Privacy Policy

Dowin is a goal-management service operated by Dasoslab.

This Privacy Policy applies to the Dowin web service and to connected account, logging, notification, billing, and support flows.

We aim to protect user privacy under applicable law and to process only the minimum information needed to run the service.

You can contact us about privacy matters through the following channel.

Privacy contact: Dowin Privacy Manager

Email: support@dowin.app

For sign-up and authentication, we process account ID (customId), nickname, password hash, session identifiers, and recovery-code hashes.

During service use, we process workspace information, scoreboards, lead measures, daily logs, team memos, profile settings (avatar and locale), notification settings, and app push token data (FCM).

When paid features are used, we may process workspace plan state, billing events, checkout request history, and customer or subscription identifiers provided by the payment provider.

For product analytics, Google Analytics may process online identifiers and event logs such as device context, page views, and feature usage events.

We process personal information to create accounts, identify users, maintain login sessions, reset passwords, and prevent abuse.

We also process personal information to operate workspaces, store scoreboards and logs, send notifications, manage profiles, respond to support requests, and keep the service stable.

For paid plans, we process billing-related information to verify plan status, handle refunds or cancellations, and review suspicious payment or repeated refund patterns.

We may analyze product-usage events to improve the service, but we do not intentionally send free-form memo content or passwords to analytics tools for advertising purposes.

Account data such as customId, nickname, and password hash is retained until the account is deleted.

Session data corresponding to the dowin_sid cookie is retained for the period needed to keep a user signed in and is no longer used after expiration or logout.

Recovery-code hashes are retained to support account recovery and are deleted or disabled when the account is deleted or when they are no longer needed for recovery.

User-generated data such as workspaces, scoreboards, lead measures, daily logs, team memos, profile settings, and notification settings is retained until the account is deleted.

App push token data (FCM) is retained until the user disables notifications or the token expires or becomes invalid.

Online identifiers and event logs processed through Google Analytics may be retained or deleted according to the company's Analytics property settings and Google's policies.

Billing identifiers, billing events, and checkout request history may be retained for the period needed for settlement, refund handling, dispute response, or abuse review.

Support-request records may be retained for 12 months after a general inquiry is resolved. Where the record relates to billing, refunds, termination, or a consumer complaint or dispute, it may be retained for 3 years as required by applicable law.

When an account is deleted, we aim to delete the user account and directly linked data. Some data may still be retained separately where reasonably required by law, dispute handling, refund settlement, or security review.

Dowin does not sell users' personal information and does not disclose it to third parties except where required by law or permitted by the user's consent.

We may rely on external services only to the extent needed to provide the relevant feature.

Cloudflare may be used for application infrastructure, security, and database operation, and account data, user-generated service data, and technical access data may be processed in that context.

Google Analytics may be used for usage analytics and may process online identifiers, device context, page transitions, and feature-usage events. We operate the service so that sensitive content such as free-form memo bodies or passwords is not intentionally sent to analytics tools.

Polar may be used for paid-plan billing, recurring billing management, and customer-portal access, and billing-related customer identifiers, subscription identifiers, billing status, and checkout-request history may be processed in that context.

Tally may be used to provide the support-intake form, and the user's name, email address, inquiry content, and attached information entered directly by the user may be processed for that purpose. Dowin determines the purpose and categories of inquiry data, and Tally is used as an external form and response-storage service.

Some external services used by Dowin may operate infrastructure or servers outside the Republic of Korea, and personal information may therefore be processed or stored outside Korea.

Cloudflare may process account data, user-generated service data, and technical access data outside Korea through its global infrastructure.

Google Analytics may process online identifiers, device context, page transitions, and feature-usage events outside Korea through Google's global infrastructure.

Polar may process billing-related customer identifiers, subscription identifiers, billing status, and checkout-request history outside Korea for payment processing and customer-portal access.

Inquiry data submitted through the Tally form, including name, email address, inquiry content, and attachments, may be processed or stored outside Korea when the form is submitted. According to Tally's public guidance, form-response data is stored in Europe.

For Tally inquiry data, general inquiries may be retained for 12 months after resolution, while billing, refund, termination, or consumer-dispute inquiries may be retained for 3 years where required by law.

The exact processing region, transfer timing, and storage period can vary depending on each provider's global infrastructure and the way the service is configured.

Where required by applicable law, we review whether additional notice or consent is needed for overseas processing or transfers.

When the purpose of processing ends or the retention period expires, we review any recovery or legal-retention need and then delete the data or handle it in a way that no longer identifies an individual.

Electronic records are deleted from the service database and connected storage. Where separate retention is required, access is restricted and the data is handled separately.

Users may request access, correction, deletion, or restriction of processing regarding their personal information.

Some rights can be exercised directly through product features such as profile updates, locale changes, workspace leave, or account deletion. Additional requests can be sent through the in-product contact link or by email at support@dowin.app.

The in-product contact path currently links to an external support form on Tally (https://tally.so/r/2ExbKb), so users should avoid entering unnecessary sensitive personal information such as resident registration numbers, bank-account details, passwords, or health information there.

Account deletion may require current-password verification, and a sole workspace admin may need to transfer admin rights or delete the workspace first.

Dowin may use cookies to keep users signed in and to remember locale settings. Typical examples include the session cookie (dowin_sid) and the locale-preference cookie (NEXT_LOCALE).

Cookies or other online identifiers may also be used when analytics tools such as Google Analytics are enabled.

Users can reject cookie storage or delete existing cookies through browser settings. If they do, login persistence, locale memory, or some analytics-based improvements may not work as intended.

If users do not want Google Analytics collection, they may use browser privacy settings, cookie-blocking features, or tools provided by Google where available.

Passwords are stored in hashed form. We also work to apply reasonable safeguards such as access control, least-privilege access, HTTPS-based transport, and separated operational logging.

Users may also seek help from the Personal Information Protection Commission or other relevant Korean privacy dispute and complaint channels when they believe their rights have been infringed.

Dowin will make reasonable efforts to review submitted requests and respond promptly within the scope it can verify.

This Privacy Policy may be updated when legal requirements, service features, or external integrations change.

Where a material change occurs, we will notify users through the service or a posted notice.