Privacy Policy

At Siggu, we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service at app.siggu.xyz and our desktop application.

1. Information We Collect

1.1 Information You Provide

Account Information:

• Email address, display name, and username
• Profile details such as bio, pronouns, birthday, photo, location (optional)

Content You Create:

• Journal entries, tasks, comments, and uploaded files

System-Generated Data:

• Unique membership ID and badges
• Account activity timestamps
• Subscription status and payment history

1.2 Google Calendar Integration

When you connect your Google Calendar to Siggu, we collect and process:

• Calendar Events: Event titles, descriptions, start/end times, locations, and attendee information
• Calendar Metadata: Calendar names, colors, timezone, and access permissions
• Access Tokens: OAuth tokens to maintain your Google Calendar connection (stored encrypted)

Limited Use Disclosure: Siggu's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We do not transfer Google user data to third parties except as necessary to provide or improve user-facing features, comply with applicable law, or as part of a merger or acquisition disclosed to users.

Data Storage and Deletion:

• Calendar events are stored securely in our database and synchronized with your Google Calendar
• You can disconnect your Google Calendar at any time from Calendar settings
• Upon disconnection, all stored calendar data is immediately deleted from our servers

1.3 Automatically Collected Information

• Device Information: Device type, operating system, and browser (from session data)
• Log Data: IP address and timestamps for security purposes
• Cookies: Authentication cookies to keep you logged in (see Section 10)

2. How We Use Your Information

We use your information to:

• Provide, maintain, and improve our services
• Create and manage your account
• Process your transactions and manage subscriptions
• Send you service-related notifications and updates
• Respond to your support requests and feedback
• Detect and prevent fraud, abuse, and security issues
• Comply with legal obligations

3. How We Share Your Information

We do not sell your personal information.

We may share your information only in the following circumstances:

• With Your Consent: When you explicitly authorize us to share information with third parties
• Service Providers: Third-party services that help us operate (see Section 4)
• Other Users: Information you choose to make public or share with specific users
• Legal Requirements: When required by law, court order, or to protect our rights
• Business Transfers: In connection with a merger, acquisition, or sale of assets (users will be notified)

4. Third-Party Services

Siggu integrates with the following third-party services:

• Supabase: Database, authentication, and backend services - Privacy Policy
• Bunny CDN: File storage and content delivery - Privacy Policy
• Resend: Email delivery service - Privacy Policy
• Lemon Squeezy: Payment processing - Privacy Policy
• Google Calendar API: Calendar integration - Privacy Policy
• Tenor API: GIF search in journals - Privacy Policy
• Unsplash: Image search - Privacy Policy
• Iconify: Icon library (CDN only, no data collected)
• DiceBear: Avatar generation (API only, no data stored)

These services have their own privacy policies, and we encourage you to review them.

5. Data Security

5.1 Security Measures

We implement industry-standard security measures to protect your information:

• HTTPS encryption for all data transmission
• Encrypted storage for sensitive data (OAuth tokens)
• Regular security audits and updates
• Access controls and authentication
• Secure database with row-level security policies
• CDN with DDoS protection

5.2 Security Limitations

However, no method of transmission over the Internet is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

5.3 Data Breach Response

In the event of a data breach that affects your personal information:

• Timely Notification: We will notify you and relevant supervisory authorities within 72 hours of becoming aware of the breach, as required by GDPR
• Breach Details: We will provide information about the nature of the breach, the data affected, and steps we are taking to address it
• Response Plan: We maintain a documented data breach response plan with clear escalation procedures
• Mitigation: We will take immediate steps to secure our systems and prevent further unauthorized access
• Support: We will provide support and guidance on steps you can take to protect yourself

6. Your Rights and Choices

You have the following rights regarding your personal information:

6.1 Access and Portability

• Request a copy of your personal data
• Export your content (journals, tasks, etc.) in portable formats
• Access available from Account Settings

6.2 Correction and Update

• Update or correct inaccurate information
• Modify your profile and settings at any time

6.3 Deletion and Restoration

• Request deletion of your account and associated data from Account Settings
• Delete specific content (journal entries, tasks, etc.)
• Account becomes immediately inaccessible upon deletion request
• 30-Day Grace Period: You can restore your account within 30 days of the deletion request by logging in
• All personal data is permanently deleted 30 days after the deletion request if not restored
• After 30 days, account restoration is not possible

6.4 Revoke Consent

• Disconnect Google Calendar or other integrations at any time
• Adjust privacy and visibility settings

To exercise these rights, visit your Account Settings or contact us at hello@siggu.xyz.

7. Data Retention

We retain your information for as long as your account is active or as needed to provide services:

• Active Accounts: Data retained indefinitely while account is active
• Deleted Accounts: When you request account deletion, your account is marked for deletion and becomes immediately inaccessible. During the 30-day grace period, you can restore your account by logging in. If not restored, all personal data is permanently deleted 30 days after the deletion request.
• Google Calendar Data: Immediately removed upon disconnection
• Legal Requirements: Some data may be retained longer for legal, security, or compliance purposes
• Backups: Deleted data may persist in encrypted backups according to our infrastructure provider's retention policy

8. Children's Privacy

Siggu is not intended for children under 13 years old. We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, please contact us immediately at hello@siggu.xyz.

9. International Data Transfers

Siggu is operated from the Republic of Korea. Your information may be transferred to and processed in:

• Republic of Korea (primary data storage)
• United States (Supabase, Lemon Squeezy, Google services)
• European Union (Bunny CDN edge locations)

We ensure appropriate safeguards are in place to protect your data in accordance with this Privacy Policy and applicable data protection laws.

10. Cookies and Tracking

We use the following types of cookies:

10.1 Essential Cookies

• Authentication: Supabase authentication cookies to keep you logged in
• Security: CSRF tokens and session management
• These cookies are necessary for the service to function and cannot be disabled

10.2 Account-Based Storage

• Preferences: Your language and display preferences are stored in your account, not in cookies

10.4 How to Control Cookies

You can control cookies through your browser settings, but disabling essential cookies may prevent you from using Siggu.

11. GDPR Rights (EU Users)

If you are in the European Union, you have additional rights under GDPR:

• Right to Access: Obtain confirmation of data processing and access to your data
• Right to Rectification: Correct inaccurate personal data
• Right to Erasure: Request deletion of your personal data ("right to be forgotten")
• Right to Restrict Processing: Limit how we process your data
• Right to Data Portability: Receive your data in a structured, machine-readable format
• Right to Object: Object to processing based on legitimate interests
• Right to Withdraw Consent: Withdraw consent at any time
• Right to Lodge a Complaint: File a complaint with your local data protection authority

12. CCPA Rights (California Users)

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA):

• Right to Know: Request information about personal data collected, used, and shared
• Right to Delete: Request deletion of your personal data
• Right to Opt-Out: Opt-out of the sale of personal information (we do not sell data)
• Right to Non-Discrimination: Equal service and pricing regardless of privacy choices
• Right to Correct: Request correction of inaccurate personal information
• Right to Portability: Receive your data in a portable format

12.1 How to Exercise Your Rights

Most CCPA rights can be exercised immediately through our automated self-service tools:

• Account Settings: Access, update, or delete your data instantly
• Privacy Settings: Control who can see your content and profile information

12.2 Response Timeline

• Automated Requests: Processed immediately through Account Settings (most common)
• Manual Requests: We will respond to verifiable consumer requests within 45 days
• Extensions: If we require more time (up to 90 days total), we will inform you of the reason and extension period within the initial 45 days
• Verification: We may request additional information to verify your identity before processing requests

12.3 Record Keeping

• Account deletion and data export requests are logged for compliance purposes
• You can exercise most rights instantly through Account Settings without submitting a formal request

Note: When you request account deletion, your account becomes immediately inaccessible with a 30-day grace period for restoration. After 30 days, all personal data is permanently deleted. This exceeds CCPA requirements by providing transparency and a restoration option.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by:

• Posting a notice on our website (siggu.xyz)
• Sending an email to your registered address
• Displaying a notification in the app
• Updating the "Last updated" date at the top of this policy

Continued use of Siggu after changes constitutes acceptance of the updated Privacy Policy.

14. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

• Email: hello@siggu.xyz
• Website: https://siggu.xyz
• App: https://app.siggu.xyz

Siggu is operated as a sole proprietorship under the laws of the Republic of Korea.