{{brand.appName}} Privacy Policy

Language Notice. This Privacy Policy is provided in Vietnamese (vi), English (en), and Korean (ko). The Vietnamese version is the legally binding version, and pursuant to Vietnam's Law on Personal Data Protection (Law No. 91/2025/QH15) the privacy notice is provided in Vietnamese. This English version is a reference translation.

YourCampus (Representative: MinSeong Kim) (hereinafter the "Company") regards the personal information of Users as important and processes it in compliance with applicable law, including Vietnam's Law on Personal Data Protection (Law No. 91/2025/QH15) and its implementing decree (Decree No. 356/2025/ND-CP), Decree No. 147/2024/ND-CP (management of internet services), and Decree No. 53/2022/ND-CP (implementing decree of the Law on Cybersecurity).


1. Categories of Personal Information Processed

The Company processes the minimum personal information necessary to provide the Service, as follows.

1.1 Information Provided Directly by the User

Category Items Purpose of Processing
Account (required) Email or social login identifier (Facebook/Apple), nickname, password (for email sign-up) Member identification, authentication, login
Phone Verification (required) Mobile phone number Identity verification, grant of posting eligibility (Decree 147), prevention of duplicate sign-ups
School Verification (required) Member university, school webmail address or student ID card image, year of admission (student number) Confirmation of enrollment status, grant of community access rights
Profile (optional) Profile-related settings, language settings Service personalization

1.2 Information Generated or Collected in the Course of Using the Service

Category Items Purpose of Processing
User-Generated Content Posts, comments, images, hashtags, likes, scraps; timetable and course data; report and block records Provision of Service functions
Access Records (statutory retention) IP address, access date and time, device fingerprint — limited to sign-up, login, posting, commenting, and verification events Statutory retention obligation (Decree 53), prevention of fraudulent use
Device and Technical Information Device identifier, OS/app version, push token Sending notifications, compatibility, error diagnosis
Analytics Information Service usage statistics, error logs Service improvement, stability

1.3 Special Rules on Sensitive Information and Children

2. Purposes of and Legal Bases for Processing Personal Information

The Company processes personal information for the following purposes and on the following legal bases. Personal information is processed only within the scope of the stated purposes.

Purpose of Processing Principal Items Processed Legal Basis
Member sign-up, identity verification, provision of Service Account, phone number, school verification information User consent, performance of the use agreement
Identity verification to grant posting eligibility Phone number (hash), identity information Legal obligation (Decree 147/2024)
Statutory retention of access records IP, access records, device fingerprint Legal obligation (Decree 53/2022)
Community operation, safety, prevention of fraudulent use UGC, report, block, and sanction records User consent, legitimate operational necessity, legal obligation
Sending notifications (reactions to my posts, etc.) Push token, notification settings User consent
Service improvement, error handling Analytics and error logs, device information User consent, legitimate operational necessity
Response to legal disputes and fulfillment of authority requests Related records Legal obligation, exercise and defense of legal claims

3. Retention and Destruction of Personal Information

  1. Once the purpose of processing personal information has been achieved, the Company destroys the relevant personal information without delay. However, where retention is required by law, the Company retains it for the following periods.

    Data Retention Period Basis
    Account and profile information Until membership withdrawal (destroyed after a 15-day grace period upon withdrawal) Use agreement
    Student ID review image Destroyed within 90 days after review is completed Principle of minimal collection and storage
    Access records (sign-up, login, posting, commenting, verification events + IP) Automatically destroyed after 24 months Decree 53/2022
    Identity information (original phone number, etc.) Destroyed upon withdrawal (the linkage to the above access records is severed through de-identification) Decree 147/2024
  2. Processing upon Withdrawal: When a User requests withdrawal, the Company de-identifies the profile without delay and, after a 15-day grace period, destroys the personal information (including identity information). However, access records subject to the statutory 24-month retention obligation are kept in a de-identified state in which the User cannot be identified, and then automatically destroyed.

  3. Method of Destruction: Electronic files are deleted by a method that renders recovery or reproduction impossible, and printed materials and the like are shredded or incinerated.

4. Measures to Ensure the Security of Personal Information (Separate Storage of Identity Information)

The Company takes the following measures to ensure the security of personal information. In particular, to protect the trust of the anonymous community, the Company strongly isolates identity information.

  1. Three-Tier Physical Separation of Storage
    • ① Service Database: stores functional data but does not store the originals of identity information such as phone numbers. Phone numbers are stored only as irreversible hash (HMAC) values.
    • ② Identity Store (separate instance, separate access rights): stores identity information such as original phone numbers, encrypted at the field level (KMS envelope encryption), in a separate store. It cannot be queried through general code paths; access is limited to cases where a reason is specified and there is a basis for approval, such as a lawful government request or account recovery, and all access is audit-logged.
    • ③ Statutory Retention Log (append-only, immutable): retains access records on an append-only basis for 24 months and then automatically destroys them.
  2. Encryption: identity information is encrypted at rest, and data in transit is encrypted with TLS.
  3. Access Control: access rights to systems that process personal information are granted and managed at a minimum level, and access records are retained.
  4. Record of Operator Actions: all actions by operators (blinding, deletion, sanctions on content, etc.) are audit-logged together with the actor, time, reason, and a snapshot of the original.

5. Provision of Personal Information to Third Parties

  1. As a general rule, the Company does not provide Users' personal information to third parties.
  2. However, the following are exceptions:
    • where the User has given prior consent;
    • where there is a special provision of law, or where a competent authority (such as the Ministry of Public Security) makes a lawful request in accordance with the procedures and methods prescribed by law (under Decree 147/2024, a response within 24 hours of receipt of the request may be required).
  3. Even where information is provided to a competent authority, the Company records the items provided, the basis, and the date and time.

6. Entrustment of Personal Information Processing (Processors)

To provide the Service smoothly, the Company may entrust part of its personal information processing tasks to external specialist providers. When entrusting, the Company governs by contract to ensure that personal information is managed securely. The principal entrusted tasks are as follows.

Entrusted Task Processor (Example) Items Processed
Cloud infrastructure and data storage Amazon Web Services, Inc. (AWS) Service data generally
Sending SMS verification codes AWS End User Messaging (SMS) Phone number
Sending email Amazon SES Email address
Sending push notifications Expo (Expo Push Notifications) Push token
Error and performance monitoring Amazon CloudWatch Error logs, device information

The actual list of processors will be finalized and disclosed at the time the Service launches, and any change will be notified via this Policy.

7. Cross-Border Transfer of Personal Information

  1. The Service's initial infrastructure may be located in Singapore (ap-southeast-1) (e.g., Singapore), so Users' personal information may be transferred and processed outside of Vietnam.
  2. In the case of a cross-border transfer, the Company complies with the requirements set by the Law on Personal Data Protection and Decree No. 53/2022/ND-CP (cross-border transfer impact assessment and, where necessary, domestic storage or transfer procedures, etc.).
  3. As the Service grows and as required by law, the Company may relocate the data storage location within Vietnam, and any related change will be notified via this Policy.

8. Rights of Users (Data Subjects)

Users have the following rights with respect to their own personal information under the Law on Personal Data Protection. The Company fulfills requests within the processing deadlines below.

Right Description Processing Deadline
Access / Request for information Request to access or obtain a copy of the personal information being processed 10 days (15 days if third-party cooperation is required)
Request for correction Correction of inaccurate personal information 10 days (15 days if third-party cooperation is required)
Withdrawal of consent / restriction of / objection to processing Withdrawal of consent-based processing, restriction of or objection to specific processing 15 days (20 days if third-party cooperation is required)
Request for deletion Request for deletion of personal information 20 days (30 days if third-party cooperation is required)
  1. Users may exercise the above rights through the settings menu within the Service or through the contact information below.
  2. The effect of withdrawing consent applies only to processing after the withdrawal and does not affect processing already carried out before the withdrawal.
  3. Where the exercise of a right conflicts with a statutory retention obligation (e.g., the 24-month access records), the Company may notify the User of the reason and defer deletion to the extent of the retention obligation.
  4. Users have the right to lodge an objection with the competent supervisory authority regarding the Company's processing.

9. Automatic Data Collection Devices and Cookies

  1. The mobile app may collect device identifiers, app usage logs, and the like for the provision and analysis of the Service.
  2. Users may control certain collection, such as resetting the advertising identifier, through device settings.
  3. The Company does not, by default, use third-party advertising tracking for the purpose of tracking Users, and will obtain separate consent if any such tracking is introduced.

10. Notification in the Event of a Personal Information Breach or Similar Incident

Pursuant to the Law on Personal Data Protection, where a personal information breach incident occurs and the Company becomes aware of it, the Company shall report it to the competent supervisory authority within 72 hours of becoming aware, and shall also notify affected Users where required by law.

11. Data Protection Officer and Contact

Inquiries regarding the processing of personal information, requests to exercise rights, and complaint handling may be directed to the following.

12. Changes to This Policy

This Policy may be amended in response to changes in law or the Service. Upon amendment, the effective date and the content of the changes will be notified via an in-app notice or notification, and in the case of a material change, re-consent may be requested. Previous versions are retained so that they can be reviewed upon request.


This document is a draft and will be finalized after review by local counsel (Vietnamese personal data protection law and cybersecurity law) before the official launch of the Service.