
Privacy Policy

Effective date: 2026-05-03  |  Version: 1.0

Howmuch Team (hereinafter referred to as the "Team"), which operates the service "Howmuch" (hereinafter referred to as the "Service"), values the personal information of users and complies with relevant laws and regulations, including the Personal Information Protection Act, the Act on Promotion of Information and Communications Network Utilization and Information Protection of the Republic of Korea, and the General Data Protection Regulation (GDPR) of the European Union.

This Privacy Policy informs users about the purposes, methods, and protective measures applied to the processing of their personal information.

 

1. Items of Personal Information Processed

The Team processes only the minimum personal information required to provide the Service:

1) Member Registration and Authentication

  • Social Login Identifiers: Identity provider (Google / Apple / Kakao) and the provider's unique user identifier (sub)
  • Email Address
  • Name (or Nickname), Profile Image

2) Information Generated or Inputted During Service Use

  • Settlement Room Information: Settlement room name, total amount, total number of participants, distribution method, and round/session details.
  • Account Information Inputted by the Host: Bank name, account number, and account holder's name. (This is displayed solely for wire transfer guidance to participants; the Team does not directly process payments or transactions.)
  • Deposit History: Transfer amount, transfer date/time, approval/rejection records, and memos.
  • Participant Identification Information: Invitation link tokens and participant names.

3) Automatically Collected Information

  • Device Information: OS type and version, device model, app version, language, and region settings.
  • Connection Information: IP address, date and time of connection, service usage records, and error logs.
  • Push Notification Identifier: FCM (Firebase Cloud Messaging) token.

Note on Financial & Sensitive Data: The Team strictly does not collect or store sensitive payment authentication information such as credit card numbers, account passwords, CVC codes, or resident registration numbers/passport numbers. Actual wire transfers take place directly through the user's external banking applications; the Service only provides tracking and confirmation features for those transfers.

 

2. Collection Methods of Personal Information

The Team collects personal information through the following methods:

  • Direct input by users during registration, room creation/participation, and deposit confirmation requests.
  • Provision by social login providers (Google, Apple, Kakao, Naver) after obtaining user consent.
  • Automatic generation and collection via the mobile application and server logs (including embedded SDKs).
  • Collection during customer inquiries or reports.

 

3. Purpose of Processing Personal Information

The Team uses personal information strictly for the following purposes. If the purpose changes, explicit consent will be obtained in advance.

  • Member registration and management, user identification, and prevention of fraudulent use.
  • Provision of settlement services for group expenses and recurring payments (room creation, participant invitation, deposit tracking, and round management).
  • Crucial operational notifications such as deposit status updates, approvals, and rejections (via FCM push and in-app notifications).
  • Handling customer support, dispute resolution, and civil complaints.
  • Service improvement, statistical analysis, security, and anomaly detection.
  • Fulfillment of legal obligations.

Legal Basis for Processing under GDPR (EU/EEA Residents)

  • Performance of a Contract: Member registration and provision of settlement services (GDPR Art. 6(1)(b)).
  • Compliance with Legal Obligations: Data retention obligations under tax and electronic commerce laws (Art. 6(1)(c)).
  • Legitimate Interests: Security, prevention of abuse, and quality improvement of the Service (Art. 6(1)(f)).
  • Consent: Optional items such as receiving marketing communications (Art. 6(1)(a)).

 

4. Retention and Usage Period of Personal Information

In principle, personal information is destroyed without delay once the purpose of collection and use is achieved. However, certain information is retained for the periods specified below in accordance with relevant policies and regulations:

Category / Item | Retention Period | Legal Basis
Member Information | Until membership withdrawal (separated and stored for 30 days prior to destruction to prevent abuse) | Operational Policy
Settlement Records (Rooms, deposit history) | 5 Years | Act on Electronic Commerce §6
Consumer Complaints & Disputes | 3 Years | Act on Electronic Commerce §6
Service Connection Logs (IP, access timestamps) | 3 Months | Protection of Communications Secrets Act §15-2
Marketing Consent Data | Until consent is withdrawn or membership is terminated | User Consent

 

5. Third-Party Provision of Personal Information

The Team does not disclose users' personal information to third parties, except in the following circumstances:

  • When the user gives prior explicit consent.
  • When required by law or requested by investigative agencies in accordance with legal procedures.

Information Sharing within Settlement Rooms: Information required for the operation of the Service (e.g., host's name/account info, participant's name, allocated amount, and deposit history) is visible strictly to other participants within that specific settlement room. This is necessary for service delivery and does not constitute third-party disclosure under personal data protection laws.

 

6. Delegation of Personal Information Processing (Data Entrustment)

To ensure stable service operations, the Team entrusts personal information processing to the following external service providers:

Trustee (Data Processor) | Entrusted Task | Country
Supabase, Inc. | Database, authentication backend, file (branding asset) storage | USA (or selected region)
Google LLC (Firebase / FCM) | Delivery of push notifications | USA
Google LLC | Google social login authentication | USA
Apple Inc. | Apple social login authentication | USA
Kakao Corp. | Kakao social login authentication | Republic of Korea
NAVER Cloud Corp. | Naver social login authentication | Republic of Korea
[AWS] | Server infrastructure operations | [Seoul, Republic of Korea]

Processors are bound by data entrustment agreements or Data Processing Addendums (DPA) to protect personal information. Any changes to these processors will be disclosed immediately via updates to this Privacy Policy.

 

7. Cross-Border Transfer of Personal Information (GDPR & Network Act)

For service maintenance and operation, certain personal information is transferred overseas as follows:

Recipient | Country | Transferred Items | Transfer Schedule & Method | Retention Period | Basis for Transfer
Supabase, Inc. | USA | Member info, settlement data, logs | Network transmission upon service use | Same as Retention Period in Section 4 | User Consent / SCC
Google LLC | USA | Device tokens, notification content | Transmitted during push notifications | Deleted after a set period from delivery | User Consent / SCC
Apple Inc. | USA | Authentication identifiers | Transmitted during login process | Discarded immediately after authentication | User Consent

Users reserve the right to refuse cross-border transfers. However, refusing transfers may restrict access to the core features of the Service (such as login, notifications, and data synchronization).

 

8. Rights of Data Subjects and How to Exercise Them

Users (or legal guardians for children under 14) can exercise the following rights at any time:

  • Right to request access to personal information.
  • Right to request correction or erasure of errors.
  • Right to request suspension of processing.
  • Right to withdraw consent and terminate membership.

How to exercise rights: Requests can be made via the in-app menu [Settings > App Settings] or by contacting the Chief Privacy Officer listed in Section 14. The Team will take action without delay.

 

9. Additional Rights for EU/EEA Residents (GDPR)

Data subjects covered by the GDPR may exercise the following additional rights:

  • Right of access (Art. 15)
  • Right to rectification (Art. 16)
  • Right to erasure / Right to be forgotten (Art. 17)
  • Right to restriction of processing (Art. 18)
  • Right to data portability (Art. 20)
  • Right to object (Art. 21)
  • Right not to be subject to automated decision-making, including profiling (Art. 22)
  • Right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
  • Right to lodge a complaint with a supervisory authority.

Requests can be submitted to [slmntr47@gmail.com] or to the Chief Privacy Officer. The Team will process requests within the timeframe mandated by the GDPR (in principle, within one month).

 

10. Children Under 14

The Service is not intended for and does not knowingly permit registration from children under the age of 14 (or under 16 for EU Member States, depending on national legislation, without parental consent). If the Team discovers that personal information of a child under 14 has been inadvertently collected, the information will be deleted immediately.

 

11. Automated Collection Tools and SDKs

The Service utilizes the following SDKs for push notifications, statistics, and error tracking:

  • Firebase Cloud Messaging (Google): For push notification delivery.
  • Firebase Crashlytics (Google): For collecting app crash logs (when applicable).
  • Supabase SDK: For user authentication and data synchronization.

Opt-out method: Users may disable these tools via the OS notification settings, ad identifier settings, or the in-app notification toggles. Disabling these options may limit certain functionalities (such as push notifications).

 

12. Destruction of Personal Information

  • Destruction Timing: Personal information is destroyed without delay (in principle, within 5 days) once the retention period expires or the processing purpose is fulfilled.
  • Destruction Method:
    • Electronic files: Permanently deleted using technical methods that prevent recovery or reconstruction.
    • Paper documents (if any): Shredded or incinerated.
  • Soft Delete Policy: Upon membership withdrawal, certain items subject to soft deletion are moved to a separate database for 30 days to resolve potential disputes and prevent fraudulent re-registration, after which they are permanently deleted.

13. Technical and Administrative Measures for Data Security

The Team implements the following measures to ensure data safety:

  • Administrative Measures: Establishment of internal management plans, regular security training for Team members, and restriction of data access privileges to a minimum.
  • Technical Measures:
    • One-way cryptographic hashing for passwords and sensitive authentication data (bcrypt 2a$12, with separate protection for TOTP secret keys).
    • Encryption of data in transit using HTTPS / TLS 1.2 or higher.
    • Mandatory 2-Factor Authentication (Google OTP) for administrative dashboard access.
    • Access control systems and continuous anomaly detection monitoring.
  • Physical Measures: The Team relies on the physical infrastructure security of our cloud service providers (Supabase, Google, etc.). The Team verifies that these providers comply with international security standards such as ISO/IEC 27001 and SOC 2.

14. Personal Information Protection Officer and Contacts

The Team has designated the following representatives to manage personal information protection and address user inquiries:

Chief Privacy Officer

  • Name: Jinyeol Kim
  • Title: Representative of Howmuch Team
  • Email: slmntr47@gmail.com

Privacy Coordinator

  • Name: Seungmin Han
  • Email: seungmin7322@gmail.com

Note: If services to EU residents scale significantly, the Team will appoint an EU Representative pursuant to Article 27 of the GDPR and update this Privacy Policy accordingly.

 

15. Remedies for Infringement of Rights and Interests

Users may contact the following organizations for dispute resolution or reporting infringements:

For Domestic (South Korea) Users

  • Personal Information Dispute Mediation Committee: 1833-6972 (kopico.go.kr)
  • Personal Information Privacy Complaint Center (KISA): 118 (privacy.kisa.or.kr)
  • Supreme Prosecutors' Office Cyber Crime Investigation Division: 1301 (spo.go.kr)
  • National Police Agency Cyber Bureau: 182 (ecrm.police.go.kr)

For EU/EEA Users

  • You may lodge a complaint with the Data Protection Authority (DPA) of your country of residence.
  • European Data Protection Board (EDPB): edpb.europa.eu

16. Amendments to the Privacy Policy

This Privacy Policy is effective from the enforcement date below. If modifications are required due to legal amendments, changes in regulatory policies, or service updates, notice will be provided via the in-app notice board at least 7 days prior to enforcement (or 30 days prior for material changes unfavorable to users).

 

Revision History

  • v1.0 (May 3, 2026): Initial enactment.

Addendum

This Privacy Policy shall enter into force on May 3, 2026.