v1.1 | May 2026
The Company operates the NADO platform (“Platform”). In accordance with Article 30 of the Personal Information Protection Act (“PIPA”) of the Republic of Korea, the Company establishes and discloses this Privacy Policy to protect the personal information of data subjects and promptly address related grievances.

| Purpose | Details | Legal Basis |
|---|---|---|
| Registration and management | Identity verification, membership maintenance, prevention of fraudulent use | Contract performance (PIPA Art. 15(1)(4)) |
| Service provision | Intermediation between NADOs and Guests, reservation and payment processing, in-app messaging and translation, shared photo album | Contract performance |
| Safety management | Location-based safety monitoring during service use, emergency response | Legitimate interest (PIPA Art. 15(1)(6)) |
| Service improvement | Usage analysis, new feature development, quality improvement | Legitimate interest |
| Grievance handling | Complaint processing, dispute resolution, review and report handling | Legal obligation (PIPA Art. 15(1)(2)) |
| NADO settlement and tax | Activity fee settlement, withholding tax (3.3%) filing with the National Tax Service, bank account management | Legal obligation (Income Tax Act) |
| Contract management | Host activity agreement execution via e-signature (Modusign etc.), signed document storage | Contract performance |
| Application processing | Host application review, interview scheduling, onboarding | Consent / Contract performance |
| Marketing (with consent) | Event and discount notifications, personalized recommendations | Consent (PIPA Art. 15(1)(1)) |

| Category | Items | When |
|---|---|---|
| Registration | Name, email, profile photo | At registration |
| Verification | Mobile phone number (verified via SMS one-time code) | At identity verification |
| Payment | Transaction reference (PayPal order ID and capture ID). Card details and billing address are entered and held by PayPal; the Company does not collect or store them. | At reservation payment |
| Service use | Reservation records, usage history, chat messages | During use |
| Reviews | Ratings, written content | After completion |
| NADO registration | Name, email, phone, profile photo, activity name, bio | At NADO registration |
| Host application | Name, phone, email, Instagram, residence, neighborhood, interests, availability, self-introduction, photos | At application |
| Host contract (settlement) | Bank name, account holder, account number, date of birth | At contract signing |
| Guest registration | Nationality, gender, languages, interests, travel dates, city, preferred language | At registration |
| NADO profile | Areas, interests, languages, age range, real name (encrypted) | At NADO registration |
| Matching preferences (internal) | Matching preference settings — used only for matching algorithm; never displayed to guests | At NADO registration |
| Beta tester application | Name, email, country, travel dates, interests, Instagram, IP address, user agent | At beta application |
| Customer support | Report category and body submitted via in-app safety / help (including any user-supplied screenshots), associated user account, timestamp | When the user submits a report or support request |
| Marketing analytics | Referral source, UTM parameters (source, medium, campaign), referrer URL | Automatically during registration |

The Company automatically collects device information (model, OS version), push notification tokens (Apple Push Notification service / Firebase Cloud Messaging device identifiers, used to route in-app notifications), log data (IP address, access times), and usage data (feature interaction records).
The payment processor (PayPal) provides transaction confirmation data (order ID, capture ID, status). When a NADO chooses to connect their Instagram account, the public handle entered by the NADO is stored for display. If social login providers are integrated in a future release, this section will be updated accordingly and updated consent will be sought from existing users.

| Data | Retention |
|---|---|
| Membership information | Until account deletion (destroyed within 30 days) |
| Dormant account data | Separated storage for up to 3 years after dormancy conversion; permanently deleted after 4 years of total inactivity (PIPA Art. 39-6) |
| Reservation and payment records | 5 years after transaction |
| Consumer complaint records | 3 years |
| Chat messages | 3 years after completion (aligned with civil statute of limitations), or until related dispute is resolved |
| Location data | 90 days after completion |
| Shared album photos | 6 months (or upon deletion request) |
| NADO identity documents | During activity; destroyed within 30 days of termination (except settlement/tax records: 3 years after activity ends per National Tax Service requirements) |
| Host contract and settlement data | 3 years after activity ends (Income Tax Act, National Tax Basic Act) |
| Host application data (text) | If rejected: destroyed within 3 months of decision notification. If accepted: personal information (name, phone, email, etc.) is transferred to the host account and contract management system; the original application is destroyed within 30 days of transfer. If no decision: destroyed no later than 6 months after submission. Destroyed upon request via support@withnado.com. |
| Host application photos | If rejected: destroyed within 30 days of decision notification. If accepted: transferred to host profile; original destroyed within 30 days of transfer. If no decision: destroyed no later than 3 months after submission. Destroyed upon request via support@withnado.com. |
| Beta tester application data | 6 months after beta period ends; destroyed upon request |
| Signed contract PDFs | 3 years after activity ends |
| Log records | 3 months |

The Company shall destroy personal information within 5 business days of the expiration of the applicable retention period or the achievement of the processing purpose.
NADO settlement information (name, resident registration number, bank account, payment amounts) is provided to the National Tax Service for withholding tax (3.3%) filing as required by the Income Tax Act.
The Company may disclose personal information when required to do so by applicable law or in response to lawful requests from competent investigative or regulatory authorities.
The Company entrusts personal information processing to the following categories of processors. Entrustment contracts include provisions for safeguards and compliance monitoring.
Personal information may be transferred internationally for translation (chat messages), cloud storage, and payment processing. The Company ensures appropriate safeguards. For EEA/UK users, Standard Contractual Clauses (SCCs) are applied.

| Recipient | Country | Data Transferred | Purpose | Retention |
|---|---|---|---|---|
| Vercel Inc. | United States | Application data, user content | Cloud hosting, edge computing | Duration of service |
| Neon Inc. | United States | Database records (encrypted) | Database hosting | Duration of service |
| Google Cloud (Gemini) | United States | Chat messages, voice data | Translation, speech-to-text | Deleted within 24 hours |
| LiveKit, Inc. | United States | In-call audio stream, room ID | Real-time voice relay for translation | Not recorded; ephemeral during call |
| PayPal (Europe) | Luxembourg / United States | Payer email, transaction amount and identifiers | Payment processing | Per PayPal retention policy |
| Expo, Inc. | United States | Device push tokens, notification payloads | Push notification delivery | Until token invalidation |
| Apple Inc. (APNs) / Google LLC (FCM) | United States | Notification payloads | OS-level push delivery | Transient delivery only |
| Google LLC (Gmail SMTP) | United States | Recipient email, message body | Transactional email delivery | Transient delivery |
| Google LLC (reCAPTCHA Enterprise) | United States | IP address, browser/device signals | Bot & abuse prevention on auth endpoints | Per Google retention policy |
| Google LLC (Maps Platform) | United States | Query strings, approximate coordinates | Places search and directions | Per Google retention policy |
| PostHog, Inc. | United States | Pseudonymised product interaction events | Product analytics | Up to 7 years (PostHog default) unless deleted earlier on request |
| Solapi Co., Ltd. | South Korea | Recipient phone number, one-time code | SMS verification | Transient delivery |
| Modusign | South Korea | Host contract data | E-signature processing | Duration of contract |

Users have the right to refuse international transfer of their personal information. However, refusal may limit the availability of certain Platform features that require international processing. To exercise this right, contact support@withnado.com.
The Platform uses essential cookies (session, security), analytics cookies (with consent), and marketing cookies (with opt-in consent). Users may manage settings through their browser.
Users may request: access to, correction of, deletion of, suspension of processing of, and portability of their personal information. Such rights may be exercised via email (support@withnado.com), in-app settings, or written request addressed to the Company. The Company shall respond within 10 calendar days of receipt of the request (one month for EEA/UK users under GDPR).
If the Company is unable to respond within the prescribed period due to justifiable reasons, it shall notify the User of the reason for the delay and the expected processing date.
The Company employs automated systems for the following purposes:
(1) Experience recommendations based on a user’s interests, location, and language preferences
(2) Host-guest matching based on host preference settings configured at registration
(3) Detection of anomalous behavior for fraud prevention and safety purposes
With respect to matching, hosts may configure preferences that determine which guests are shown their profile. Accordingly, certain hosts may not appear in the profiles shown to a particular guest based on the host’s stated preferences.
Users have the right to: (a) request an explanation of any automated decision that affects them; (b) request human review of such a decision; and (c) contest the outcome of such a decision. Such requests shall be submitted to support@withnado.com and will receive a response within 10 business days.
The Platform is intended solely for users aged 19 and older. The Company does not knowingly collect personal information from children under the age of 14. In the event that such information is inadvertently collected, the Company shall destroy it without delay upon discovery.
The Company has designated a Chief Privacy Officer responsible for overseeing the processing of personal information and handling related grievances.
Chief Privacy Officer: Jihwan Kim
Title: CEO
Email: support@withnado.com
The following authorities are available for dispute resolution and relief in connection with personal information:
Users located in the EEA or the United Kingdom hold additional rights under the GDPR, including: the right to obtain information regarding the legal basis for processing; the right to restrict processing; the right to data portability; the right not to be subject to solely automated decision-making that produces legal or similarly significant effects; and the right to lodge a complaint with their competent national data protection supervisory authority.
As the Company is not established in the EEA, it will designate a representative within the EEA in accordance with Article 27 of the GDPR prior to commencing the processing of EEA residents’ personal data. Contact details of the designated representative will be published on this page once appointed.
In the event of a personal data breach likely to result in high risk to the rights and freedoms of data subjects, the Company will notify affected users within 72 hours of becoming aware of the breach via email or in-app notification. The notification will include the nature of the breach, likely consequences, and measures taken. The Company will also notify the Personal Information Protection Commission (PIPC) and relevant supervisory authorities as required by law.
Under PIPA, the Company shall also notify affected users and the Personal Information Protection Commission (PIPC) when the breach involves 1,000 or more data subjects, sensitive information, or unique identifiers (such as resident registration numbers), regardless of the assessed risk level.
Material changes to this Privacy Policy shall be announced at least 30 days prior to the effective date via the Platform or by email notification to registered Users.
Effective May 2026.