Privacy Policy

Last updated:

Privacy Policy

Effective Date: 26 March 2026 Last Updated: 26 March 2026

Ridio Company (a UK corporation, hereinafter the “Company”) establishes and discloses this Privacy Policy as follows, in accordance with Article 30 of the Personal Information Protection Act, to protect the personal information of data subjects and to handle related grievances promptly and smoothly.

Marejo (hereinafter the “App”) is a voice-based personal assistant mobile app that offers journalling, calendar, reminders, to-do management, and AI chat through a single conversational interface.

Article 1 (Purpose of Processing Personal Information)

The Company processes personal information for the following purposes. The personal information processed will not be used for any purpose other than those listed below, and if the purpose of use changes, the Company will take necessary measures, such as obtaining separate consent, in accordance with Article 18 of the Personal Information Protection Act.

  1. Member registration and management: confirming intent to register, identifying and authenticating users for member services, maintaining and managing membership status, and preventing fraudulent use of services

  2. Service provision: providing voice journalling, calendar management, reminder setup, to-do management, and AI conversation services

  3. Speech recognition: converting user voice into text for journal and schedule entries

  4. AI conversation processing: generating AI responses to user messages, refining journal entries, emotion analysis, and support for schedule management

  5. Text-to-speech (TTS): converting and playing AI responses as speech based on user settings

  6. Push notification delivery: delivering notifications requested by users, such as reminders, calendar alerts, and to-do alerts

  7. Service improvement: improving service quality through usage statistics analysis (only with user consent)

  8. Error monitoring: detecting app errors and improving stability

  9. Usage management: managing credit-based usage for AI chat and text-to-speech features

  10. Email delivery: sending emails required for service operation, such as verification codes, account deletion confirmations, and email change confirmations

  11. Grievance handling: verifying complainant identity, confirming complaint details, contacting/notifying for fact-finding, and notifying processing results

Article 2 (Items of Personal Information Processed)

The Company processes the following items of personal information.

Required items

Account information items: name, email address, email verification status, profile image

Authentication information items: OAuth token (for Google login), session token, hashed password (for email/password authentication)

Automatically collected information items: IP address, user agent (device/browser information), access date and time

Journal information items: original voice transcription text, AI-refined content, emotion classification

Calendar information items: event title, description, start/end time, all-day status, reminder settings

Reminder information items: reminder message, scheduled time, delivery status

To-do information items: title, description, completion status, due date, priority

Notification information items: Expo push notification token

User preferences items: AI assistant name, user salutation, chat background colour, time zone, language, notification settings, do-not-disturb times, custom emotion labels

Conversation content items: chat messages with the AI assistant, AI responses, tool call history

Conversation usage metadata items: AI model used, token count (input/output/reasoning/cache), provider information

Credit balance items: per-user credit balance for managing AI feature usage

Daily journal summary items: AI-generated daily journal summary, overall emotion assessment, number of entries

AI-generated image items: image generation text prompt, generated image file

Account management information items: account suspension status, reason for suspension, suspension expiry date (in case of service terms violation)

Optional items

Photo attachment items: photos attached to journals, captions

TTS voice settings items: voice ID, voice name, TTS model, speed, stability, similarity, speaker boost, autoplay setting

Analytics data items: user ID, email, name, app usage events, screen views, button taps, UI interactions (collected only with user consent, including PostHog autocapture)

Error information items: device type, OS version, app version, crash logs, stack traces

Notice on voice data

Marejo provides a voice input feature, but does not store voice recording files themselves on Company servers. Voice is sent directly to the OpenAI Whisper API for text conversion, and only the converted text is stored. Voice recordings are not stored on Company servers even temporarily. Voice recordings are not used as biometric information and are not used for voice identification or voiceprint creation.

Article 3 (Processing and Retention Period of Personal Information)

The Company processes and retains personal information within the retention/use period prescribed by law or within the retention/use period consented to by the data subject at the time of collection.

Account information — until membership withdrawal Journal entries (text, photos) — until deletion of the relevant entry or membership withdrawal Calendar events — until deletion of the relevant event or membership withdrawal Reminders — until deletion of the relevant reminder or membership withdrawal To-do items — until deletion of the relevant item or membership withdrawal User preferences — until membership withdrawal Session information — until session expiry or logout Conversation history and usage metadata — until membership withdrawal Credit balance — until membership withdrawal Daily journal summaries — until membership withdrawal Push notification token — until notifications are disabled or membership withdrawal Analytics data (PostHog) — in accordance with PostHog retention policy (typically 1 year) Error logs (PostHog) — in accordance with PostHog retention policy (typically 1 year)

However, where preservation is required by applicable law, the Company retains member information for the period stipulated by such laws:

  • Records regarding contracts or withdrawal of offers: 5 years (Act on Consumer Protection in Electronic Commerce, etc.)

  • Records regarding payment and supply of goods/services: 5 years (same Act)

  • Records regarding consumer complaints or dispute resolution: 3 years (same Act)

  • Login records under the Protection of Communications Secrets Act: 3 months

Article 4 (Provision of Personal Information to Third Parties)

The Company processes data subjects’ personal information only within the scope specified in Article 1, and provides personal information to third parties only in the following cases.

AI and voice processing services

Vercel (AI Gateway) Purpose of provision: AI API request routing and load balancing Items provided: all AI API request content Retention and use period: in accordance with Vercel policy after processing is complete

Google (Gemini 3 Flash) Purpose of provision: generating AI conversation responses, refining journals, emotion analysis Items provided: chat messages, conversation history, journal content, calendar data, user preferences (AI name, salutation) Retention and use period: in accordance with Google API policy after processing is complete

Google (Gemini 3 Pro Image) Purpose of provision: AI image generation (limited to 5 times per day) Items provided: image generation text prompt Retention and use period: in accordance with Google API policy after processing is complete

OpenAI (Whisper API) Purpose of provision: speech-to-text conversion Items provided: voice recording data Retention and use period: immediately after processing, retained for a limited period and then deleted in accordance with OpenAI API policy

ElevenLabs Purpose of provision: text-to-speech conversion Items provided: text content Retention and use period: in accordance with ElevenLabs policy after processing is complete

Tavily Purpose of provision: web search (when AI searches on behalf of the user) Items provided: search query Retention and use period: immediately after processing is complete

Authentication service

Google Purpose of provision: Google login authentication Items provided: OAuth authentication information Retention and use period: in accordance with Google policy

Email delivery service

Resend (email service provider) Purpose of provision: sending operational emails such as verification codes and account notifications Items provided: email address, email content Retention and use period: in accordance with Resend retention policy

Analytics and monitoring

PostHog Purpose of provision: service usage analytics (only with user consent), app error monitoring and stability improvement Items provided: user ID, email, name, app usage events, device information, OS version, crash logs, stack traces Retention and use period: in accordance with PostHog retention policy

Article 5 (Entrustment of Personal Information Processing)

To ensure smooth processing of personal information-related tasks, the Company entrusts personal information processing tasks as follows.

S3-compatible storage provider — storage of photo and file attachments Expo (Expo Application Services) — push notification delivery Resend (email service provider) — sending operational emails (verification, notifications, etc.) Database hosting provider — data storage and management

When entering into entrustment agreements, the Company specifies in contractual documents matters such as prohibition of processing personal information beyond the entrusted purpose, technical and administrative safeguards, restrictions on re-entrustment, management and supervision of entrusted parties, and liability including damages, in accordance with Article 26 of the Personal Information Protection Act, and supervises whether entrusted parties handle personal information safely.

Article 6 (Cross-border Transfer of Personal Information)

The Company transfers personal information overseas as follows to provide services.

Vercel (AI Gateway) — United States — AI API request content — AI API routing — API transfer (as needed when using services) — in accordance with Vercel policy after processing Google (Gemini 3 Flash) — United States — chat messages, conversation history, journal content — AI conversation processing — API transfer (as needed when using services) — in accordance with Google policy after processing Google (Gemini 3 Pro Image) — United States — image generation text prompts — AI image generation — API transfer (when requesting image generation) — in accordance with Google policy after processing OpenAI (Whisper API) — United States — voice recording data — speech-to-text conversion — API transfer (during voice input) — retained for a limited period after processing ElevenLabs — United States — text content — text-to-speech conversion — API transfer (when requesting TTS) — deleted after processing Resend — United States — email address, email content — sending operational emails — API transfer (when sending email) — in accordance with Resend retention policy PostHog — United States/EU — analytics data, error logs, device information — service usage analysis and error monitoring — automatic SDK transfer (upon consent/when errors occur) — typically 1 year Tavily — United States — search query — web search — API transfer (during AI search) — immediately after processing

The Company implements appropriate safeguards for overseas transfer of personal information in accordance with Article 28-8 of the Personal Information Protection Act.

The Company is an overseas corporation registered in the United Kingdom.

Article 7 (Destruction of Personal Information)

The Company destroys personal information without delay when it is no longer needed, such as upon expiry of the retention period or achievement of the processing purpose.

Destruction procedure: when a user requests account deletion, all related data stored in the database (account information, journals, daily journal summaries, calendar events, reminders, to-dos, conversation history, conversation usage metadata, credit balance, preferences, sessions, etc.) is deleted via cascade deletion.

When deleting an individual journal entry: if a journal entry is deleted individually, the text content is deleted immediately. However, photos attached to that journal may remain as separate independent files and will be deleted separately by the user or together upon account deletion.

Destruction methods:

  • Electronic files: deleted using technical methods that prevent record recovery

  • Photos and AI-generated images stored in S3: permanently deleted within up to 30 days after account deletion

  • Paper documents: not applicable (the Company does not store personal information in paper form)

Article 8 (Rights, Obligations, and Exercise Methods of Data Subjects)

Data subjects may exercise the following personal information protection rights against the Company at any time.

  1. Right to request access: you may request access to your personal information held by the Company.

  2. Right to request correction in case of errors, etc.: if personal information contains errors, you may request correction. You may edit it directly in app settings or request correction by email.

  3. Right to request deletion: you may request deletion of personal information. You may delete individual journals, events, reminders, and to-dos in the app, or delete your entire account.

  4. Right to request suspension of processing: you may request suspension of personal information processing.

  5. Withdrawal of consent: you may withdraw consent at any time for optional processing, including analytics data collection.

How to exercise rights: the above rights may be exercised in the following ways:

  • Email: hello@ridiocompany.com

  • In-app settings: account deletion, preference changes, notification management

The Company will take action within 10 days from the date it receives a request to exercise rights and will notify you of the outcome.

If a data subject requests correction or deletion due to errors in personal information, the Company will not use or provide that personal information until the correction or deletion is complete.

Article 9 (Measures to Ensure the Security of Personal Information)

The Company has implemented the following measures to ensure the security of personal information.

  1. Encryption in transit: HTTPS/TLS encryption is applied to all data transmissions between user devices and servers.

  2. Authentication security: supports OAuth 2.0-based Google login and secure password hashing-based email/password authentication.

  3. Access control: all database queries are restricted by user ID, so users can access only their own data.

  4. Input validation: Zod schema-based input validation prevents SQL injection and invalid data input.

  5. Rate limiting: rate limiting is applied to AI and voice transcription API endpoints to prevent abuse.

  6. Error monitoring: security-related errors are promptly detected and addressed via PostHog.

  7. Measures against hacking, etc.: passwords and authentication tokens are encrypted and stored using secure hashing algorithms.

  8. Administrator access control: administrators may access user accounts only for customer support and security purposes; administrator access is logged and limited to authorised personnel. Administrators may, in limited situations, access user sessions (session proxy access) for customer support and security investigations.

Article 10 (Installation/Operation of Automatic Personal Information Collection Devices and Refusal Thereof)

Mobile app

The Marejo mobile app does not use cookies. However, to provide app functionality, session tokens, user preferences, and cache data may be stored in the device’s secure local storage. This data is stored only on the user’s device and is not shared with third parties.

Analytics tool (PostHog)

The Company uses the PostHog analytics tool to improve services. PostHog is disabled by default (opt-out) and is activated only when the user gives explicit consent, including through iOS App Tracking Transparency prompts.

How to opt out of analytics collection:

  • iOS: Settings > Privacy & Security > Tracking, then disable tracking permission for the Marejo app

  • In-app: select “Ask App Not to Track” in the tracking permission pop-up when first launching the app

Website

When accessing legal pages such as the Privacy Policy, cookies may be used on the website for session management. Users may manage or refuse cookies in their web browser settings. For details, please refer to the cookie policy (marejo.app/legal/cookie-policy).

Article 11 (Chief Privacy Officer)

The Company designates a Chief Privacy Officer as follows, who is responsible for overall personal information processing and for handling complaints and remedying damages related to personal information processing.

Chief Privacy Officer

Name: Sang Jin Lee (이상진) Position: Chief Executive Officer (CEO) Email: hello@ridiocompany.com Phone: +44 020 4524 7944 Address: 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ

Data subjects may contact the Chief Privacy Officer regarding all privacy-related enquiries, complaint handling, and damage remedies arising while using the Company’s services. The Company will respond and process such enquiries without delay.

Article 12 (Changes to this Privacy Policy)

This Privacy Policy applies from its effective date. If there are additions, deletions, or corrections due to laws or policy changes, the Company will provide notice through in-app notifications (push notifications or in-app notices) from 7 days before the changes take effect.

In the case of material changes (such as changes to collected personal information items, third-party recipients, or purposes of use), notice will be provided 30 days in advance, and separate consent may be obtained in accordance with applicable laws.

Article 13 (Remedies for Infringement of Rights and Interests)

Data subjects may contact the following institutions for damage relief and consultation regarding personal information infringement.

Personal Information Infringement Report Centre (Korea Internet & Security Agency) — (without area code) 118 — privacy.kisa.or.kr Personal Information Dispute Mediation Committee — (without area code) 1833-6972 — kopico.go.kr Supreme Prosecutors’ Office Cyber Investigation Division — (without area code) 1301 — spo.go.kr National Police Agency Cyber Bureau — (without area code) 182 — ecrm.police.go.kr

Article 14 (Protection of Children’s Personal Information)

Marejo is not intended for children under the age of 14. The Company does not intentionally collect personal information from children under 14. If we become aware that personal information of a child under 14 has been collected, we will delete that information immediately.

Under the Personal Information Protection Act, processing personal information of children under 14 requires consent from a legal representative.

Article 15 (Installation and Operation of Image Information Processing Devices)

The Company does not install or operate image information processing devices (such as CCTV).

Article 16 (Guidance on AI Services and Automated Decision-Making)

(Related to Article 37-2 of the Personal Information Protection Act)

Marejo provides services using artificial intelligence (AI) technology. When using AI services, please note the following:

Existence and details of automated decision-making

Marejo’s AI analyses users’ conversation content and performs the following automated processing:

  • Automatic journal saving: detects when users share experiences, then automatically creates journal entries and classifies emotions.

  • Automatic schedule creation: detects future plans mentioned by users and automatically creates calendar events.

  • Automatic reminder setup: detects user reminder requests and automatically schedules alerts.

  • Automatic to-do creation: detects tasks mentioned by users and automatically creates to-do items.

  • Journal refinement: automatically corrects original voice transcriptions to produce an easier-to-read version.

  • Daily summary generation: automatically summarises the day’s journal content.

Logic of automated decision-making

The above automated processing is performed by the Google Gemini AI model (routed via Vercel AI Gateway). Based on users’ message content, conversation context, and calendar and journal data, the AI determines user intent and calls appropriate tools.

Rights to refuse and object

Data subjects may exercise the following rights regarding automated decision-making:

  1. Right to refuse: users may directly edit or delete all tasks automatically performed by AI (journals, events, reminders, to-dos) within the app.

  2. Right to request an explanation: users may request an explanation for AI’s automated judgement. Please contact hello@ridiocompany.com.

  3. Right to object: if you object to automated decision-making, you may submit an objection to hello@ridiocompany.com, and the Company will notify you of the result within 10 days.

General guidance on AI services

  1. Limitations of AI responses: AI-generated responses (conversation replies, journal refinement, emotion analysis, etc.) may not always be accurate. Please do not rely solely on AI responses for important decisions.

  2. Data processing: for AI conversation processing, user messages and related data are transmitted to the Google Gemini API via Vercel AI Gateway. For details on Google’s AI data processing, please refer to ai.google/responsibility/privacy/.

  3. Voice data: for voice transcription, voice recordings are sent to the OpenAI Whisper API. Under OpenAI’s API data usage policy, data transmitted via the API is not used for model training and is retained only for a limited period for abuse monitoring purposes.

Supplementary Provision

This Privacy Policy takes effect on 26 March 2026.