, please contact us at:
Moss Labs Co., Ltd. (주식회사 모스랩스)
Email: contact@mosslabs.kr
Address: B1F, 129, 123 Seocho-jungang-ro, Seocho-gu, Seoul, Republic of Korea