Privacy Policy
Last updated: 20 April 2026 · Effective date: 20 April 2026
1. Introduction
GIL ("길", "we", "us", or "our") operates a travel platform that connects travellers ("Explorers") with local residents ("Scouts") to create customized, locally-guided tour experiences.
This Privacy Policy explains how we collect, use, store, and share your personal information when you use the GIL mobile application (the "Service").
This policy applies to services provided by:
- 길 (GIL) (South Korea)
- GIL LTD (United Kingdom)
If you have questions about this policy or your personal data, contact us at privacy@gilltd.com.
If you are located in a jurisdiction with data protection laws not specifically addressed in this policy, we will handle your personal data in accordance with the standards described here, which are based on GDPR and Korean PIPA, which are among the most protective frameworks globally. If your local law grants you additional rights, please contact us and we will accommodate your request where feasible.
2. Information We Collect
2.1 Account & Identity Information
- Email address (required; may be a private relay address for users signing in with Apple)
- Name (required)
- Username (required; public)
- Birthday (required; used for age verification and shown on your profile. This field cannot be changed after account creation.)
- Gender (optional; shown on profile so other users can get a sense of who they are connecting with)
- Bio (optional; public)
- Base location, entered as city/country text (optional)
- Profile image (optional; EXIF metadata including GPS is stripped before upload)
- OAuth identifiers from Kakao, Google, or Apple
- Earned titles and reputation indicators (system-generated based on activity)
We do not collect passwords. Authentication is handled entirely through Kakao, Google, or Apple.
2.2 Scout Information
- Base country (selected when registering as a Scout)
- Identity verification status (via Stripe Identity)
We do not store identity documents. Document processing and storage are handled by Stripe Identity; we receive only the verification outcome.
2.3 User-Generated Content
- Tour requests (description, budget, dates, destination)
- Tour offers (price, description)
- Tour status (system-generated)
2.4 Communications
- Chat messages (text only)
- Chat room records (participants, timestamps)
- Push notification tokens (APNs)
- In-app notifications
- App feedback submissions
2.5 Reviews
- Ratings (5-category scoring)
- Public comments
- Private feedback (visible only to the recipient)
2.6 Payment Information
- Payment amount, status, and tour reference
- Transaction records (for refunds and accounting)
We do not collect or store card numbers, bank details, or any full payment credentials. All payment data is handled by Stripe (see Section 5).
2.7 Activity Logs
- Timestamps of key actions (signup, login, tour posting, payments, reviews)
- In-app activity feed records
2.8 Automatically Collected Information
- IP address (server logs maintained by Supabase)
- Push notification tokens
- Crash reports, if enabled by the user via iOS Settings (handled by Apple)
2.9 Information We Do NOT Collect
- Precise GPS location
- Contacts or address book data
- Advertising identifiers (IDFA)
- Unique device identifiers (e.g. identifierForVendor)
- Third-party usage analytics (e.g. Firebase, Mixpanel, Amplitude)
- Health, biometric, or sensor data
- Browsing history outside the app
3. How We Use Your Information
3.1 Providing Core Services
- Create and manage user accounts
- Enable tour requests and offers
- Facilitate communication between users
- Process bookings and payments
- Display public profile information to other users
3.2 Trust & Safety
- Verify Scout identities via Stripe Identity
- Display reputation indicators (reviews, verification badges)
- Investigate and respond to reports of fraud, abuse, and platform misuse
3.3 Communications
- Send transactional notifications (bookings, payments, messages, tour updates)
- Deliver relevant push notifications
We do not send marketing emails or promotional messages. If this changes in the future, we will request your explicit consent.
3.4 Legal & Operational
- Comply with legal obligations (tax, accounting, consumer protection)
- Respond to lawful requests from authorities
- Enforce our Terms of Service
3.5 No Automated Decision-Making
We do not make automated decisions that produce legal or similarly significant effects. Matching between Explorers and Scouts is driven entirely by user choice, not algorithmic scoring.
4. Legal Basis for Processing
For UK / EU users (UK GDPR & EU GDPR):
- Contractual necessity — to provide the Service
- Legitimate interests — fraud prevention, platform safety, service improvement
- Consent — for optional data fields and push notifications
- Legal obligation — tax, accounting, and consumer protection records
For South Korean users (PIPA): We obtain consent at the point of signup. Processing of payment records complies with the Electronic Financial Transactions Act and the Framework Act on National Taxes.
For Japanese users (APPI): We process your personal data in accordance with the Act on the Protection of Personal Information. We obtain your consent for processing and cross-border transfers as required by APPI.
For Vietnamese users (PDPD): We process your personal data in accordance with Vietnam's Personal Data Protection Decree. We obtain your explicit consent at the point of signup for the collection and processing of your personal data, including cross-border transfers.
5. Third-Party Services (Entrustment)
We entrust the following providers with specific processing tasks. All act on our instructions under data processing agreements.
- Supabase — Database, authentication, storage, and realtime. Data shared: all user data except payment credentials. Location: AWS ap-south-1.
- Kakao — Social login. Data shared: Kakao ID, email, nickname. Location: South Korea.
- Google — Social login. Data shared: Google account ID, email, name. Location: United States.
- Apple — Sign in with Apple and push notifications. Data shared: Apple user ID, email (or private relay address), push tokens. Location: United States.
- Stripe — Payment processing. Data shared: payment amount, user reference. Location: United States.
- Stripe Identity — Scout identity verification. Data shared: name, ID documents (collected and stored by Stripe directly). Location: United States.
These providers may process your data according to their own privacy policies. We do not sell or share your data with third parties for marketing purposes.
6. International Data Transfers
Your data may be processed in countries outside your residence, including South Korea, the United States, the United Kingdom, and the European Economic Area.
For users in South Korea: we obtain your consent for cross-border transfer as required by PIPA Articles 17 and 28-8.
For users in the UK / EU: transfers outside the UK / EEA rely on:
- Standard Contractual Clauses (SCCs) with our processors, and
- The UK International Data Transfer Addendum where applicable.
For users in Japan: in accordance with the Act on the Protection of Personal Information (APPI), your data is transferred to the United Kingdom, the United States, and South Korea. These transfers are protected by contractual safeguards equivalent to APPI requirements.
For users in Vietnam: in accordance with Vietnam's Personal Data Protection Decree (PDPD), your data may be transferred to the United Kingdom, the United States, and South Korea for processing. We implement contractual and technical safeguards to protect your data during transfer.
You may request a copy of the relevant transfer safeguards by contacting us.
7. Data Retention
We retain your personal data for the following periods:
- Active account data — retained while your account is active.
- Deleted accounts — when you delete your account, it is soft-deleted for 30 days. During this period, you can restore your account by signing back in. After 30 days, your account and personal data are permanently deleted.
- Payment and transaction records — retained for a minimum of 5 years as required by Korean commercial and tax law (Framework Act on National Taxes, Electronic Financial Transactions Act). After account deletion, payment records are anonymized (your identity is removed) and retained for accounting and legal compliance purposes.
- Server logs (including IP addresses) — retained up to 7 days by our infrastructure provider (Supabase) for operational and security purposes.
- Stripe Identity records — retained by Stripe under their own retention policy; we retain only the verification outcome.
Upon account deletion, the following data is removed immediately: profile image, notifications, feedback submissions, and activity log entries. After the 30-day recovery window, data shared with other users (chat messages, tour records, tour offers, and reviews you wrote) is anonymized — your identity is removed but the content is preserved for the other party. Reviews written about you and your earned titles are permanently deleted. Payment records are anonymized and retained for legal compliance.
8. Your Rights
Depending on your location, you have the right to:
- Access your personal data (available via in-app export)
- Correct inaccurate or incomplete data
- Delete your account and associated personal data
- Restrict or object to certain processing
- Data portability — receive a copy in machine-readable format (available via in-app export)
- Withdraw consent at any time for processing based on consent
To exercise these rights, contact privacy@gilltd.com. We will respond within 30 days (UK/EU/Japan) or 10 days (Korea).
Right to complain:
- UK: Information Commissioner's Office (ico.org.uk)
- EU: Your local data protection authority (CNIL for France, Garante per la protezione dei dati personali for Italy)
- Korea: Personal Information Protection Commission (privacy.go.kr), KISA Privacy Call Center (118), Cybercrime Investigation (1301), Cyber Terror Response Center (182)
- Japan: Personal Information Protection Commission (ppc.go.jp)
- Vietnam: Ministry of Public Security, Department of Cybersecurity and High-tech Crime Prevention
9. Data Security
We implement reasonable technical and organizational measures to protect your data, including:
- TLS-encrypted data transmission
- Row-level security (RLS) policies enforced at the database layer
- OAuth-based authentication (no password storage)
- iOS Keychain for local session storage
- Access controls restricting internal access to production data
- EXIF metadata stripping on profile images before storage
No system is completely secure, and we cannot guarantee absolute security.
10. Data Breach Notification
If we become aware of a personal data breach affecting you, we will notify you without undue delay and, where feasible, within 72 hours. We will also notify the relevant supervisory authorities as required by applicable law. Notifications will describe the nature of the breach, affected data, steps taken, and recommended actions.
11. Children's Privacy
GIL is not intended for users under 14 years of age. We do not knowingly collect personal data from users under 14. A valid birthday is required at signup, and accounts cannot be created if the user is under 14. The birthday field is locked after account creation to prevent circumvention.
If you are a parent or guardian and believe your child has created an account, contact us at privacy@gilltd.com and we will delete the account immediately.
12. Privacy Officer (개인정보보호책임자)
In accordance with Article 31 of the Personal Information Protection Act of South Korea:
- Name: Min Ji Lee
- Title: Founder
- Email: privacy@gilltd.com
Users in any jurisdiction may contact the Privacy Officer directly for any data-related matter.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be notified via the app and/or email at least 7 days before taking effect. The "Last Updated" date at the top reflects the most recent revision.
14. Contact Us
- Email: privacy@gilltd.com
- Company: 길 (GIL) / GIL LTD
- Address: GIL LTD, 128 City Road, London EC1V 2NX