The short version
Bballi helps travelers find public toilets in Seoul. You can use it as a guest — no name, no email, no account — or sign in with Google if you want to. This page (our 개인정보 처리방침, Privacy Policy) explains the small amount of data the app handles, what stays only on your phone, what is sent to a server, and what changes if you sign in.
- Most of your data never leaves your phone. Your location, saved favorites, and language are stored on your device only.
- Three things are sent to our server: the reviews you write and your one-tap toilet reports (for example, closed or gone) — both anonymous, tied only to a random device key with no name — and the flags you place on other reviews, which require signing in and are tied to your account (so flags can't be forged to hide honest reviews).
- Sign-in is optional. As a guest we hold no name or email. If you sign in with Google, we receive your email and name (and profile image) to run your account — details in Section 2. We never collect your phone number or password.
- We do not sell your data. To keep the web app free it shows ads (Google AdSense) — ads always appear, and your consent controls only whether they are personalized (see Section 12). We also use Google Analytics to gather aggregate, non-identifying visit statistics (see Section 13). Aside from ads and this aggregate analytics, there is no other tracking.
1. Who is responsible for your data
Bballi is operated by 일오삼 (Ilosam), a sole proprietorship in the Republic of Korea (business registration 517-75-00525), at 경기도 파주시 경의로 1114, 4층 406호 (4F #406, 1114 Gyeongui-ro, Paju-si, Gyeonggi-do, Republic of Korea). For any question about your data, our 개인정보 보호책임자 (Privacy Officer) is 이윤재 (Lee Yun-jae), reachable at bballiapp@naver.com. For business or partnership matters, use the same address.
We do not appoint a separate Data Protection Officer (DPO), because a solo operator does not meet the threshold that requires one; the Privacy Officer named above handles all privacy questions. Please contact us at bballiapp@naver.com.
EU/EEA note: no EU representative under GDPR Article 27 is appointed, because the operator has no establishment in the EU/EEA and does not offer goods or services to, or monitor, individuals in the EU/EEA on a scale that requires one. If this changes, a representative's name and address will be listed here.
2. What we collect, why, and where it is kept
We keep data collection to the minimum needed to run the app. Here is every item, in plain terms:
- Your location (precise GPS) — used only to find the nearest toilets and sort them by walking distance. It is read on your phone, used in the moment, and never saved or sent to any server. If you decline location, the app falls back to a default city-center point and still works. Legal note: the app requests *precise* location (high accuracy) from your device, but it is used on-device only.
- A random device key (we call it a "device hash") — a random string like `me-...` created once and kept on your phone. It is not built from your name, phone, or any device fingerprint — it identifies nothing about you personally. We use it to attach your reviews to "you" in the app and to limit abuse. (Flagging a review is separate: it requires signing in and is tied to your account, not this key.)
- Reviews you write — the tip text (up to 1,000 characters) and the language you wrote it in. We remove angle-bracket tags before saving. This is shown to other travelers.
- Review flags (sign-in required) — flagging another person's review requires signing in. We record which account flagged which review (and an optional reason), and one account can flag a given review only once. This powers community moderation and stops anonymous forged flags — it is the one contribution that is not anonymous.
- Toilet problem reports — one-tap reports such as "closed" or "gone." These are saved on your phone and also sent to our server — the toilet, the report type, and your random device key — so repeated reports can be counted across users (see Section 4). They do not include your location.
- Favorites — the toilet IDs you star, stored on your phone only.
- Language preference — your chosen app language, first guessed from your device settings, stored on your phone only.
- Filter and sort choices — held in memory while you use the app, not saved, not sent.
- Account data — only if you sign in with Google (optional) — when you choose to sign in, we receive your email address and basic Google profile (name and profile image) through Supabase Authentication, and we store your display name, profile image, a record of which terms you accepted and when, and an optional marketing opt-in in our database. Apple sign-in is planned but not yet available. If you stay a guest, none of this is collected.
- Launch-notification email (waitlist) — only if you enter your email in the "notify me" form on our website and check the consent box. We store your email and the site language you were viewing, in our database (Supabase), for the single purpose of emailing you once when the app launches. We never sell it, never use it for other marketing without your separate consent, and you can ask us to delete it at any time (Section 10).
- Google Analytics — aggregate, non-identifying statistics such as page views, screens visited, approximate region, and device/browser type, used to understand how the site and app are used and to improve them. This is never linked to your name, email, review text, or device key, and is never used for ad personalization. See Section 13 for the consent and cookies involved.
As a guest, we do not collect your name, email, phone number, or password — other than a launch-notification email you choose to submit through the waitlist form described above. We never collect your payment details or photos. We run Google Analytics for aggregate, non-identifying usage statistics (see Section 13), and the web-app advertising described in Section 12 (Google AdSense); apart from those two, we use no other tracking tools, and the native app (Google AdMob) is not yet available. If you sign in with Google, we receive your email and name as described above, used only to run your account — never for advertising.
How the device key is classified: it is a pseudonymous identifier — a random value, not your name or account. Under the EU GDPR it counts as personal data (an online identifier), so the rights in Section 10 apply to it. Under Korea's PIPA, we take the most protective view and treat the device key as personal information (개인정보), applying the full protections in this policy to it. If it is ever formally assessed as pseudonymized information (가명정보), those same protections continue to apply.
3. What actually leaves your phone
We want to be honest and specific about this, because "anonymous" should mean something. As a guest, only these leave your device and reach our server (Supabase):
- Reviews — the text, the language, your random device key, and the time.
- Review flags — not sent as a guest. Flagging a review requires signing in; the flag is tied to your account (not your device key). As a guest you can read and write reviews and send toilet reports, but not flag.
- One-tap toilet reports — which toilet, the report type, your random device key, and the time.
- Account data — only if you sign in with Google — your email, name, profile image, agreement record, and optional marketing opt-in (see Section 2). Guests send none of this.
Everything else — your location, favorites, language, and filters — stays on your phone. If the app is running without server keys configured, even reviews and reports stay local-only.
4. About one-tap toilet reports
When you send a one-tap report (for example, "closed" or "needs a key"), the app saves it on your phone and sends it to our server — the toilet, the report type, and your random device key, over an encrypted connection. If you were offline, it is queued and sent the next time the app opens. We use these reports to spot toilets that may have closed or changed, so repeated reports for the same toilet rise in our review queue. A report never includes your name or your location.
5. Reviews and flags are public
Reviews are meant to help other travelers, so they are shown publicly. Please keep this in mind:
- Your review text and its language are public — anyone using the app can read them.
- Your random device key is attached to your reviews on our server, and your flags are tied to your account (flagging requires sign-in). Neither is shown to other app users — the app only reveals whether you wrote or flagged something. Raw device keys and reporter accounts are readable only by an operator (admin), for moderation. Your device key is pseudonymous — it does not reveal who you are.
- Please do not put your name, contact details, or other personal information into a review. Once posted, it is public.
- A review flagged 3 or more times (by three different signed-in accounts) is automatically hidden pending human review (see Section 11).
6. Legal basis for processing (for EU/EEA visitors)
If GDPR applies to you, here is the legal basis for each purpose:
- Finding nearby toilets with your location — to provide the service you asked for (Art. 6(1)(b)), and/or our legitimate interest (Art. 6(1)(f)) in making the app useful. Your device's location permission is a separate on-device consent step you control.
- The random device key, rate-limiting, and auto-hiding flagged reviews — our legitimate interest (Art. 6(1)(f)) in preventing abuse and keeping content trustworthy.
- Storing and showing reviews and flags — to provide the service (Art. 6(1)(b)) and our legitimate interest in a useful community resource.
- Optional Google sign-in and your account — to provide the account you asked for (Art. 6(1)(b)). The optional marketing opt-in runs on your consent (Art. 6(1)(a)), which you can withdraw at any time.
- Advertising (web app) — non-personalized ads run on our legitimate interest (Art. 6(1)(f)) in keeping the service free; personalized ads, and the cookies they use, run only with your consent (Art. 6(1)(a)), which you can withdraw at any time (see Section 12).
- Google Analytics — our legitimate interest (Art. 6(1)(f)) in understanding and improving the site outside the EEA/UK/Switzerland; for visitors in those regions, analytics runs only with your consent (Art. 6(1)(a)) (see Section 13).
Sharing your location is optional. If you decline, you can still browse and search toilets manually — you just lose automatic "nearest to me" sorting. Writing a review or flagging one is always voluntary.
7. Third parties and service providers
We do not sell your data, and we do not provide your personal data to any third party for their own purposes. We rely on a small number of service providers (processors / 위탁) to run the app, plus a hand-off to NAVER Map when you tap for directions and Sign in with Google if you choose to use it.
- Supabase (processor — database and sign-in) — stores your reviews and one-tap toilet reports (text, language, report type, your random device key, timestamps) and your review flags (the flagged review, your account, an optional reason, timestamps — flagging requires sign-in). If you sign in, it also handles authentication and stores your account profile (email, name, profile image, agreement record, marketing opt-in). It does not receive your location. Access is protected by database security rules; the app uses only a public, read-limited key.
- Vercel (processor — hosting) — hosts the website and app. Like any host, it keeps standard request logs (such as IP address and browser type). No app-level personal data is sent to it.
- NAVER Maps (map display, by NAVER Cloud Corp.) — contacted each time the map loads to draw the map. Like any website request, this means your IP address and the map area you are viewing are visible to NAVER. No account data is sent.
- NAVER Map (independent controller, 제3자) — used only when you tap for walking directions. This opens the NAVER Map website in a new tab with the destination toilet's name and coordinates. NAVER then acts as its own controller under NAVER's policy; your own location is provided to NAVER by your device, not by Bballi.
- Google (Sign in with Google) — used only if you choose to sign in. Google authenticates you and provides your email, name, and profile image to create your account. Google acts under its own policy; if you stay a guest, Google sign-in is never contacted.
- Google Fonts — the app loads its typeface from Google's font servers (fonts.googleapis.com / fonts.gstatic.com) when the page loads, so your IP address and browser type are visible to Google as part of that request. No account or app data is sent.
- Google AdSense (independent recipient, 제3자) — in the web app, Google serves and measures ads. With your consent it may set cookies to personalize ads; without consent it shows non-personalized ads (only minimal cookies for frequency capping and fraud prevention). Google acts under its own policy (policies.google.com/technologies/partner-sites and policies.google.com/privacy).
- Google Analytics (processor) — collects aggregate, non-identifying usage statistics (page views, screens visited, approximate region, device/browser type) to help us understand and improve the site and app. It is not used for ad personalization and is not linked to your account, review text, or device key. See Section 13 for the cookies involved and how consent applies.
8. Where your data is stored and international transfer
The reviews, flags, one-tap reports, and (if you sign in) your account profile stored by Supabase, and the hosting logs kept by Vercel, may be processed outside your country, including outside the EEA. For transparency (and to meet Korea's PIPA overseas-transfer rules), here are the details:
- Who receives the data: Supabase (database) and Vercel (hosting), acting as our processors.
- Country / region: Supabase stores this data in Japan (Northeast Asia — Tokyo, `ap-northeast-1`). Vercel delivers hosting from its global edge network, so standard server logs may be processed in other countries, including the United States.
- Items transferred: review text, language, one-tap toilet report type, your random device key, optional flag reason, and timestamps; and — only if you sign in — your account email, name, profile image, agreement record, and marketing opt-in (all Supabase); standard server logs such as IP and browser type (Vercel). Your location is not transferred.
- Purpose: database storage and moderation of reviews/flags; hosting and delivery of the app.
- When and how: transmitted over an encrypted connection at the moment you write a review or flag, or load the app.
- Retention: as described in Section 9.
For EU/EEA users: transfers rely on an appropriate GDPR safeguard. Japan holds an EU adequacy decision, which covers the Bballi data that Supabase stores in Tokyo (ap-northeast-1). For any onward transfer outside an adequacy-covered country (for example, Vercel edge logs), we rely on Standard Contractual Clauses or an equivalent safeguard. A copy of the relevant safeguards is available on request at bballiapp@naver.com.
9. How long we keep your data, and how it is destroyed
- Location — not retained. It is used on your device and discarded; it is never stored on a server.
- Reviews and their device key — kept while the review is live. When you delete your own review: if nobody has flagged it, it is destroyed immediately. If it has been flagged, the author device key is erased and the review is kept for 90 days — readable only by our moderators, for dispute handling and community moderation — and then destroyed automatically. Either way it disappears from the app at once. A review our moderators have hidden or taken down is the record behind that decision, so its author cannot delete it from the app; a review a moderator takes down is destroyed 90 days after removal.
- Reason for closing an account (optional free text) — stored on its own, never linked to the account being closed, readable only by our moderators, and used to improve the service. Nothing is stored if you leave it blank.
- Review flags — kept while they are needed for moderation, until removed or the service ends.
- One-tap toilet reports (server copy) — kept while useful for spotting closed or changed toilets, until removed or the service ends.
- Account profile (if you sign in) — email, name, profile image, agreement record, and marketing opt-in, kept until you delete your account in the app or the service ends.
- On-device data (favorites, language, the one-tap report queue, device key, offline review cache) — stays on your phone until you clear the app's storage or uninstall.
- Hosting logs (Vercel) — kept per the provider's standard log practice.
Destruction procedure and method. When a retention period ends or a purpose is achieved, server records (including the pseudonymous device key attached to them) are permanently deleted from the Supabase database so they cannot be restored or re-read. On-device data is destroyed when you clear the app's local storage or uninstall the app; because it lives only in your browser/app storage, uninstalling removes it entirely from your device.
10. Your rights and how to use them
Depending on where you live (Korea's 개인정보보호법 / PIPA, or the EU GDPR), you have rights to access, correct, delete, restrict, and object to how your data is used, plus data portability and the right to withdraw consent. EU users also have an absolute right to object to any advertising profiling.
How you exercise your rights depends on whether you signed in. If you signed in with Google, we can identify you by your account. If you are a guest, there is no account, so we locate server data only by your random device key. The practical routes are:
- Remove a flag you placed — use the in-app flag control to un-flag a review; this deletes your flag from the server.
- Delete a review you wrote — use the delete control on your own review, from the device that wrote it; the server verifies the device key and removes it (see Section 9 for what happens to flagged reviews). Two exceptions: if you have lost the device key — you cleared browser data or changed devices — the control no longer appears; and if our moderators have already hidden or taken down the review, the control is replaced by a note, because that review is the record behind their decision. In either case contact us at bballiapp@naver.com and we will review your request. To correct a review, delete it and post a new one.
- Clear all on-device data (favorites, language, one-tap reports, offline review cache, and your device key) by clearing the app's local storage or uninstalling.
- Access or object — contact us at bballiapp@naver.com (with your device key if you are a guest) so we can locate the records linked to you.
- Delete your account (signed-in users) — you can delete your Google account and its profile from within the app; this removes your account and profile data from our server.
We will respond to rights requests within the period required by the applicable law.
11. Automated moderation (auto-hide)
To fight spam and abuse, a review that is flagged 3 or more times is automatically hidden until a person reviews it. An operator can then keep it hidden or restore it, and once an operator has acted, that decision holds. This only hides content pending human review — it does not make any legal or similarly significant decision about you, so it is not a "solely automated decision" of the kind that GDPR Art. 22 restricts. If your review was hidden and you disagree, contact us at bballiapp@naver.com.
12. Advertising
The web app shows ads (Google AdSense) to keep Bballi free. Ads always appear; your consent decides only whether they are personalized. With your consent, we show interest-based personalized ads that use cookies. Without consent, we show non-personalized ads based on the page content — no personalization cookies, only minimal cookies for frequency capping and fraud prevention. Ads appear only on content screens (such as toilet details and the About page), never on the map, sign-in, or these policy pages.
For users in the EEA/UK, consent for personalization is collected through a Google-certified consent tool (a certified CMP). You can change or withdraw your consent at any time — as easily as you gave it, without affecting anything that happened before — under More → Cookie & ad settings. We will not turn on personalized ad tracking without your opt-in. The native app will use Google AdMob and is not yet available; we will update this section when it launches.
13. Cookies and on-device storage
The web app uses advertising cookies through Google AdSense — for personalized ads only with your consent; when you do not consent, non-personalized ads use only minimal cookies for frequency capping and fraud prevention (see Section 12). We also use Google Analytics, which sets first-party cookies (such as `_ga` and `_ga_*`) to distinguish visitors and sessions for aggregate statistics — never used for ad personalization or cross-site tracking. For visitors in the EEA/UK/Switzerland, these analytics cookies are not set until you consent; other visitors are included by default. We do not yet run a dedicated consent banner on this site — that is on our roadmap — so if you are in one of those regions and want to opt in or out sooner, email us at bballiapp@naver.com. Apart from advertising and analytics, Bballi uses no cross-site tracking cookies. It also saves a few small items in your browser's local storage so the app can work:
- your random device key,
- your favorites,
- your one-tap toilet reports,
- your language choice,
- an offline cache of reviews (and any reviews waiting to be sent when you write offline),
- and, if you sign in, a session token that keeps you signed in (from Supabase Authentication).
The local-storage items above are strictly necessary for the app to function and are not used for advertising or cross-site tracking. You can clear them anytime by clearing your browser/app storage, and you can manage advertising consent under More → Cookie & ad settings.
14. Location under Korea's Location Information Act
Your location is read and used only on your device to find nearby toilets. It is never transmitted to or stored on our server. Because we do not collect or hold your location on a server, Bballi does not operate as a location-based service provider that stores your location, and location-based-service registration is not triggered on this basis. If this ever changes, we will publish a 개인위치정보 처리방침 (location privacy overlay) and update this page first.
15. Sensitive data and children
We do not intentionally collect any sensitive/special-category data. Please do not include such information in reviews.
Bballi is a general travel tool and is not directed at children. We do not knowingly collect data from children. If you believe a child has submitted data, contact us at bballiapp@naver.com and we will remove it.
16. How we protect your data
- Data sent between the app and our services travels over encrypted HTTPS connections.
- Our database uses row-level security rules: anonymous users may only add reviews, add or remove their own flags, and delete a review their own device key wrote — the server checks that key before it removes anything. Editing any review, or deleting one the device key does not own, requires an authenticated operator session.
- We keep server access limited to what the app needs, using a public, read-restricted key rather than an administrative one.
- We minimize what we hold in the first place — the strongest protection is that most data never leaves your phone.
No online service can promise perfect security. This is a small, community-driven app; please avoid posting anything you would not want to be public.
17. Changes to this policy
We may update this policy as the app grows (for example, when ads or Apple sign-in are added). This version's effective date is 13 July 2026, shown at the top of the page. Meaningful changes will be announced in the app or on our site before they take effect. Continuing to use Bballi after an update means you have seen the current version.
18. Contact and how to raise a concern
Privacy questions or requests: bballiapp@naver.com (our 개인정보 보호책임자 / Privacy Officer is 이윤재). Business or partnership matters: bballiapp@naver.com.
EU/EEA users may also complain to their local data protection authority. Users in Korea may seek help from the following bodies:
- 개인정보분쟁조정위원회 (kopico.go.kr, 1833-6972)
- 개인정보침해신고센터 (privacy.kisa.or.kr, 국번없이 118)
- 대검찰청 (spo.go.kr, 국번없이 1301)
- 경찰청 (ecrm.police.go.kr, 국번없이 182)
Governing law: Republic of Korea. Court/venue: as determined by Korea's Civil Procedure Act (민사소송법) — we do not impose an exclusive court, so a consumer may bring a claim in the court for their own address. Your data-protection rights and the right to complain to a supervisory authority apply regardless of the chosen governing law.