Back to Home

Pandiary Privacy Policy

Effective Date: February 27, 2026 Last Updated: February 27, 2026

This Privacy Policy explains how Pandiary ("we," "us," or "our") collects, uses, shares, and protects your personal information when you use our mobile application and related services (the "Service"). We are committed to transparency and to protecting your privacy.

By using Pandiary, you agree to the practices described in this Privacy Policy. If you do not agree, please do not use the Service.

1. Who We Are

Pandiary is a social diary application operated from the Republic of Korea. For questions about this Privacy Policy or your data, contact us at:

Email: support@pandiary.app Response Time: Within 5 business days

2. Information We Collect

2.1 Information You Provide

  • Account Information: Username, email address, and password (stored as a secure hash — we never store your password in plain text).
  • Profile Information: Display name, bio, and profile photo (optional).
  • Date of Birth: Collected at signup solely to verify you are at least 13 years old. Only your birth year is retained after age verification.
  • User Content: Diary entries, posts, and images you create. You control whether each entry is public, visible to followers only ("locked"), or private.
  • Messages: Direct messages you send to other users.
  • AI Feature Input: Text you voluntarily submit to AI writing tools (grammar check, style transform, suggestions).
  • Reports and Support: Information you provide when reporting content or contacting support.

2.2 Information Collected Automatically

  • Device Information: Device type, operating system, and app version.
  • Usage Data: Features used, pages viewed, and interaction timestamps — collected to improve the Service.
  • Log Data: IP address and access times, retained for security and fraud prevention.

2.3 Information from Third Parties

  • Authentication Providers: If you sign in with Apple or Google, we receive your email address and a unique identifier from the provider. We do not receive your password.
  • Purchase Data: Subscription status and purchase receipts are verified through Apple App Store or Google Play via RevenueCat. We do not receive or store your payment card details.

3. How We Use Your Information

We use your information only for the following purposes:

  • Providing the Service: Creating and managing your account, storing and displaying your content according to your visibility settings, and delivering messages.
  • Content Moderation: Public and locked posts are automatically scanned for safety violations before publishing (see Section 5). Private diary entries are never scanned.
  • AI Writing Assistance: When you choose to use AI features, processing your submitted text to return grammar, style, or writing suggestions.
  • Age Verification: Confirming you meet the minimum age requirement of 13.
  • Subscriptions: Processing and managing Pandiary Pro subscriptions through Apple or Google.
  • Communications: Sending account-related emails (verification, security alerts, moderation decisions). We do not send marketing emails.
  • Safety and Security: Detecting and preventing fraud, abuse, and violations of our Terms of Service.
  • Service Improvement: Analyzing aggregated, anonymized usage patterns to improve features and performance.
  • Legal Compliance: Fulfilling obligations under applicable laws.

4. How We Share Your Information

4.1 With Other Users

  • Public posts are visible to all Pandiary users.
  • Locked posts are visible only to your approved followers.
  • Private entries are visible only to you. We do not access, share, or display them to anyone.
  • Profile information (username, display name, bio, avatar) is visible to other users as you configure it.

4.2 With Service Providers

We share data with the following third-party service providers who help us operate the Service. Each operates under a data processing agreement with us:

  • Supabase (Infrastructure) — Hosts our database, handles authentication, and stores uploaded images. Privacy Policy: https://supabase.com/privacy
  • Google Gemini API (AI Processing) — Processes text submitted to AI features and content moderation. Only the text itself is sent — no personal identifiers. Privacy Policy: https://ai.google.dev/gemini-api/terms
  • RevenueCat (Subscriptions) — Manages subscription status and receipt validation. Privacy Policy: https://www.revenuecat.com/privacy
  • Apple / Google (App Distribution and Payments) — Processes in-app purchases. Apple: https://www.apple.com/legal/privacy/ | Google: https://policies.google.com/privacy
  • Expo (Development Platform) — Delivers app updates. Privacy Policy: https://expo.dev/privacy

4.3 For Legal Reasons

We may disclose your information if required by law, regulation, court order, or valid legal process. We will notify you of such requests when legally permitted.

4.4 Business Transfers

If Pandiary is involved in a merger, acquisition, or sale of assets, your data may be transferred. We will notify you before your data is transferred and becomes subject to a different privacy policy.

4.5 What We Will Never Do

  • We do not sell your personal data to any third party.
  • We do not use your data for targeted advertising.
  • We do not share your data with data brokers.
  • We do not share your content with third parties for their own marketing.

5. Artificial Intelligence and Automated Processing

5.1 Content Moderation

Public and locked posts are automatically scanned by AI (Google Gemini API) before publishing. The system checks for hate speech, explicit content, violence, self-harm, harassment, illegal activity, and CSAM. Private diary entries bypass this process entirely and are never sent to any AI system.

If the system flags your post, it will be rejected with an explanation. You may edit and resubmit, or contest the decision through the moderation system.

5.2 Writing Assistance

Grammar check, style transformation, and writing suggestions are powered by Google Gemini API. These features are entirely optional and only activated when you explicitly tap an AI button. A consent modal explains data handling before your first use.

5.3 What Google Receives

  • Only the text you submit — not your entire diary, account data, or personal identifiers.
  • Text is sent through our secure server, not directly from your device.
  • Google does not use your submitted text to train their AI models (per the Gemini API Terms of Service for paid API usage).
  • Google may retain API logs for up to 55 days for abuse monitoring, after which they are deleted.

5.4 Your AI Rights

  • You can use Pandiary without ever activating AI features.
  • You have the right to contest automated moderation decisions by contacting support.
  • We do not use AI for profiling, advertising, or any purpose other than content moderation and optional writing assistance.

6. Data Retention and Deletion

6.1 How Long We Keep Your Data

  • Account and profile data: Retained while your account is active.
  • Diary entries, posts, and images: Retained while your account is active.
  • Messages: Retained while your account is active.
  • Date of birth: Full date deleted after age verification; only birth year is retained.
  • Security logs (IP, access times): Retained for 90 days, then deleted.
  • Moderation action records: Retained for 3 years for legal compliance and dispute resolution.
  • Subscription/purchase data: Retained as required by applicable tax and financial regulations.

6.2 Account Deletion

You can delete your account at any time from your Profile Settings. When you delete your account:

  • All your posts, diary entries, images, messages, profile data, follows, and blocks are permanently deleted within 30 days.
  • Backups containing your data are purged within 90 days.
  • We do not retain ghost records, "[deleted]" placeholders, or any content attributed to you.
  • Limited records may be retained only where required by law (e.g., moderation audit logs, financial records).

6.3 Content Deletion

When you delete an individual post or message, it is removed from our active systems promptly. Backup copies are purged within 90 days.

7. Data Security

We implement industry-standard measures to protect your data:

  • Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS/HTTPS.
  • Encryption at rest: Data stored in our database is encrypted at rest.
  • Password security: Passwords are hashed using secure algorithms. We never store passwords in plain text.
  • Access controls: Access to user data is restricted to authorized personnel on a need-to-know basis.
  • Secure infrastructure: Our backend infrastructure (Supabase) provides SOC 2 Type II certified security.

No system is 100% secure. While we take all reasonable precautions, we cannot guarantee absolute security. If we discover a data breach that affects your personal information, we will notify you promptly.

8. International Data Transfers

Pandiary is operated from the Republic of Korea. Your data may be processed in the following locations:

  • Supabase servers: United States
  • Google Cloud (Gemini API): United States
  • RevenueCat: United States

Data protection laws in these countries may differ from the laws in your country. We ensure appropriate safeguards are in place for all international transfers:

  • For EU/EEA users: Transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission and, where applicable, reliance on the EU-US Data Privacy Framework.
  • For Korean users: Cross-border transfers comply with the Personal Information Protection Act (PIPA), including disclosure of recipients, purposes, and data types.
  • For all users: We apply equivalent privacy protections to your data regardless of where it is processed.

9. Your Privacy Rights

9.1 Rights for All Users

Regardless of where you live, you have the right to:

  • Access your personal data (via the in-app data export tool).
  • Correct inaccurate information in your profile settings.
  • Delete your account and all associated data.
  • Export your data in machine-readable format (JSON).
  • Withdraw consent for optional data processing (such as AI features) at any time.
  • Object to processing based on our legitimate interests.

9.2 Additional Rights for EU/EEA Residents (GDPR)

Under the General Data Protection Regulation, you also have the right to:

  • Restrict processing of your data in certain circumstances.
  • Not be subject to solely automated decision-making that produces legal effects. Our AI content moderation includes the right to human review upon request.
  • Lodge a complaint with your local Data Protection Authority.
  • Data portability — receive your data in a structured, commonly used format.

Legal bases for processing: We process your data based on: (a) performance of our contract with you (providing the Service), (b) your consent (AI features, optional data collection), (c) legitimate interests (security, fraud prevention, service improvement), and (d) legal obligations (age verification, moderation requirements).

We will respond to data subject requests within 30 days.

9.3 Additional Rights for California Residents (CCPA/CPRA)

Under the California Consumer Privacy Act, you have the right to:

  • Know what personal information we collect, use, and share.
  • Delete your personal information.
  • Correct inaccurate personal information.
  • Opt out of the sale or sharing of personal information. We do not sell or share your personal information for cross-context behavioral advertising.
  • Non-discrimination for exercising your privacy rights.

We will respond to verifiable consumer requests within 45 days.

9.4 Additional Rights for Korean Residents (PIPA)

Under the Personal Information Protection Act, you have the right to:

  • Request data portability and transfer of your personal information.
  • Suspend processing of your personal information.
  • Request destruction of your personal information.
  • Be notified of data breaches without delay.

9.5 How to Exercise Your Rights

  • In-app: Use Profile Settings to update your information, export data, or delete your account.
  • Email: Contact support@pandiary.app with your request.
  • Verification: We may ask you to verify your identity before processing requests to protect your account.
  • No fee: We do not charge a fee for reasonable privacy requests.

10. Children's Privacy

Pandiary is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13.

  • Age verification: We collect date of birth during signup to verify that all users are at least 13 years old. Users who do not meet this requirement cannot create an account.
  • Discovery of underage users: If we learn that we have collected data from a child under 13, we will delete their account and all associated data immediately.
  • Parents and guardians: If you believe your child under 13 has created a Pandiary account, please contact us at support@pandiary.app and we will promptly delete the account.

11. Diary Entries and Sensitive Content

Diary entries are inherently personal and may contain sensitive information such as health details, personal beliefs, or emotional reflections. We treat all diary content with the highest level of care:

  • Private entries are stored securely and are accessible only to you. They are never shared with other users, accessed by Pandiary staff, or sent to third-party services (including AI systems).
  • You control visibility. You choose whether each entry is public, locked (followers only), or private. You can change visibility at any time.
  • No content-based advertising. We never analyze your diary content for advertising or marketing purposes.
  • Law enforcement: We may be compelled to produce data in response to valid legal process (court orders, subpoenas). We will notify you of such requests when legally permitted. Private entries stored on our servers are subject to this disclosure.

12. Tracking and Device Information

12.1 What We Collect

Pandiary collects limited device data (device type, OS version, app version) for providing and improving the Service. We do not use advertising identifiers (IDFA/GAID) and do not engage in cross-app tracking.

12.2 SDKs

Our app includes SDKs from Expo (app updates) and RevenueCat (subscription management). These SDKs may collect limited technical data as described in their respective privacy policies linked in Section 4.2.

12.3 Your Choices

  • You can manage tracking permissions in your device settings (iOS: Settings > Privacy & Security > Tracking).
  • Pandiary functions fully without granting tracking permissions.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes:

  • We will notify you via in-app notification at least 14 days before the changes take effect.
  • The updated policy will always be accessible within the app.
  • The "Last Updated" date at the top will reflect the most recent revision.

Continued use of Pandiary after changes take effect constitutes your acceptance. For material changes that affect how we use your data, we may request renewed consent.

14. Contact Us

If you have questions about this Privacy Policy, your data, or want to exercise any of your privacy rights:

Email: support@pandiary.app Response Time: Within 5 business days

For GDPR-related inquiries, you may also contact your local Data Protection Authority.

By using Pandiary, you acknowledge that you have read and understood this Privacy Policy.

Last updated: February 27, 2026 — Version 1.0