[ … 입력 필요] placeholder. This English text is a convenience translation; the Korean version prevails.incove Privacy Policy
incove ("the Service") is an application for gathering and looking back on short everyday moments inside closed groups of family and people close to you. The operator treats your personal information seriously and complies with the Personal Information Protection Act and other applicable laws. This policy explains what information the Service processes and how, and in particular how end-to-end encryption (E2EE) protects your content.
1. End-to-end encryption (E2EE) — core principle
The contents of photos and videos and the contents of sealed messages (Echoes) captured or uploaded in the Service are encrypted on your device and decrypted only on the devices of your group members.
No third party, including the operator, can decrypt or view this content. It is transmitted to and stored on servers (database and storage) only in encrypted form, and the server does not hold the decryption key. This content is therefore not information that the operator can "collect" and read or analyze.
The unlock time of a sealed message (Echo) is chosen by the user (from 1 day up to 5 years, 6 months by default), and the server enforces the lock by refusing to deliver the ciphertext before that time. The server controls "when it is delivered," never "what it says."
2. Personal information we process
We process the following to provide the Service. The E2EE content in section 1 cannot be read by the operator and is listed separately below.
| Category | Items | Purpose |
|---|---|---|
| Account / auth | Email or social login identifier, display name | Member identification, authentication, account management |
| Profile | Profile/avatar image, circle membership and role info | In-group display and features |
| Device / push | Device identifier, push token (FCM) | Notifications, security |
| Usage metadata | Upload frequency/time, group creation/invite patterns, non-identifying mood value | Operation, abuse detection, music matching (only the on-device mood result is sent) |
| Reports / safety | Report reason and details, submitted evidence (with reporter consent) | Handling illegal/harmful content (section 6) |
| E2EE content | Photo, video, sealed-message contents | Not readable by the operator. Relayed/stored as ciphertext only |
The Service does not collect location data; EXIF and other metadata (including capture location) are stripped from uploaded videos. The Service has no advertising and does not collect advertising identifiers.
3. Purposes of use
Collected information is used only for member management and identity verification, providing group-based sharing and recap features, sending notifications, ensuring service stability and preventing fraudulent/illegal use, and fulfilling legal obligations. It is not used for other purposes; if purposes change, separate consent is obtained.
4. Retention and use period
As a rule, personal information is destroyed without delay upon account withdrawal. Exceptions:
- Where laws require retention, data is kept for that period and then destroyed.
- Material related to reports of child sexual abuse material (CSAE) or non-consensual intimate imagery may be kept separately to the extent necessary to cooperate with authorities and meet legal duties, then destroyed.
5. Account and data deletion
You may request deletion of your account and related data at any time.
- In-app: delete your account directly under Settings → Delete account.
- By email: if you cannot use the app, request deletion at hello@incove.app.
On request, the operator destroys the personal information linked to the account and the content you uploaded (including ciphertext), except material subject to the legal retention/preservation in section 4. If you own a group, group handling follows the in-app guidance.
6. Handling illegal/harmful content
Although the Service is closed, safety measures are taken only when a group member files a report. Content submitted with the reporter's consent (material the reporter can legitimately decrypt) is used only to process the report and meet legal obligations, and is stored in a separate secure area for that purpose. See the Terms of Service and the in-app community guidelines and child-safety policy for details.
7. Third parties and processing entrustment
The operator does not sell your personal information or provide it for marketing. We use the following providers' infrastructure to run the Service; they process information only within the entrusted scope.
- Auth / database: Supabase (Seoul region)
- Content storage: Cloudflare R2 — ciphertext only
- Push notifications: Google Firebase Cloud Messaging (FCM)
We do not provide information to third parties except upon a lawful request under applicable law.
8. Security measures
We apply end-to-end encryption of content (standard algorithms such as RSA-OAEP-3072 and AES-256-GCM), transport encryption (TLS/HTTPS), storage of private keys in the device secure storage, access controls, and audit logs.
9. Rights of users and legal representatives
You may request access, correction, deletion, or suspension of processing of your personal information, and may withdraw consent. The Service currently targets adults (child accounts and guardian-consent procedures will be introduced separately at a later stage). Personal information of children under 14 is not collected during the beta.
10. Privacy officer and contact
Inquiries, complaints, and remedies regarding personal information can be submitted below.
- Privacy officer: incove team / privacy@incove.app
- Inquiries: hello@incove.app / Safety & reports: safety@incove.app
- Operator: incove team ([business reg. no. 입력 필요]), [operator address 입력 필요]
11. Changes to this policy
This policy may be revised in line with changes in law or the Service; the effective date and changes will be announced upon revision.