Operator: NodajiFi Labs Applies to: NodajiFi Ecosystem — nodajifilabs.com Effective date: July 1, 2026 · Last updated: July 1, 2026
Introduction
NodajiFi Labs ("we," "us," or the "Company") respects the privacy of users worldwide. We honor the standards of the GDPR (EU General Data Protection Regulation) and CCPA (California Consumer Privacy Act), as well as the data-protection laws applicable in the user's country of residence.
Core principle — you own your data. We are a custodian of your data, not its owner.
- We do not record personal data on any blockchain (only hashes, signatures, and issuer IDs).
- The learning-reward points ("GEM") have no cash value, so we do not collect financial or payment-related sensitive data.
- We do not collect sensitive identifiers such as your real name or government-issued ID number.
1. Information We Collect
We collect only the minimum information needed to provide the service.
1.1 Common data
| Category | Items | Purpose |
|---|---|---|
| Account / authentication | Email address, phone number, passwordless login credentials (magic link / OTP) | Identification, authentication, account recovery, security |
| Profile (optional) | Nickname, avatar (no real name required) | Personalization, display |
| Age verification | "Aged 16 or older" result derived from date of birth at sign-up | Eligibility, child protection |
| Activity data | Service-usage records, GEM earn/spend history (no cash-convertible value) | Service delivery, reward calculation |
| Device / access | Device identifier, OS / app version, IP address, access logs, push token | Operation, security, notifications |
| Abuse prevention | Behavioral signals for bot / abuse / age-doubt detection (server-side only) | Reward integrity, child protection |
Age-data minimization (important): at sign-up we take a date of birth, determine only whether the user is 16 or older, store only that result (e.g., "16+ = true") and discard the raw date of birth. The email and phone number used for login are for contact and authentication, not age proof.
1.2 App-specific data
Items that differ by app (location, camera / AR, payments, etc.) are listed in the "Service-specific Terms."
2. How We Use Information
- Account management: identification, authentication, sign-up confirmation, account recovery, abuse prevention
- Service delivery: each app's core features, GEM earn/spend
- Service improvement: quality improvement via usage analysis (statistics are pseudonymized / anonymized first)
- Notices: updates and feature announcements (capped at 1–2 per day; users control frequency, timing, and type)
- Legal compliance and dispute handling
3. Retention
We delete personal data without delay once the purpose of collection is fulfilled. Where applicable law requires retention, we keep the data for the required period (e.g., transaction / payment records, dispute records, access logs).
When a user requests account deletion, deletion is actually possible by design. Because we do not store personal data on-chain, the GDPR right to erasure works fully. However, unused GEM is forfeited upon withdrawal; since GEM is not redeemable for cash, no separate settlement occurs.
4. Sharing with Third Parties
We do not share personal data with third parties beyond what this policy states, except:
- with the user's prior explicit consent, or
- when a competent authority requests it through lawful process under applicable law.
Data sharing between ecosystem brands does not operate without the user's explicit opt-in.
5. Processing Entrusted to Sub-processors
| Sub-processor | Entrusted work |
|---|---|
| Google Firebase (Google LLC) | Authentication, database, push notifications, analytics |
| Pinata / Arweave | Distributed storage of certificate metadata (no personal data) |
| Email / SMS delivery provider | Sending passwordless login (magic link / OTP) |
Some sub-processors' servers may be located outside the user's country; cross-border transfers are separately disclosed. App-specific sub-processors (e.g., payment, maps) are listed in the "Service-specific Terms."
6. Protection of Children (Ages 16+ only)
To protect children, we provide the service only to users aged 16 or older. Sixteen exceeds the major global digital-consent ages (US COPPA 13, EU GDPR 13–16 by member state).
How we protect — age-verification process
- Direct date-of-birth entry (neutral age gate): we do not ask a simple yes/no "are you 16+?"; we take a date of birth so the gate cannot be easily bypassed by changing the answer on the same device.
- Immediate block: if the result is under 16, sign-up does not proceed.
- Store only the result: we keep the 16+ flag and discard the raw date of birth.
- Ongoing monitoring: if post-signup signals suggest a user is under 16, we delete the account and collected data without delay.
We do not knowingly collect personal data from children under 16, and we delete such data as soon as we become aware of it. We provide age-appropriate content, ads, and UI to all users, and v1 is designed so that "there is no money flow at all," removing financial risk.
7. Your Rights
Regardless of location, users may exercise the following rights (including under GDPR/CCPA):
- Access: request a copy of activity records and account data
- Rectification: correct email, nickname, etc.
- Deletion: request permanent account deletion (unused GEM is forfeited)
- Portability: download your data
- Restriction of processing and withdrawal of consent
Exercise rights via in-app "NodajiFi Labs > Privacy" or the dedicated privacy email support@nodajifilabs.com; we respond without undue delay within the period set by applicable law.
8. Security Measures
- Technical: TLS encryption in transit, encrypted storage of sensitive data, access controls, abuse-prevention systems (server-authoritative checks)
- Administrative: minimized data handlers, periodic review, external compliance review
- Structural: no on-chain personal data by design, separated accounting of company funds and user funds
We do not sell users' personal data to third parties for marketing.
9. External Links and Third-party Services
The service may contain links to third-party sites/apps. We are not responsible for their privacy practices; each is governed by its own policy.
10. Contact and Data Protection Officer
| Item | Detail |
|---|---|
| Operator | NodajiFi Labs |
| Data Protection Officer | Myongsu Choe (CEO) |
| Primary channel | In-app "NodajiFi Labs > Contact us" (login-based, no impersonation risk) |
| General inquiries | together@nodajifilabs.com |
| Privacy-rights requests | support@nodajifilabs.com |
Preventing secondary harm We never ask users to buy other tokens, make external payments, or pay "recovery fees." Do not respond to outside contacts impersonating us or claiming to be our "agent"; use only the official channels above (in-app and the official emails). Unofficial messengers or personal contacts are not official channels.
You also have the right to lodge a complaint with the data-protection authority in your country.
11. Changes to This Policy
If this policy changes, we give notice in-app at least 7 days before the effective date (at least 30 days for material changes adverse to users). All notices are made only through our official in-app channels.
PART 1 (v1) note: this Privacy Policy takes effect on July 1, 2026.
A. Information collected from visitors
The website can be viewed without logging in; visiting it involves:
| Category | Items | Purpose | Note |
|---|---|---|---|
| Access info | IP address, browser/device info, timestamp, referrer URL | Security, traffic analysis, error handling | Automatic |
| Cookies / local storage | Essential cookies (session, language), analytics cookies (optional, consent-based) | Site function, usage statistics | See C |
| Inquiries | Contact-form input (email, etc.) | Responding to inquiries | When submitted |
B. Crawler / AI-agent access (access plane)
The website guides search-engine and AI crawlers via robots.txt and llms.txt. The access plane (content viewing) is permissive to crawlers, while the reward plane (GEM, etc.) applies only to authenticated app users — the two are separated. Viewing the website alone yields no reward.
C. Cookie policy (global consent standard)
- Essential cookies: basic site function (session, language). Used without consent.
- Analytics / performance cookies: for usage statistics. In regions requiring prior consent (EU/EEA, UK, etc.), set only after consent (cookie banner provided).
- Users can change/withdraw consent via browser settings or the site cookie banner.
D. Legal-document hosting notice
This site hosts the source privacy policies and terms for each NodajiFi ecosystem service. Because mobile apps load and display these documents, what you see in the app and on the web is the same source.