Privacy Policy

Effective Date: March 22, 2026 · Last Updated: May 1, 2026

This Privacy Policy explains how Rexplore Inc. ("Rexplore," "we," "us," or "our") collects, uses, discloses, stores, and otherwise processes personal data in connection with the Rexplore family of services, including Rextaurant, Rextrip, and Rexhotel (collectively, the "Platform"). This Policy is intended to serve as our public privacy notice and, where required, our notice at collection.

1. Controller, Scope, and Contact

1.1 Rexplore Inc. ("Rexplore"), a corporation registered in the Republic of Korea with its registered office in Seoul, is the controller for personal data processed through the Platform unless a separate notice states otherwise.

1.2 This Policy applies to our websites, applications, support interactions, waitlists, account creation, review and content features, analytics, and operational activities related to the Platform.

1.3 This Policy does not apply to third-party services, including Google sign-in, app stores, map providers, booking partners, payment providers, and other websites or services linked from the Platform. Those third parties have their own privacy practices.

1.4 For privacy questions, contact privacy@rexplore.xyz. For data protection matters, contact our Data Protection Officer at dpo@rexplore.xyz.

1.5 Lead Supervisory Authority and Statutory Channels

For complaints about how we handle personal data, you may contact the following authorities:

• Republic of Korea (PIPA / Network Act): Personal Information Protection Commission (PIPC) — https://www.pipc.go.kr/ · 局番なし 182. Personal Information Dispute Mediation Committee — https://www.kopico.go.kr/ · 1833-6972.
• Japan (APPI): Personal Information Protection Commission — https://www.ppc.go.jp/ · +81-3-6457-9849.
• European Economic Area / United Kingdom (GDPR / UK GDPR): you may complain to your local supervisory authority. As Rexplore has no EU establishment, there is no single lead supervisory authority under Art 56 GDPR; complaints may be addressed to your member-state DPA. The European Data Protection Board lists national DPAs at edpb.europa.eu/about-edpb/about-edpb/members_en.
• United States (state laws): California — Office of the Attorney General (oag.ca.gov). Other states administer their privacy laws through their respective Attorneys General.

1.6 Lawful Bases for Processing (GDPR Art 6 / UK GDPR)

For users located in the EEA or UK, we process personal data on the following lawful bases:

• Contract (Art 6(1)(b)): creating and operating your account, providing the Platform's core features (search, reviews, messaging, owner tools), and supporting the services you request.
• Legitimate interests (Art 6(1)(f)): security, fraud and abuse prevention, moderation enforcement, defending against legal claims, service improvement, aggregated analytics. We balance our interests against your rights and offer an objection mechanism via privacy@rexplore.xyz.
• Consent (Art 6(1)(a)): non-essential cookies and analytics on the website, optional location-based features, marketing communications. Consent can be withdrawn at any time.
• Legal obligation (Art 6(1)(c)): tax, accounting, transaction-record retention, lawful requests from competent authorities, mandatory takedowns under Korean Network Act §44-2 or Japanese Provider Liability Limitation Act.
• Vital interests (Art 6(1)(d)): rare cases involving urgent risk to life or physical safety.

2. Personal Data We Collect

2.1 Information You Provide to Us

• Account and sign-in data: name, email address, profile image, sign-in provider details, account identifier, date of birth, nationality, and other information you choose to provide during onboarding.
• Profile data: username, biography, language, preferences, saved items, and account settings.
• User Content: reviews, ratings, photos, captions, itineraries, comments, replies, reports, survey responses, and any other content you post.
• Communications: support tickets, feedback, dispute submissions, trust and safety reports, and messages you send us.
• Partner interaction data: where applicable, referral or booking-link interaction information needed to measure partner traffic, prevent abuse, and reconcile affiliate relationships.

2.2 Information We Collect Automatically

• Device and log data: IP address, browser type, device type, operating system, app version, crash data, timestamps, referring URLs, and diagnostic logs.
• Usage data: pages viewed, searches, filters used, clicks, scrolls, taps, session events, feature usage, and content interactions.
• Approximate location: city or region inferred from IP address or device signals.
• Precise location: if you choose to enable location-based features in the app or device settings.
• Push notification tokens (mobile only): when you grant notification permission on a Rexplore app, the operating system issues a push token that we register with our servers (alongside the app identifier and your selected app language) so we can deliver notifications about content moderation decisions, replies, mentions, and other in-app activity. The token rotates on its own, can be revoked by clearing app data or by signing out, and is deleted from our servers when you sign out or delete your account. We send pushes only through the canonical Apple Push Notification service (APNs) and Firebase Cloud Messaging (FCM); we do not share tokens with advertisers. You can manage which categories trigger a push from Settings → Notifications within each app; for the channel matrix and the categories that cannot be muted for compliance reasons, see our Moderation Policy §6.1–§6.2.
• Cookie and local storage data: consent status, user-requested language preferences, session preferences, security signals, and analytics identifiers where permitted.

2.3 Information from Third Parties

• Identity providers: when you sign in with Google or another provider, we receive the profile data you authorize that provider to share.
• App platforms and infrastructure providers: app store reports, push delivery events, crash reporting, and device integrity signals.
• Users and establishments: reports about abuse, copyright, impersonation, safety, or moderation issues.
• Partners and public sources: we may receive or verify listing metadata, availability indicators, and business information from partners or public sources.

2.4 Sensitive Personal Data

We do not intentionally ask for special-category data such as health, religion, or biometric data. If you voluntarily include sensitive information in reviews, captions, messages, or profile fields, you choose to make that information available to us and, where applicable, to other users. We ask that you avoid doing so unless necessary.

3. How We Use Personal Data and Our Legal Bases

Depending on the context, we process personal data for the following purposes:

• To provide the Platform and perform our contract with you: create accounts, authenticate users, publish reviews, show listings, sync profiles across Rexplore services, provide support, and operate core features.
• For our legitimate interests: secure the Platform, prevent fraud, detect fake reviews, moderate content, protect users, improve search and ranking quality, train and refine moderation and recommendation systems, debug issues, conduct analytics, develop features, measure performance, promote the Platform using public content, and administer the business.
• Based on your consent: process precise location where enabled, send certain marketing communications where consent is required, and use non-essential analytics cookies or similar technologies where required by law.
• To comply with legal obligations: maintain records, handle lawful requests, enforce rights, respond to regulators, and meet tax, audit, and compliance obligations.
• To protect vital or important interests: investigate urgent safety, fraud, abuse, or security incidents.

If the laws of your jurisdiction require a more specific legal basis, we rely on performance of a contract, legitimate interests, consent, and legal obligations as applicable. Where we rely on legitimate interests, we balance those interests against your rights and expectations.

4. How We Disclose Personal Data

4.1 Publicly Available Information

Your username, profile image, nationality flag, reviews, ratings, comments, itineraries, and photos may be visible to other users and may be indexed or cached by search engines or other third parties.

If you choose to post content in public areas of the Platform, you direct us to display and distribute that content publicly. Public content may be featured, ranked, quoted, summarized, translated, recommended, promoted, copied, archived, or cached by us, search engines, partners, and other third parties, and complete removal from all external locations is not guaranteed.

4.2 Disclosure Categories

We may disclose personal data to:

• Service providers and processors that help us host, secure, authenticate, analyze, email, support, moderate, and operate the Platform.
• Corporate affiliates, advisors, and acquirers in connection with administration, financing, audits, restructurings, mergers, asset sales, or similar transactions.
• Partners you intentionally engage with such as booking, map, or referral partners when necessary to complete the action you requested.
• Authorities, courts, and other parties where disclosure is required by law, necessary to enforce our rights, or needed to investigate fraud, safety, abuse, or legal claims.
• Insurers, professional advisors, and auditors as reasonably necessary for legal, compliance, or risk management purposes.

4.3 What We Do Not Do

• We do not sell personal information.
• We do not share personal information for cross-context behavioral advertising.
• We do not disclose private account information, date of birth, or precise location to restaurants, hotels, or other ordinary users unless you specifically direct us to do so.

4.4 Deidentified and Aggregated Information

We may aggregate, deidentify, or anonymize information so that it can no longer reasonably identify you. We may use and disclose such information for analytics, benchmarking, business planning, safety, product improvement, research, and reporting.

Where permitted by law, we may retain and use deidentified, aggregated, anonymized, and derived information indefinitely, provided that it no longer reasonably identifies you.

5. International Transfers

We may process or store personal data in the Republic of Korea, the United States, and other countries where our providers or partners operate. Where required, we use appropriate transfer safeguards such as contractual protections, adequacy decisions, or other lawful transfer mechanisms recognized under applicable law.

6. Data Retention

We retain personal data only for as long as reasonably necessary for the purposes described in this Policy, including to provide the Platform, comply with law, resolve disputes, enforce agreements, maintain security records, and preserve platform integrity. Typical retention periods include:

• Account profile data: for the life of the account and a reasonable period afterward for backup, compliance, and fraud prevention.
• User Content: until removed, anonymized, or no longer needed for operational, legal, or platform-integrity purposes.
• Support and legal correspondence: as long as reasonably necessary to address the issue and protect our rights.
• Security and audit logs: for the period reasonably needed for fraud prevention, troubleshooting, and legal compliance.
• Moderation records (reports, appeal decisions, enforcement actions): for 2 years after resolution of the matter, with reporter and appellant identifiers pseudonymized after that period.
• Moderation audit logs: for a minimum of 7 years for legal defense purposes; actor personal data is pseudonymized while the action record is retained.
• Korea §44-2 Rights Infringement Claims: for 3 years after the matter is resolved.
• Cookie consent records and analytics preferences: generally for up to six months unless refreshed sooner due to legal or product changes.
• Deidentified, aggregated, and derived records: may be retained for longer periods, including indefinitely where permitted by law and where they no longer reasonably identify you.

7. Cookies and Similar Technologies

We use cookies, local storage, SDKs, and similar technologies for the following purposes:

• Strictly necessary technologies: required for basic security, core website functions, storing your cookie choices, and remembering language settings only when you actively choose them.
• Analytics technologies: used to understand traffic and improve the Platform. On the website, analytics are disabled until you opt in where consent is required.

Our website gives you clear controls to accept, reject, or customize non-essential cookies. You can reopen your cookie settings at any time using the cookie settings control on the site. If you decline analytics cookies, core site functions remain available.

Where analytics are enabled, we configure our analytics implementation to reduce unnecessary data use, including disabling advertising features and applying IP anonymization where available. If your browser sends a Global Privacy Control signal, we treat non-essential cookies as off by default unless you opt in.

8. Your Rights and Choices

Depending on where you live, you may have the right to request access to personal data, correction, deletion, portability, restriction, objection to certain processing, withdrawal of consent, or review of certain processing decisions. You may also have the right to complain to a supervisory authority or regulator.

To submit a rights request, contact privacy@rexplore.xyz. We may need to verify your identity and may decline or limit a request where an exemption applies, where the request would adversely affect the rights of others, or where we are permitted or required by law to retain the information.

You can also manage some data directly in the Platform, such as editing profile information, deleting content, revoking permissions, and adjusting cookie preferences.

These rights are not absolute. Where permitted by law, we may retain or restrict deletion of data needed for security, fraud prevention, repeat-abuse prevention, moderation history, platform integrity, legal compliance, tax and audit records, dispute resolution, or the establishment, exercise, or defense of legal claims. In some cases, we may anonymize public content rather than fully erase it.

Where permitted by law, we may refuse, defer, or charge a reasonable fee for requests that are manifestly unfounded, excessive, repetitive, technically infeasible, or that would require disproportionate effort, compromise security, or impair the rights of other users or third parties.

8.1 How to Delete Your Account

You can delete your account at any time. Two paths are available:

• In the app: open Settings → Account → Delete Account. The action takes effect immediately on confirmation.
• Without the app: if you no longer have the app installed, email privacy@rexplore.xyz from the email address associated with your account with subject line "Delete my account." We will action the request within 30 days.

When you delete your account, we immediately:

• Remove your profile information (name, photo, bio, birthday, gender, nationality, city, residence, phone) from public view and replace your display name with "Deleted User."
• Hide every review, comment, tip, question, answer, and essay you authored from public surfaces, the same way our moderation system hides reported content.
• Mark the account as inactive so no one can sign in to it.

The retention rules in Section 6 still apply to records we are legally required to keep (security and audit logs, moderation history, Korea §44-2 claim history, tax and dispute records). Those records are pseudonymized so they cannot be tied back to a usable identity.

9. GDPR / EEA / UK Supplemental Information

If you are in the EEA or UK, you have rights under the GDPR or UK GDPR, including the right to access, rectify, erase, restrict, object, withdraw consent, and receive a portable copy of certain personal data. You also have the right to lodge a complaint with your local supervisory authority.

We process personal data based on contractual necessity, legitimate interests, legal obligations, and consent as described above. If you object to processing based on legitimate interests, we will assess your objection in accordance with applicable law.

10. California (CCPA / CPRA) Supplemental Notice

This section applies to California residents and describes our personal information practices during the preceding 12 months.

10.1 Categories of Personal Information Collected

• Identifiers: such as name, email address, IP address, username, account IDs, and device identifiers.
• Customer records information: profile and account details you provide to us.
• Commercial information: interactions with listings, referral links, or partner-related features.
• Internet or electronic network activity information: browsing, search, usage, diagnostic, and interaction data.
• Geolocation data: approximate location and, if enabled, precise location.
• Audio, electronic, or visual information: photos, submitted media, and support attachments.
• Inferences: limited inferences generated to improve recommendations, moderation, fraud prevention, and product performance.
• Sensitive personal information: date of birth, precise geolocation, and account login information where applicable.

10.2 Sources of Personal Information

We collect personal information directly from you, automatically from your device and use of the Platform, from identity providers, from app and infrastructure providers, from partners you choose to interact with, and from other users or public sources in connection with moderation, safety, or listing quality.

10.3 Business and Commercial Purposes

We use personal information to operate and administer the Platform, authenticate accounts, publish and rank content, improve features, prevent abuse, communicate with users, analyze performance, comply with legal obligations, and protect the rights and safety of Rexplore, users, establishments, and the public.

10.4 Categories Disclosed for Business Purposes

We may disclose the categories listed above to service providers, contractors, corporate affiliates, advisors, infrastructure providers, analytics providers, support providers, fraud and moderation providers, regulators, courts, counterparties to corporate transactions, and other parties as described in Section 4.

10.5 Sale / Sharing / Sensitive Personal Information

We do not sell personal information. We do not share personal information for cross-context behavioral advertising. We do not use or disclose sensitive personal information for purposes other than permitted business purposes and limited service-delivery purposes.

10.6 California Rights

California residents may request to know, access, correct, delete, or obtain a portable copy of personal information, and may appeal or complain where permitted by law. You may also use an authorized agent. We will not discriminate against you for exercising your rights. To make a California privacy request, contact privacy@rexplore.xyz.

11. Moderation Data Processing

11.1 When you submit a report, the following data is collected and processed: your account identifier, the identifier of the reported content, the report category, any optional note you provide, and metadata including the timestamp and your approximate IP address region. This data is used to evaluate the report, apply thresholds, and audit moderation decisions.

11.2 Report identifiers are pseudonymized when they are counted toward automated thresholds. The reporter's identity is not disclosed to the author of the reported content, except where required by a court order or legal process.

11.3 When you submit an appeal, the content of your appeal note and your account identifier are processed by our moderation team to evaluate the appeal. We may also use AI-assisted tools to provide a second-opinion assessment. AI-assisted assessment inputs are limited to structured fields (report category codes, content status, and appeal note) and do not include unstructured prompts that could affect system behavior.

11.4 When you submit a Korea §44-2 Rights Infringement Claim, the personal data in your claim (name, email, harm description, and any supporting documentation) is processed solely to evaluate and act on your claim. This data is not used for advertising, profiling, or any other purpose unrelated to the claim.

11.5 Moderation audit logs, which record moderation actions and their outcomes, are stored in a tamper-resistant format and are accessible only to authorized personnel. These logs may be provided to law enforcement or courts pursuant to valid legal process.

11.6 For further details on how moderation actions affect content visibility and what rights you have when your content is hidden, see our Moderation Policy.

12. Security and Minors

We use reasonable technical, organizational, and contractual safeguards designed to protect personal data. However, no system is completely secure, and we cannot guarantee absolute security.

The Platform is not directed to children under 14. If you believe a child provided personal data to us in violation of applicable law, contact privacy@rexplore.xyz.

For security incidents, vulnerability reports, or abuse affecting the confidentiality, integrity, or availability of the Platform, contact security@rexplore.xyz.

13. Changes to This Policy

We may revise this Policy from time to time. If we make material changes, we will update the date above and provide additional notice where required by law. Your continued use of the Platform after the updated Policy takes effect is subject to the updated Policy.

14. Contact

Privacy: privacy@rexplore.xyz

Data Protection Officer (DPO): dpo@rexplore.xyz

Security: security@rexplore.xyz