Fleaz

Fleaz: Privacy Policy

Last Updated: July 10, 2026

Fleaz ("we," "our," or "us"), operated by the founding team of the Fleaz platform, a peer-to-peer classifieds network for international expatriates in the Republic of Korea, processes personal information in compliance with the Personal Information Protection Act ("PIPA") and other applicable laws of South Korea.

This Privacy Policy describes how we collect, use, disclose, retain, transfer, and destroy your personal data when you use fleaz.app (the "Platform").

Article 1: Purpose of Processing Personal Information

We process personal information for the following explicit purposes only. If the processing purpose changes, we will obtain your prior separate consent in accordance with Article 18 of PIPA.

  • Member Registration and Management: Verifying intent to join, identifying users, maintaining membership records, preventing unauthorized or fraudulent use, and sending essential administrative notices.
  • Provision of Platform Services: Operating the peer-to-peer classifieds marketplace, including publishing listings, managing favorites, and facilitating direct user-to-user transactions.
  • Communication and Messaging: Enabling the creation and routing of direct messages, file attachments, and custom transaction lots within the Platform's internal messaging environment.
  • Community Safety and Dispute Resolution: Processing user reports and managing account restrictions to address scams, offensive behavior, and community guideline violations. This includes reviewing the content of a full conversation when it is the subject of a user report, or when a message is automatically flagged by our scam-detection system.
  • Identity Verification: Voluntarily awarding the "Verified Fleazer" trust badge through secure administrative review of government-issued credentials.

Article 2: Age Eligibility and Minors

Fleaz is intended for use by adults only and does not knowingly collect personal information from individuals under the age of majority.

  • Minimum Age: You must be at least 18 years old, or the legal age of majority in your country of residence or nationality if that age is higher than 18, to create an account or use the Platform. By registering, you confirm that you meet this requirement.
  • No Voluntary Collection From Minors: Fleaz does not knowingly collect personal information from individuals under 18 years of age.
  • Discovery of a Minor Account: If we discover, or have reasonable grounds to believe, that an account belongs to a person under 18, we will suspend the account and permanently delete it along with the associated personal information, without prior notice.

Article 3: Categories of Personal Information Collected

1. Authentication Data (Collected Automatically)

  • Via Google or Facebook login: email address, first name, last name, public profile picture URL.
  • Via email and password: email address and a hashed (encrypted) password. Passwords are never stored in plain text.

2. Public Profile Information (Voluntary)

  • Public username, nationality, spoken languages, and a short biographical text (maximum 300 words).
  • Approximate location zone (e.g., "Mapo-gu, Seoul") and listing photos, visible to all Platform users.

3. Private Account Data (Confidential)

  • Phone number, gender, date of birth, and visa type.
  • Privacy Guardrail: These fields are kept strictly confidential. They are never displayed publicly, shared with other users, or transferred to third parties except as required by law.

4. Location and Transaction Data

  • Approximate listing coordinates (latitude and longitude) for proximity display features.
  • Listing details: titles, descriptions, condition status, prices, and photos.
  • Favorites lists, transaction lot histories, and conversation records.
  • Privacy Guardrail: Exact residential addresses and real-time GPS coordinates are never processed or exposed.

5. Identity Verification Material (Voluntary)

  • A single photo showing the user holding their government-issued identity document (Passport or Alien Registration Card) next to their face.
  • Mandatory Masking: All unique identification numbers (passport numbers, alien registration numbers, resident registration numbers) must be fully redacted by the user before upload. Fleaz does not collect or process national identification numbers.

6. Community Interaction Data

  • Records of users you have blocked or reported, and reasons provided.
  • Platform notifications received (e.g., new message alerts, listing status updates, verification outcomes).
  • Anonymous listing deletion reasons (e.g., "sold on Fleaz," "sold elsewhere," "no taker found") retained without personal identifiers for marketplace analytics only.

Article 4: Retention Periods

We retain personal information only for as long as necessary to fulfill the stated purpose, or as required by applicable law.

Data CategoryRetention Period
General account dataUntil account deletion or administrative termination
Listing dataUntil listing deletion or account termination
Messages and conversationsRetained to preserve the other participant's conversation history. If you delete your account, your identifying information is anonymized, but the messages themselves are not erased.
Identity verification files (passport, selfie)Reviewed submissions (approved or rejected): permanently deleted 7 days after review. Submissions left unreviewed: automatically expired and permanently deleted 14 days after upload.
Block and report recordsRetained for up to 3 years for community safety purposes, after which they may be periodically deleted
Notification recordsRetained for up to 12 months, after which they may be periodically deleted
Anonymized analytics (listing deletion reasons)Retained indefinitely without personal identifiers
Email transmission logsCleared per the standard log policy of the email service provider

Upon account deletion, all personal data is permanently removed from our systems within 30 days, except for anonymized records and data retained for legal compliance or community safety.

Article 5: Outsourcing and Cross-Border Transfer of Personal Information

To operate our cloud-native infrastructure, certain data processing tasks are outsourced to external service providers. Because these providers use globally distributed infrastructure, personal information may be transferred outside of South Korea in accordance with Articles 28-8 and 28-9 of PIPA.

RecipientCountryTransfer MethodData TransferredPurpose & Retention
Supabase Inc.United States / GlobalAutomatic TLS encryption during all account actionsAll database records: accounts, listings, messages, storage filesDatabase hosting, user authentication, and encrypted media storage. Retained until account deletion.
Resend Inc.United StatesProgrammatic API call during platform eventsEmail address, first name, notification payloadTransactional email delivery (e.g., login confirmation, verification result). Logs cleared per Resend's standard policy.

Users are informed of these international transfers at registration and consent by accepting this Privacy Policy.

Article 6: Destruction of Personal Information

When personal information becomes unnecessary, upon expiry of the retention period or achievement of the processing purpose, we destroy it without delay.

  • Electronic Database Records: Upon account deletion, all personally identifying fields (name, email, phone, avatar, date of birth, address, visa type) are irreversibly overwritten with anonymized values. The underlying database row is kept only where necessary to preserve the integrity of records shared with other users (e.g., a conversation or report), but it no longer identifies you. Once overwritten, this personal information cannot be recovered through the Platform.
  • Stored Files: Uploaded avatars and listing photos are permanently deleted from all Supabase Storage nodes upon account deletion. Identity verification documents are permanently deleted automatically 7 days after an administrative review is completed (approved or rejected), or 14 days after upload if the submission was never reviewed.

Article 7: Technical and Administrative Security Measures

We implement the following technical, administrative, and organizational measures to protect your personal information:

  • Encryption in Transit and at Rest: All data transmitted between users and the Platform is encrypted using TLS (HTTPS). Sensitive data fields are encrypted at rest within our database clusters.
  • Access Controls: Access to backend systems, database dashboards, and verification file storage is strictly limited to authorized founding members, protected by multi-factor authentication (MFA).
  • Row-Level Security (RLS): All database tables are protected by RLS policies that strictly prevent any user from accessing another user's private data.
  • Password Security: Passwords are never stored in plain text. All passwords are hashed using industry-standard cryptographic methods before storage.
  • Minimum Data Exposure: Private fields (phone number, gender, date of birth, visa type, exact address) are never exposed via any public-facing API endpoint.
  • Automated Scam Detection: Messages are automatically screened using keyword-based pattern matching (e.g., requests to pay outside the Platform, shortened or suspicious links) to flag potentially fraudulent conversations for human review. Flagged messages are reviewed by authorized Fleaz administrators only; this screening does not involve automated profiling or algorithmic decision-making that produces legal effects on users.

Article 8: Rights of Data Subjects

As a data subject under PIPA, you have the following rights, which you may exercise at any time:

  1. Right to Inspect: Request access to your personal information held by Fleaz.
  2. Right to Correct: Request correction of any inaccurate or incomplete personal information.
  3. Right to Delete: Request the deletion of your personal information and account.
  4. Right to Suspend Processing: Request that we stop processing your personal information.
  5. Right to Withdraw Consent: Withdraw consent for optional data processing (e.g., marketing emails) at any time, without penalty.
  6. Right to Data Portability: Request a copy of your personal data in a portable format.

You may exercise these rights directly via your /profile settings panel or by contacting our Chief Privacy Officer by email. We will respond to all requests within 10 business days, in accordance with PIPA.

If you believe your privacy rights have been violated, you have the right to file a complaint with the Personal Information Protection Commission of Korea (PIPC):

  • Website: www.pipc.go.kr
  • Phone: 182 (no area code required)

Article 9: Cookies and Tracking Technologies

9.1 What are cookies?

Cookies are small text files placed in your browser when you visit a website. They allow the site to remember your session and basic preferences.

9.2 Cookies used by Fleaz

Fleaz currently uses only strictly necessary cookies required for the Platform to function:

CookiePurposeConsent Required
Authentication session cookie (Supabase)Keeps you logged in during your sessionNo, technically necessary

We do not use advertising cookies, behavioral tracking cookies, cross-site tracking technologies, or third-party analytics scripts.

9.3 Managing cookies

You may disable or delete cookies at any time via your browser settings. Please note that disabling essential session cookies will prevent you from logging in to the Platform.

9.4 Future changes

If we introduce optional analytics or functional cookies in the future, we will update this section and request your explicit prior consent before setting any new cookies.

Article 10: Chief Privacy Officer (CPO)

We have designated a Chief Privacy Officer responsible for overall personal information management, complaint resolution, and privacy remedy handling:

  • Name and Role: Guillaume, Co-Founder & Infrastructure Lead
  • Contact Email: fleaz.app@gmail.com
  • Response Time: We aim to respond to all privacy inquiries within 10 business days.

Article 11: Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in platform features, service scope, or South Korean regulations.

  • Minor changes (technical corrections, wording clarifications): announced at least 7 days before taking effect, via a notice on the Platform.
  • Material changes (changes that affect your rights or how we use your personal information): announced at least 30 days before taking effect, via Platform notification and direct email where feasible.

The "Last Updated" date at the top of this document reflects the most recent revision. Continued use of the Platform after the effective date of any update constitutes acceptance of the revised Policy.