DAYWIKAUnder U.S. Law

Privacy Policy

v1.2 | Effective: February 25, 2026

Exydos ("Company," "we," "us," or "our") provides this Privacy Policy to describe how we collect, use, disclose, and otherwise process personal information in connection with our multilingual language learning application Daywika (the "Service"), and to explain the rights and choices available to individuals with respect to their personal information.

1. Information We Collect

1-1. Information You Provide

Category Specific Data Source Purpose
Account Information Email address, name (nickname), profile picture URL Google/Apple social login Account creation, authentication
Login Method Google or Apple identifier Automatically recorded at login Authentication processing
Device Platform iOS or Android Automatically detected Service compatibility
Country Code App Store / Play Store region App Store / Play Store Region identification
Age Verification (is_adult) Whether user is 14 or older (boolean only; date of birth is not stored) User input at registration Age restriction compliance

1-2. Information Collected Automatically

Category Specific Data Purpose
Device Information OS version, device model, screen resolution, app version Service compatibility, usage analytics
Learning Data Vocabulary lists, quiz records, review schedules, memorization status, correct/incorrect history, level test results Core service delivery
Character Learning Progress Completed stages, current position, challenge mode records Learning continuity
Learning Statistics Streak count, experience points (XP), daily completion status, session records Growth analysis
Learning Settings Daily learning volume, learning mode, notification settings Personalization
Subscription Status Free/paid tier, store type Premium feature access
Error Logs Error content, email, nickname (only upon error occurrence) App stability improvement
IP Address Automatically collected upon server connection Security, access log recording

1-3. Automatic Collection of IP Addresses

We automatically collect your IP address when you access our Service. IP addresses are used for approximate geolocation, security monitoring, access log recording, and analytics purposes. We do not use IP addresses to determine precise geolocation.

1-4. Information We Do NOT Collect

We do not collect: location data (GPS), contacts, photos, camera access, or passwords.

Advertising Identifiers: We do not collect any advertising identifier on iOS (no IDFA, and no App Tracking Transparency prompt). On Android, we collect the Google Advertising ID (GAID) only from users aged 14 or older who have opted in to analytics. See Section 9 for details. We never collect advertising identifiers from users under 14.

1-5. Information Collected During Customer Support

Email correspondence to [email protected] may result in collection of your email address and support content (including text and images).

2. How We Use Your Information

We use personal information for the following purposes:

  1. Account Management: Identity verification, fraud prevention, account administration
  2. Service Delivery: Language learning features, data synchronization, AI-powered learning optimization
  3. Paid Services: Subscription status verification, premium feature access, payment/refund processing
  4. Service Improvement: Error detection and stability, usage analytics, new feature development
  5. Notifications: Push notifications including learning reminders and streak maintenance alerts
  6. Usage Analysis: First-party analysis of service usage patterns and acquisition channels to improve the Service

3. How We Share Your Information

We do not sell your personal information. We share personal information only in the following circumstances:

3-1. Service Providers

Provider Location Data Shared Purpose
Supabase, Inc. United States Account information, all learning data Cloud data sync and backup
Functional Software, Inc. (Sentry) United States Error content, email, nickname App error monitoring
RevenueCat, Inc. United States Subscription status, payment platform Subscription management
Amplitude, Inc. United States Usage event data, device information, advertising identifier (Android GAID, with analytics consent only), IP address First-party app usage analytics
PowerSync (JourneyApps) United States Learning data (for offline sync) Offline-first data synchronization
Cloudflare, Inc. United States IP address, access logs Website hosting and CDN

We contractually require all service providers to process personal information only for the specified purposes, implement technical and administrative safeguards, restrict re-delegation, and accept liability for any breach of these obligations.

3-2. Authentication Partners

Provider Data Shared Purpose
Google LLC Email, name, profile picture Social login authentication
Apple Inc. Email, name, profile picture Social login authentication

3-3. Other Disclosures

We may also disclose personal information when required by law, to protect our rights or safety, or in connection with a merger, acquisition, or sale of assets.

4. Data Retention

We retain personal information for the periods described below, after which data is deleted or anonymized. Retention periods vary by data category to reflect differing legal requirements and business purposes.

Data Category Retention Period Basis
Account Information (email, name, profile) Retained while account is active + 1 year after account deletion Service agreement; post-deletion period for account recovery and fraud prevention
Learning Data (vocabulary, quiz records, progress, statistics) Retained while account is active; deleted upon account deletion Core service delivery
Analytics Data (Amplitude) 12 months from collection Amplitude default retention policy; service improvement
Error Logs (Sentry) 90 days from collection App stability monitoring
Subscription/Payment Records 5 years after subscription end Tax law compliance and financial record-keeping requirements
Advertising Identifier (Android GAID) 12 months (via Amplitude) First-party usage analytics; Amplitude retention policy
Customer Support Records 1 year after resolution of inquiry Service quality and dispute resolution

5. Data Deletion

When you delete your account (via Settings > Account Management > Delete Account):

  • Supabase: All account and learning data deleted
  • RevenueCat: Anonymized (subscription itself managed by Apple/Google)
  • Device: Local database, internal storage, and authentication tokens all deleted
  • Sentry: Automatically deleted within 90 days (immediate deletion not possible)

Electronic records are permanently deleted in a manner that prevents recovery or reconstruction.

6. AI-Powered Automated Processing

Our Service uses the following automated systems to enhance your learning experience:

System Function Description
AI Operations System Daily learning volume adjustment Analyzes learning history and workload to calculate optimal daily volume
AI Operations System Review ratio optimization Automatically balances new learning and review
FSRS Algorithm Review schedule calculation Determines optimal review timing based on memory strength
MMR System Adaptive difficulty adjustment Adjusts quiz difficulty based on accuracy and response patterns
AI Operations System Learning mode recommendation Recommends optimal learning modes based on user context

You may disable automated learning optimization in Settings > Learning Settings and switch to manual configuration at any time. Disabling automated features will not restrict your access to the Service, though learning optimization effectiveness may be reduced.

If you wish to raise an objection regarding automated processing, contact [email protected]. We will review your objection within 15 days.

7. Children's Privacy (COPPA Compliance)

Our Service is not directed to children under 13 (as defined by the Children's Online Privacy Protection Act, "COPPA") or under 14 (as required by Korean law, the Personal Information Protection Act). We apply the more restrictive age limit of 14 to all users worldwide. We do not knowingly collect personal information from children under 13 in compliance with COPPA, or under 14 in compliance with Korean law.

7-1. Age Verification

During registration, users are required to enter their date of birth. We use this solely to determine whether the user is 14 or older (is_adult flag). The date of birth itself is not stored on our servers. This threshold exceeds the COPPA requirement of age 13, providing additional protection for minors aged 13.

7-2. Multi-Layered Protection for Minors

If a user is determined to be under 14, the following measures are applied:

  1. Registration Blocked: The registration screen displays an age restriction notice and halts the sign-up process.
  2. Data Anonymization: If any data is inadvertently generated, it is anonymized.
  3. Analytics Exclusion: The user is excluded from Amplitude analytics tracking.
  4. No Ad Identifier Collection: No advertising identifier is collected (and on iOS no ATT prompt is shown).
  5. Payment Blocking: Access to in-app purchases (subscriptions) is blocked.

7-3. Post-Discovery Response

If we become aware that we have collected personal information from a child under 13 (COPPA) or under 14 (Korean law) without proper verification, we will promptly delete that information and the associated account. If you believe a child under 13 or under 14 has provided us with personal information, please contact us at [email protected].

8. Your Privacy Rights

8-1. Rights for All Users

All users may:

  • Access their personal information via Settings > Account Management
  • Request correction of inaccurate information
  • Delete their account and all associated data
  • Object to automated processing (see Section 6)
  • Contact us at [email protected] for any privacy-related request
  • Request a portable copy of their personal information

We will respond to all privacy requests within 10 business days.

While a correction or deletion request is being processed, we will suspend use of the relevant personal information until the request is resolved.

8-2. California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (as amended by the California Privacy Rights Act, "CPRA"):

  • Right to Know: You may request the categories and specific pieces of personal information we have collected about you.
  • Right to Delete: You may request deletion of your personal information.
  • Right to Correct: You have the right to request correction of inaccurate personal information that we maintain about you.
  • Right to Opt-Out of Sale/Sharing: We do not sell or share personal information for cross-context behavioral advertising. See Section 8-3 below.
  • Right to Limit Use of Sensitive Personal Information: We do not collect sensitive personal information as defined under the CPRA (see Section 8-5).
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.

Categories of Personal Information Collected (Past 12 Months)

The following table describes the categories of personal information we have collected within the preceding twelve (12) months, mapped to the statutory categories defined by the CCPA (Cal. Civ. Code § 1798.140(v)):

CCPA Statutory Category Specific Data Elements Collected Source Business Purpose Shared for Cross-Context Behavioral Advertising Sold
A. Identifiers Name (nickname), email address, device identifiers (device model, OS version), IP address, advertising identifier (Android GAID, with analytics consent only; not collected on iOS) User-provided (social login); automatically collected Account management, authentication, analytics, security No No
B. Personal Information (Cal. Civ. Code § 1798.80(e)) Name, email address User-provided (social login) Account management No No
F. Internet or Other Electronic Network Activity App usage data, learning interaction history, session data, browsing/search activity within the app, error logs, app version Automatically collected Service delivery, service improvement, error monitoring No No
G. Geolocation Data Approximate location derived from IP address; country code from App Store/Play Store region Automatically collected Region identification, security, analytics No No
K. Commercial Information Subscription status (free/paid), store type (App Store/Play Store), purchase history Automatically collected via RevenueCat Subscription management, premium feature access No No
L. Inferences Learning patterns, vocabulary proficiency levels, memory strength scores, optimal review timing, adaptive difficulty levels Derived from learning data via FSRS algorithm and AI systems Learning optimization, personalized review scheduling No No
  • Categories Sold (Past 12 Months): None. We do not sell personal information.
  • Categories Disclosed for a Business Purpose (Past 12 Months): Identifiers and internet/electronic network activity data (disclosed to service providers listed in Section 3 for the business purposes described therein).

To exercise your CCPA/CPRA rights, contact [email protected]. We will verify your identity and respond within 45 days. If we require additional time, we will inform you of the reason and extension period in writing, not to exceed an additional 45 days.

8-3. Do Not Sell or Share My Personal Information

We do not "sell" or "share" your personal information as those terms are defined under the CCPA (Cal. Civ. Code § 1798.140). We do not disclose personal information to third parties for monetary or other valuable consideration, and we do not share personal information for cross-context behavioral advertising.

We use Amplitude, Inc. as our service provider for first-party analytics. Amplitude processes usage event data, device information, and (on Android, with your analytics consent) the Google Advertising ID solely on our behalf and under contract, and is prohibited from using this information for cross-context behavioral advertising or for any purpose other than providing analytics services to us. We do not disclose advertising identifiers to any advertising network for behavioral advertising.

Because we do not sell or share personal information, we do not provide a separate "Do Not Sell or Share My Personal Information" opt-out, and there is no sale or sharing for an opt-out preference signal (such as the Global Privacy Control) to act upon. You may nonetheless turn off analytics collection at any time through in-app settings, or, on Android, by deleting your advertising ID in your device settings (Settings > Security & Privacy > Ads > Delete advertising ID).

8-4. Global Privacy Control (GPC)

We do not sell or share personal information for cross-context behavioral advertising, so there is currently no such activity for a Global Privacy Control (GPC) signal to opt out of. Should our practices change in the future, we will recognize the GPC signal as a valid opt-out request under the CCPA and applicable state privacy laws. For more information about GPC, visit https://globalprivacycontrol.org.

8-5. Sensitive Personal Information (CPRA)

We do not collect sensitive personal information as defined under the CPRA (Cal. Civ. Code § 1798.140(ae)), including but not limited to: Social Security numbers, driver's license or state identification numbers, financial account information (account log-in combined with access codes or passwords), precise geolocation, racial or ethnic origin, religious or philosophical beliefs, union membership, genetic data, biometric information for identification purposes, health information, information concerning sex life or sexual orientation, or the contents of mail, email, or text messages (other than communications directed to us).

8-6. Other U.S. State Privacy Laws

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), and other states with comprehensive privacy laws may have similar rights, including but not limited to the right to access, correct, delete, and obtain a copy of personal data, We do not process personal data for targeted advertising, do not sell personal data, and do not engage in profiling that produces legal or similarly significant effects; accordingly, no opt-out of targeted advertising or sale is necessary. We honor all applicable state privacy law requests.

Right to Appeal: If we deny your privacy request in whole or in part, you have the right to appeal our decision. To appeal, contact us at [email protected] with "Privacy Appeal" in the subject line. We will acknowledge your appeal and respond with a written decision within 60 days of receipt. If we deny your appeal, we will provide you with information on how to contact your state's attorney general to submit a complaint.

Contact [email protected] to exercise your rights under any applicable state privacy law.

9. Cookies and Tracking Technologies

9-1. Cookies

The Daywika app does not use cookies. Our external website (policy pages, etc.) may use essential functional cookies only. You may refuse cookie storage through your web browser settings.

9-2. Advertising Identifiers

iOS: We do not collect the Apple Identifier for Advertisers (IDFA) and do not display the App Tracking Transparency (ATT) prompt. No advertising identifier is collected on iOS.

Android: We collect the Google Advertising ID (GAID) through the Amplitude SDK only from users aged 14 or older who have opted in to analytics during onboarding. The identifier is used solely for our own first-party usage analytics.

  1. If You Do Not Consent: No advertising identifier is collected. Declining does not affect your ability to use any features of the Service.
  2. Minors (Under 14): No advertising identifier is collected, and these users are excluded from Amplitude analytics entirely.
  3. Withdrawing Consent: You may turn off analytics collection at any time through in-app settings. On Android, you may also go to Settings > Security & Privacy > Ads > Delete advertising ID.

We use the advertising identifier solely for first-party analytics. We do not use it for targeted advertising and do not share it with third-party advertising networks.

10. Security

We implement the following measures to protect your information:

  1. Encryption in Transit: All data transmissions use HTTPS (TLS) encryption.
  2. Server Security: Supabase managed security (TLS) with access controls.
  3. Device Security: iOS sandbox and Android app isolation (OS-level protection).
  4. Authentication Security: JWT token-based session management; no direct password storage.
  5. Access Control: Personal information access restricted to minimum necessary personnel.

11. Data Breach Notification

In the event of a data breach that compromises the security of your personal information, we will:

  1. Notify affected individuals in accordance with applicable state breach notification laws (including but not limited to California Civil Code §1798.82), providing details of the breach, the types of information involved, and steps individuals can take to protect themselves.
  2. Notify relevant authorities as required by applicable law.
  3. Timing: Notifications will be made without unreasonable delay, and in no event later than the timeframes required by applicable state laws.

12. Do Not Track and Online Tracking Disclosure (CalOPPA)

As required by the California Online Privacy Protection Act (CalOPPA), we disclose the following regarding online tracking:

Do Not Track (DNT) Signals: Our Service does not currently respond to "Do Not Track" browser signals. There is no industry consensus on how to interpret DNT signals, and we do not alter our data collection or use practices upon receiving a DNT signal.

Global Privacy Control (GPC) Signals: As described in Section 8-4, we do not sell or share personal information for cross-context behavioral advertising, so there is currently no such activity for a GPC signal to opt out of. Should this change, we will honor GPC signals as a valid opt-out request under the CCPA and applicable state privacy laws.

Third-Party Tracking: We do not share advertising identifiers or usage data with third parties for cross-context behavioral advertising. Our analytics provider, Amplitude, acts as our service provider and processes data only on our behalf, as described in Sections 3 and 8-3. You may turn off analytics collection at any time through in-app settings.

13. Contact Us

For questions, concerns, or requests regarding this Privacy Policy or our data practices:

  • Name: Kim Doil
  • Title: CEO / Privacy Officer
  • Address: 105 Wausan-ro, 5F 174-A, Mapo-gu, Seoul, Republic of Korea
  • Email: [email protected]
  • Customer Support Team: [email protected]

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes at least 7 days before the effective date via in-app notification or email. Changes that significantly affect your rights will be communicated at least 30 days in advance.

Change Log

Version Effective Date Summary of Changes
v1.0 February 23, 2026 Initial version
v1.2 February 25, 2026 Age verification method changed (date of birth input → is_adult only), advertising identifiers now ATT consent-based, multi-layered child protection added, service providers added (Amplitude, Google Ads, PowerSync), COPPA compliance enhanced, contact information updated
v1.3 June 16, 2026 iOS advertising identifier (IDFA) collection and ATT removed; Android advertising identifier (GAID) now collected only with in-app analytics opt-in consent; Google Ads advertising-identifier sharing discontinued and removed from service providers, international transfers, and CCPA disclosures; clarified that we do not sell or share personal information for cross-context behavioral advertising