Privacy Policy

v1.1 · Effective from 2026-06-19

Kiip Corporation ("Company," "we," "us," or "our") operates the iipuda service (including its website and mobile application, collectively the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard the personal data of users of the Service, and describes the rights available to you regarding your personal data.

The Company acts as the data controller for personal data provided through, or collected via, this website and our applications distributed on third-party platforms. We take the protection of your personal data seriously, and this Privacy Policy sets out what personal data we collect, how and why we use it, and what measures we take to protect it.

1. Purposes of Collection and Processing of Personal Data

The Company processes the minimum personal data necessary for the following purposes. Personal data is not used for any purpose beyond what is stated below; if the purpose of use changes, we will take necessary measures such as obtaining separate consent in accordance with applicable law.

Account Registration and Management: Confirming intent to register, identity verification and authentication, maintaining and managing membership status, preventing fraudulent use, and delivering notices.

Service Provision and Improvement: Facilitating bookings and payment intermediation with partner clinics/shops, sending notification messages (Kakao AlimTalk/SMS), enabling users to write and store content (reviews), issuing points/coupons, providing AI-driven personalized recommendations, and delivering location-based shop search results.

Marketing and Advertising: Developing and customizing new services, delivering promotional information and personalized advertising via app push notifications, SMS, and email, and measuring advertising performance and conducting attribution analysis.

2. Personal Data We Collect and Retention Periods

① The Company processes and retains personal data within the retention period required by applicable law, or within the retention period consented to by the data subject at the time of collection.

Service Category

Data Collected

Purpose

Retention Period

General / Social Sign-Up

Name, mobile phone number, email (used as ID), password, gender, date of birth, country of residence, device information, IP address.

[Social sign-up] Linked account identifier, profile information

Member identification, confirming intent to register, account management

Until account deletion

Content and Reviews

Names of treatments/services received, treated body part, payment receipt data, before/after photos, cost of treatment, and health-related information contained in reviews and photos (e.g., body/skin condition)

Verifying review authenticity, providing information to other users, improving Service features

Until account deletion

Booking and Advance Payment

Name, mobile phone number, payment method details (e.g., card information), booking date/time, treatment/service product information, desired procedure and area(s) of concern

Confirming bookings, processing payments and cancellations/refunds, transmitting information to partner providers

Until account deletion

Marketing and Personalization

Preferred region/category, device GPS location data

Personalized shop recommendations, interest-based targeted advertising

Until consent is withdrawn or account deletion

Automatically Collected Data

Service usage records, access logs, cookies, advertising identifiers (ADID/IDFA), app install/execution/event logs, ad click and install referrer information, campaign identifiers

Preventing fraudulent use, statistical analysis, system stability

Until account deletion, or up to 2 years from collection

② Where retention is required under applicable Korean law, the periods are as follows:

  1. Records relating to transactions under the Act on Consumer Protection in Electronic Commerce, Etc.:

  • Records of labeling/advertising: 6 months

  • Records of contracts, withdrawal of subscription, payment, and supply of goods/services: 5 years

  • Records of consumer complaints or dispute resolution: 3 years

  1. Retention of communication confirmation data under Article 41 of the Enforcement Decree of the Protection of Communications Secrets Act:

  • Subscriber communication date/time, start/end time, counterpart subscriber number, frequency of use, originating base station location data: 1 year

  • Computer/internet log records, access location tracking data: 3 months

  1. Retention of commercial books, etc. under Article 33 of the Commercial Act:

  • Commercial books and material business documents: 10 years

  • Slips or similar documents: 5 years

3. Disclosure of Personal Data to Third Parties

The Company discloses personal data to partner providers only with the user's prior consent, and only to the extent necessary to complete a transaction or booking.

Recipient

Data Disclosed

Purpose of Use by Recipient

Retention Period by Recipient

The specific "partner provider" with which the user requests a consultation or makes an advance payment through the Service

Name, gender, mobile phone number, date of birth, information on the requested event/product, preferred booking date/time, area(s) of concern

Confirming the in-person appointment, contacting the user for consultation and provision of the treatment/beauty service

3 months after the partner provider completes the service

4. Sub-Processors and International Data Transfers

① To provide the Service, the Company engages the following sub-processors to perform certain processing activities on its behalf.

Sub-Processors

Sub-Processor

Delegated Task

Meta Platforms, Inc.

Advertising optimization based on app install events (including app events, device identifiers, and hashed email/phone number values). App events may be transmitted via the Nachocode app SDK.

Google LLC

(i) Cloud infrastructure hosting (Google Cloud Platform); (ii) push notification delivery (Firebase Cloud Messaging); (iii) usage analytics (Google Analytics 4); (iv) social login (Google OAuth); (v) social login within the mobile app (via the Nachocode app SDK)

Amazon Web Services, Inc.

Media file storage infrastructure (S3)

OpenAI, LLC

AI-based translation (personally identifiable information is masked prior to transmission)

Airwallex (Hong Kong) Limited

International payment processing

SOLAPI Co., Ltd.

SMS / Kakao AlimTalk delivery (e.g., booking notifications; no personally identifiable information included)

Flipper Corporation (Nachocode)

Mobile app SDK and push token processing (based on internal server IDs)

AB180 Inc. (Airbridge)

Mobile app advertising performance measurement and attribution analysis (processing app events, advertising identifiers, campaign information, etc.)

② Personal data collected by the Company may be stored on databases located outside of Korea for the purposes and to the extent described below.

International Data Transfers

Recipient

Purpose of Transfer

Destination Country

Data Transferred

Recipient's Retention Period

Timing and Method of Transfer

Google LLC

Cloud server/database infrastructure operation (GCP)

Hong Kong (asia-east2)

Registration information, service usage records, booking/payment information, content (reviews), location data, and all other personal data generated through use of the Service

Until termination of the service agreement

At the time of Service use, via real-time network transmission

Google LLC

Push notification delivery (Firebase Cloud Messaging)

United States

Push token (device identifier), notification event logs

Until termination of the service agreement

At the time of Service use, via real-time network transmission

Google LLC

Usage analytics (Google Analytics 4)

United States

Advertising identifiers (ADID/IDFA), usage records, IP address, device information, event logs

Up to 14 months (GA4 default policy)

At the time of Service use, via real-time network transmission

Google LLC

Maps, social login, translation, and other auxiliary services

United States

Location data (when using maps), account identifier (OAuth), translation request text

Until termination of the service agreement

At the time of Service use, via real-time network transmission

OpenAI, LLC

AI-based translation (personal identifiers masked prior to transmission)

United States

Masked translation request text

Up to 30 days (per OpenAI API policy)

At the time of Service use, via real-time API call

Meta Platforms, Inc.

Advertising optimization based on app install events

United States

App events, device identifiers (ADID/IDFA), hashed email/phone number values

Until termination of the service agreement

At the time of Service use, via real-time network transmission

Airwallex (Hong Kong) Limited

International payment processing

Hong Kong

Order ID, payment amount/currency, card payment information (email, if entered by the user)

Retention period required for payment-related records under applicable law

At the time of the payment request, via real-time API call

Amazon Web Services, Inc.

Storage, transformation, and delivery of media files (S3)

Hong Kong (ap-east-1)

Metadata of user-uploaded image files in reviews

Until termination of the service agreement

At the time of Service use, real-time transmission

③ When entering into an agreement with a sub-processor, the Company specifies in writing — in accordance with Article 26 of Korea's Personal Information Protection Act — matters such as the prohibition on processing personal data for any purpose other than performing the delegated task, technical and administrative safeguards, restrictions on re-delegation, oversight of the sub-processor, and liability for damages, and supervises whether the sub-processor is processing personal data securely.

④ If the scope of delegated tasks, the sub-processor, or the details of an international transfer change, the Company will disclose the update through this Privacy Policy without delay.

5. Your Rights and How to Exercise Them

① You may exercise your rights to access, rectify, delete, or request the suspension of processing of your personal data at any time.

② You can view or edit your personal data via My Page > Edit My Information in the app, and you can delete your account via My Page > Edit My Information > Delete Account.

③ You may exercise the rights described in paragraph ① in writing, by phone, or by email, and the Company will act on your request without undue delay.

④ You may exercise these rights through a legal representative or an authorized agent. In such cases, a power of attorney in the form prescribed by the Personal Information Protection Commission's notice on personal data processing methods (Attached Form No. 11) must be submitted.

⑤ Your right to access your personal data and to request suspension of processing may be restricted under Article 35(4) and Article 37(2) of Korea's Personal Information Protection Act.

⑥ You may not request deletion of personal data if that data is required to be collected under other applicable laws.

⑦ When you request access, rectification, deletion, or suspension of processing, the Company will verify that the request is made by you or your legitimate representative.

6. Destruction of Personal Data

① The Company destroys personal data without undue delay once the retention period has elapsed or the purpose of processing has been achieved and the data is no longer necessary.

② Where personal data must continue to be preserved under other applicable laws even after the consented retention period has elapsed or the processing purpose has been achieved, such data is transferred to and stored in a separate database.

③ The Company destroys personal data using the following procedures and methods:

a. Destruction procedure: Information entered by users for account registration and similar purposes is moved to a separate database after its purpose has been achieved, and is stored for a certain period in accordance with internal policy and applicable law before being destroyed.

b. Destruction method: Personal data printed on paper is destroyed by shredding or incineration. Personal data stored in electronic file form is deleted using technical methods that prevent the records from being recovered.

7. Measures to Ensure the Security of Personal Data

The Company implements the following measures to protect personal data:

  1. Administrative measures: Establishing and implementing an internal personal data protection management plan, minimizing and designating personnel with access to personal data, and providing regular training.

  2. Technical measures: Managing access rights to personal data processing systems, installing access control systems, encrypting personal data, and installing and updating security software.

  3. Physical measures: Controlling access to server rooms and data storage facilities.

8. Automatic Data Collection Tools: Installation, Operation, and Opt-Out

The Company uses cookies and advertising identifiers (ADID/IDFA) to provide a personalized service experience. You may opt out of these at any time through your device settings.

Purpose of Cookies

Cookies are used to understand how you visit and use webpages, and to determine whether your connection is secure.

How to Opt Out of Cookies

Opting out of cookies does not disadvantage you in any way, but it may make it more difficult to use certain features of the Service, such as personalized recommendations.

  • Web browsers

    • Microsoft Edge: Menu > Settings > Cookies and Site Permissions > Manage and Delete Cookies and Site Data

    • Chrome: Menu > Settings > Privacy and Security

    • Safari: Preferences > "Prevent Cross-Site Tracking" and "Block All Cookies"

    • Other major browsers such as Firefox and Opera also offer cookie-deletion features.

  • Mobile devices

    • Android: Settings > Google > Ads > Opt out of Ads Personalization (turn ON)

    • iPhone: Settings > Privacy > Tracking > Allow Apps to Request to Track (turn OFF)

9. Data Protection Officer and Grievance Handling

If you have any questions, concerns, or complaints regarding the protection of your personal data while using the Service, you may contact our Data Protection Officer below.

Data Protection Officer

Name

Yechan Kim

Title

Chief Privacy Officer (CPO)

Email

yckim@kiipcorp.com

Phone

+82 10 2642 5232

10. Changes to This Privacy Policy

If any content is added to, removed from, or otherwise revised in this Privacy Policy, we will provide advance notice through our website.

11. Effective Date

① This Privacy Policy is effective as of June 19, 2026.