Privacy Policy
Last updated: February 24, 2026
This Privacy Policy describes how the Brain Signal Processing Laboratory (BSPL), Department of Brain and Cognitive Engineering, Korea University ("the research team," "we," "us," or "our") collects, uses, stores, and protects information obtained through the bbmi mobile application ("the App"). The App is developed and operated exclusively for an IRB-approved academic research study.
Important Notice: This App is not available to the general public. It is intended solely for participants enrolled in an IRB-approved research study (Approval No.: KUIRB-2025-0488-01) who have completed informed consent. All minor participants may only participate with verified written consent from a parent or legal guardian.
1. Research Context
This App is part of a research study conducted at Korea University, Department of Brain and Cognitive Engineering, under the supervision of Prof. Jong-Hwan Lee. The study investigates the relationship between physiological responses and psychological states using Home-based Training (HBT). The research protocol has been reviewed and approved by the Korea University Institutional Review Board (KUIRB) (Approval No.: KUIRB-2025-0488-01).
2. Participants and Eligibility
The App is designed for research participants aged 9 to 12 years (elementary school students, grades 4–6). As all participants are minors, the following safeguards are in place:
- At least one parent or legal guardian must be present during the informed consent process and must co-sign the consent form.
- Participants and their parents/legal guardians are provided with a full explanation of all study procedures, data collection methods, and their rights prior to enrollment.
- Participation is entirely voluntary, and participants or their parents/legal guardians may withdraw at any time without any penalty or disadvantage.
3. Data We Collect
The App collects the following categories of data for research purposes only:
| Data Category | Specific Data | Collection Method |
| --- | --- | --- |
| Account Information | Email address (Google or Apple sign-in) | User login |
| Participant Identifier | Pseudonymized participant research identifier | System-generated |
| Physiological Data (ECG) | Electrocardiogram signals at 200 Hz | External Movesense BLE sensor |
| Physiological Data (IMU) | Inertial measurement signals at 52 Hz | External Movesense BLE sensor |
| Facial Video | Front-facing camera video recording (approximately 10 minutes per session) | Device front camera |
| Audio | Audio recording during task sessions | Device microphone |
| Psychological Survey Responses | Self-Assessment Manikin (SAM) arousal/valence ratings, task performance ratings | In-app survey |
| Blood Pressure (pilot group only) | Systolic and diastolic blood pressure | Manual entry |
| Session Metadata | Timestamps, session identifiers, device type | Automatically generated |
| In-App Chat Data | Chat message text with the research team, timestamps, read status | User input (stored in Firestore) |
| Push Notification Token | FCM/APNs device token | System-generated |
In addition, the server infrastructure used to operate the App (Firebase, Google Cloud Functions, etc.) may automatically generate and log the following information during service operation:
- Access logs (date/time of access, IP address)
- Device information (device model, operating system, version, language, time zone)
This information is used solely for security, abuse prevention, and system quality management purposes and is managed in accordance with Google's infrastructure policies. The research team does not separately collect or analyze this information for research purposes.
4. How We Use Your Data
All collected data is used exclusively for the following purposes:
- Academic research: To study the relationship between physiological signals, facial cues, and psychological states in the context of Home-based Training (HBT).
- App functionality: To provide real-time ECG monitoring, session management, and data upload features.
- Quality control: To verify the completeness and integrity of collected research data.
- Research communication: To send study-related notifications and facilitate communication between participants and the research team via in-app chat.
We do not use your data for:
- Advertising, marketing, or commercial purposes
- User profiling or behavioral tracking
- Sale or transfer to third parties
- Clinical diagnosis or medical treatment
5. Data Storage and Security
5.1 Storage Locations
- Google Cloud Storage (GCS): All primary research data (ECG, IMU, video, audio, surveys, blood pressure (pilot, where applicable)) is uploaded to secure cloud storage via signed URLs with encrypted transmission.
- Firebase (Google): Authentication data and in-app messaging are managed through Firebase services.
- Local Device: Data is temporarily stored on the participant's device until upload is confirmed, after which local copies are automatically deleted.
Primary research data is stored in the Google Cloud Storage Seoul region (asia-northeast3). However, certain Firebase services such as authentication and messaging may be processed through Google's global infrastructure, and data may pass through servers located outside of Korea during this process.
Data storage servers for the above cloud services (Google Cloud Storage, Firebase) may be located outside of Korea, and collected data may accordingly be transferred to and stored in overseas locations. All data transfers are encrypted (HTTPS/TLS) and managed in accordance with Google's data protection policies.
5.2 Security Measures
- All data is transmitted using encrypted connections (HTTPS/TLS).
- Participant identifiers are pseudonymized and managed as research identifiers (codes). The mapping between email addresses and research identifiers is stored in access-restricted Firebase Firestore and is accessible only to the principal investigator and authorized research team members.
- Cloud storage access is restricted to authorized research team members through access controls. Service providers may access data to the extent necessary for service operation and security, as described in Section 8.
- Upload authentication uses time-limited signed URLs generated by secure cloud functions.
6. Facial Video Data Processing
Facial video recordings are subject to additional privacy protections:
- Uploaded facial video data is segmented on the server into separate regions: eye area, mouth area, and remaining facial area.
- After segmentation is complete, the original facial video is deleted from the server.
- The segmented region videos are used solely for estimating physiological indicators (e.g., eye blink frequency, nasal breathing verification, heart rate variability estimation).
- As segmented region videos may still carry residual personal identification risk, they are subject to the same level of access control, retention period, and disposal standards as the original video. These data are accessible only to the research team and are disposed of in accordance with the retention period specified in Section 9.
7. Children's Privacy
The research team is committed to protecting the privacy of children participating in this study. The following measures are in place:
- Parental consent required: No data is collected from any minor without verified, written consent from a parent or legal guardian. At least one parent or legal guardian must be present during the consent process and must co-sign the informed consent form.
- IRB oversight: All data collection procedures involving minors have been reviewed and approved by the Korea University Institutional Review Board (KUIRB-2025-0488-01).
- Private distribution: The App is distributed as unlisted on the App Store and is accessible only to pre-approved research participants.
- No third-party provision for sales/marketing: Children's data is not sold, transferred, or disclosed to any third party for advertising, marketing, or commercial purposes. However, data processing services such as Google Cloud/Firebase may be used for the technical operation of the App, and such use is limited to the scope described in Section 8.
- No advertising or tracking: The App does not contain any advertising SDKs, IDFA-based tracking SDKs, or third-party SDKs for behavioral analytics. The Firebase services used in the App (authentication, cloud messaging, database) serve solely as technical infrastructure for App operation and are not used for advertising or user tracking purposes.
- Right to withdraw: Parents or legal guardians may withdraw their child from the study at any time. Upon withdrawal, the participant's data will be deleted upon request.
- Data minimization: Only data necessary for the research objectives as specified in the IRB-approved protocol is collected.
8. Data Sharing and Processing Delegation
We do not disclose personal data to third parties for advertising, marketing, sales, or other commercial purposes. We use service providers (such as Google Cloud/Firebase) to process data solely for operating the App and supporting the research described in this Policy. Direct access to research data within the research team is limited to:
- The principal investigator (Prof. Jong-Hwan Lee)
- Authorized research team members of BSPL, Korea University
However, data processing is delegated to the following services for the technical operation of the App. This constitutes "processing delegation" under the research team's control for operating technical infrastructure, not third-party "provision" of data:
| Delegated Service | Purpose of Delegation | Data Processed |
| --- | --- | --- |
| Google Cloud Storage | Secure storage of research data | ECG, IMU, video, audio, survey responses, blood pressure (pilot, where applicable) |
| Google Firebase Authentication | User authentication | Email address, authentication tokens |
| Google Firebase Cloud Messaging | Research-related push notifications | Device tokens (FCM/APNs), device/app information required for push delivery (device model, OS version, language, time zone, app version, etc.) |
| Google Firebase Firestore | Participant session management, in-app chat | Pseudonymized participant ID, session metadata, in-app chat messages (text, timestamps, read status), email-to-research identifier mapping |
| Google Sheets API | Data quality control (QC) | Pseudonymized participant ID, session status information |
| Google Cloud Functions | Signed URL generation for upload authentication, session processing | Pseudonymized participant ID, session/file metadata (file name, timestamp) |
The delegated service provider (Google) may process data to the extent necessary for service provision and maintaining security and stability. The research team does not use these services for advertising, marketing, or tracking purposes. Details regarding data processing are subject to Google/Firebase's privacy policies and terms of service. All data transfers are conducted through encrypted connections (HTTPS/TLS).
If research results are published in academic journals or presented at conferences, all data will be reported in aggregate or fully anonymized form only. No individual participant will be identifiable from published results.
9. Data Retention and Disposal
- All research data will be retained for one (1) year after the completion of data use for the research study, after which it will be permanently destroyed.
- Physical documents (consent forms, paper records) will be destroyed using a document shredder.
- Digital data will be permanently deleted from the storage systems under the research team's control (Google Cloud Storage, Firebase Firestore, Google Sheets). Server operation logs managed by service providers are handled in accordance with their respective data retention policies, as noted in Section 3.
- Upon participant withdrawal, data deletion may be requested by submitting an in-app deletion request as described in Section 10, or by contacting the research team.
- However, the minimum records required for compliance with applicable laws or IRB regulations (e.g., consent forms) may be retained until such obligations expire, after which they will be destroyed.
10. Account Deletion and Data Deletion
Participants or their parents/legal guardians may request account deletion and data deletion at any time.
How to Request Deletion
- In-app deletion request: Main screen top-right menu (⋮) → "Request Account Deletion" → confirm in the dialog to submit the request.
- In-app chat: Request deletion through the research team chat feature.
- Email: Request deletion at eprint523@korea.ac.kr.
Scope of Deletion
- Deletion of Firebase authentication information and Firestore user data
- Deletion of all research data stored in Google Cloud Storage for the participant (ECG, IMU, video, audio, survey responses, blood pressure (pilot, where applicable))
- Deletion of in-app chat history
- Deletion of participant-related records in Google Sheets
- If signed in with Apple, revocation of the Apple user token
Processing Period
Deletion will be completed within 14 days of receiving the request, and the participant will be notified by email upon completion. However, the minimum records required for compliance with applicable laws or IRB regulations (e.g., consent forms) may be retained until such obligations expire, after which they will be destroyed.
11. Participant Rights
Participants and their parents/legal guardians have the following rights:
- Right to withdraw: You may withdraw from the study at any time without any penalty or disadvantage.
- Right to access: You may request information about what data has been collected.
- Right to deletion: You may request deletion of your data by submitting an in-app deletion request as described in Section 10, or by contacting the research team.
- Right to be informed: You will be notified in advance of any significant changes to this Privacy Policy or the research protocol.
12. Changes to This Privacy Policy
We may update this Privacy Policy to reflect changes in our research practices or legal requirements. If significant changes are made, participants and their parents/legal guardians will be notified in advance through the App or by email. The "Last updated" date at the top of this page indicates when the most recent revision was made.
13. Contact Us
If you have any questions about this Privacy Policy, your data, or your rights as a research participant, please contact:
- Researcher: Joung Woo Choi
- Email: eprint523@korea.ac.kr
- Phone: +82-10-8813-0464
- Affiliation: Brain Signal Processing Laboratory (BSPL), Department of Brain and Cognitive Engineering, Korea University
- Address: Room 605, Science Library, Korea University, 145 Anam-ro, Seongbuk-gu, Seoul 02841, Republic of Korea
- Supervisor: Prof. Jong-Hwan Lee
For concerns about your rights as a research participant, you may also contact the Korea University Institutional Review Board (KUIRB).