隱私權政策
Kiip Corporation ("Company," "we," "us," or "our") operates the iipuda service (including its website and mobile application, collectively the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard the personal data of users of the Service, and describes the rights available to you regarding your personal data.
The Company acts as the data controller for personal data provided through, or collected via, this website and our applications distributed on third-party platforms. We take the protection of your personal data seriously, and this Privacy Policy sets out what personal data we collect, how and why we use it, and what measures we take to protect it.
1. Purposes of Collection and Processing of Personal Data
The Company processes the minimum personal data necessary for the following purposes. Personal data is not used for any purpose beyond what is stated below; if the purpose of use changes, we will take necessary measures such as obtaining separate consent in accordance with applicable law.
① Account Registration and Management: Confirming intent to register, identity verification and authentication, maintaining and managing membership status, preventing fraudulent use, and delivering notices.
② Service Provision and Improvement: Facilitating bookings and payment intermediation with partner clinics/shops, sending notification messages (Kakao AlimTalk/SMS), enabling users to write and store content (reviews), issuing points/coupons, providing AI-driven personalized recommendations, and delivering location-based shop search results.
③ Marketing and Advertising: Developing and customizing new services, delivering promotional information and personalized advertising via app push notifications, SMS, and email, and measuring advertising performance and conducting attribution analysis.
2. Personal Data We Collect and Retention Periods
① The Company processes and retains personal data within the retention period required by applicable law, or within the retention period consented to by the data subject at the time of collection.
Service Category | Data Collected | Purpose | Retention Period |
|---|---|---|---|
General / Social Sign-Up | Name, mobile phone number, email (used as ID), password, gender, date of birth, country of residence, device information, IP address. [Social sign-up] Linked account identifier, profile information | Member identification, confirming intent to register, account management | Until account deletion |
Content and Reviews | Names of treatments/services received, treated body part, payment receipt data, before/after photos, cost of treatment, and health-related information contained in reviews and photos (e.g., body/skin condition) | Verifying review authenticity, providing information to other users, improving Service features | Until account deletion |
Booking and Advance Payment | Name, mobile phone number, payment method details (e.g., card information), booking date/time, treatment/service product information, desired procedure and area(s) of concern | Confirming bookings, processing payments and cancellations/refunds, transmitting information to partner providers | Until account deletion |
Marketing and Personalization | Preferred region/category, device GPS location data | Personalized shop recommendations, interest-based targeted advertising | Until consent is withdrawn or account deletion |
Automatically Collected Data | Service usage records, access logs, cookies, advertising identifiers (ADID/IDFA), app install/execution/event logs, ad click and install referrer information, campaign identifiers | Preventing fraudulent use, statistical analysis, system stability | Until account deletion, or up to 2 years from collection |
② Where retention is required under applicable Korean law, the periods are as follows:
Records relating to transactions under the Act on Consumer Protection in Electronic Commerce, Etc.:
Records of labeling/advertising: 6 months
Records of contracts, withdrawal of subscription, payment, and supply of goods/services: 5 years
Records of consumer complaints or dispute resolution: 3 years
Retention of communication confirmation data under Article 41 of the Enforcement Decree of the Protection of Communications Secrets Act:
Subscriber communication date/time, start/end time, counterpart subscriber number, frequency of use, originating base station location data: 1 year
Computer/internet log records, access location tracking data: 3 months
Retention of commercial books, etc. under Article 33 of the Commercial Act:
Commercial books and material business documents: 10 years
Slips or similar documents: 5 years
3. Disclosure of Personal Data to Third Parties
The Company discloses personal data to partner providers only with the user's prior consent, and only to the extent necessary to complete a transaction or booking.
Recipient | Data Disclosed | Purpose of Use by Recipient | Retention Period by Recipient |
|---|---|---|---|
The specific "partner provider" with which the user requests a consultation or makes an advance payment through the Service | Name, gender, mobile phone number, date of birth, information on the requested event/product, preferred booking date/time, area(s) of concern | Confirming the in-person appointment, contacting the user for consultation and provision of the treatment/beauty service | 3 months after the partner provider completes the service |
4. Sub-Processors and International Data Transfers
① To provide the Service, the Company engages the following sub-processors to perform certain processing activities on its behalf.
Sub-Processors
Sub-Processor | Delegated Task |
|---|---|
Meta Platforms, Inc. | Advertising optimization based on app install events (including app events, device identifiers, and hashed email/phone number values). App events may be transmitted via the Nachocode app SDK. |
Google LLC | (i) Cloud infrastructure hosting (Google Cloud Platform); (ii) push notification delivery (Firebase Cloud Messaging); (iii) usage analytics (Google Analytics 4); (iv) social login (Google OAuth); (v) social login within the mobile app (via the Nachocode app SDK) |
Amazon Web Services, Inc. | Media file storage infrastructure (S3) |
OpenAI, LLC | AI-based translation (personally identifiable information is masked prior to transmission) |
Airwallex (Hong Kong) Limited | International payment processing |
SOLAPI Co., Ltd. | SMS / Kakao AlimTalk delivery (e.g., booking notifications; no personally identifiable information included) |
Flipper Corporation (Nachocode) | Mobile app SDK and push token processing (based on internal server IDs) |
AB180 Inc. (Airbridge) | Mobile app advertising performance measurement and attribution analysis (processing app events, advertising identifiers, campaign information, etc.) |
② Personal data collected by the Company may be stored on databases located outside of Korea for the purposes and to the extent described below.
International Data Transfers
Recipient | Purpose of Transfer | Destination Country | Data Transferred | Recipient's Retention Period | Timing and Method of Transfer |
|---|---|---|---|---|---|
Google LLC | Cloud server/database infrastructure operation (GCP) | Hong Kong (asia-east2) | Registration information, service usage records, booking/payment information, content (reviews), location data, and all other personal data generated through use of the Service | Until termination of the service agreement | At the time of Service use, via real-time network transmission |
Google LLC | Push notification delivery (Firebase Cloud Messaging) | United States | Push token (device identifier), notification event logs | Until termination of the service agreement | At the time of Service use, via real-time network transmission |
Google LLC | Usage analytics (Google Analytics 4) | United States | Advertising identifiers (ADID/IDFA), usage records, IP address, device information, event logs | Up to 14 months (GA4 default policy) | At the time of Service use, via real-time network transmission |
Google LLC | Maps, social login, translation, and other auxiliary services | United States | Location data (when using maps), account identifier (OAuth), translation request text | Until termination of the service agreement | At the time of Service use, via real-time network transmission |
OpenAI, LLC | AI-based translation (personal identifiers masked prior to transmission) | United States | Masked translation request text | Up to 30 days (per OpenAI API policy) | At the time of Service use, via real-time API call |
Meta Platforms, Inc. | Advertising optimization based on app install events | United States | App events, device identifiers (ADID/IDFA), hashed email/phone number values | Until termination of the service agreement | At the time of Service use, via real-time network transmission |
Airwallex (Hong Kong) Limited | International payment processing | Hong Kong | Order ID, payment amount/currency, card payment information (email, if entered by the user) | Retention period required for payment-related records under applicable law | At the time of the payment request, via real-time API call |
Amazon Web Services, Inc. | Storage, transformation, and delivery of media files (S3) | Hong Kong (ap-east-1) | Metadata of user-uploaded image files in reviews | Until termination of the service agreement | At the time of Service use, real-time transmission |
③ When entering into an agreement with a sub-processor, the Company specifies in writing — in accordance with Article 26 of Korea's Personal Information Protection Act — matters such as the prohibition on processing personal data for any purpose other than performing the delegated task, technical and administrative safeguards, restrictions on re-delegation, oversight of the sub-processor, and liability for damages, and supervises whether the sub-processor is processing personal data securely.
④ If the scope of delegated tasks, the sub-processor, or the details of an international transfer change, the Company will disclose the update through this Privacy Policy without delay.
5. Your Rights and How to Exercise Them
① You may exercise your rights to access, rectify, delete, or request the suspension of processing of your personal data at any time.
② You can view or edit your personal data via My Page > Edit My Information in the app, and you can delete your account via My Page > Edit My Information > Delete Account.
③ You may exercise the rights described in paragraph ① in writing, by phone, or by email, and the Company will act on your request without undue delay.
④ You may exercise these rights through a legal representative or an authorized agent. In such cases, a power of attorney in the form prescribed by the Personal Information Protection Commission's notice on personal data processing methods (Attached Form No. 11) must be submitted.
⑤ Your right to access your personal data and to request suspension of processing may be restricted under Article 35(4) and Article 37(2) of Korea's Personal Information Protection Act.
⑥ You may not request deletion of personal data if that data is required to be collected under other applicable laws.
⑦ When you request access, rectification, deletion, or suspension of processing, the Company will verify that the request is made by you or your legitimate representative.
6. Destruction of Personal Data
① The Company destroys personal data without undue delay once the retention period has elapsed or the purpose of processing has been achieved and the data is no longer necessary.
② Where personal data must continue to be preserved under other applicable laws even after the consented retention period has elapsed or the processing purpose has been achieved, such data is transferred to and stored in a separate database.
③ The Company destroys personal data using the following procedures and methods:
a. Destruction procedure: Information entered by users for account registration and similar purposes is moved to a separate database after its purpose has been achieved, and is stored for a certain period in accordance with internal policy and applicable law before being destroyed.
b. Destruction method: Personal data printed on paper is destroyed by shredding or incineration. Personal data stored in electronic file form is deleted using technical methods that prevent the records from being recovered.
7. Measures to Ensure the Security of Personal Data
The Company implements the following measures to protect personal data:
Administrative measures: Establishing and implementing an internal personal data protection management plan, minimizing and designating personnel with access to personal data, and providing regular training.
Technical measures: Managing access rights to personal data processing systems, installing access control systems, encrypting personal data, and installing and updating security software.
Physical measures: Controlling access to server rooms and data storage facilities.
8. Automatic Data Collection Tools: Installation, Operation, and Opt-Out
The Company uses cookies and advertising identifiers (ADID/IDFA) to provide a personalized service experience. You may opt out of these at any time through your device settings.
Purpose of Cookies
Cookies are used to understand how you visit and use webpages, and to determine whether your connection is secure.
How to Opt Out of Cookies
Opting out of cookies does not disadvantage you in any way, but it may make it more difficult to use certain features of the Service, such as personalized recommendations.
Web browsers
Microsoft Edge: Menu > Settings > Cookies and Site Permissions > Manage and Delete Cookies and Site Data
Chrome: Menu > Settings > Privacy and Security
Safari: Preferences > "Prevent Cross-Site Tracking" and "Block All Cookies"
Other major browsers such as Firefox and Opera also offer cookie-deletion features.
Mobile devices
Android: Settings > Google > Ads > Opt out of Ads Personalization (turn ON)
iPhone: Settings > Privacy > Tracking > Allow Apps to Request to Track (turn OFF)
9. Data Protection Officer and Grievance Handling
If you have any questions, concerns, or complaints regarding the protection of your personal data while using the Service, you may contact our Data Protection Officer below.
Data Protection Officer
Name | Yechan Kim |
|---|---|
Title | Chief Privacy Officer (CPO) |
Phone | +82 10 2642 5232 |
10. Changes to This Privacy Policy
If any content is added to, removed from, or otherwise revised in this Privacy Policy, we will provide advance notice through our website.
11. Effective Date
① This Privacy Policy is effective as of June 19, 2026.