Effective Date: June 27, 2025
Chinipy (hereinafter "Company") establishes and operates the following privacy policy to protect users' personal information and rights in accordance with the Personal Information Protection Act and to smoothly handle users' grievances related to personal information.
This Privacy Policy applies to the AI character counseling mobile application service provided by the Company and complies with international data transfer and related laws for global service provision.
Article 1 (Purpose of Personal Information Processing)
The Company processes personal information for the following purposes. Personal information being processed is not used for purposes other than the following, and when the purpose of use changes, necessary measures such as obtaining separate consent will be implemented in accordance with Article 18 of the Personal Information Protection Act.
1.1 Membership Registration and Management
- Confirmation of membership registration intention, identification and authentication for membership services
- Membership qualification maintenance and management, prevention of fraudulent service use
- Securing contact information for various notices and grievance handling
1.2 Goods or Service Provision
- AI character-based worry counseling services
- AI-based character-specific personalized counseling
- Other services that the Company additionally develops or provides to users through partnership agreements
1.3 Grievance Handling
- Identity verification of complainants, confirmation of complaints, contact and notification for fact-finding
- Processing result notification, service improvement
1.4 Marketing and Advertising Utilization
- New service (product) development and customized service provision
- Event and advertising information provision and participation opportunities
- Personalized advertising provision and advertising effectiveness measurement
- Access frequency analysis and statistics on members' service usage
Article 2 (Personal Information Processing and Retention Period)
2.1 Processing and Retention Period
The Company processes and retains personal information within the personal information retention and use period according to laws or the personal information retention and use period agreed upon when collecting personal information from data subjects.
| Data Type | Retention Period | Storage Purpose | Legal Basis |
|---|---|---|---|
| Member Basic Information | 5 years after withdrawal | E-commerce Act compliance, dispute resolution | E-commerce Act Article 6 |
| Current Assets | 2 years from last activity | Service provision, fraud prevention | Personal Information Protection Act Article 15 |
| Asset Change Records | 370 days from occurrence | Transaction tracking, customer support | Personal Information Protection Act Article 15 |
| In-app Purchase Information | 5 years from payment date | E-commerce Act compliance | E-commerce Act |
| Event Participation Records | 2 years from last activity | Event operation, fraud prevention | Personal Information Protection Act Article 15 |
| Worry Counseling History | Automatically deleted after 7 days | Customer support, service quality management | Personal Information Protection Act Article 15 |
| Ad Viewing Records | Automatically deleted after 7 days | Advertising effectiveness measurement | Personal Information Protection Act Article 15 |
2.2 Inactive Member Information Processing
- Members inactive for 2+ years
- No purchase history: Delete all information
- With purchase history: Delete all except member basic information, in-app purchase information
- Email notification 30 days and 7 days before deletion
- Members inactive for 5+ years: Complete deletion of all information
- Members who only logged in for 90 days without service use: Account deletion
Article 3 (Personal Information Items Processed)
3.1 Information Collected Through OAuth Login
The Company collects personal information through the following OAuth systems:
Information Collected During Google Login:
- Required Items: Email address, name, unique identifier
- Optional Items: Profile picture
- Metadata: Provider information, email verification status
Information Collected During Apple Login:
- Required Items: Email address (actual or Private Relay), unique identifier
- Optional Items: Name (if user chooses)
- Metadata: Provider information, authentication status
3.2 Information Automatically Generated and Collected During Service Use
- Device Information: Mobile device identifier, OS version, app version
- Service Usage Records: Access date/time, service usage records, error records
- Counseling Content: Conversation content with AI characters, worry counseling history
- Advertising Identifiers: IDFA (iOS), Google Advertising ID (Android) - collected only with consent
Article 4 (Provision of Personal Information to Third Parties)
The Company processes personal information only within the scope specified in Article 1 (Purpose of Personal Information Processing) and provides personal information to third parties only in cases corresponding to Article 17 of the Personal Information Protection Act, such as data subject consent or special provisions of laws.
4.1 Personal Information Regularly Provided to Third Parties
| Recipient | Purpose of Provision | Items Provided | Retention and Use Period |
|---|---|---|---|
| Google LLC (Google AdMob) | Personalized advertising provision, advertising effectiveness measurement | Advertising identifiers (IDFA/GAID), device information, app usage patterns | Until advertising service purpose is achieved |
4.2 Right to Refuse Ad Tracking
Users can refuse personalized ad tracking at any time:
- iOS: Settings → Privacy & Security → Tracking → Disable Allow Apps to Request to Track
- Android: Settings → Google → Ads → Disable Ad Personalization
Article 5 (Consignment of Personal Information Processing)
The Company consigns personal information processing tasks as follows for smooth personal information processing:
| Consignee | Consigned Work Content | Personal Information Retention and Use Period |
|---|---|---|
| Supabase Inc. | Member information storage and management, OAuth authentication service | Until consignment contract termination |
| Google LLC | Cloud server operation, data backup, advertising services | Until consignment contract termination |
When concluding consignment contracts, the Company specifies matters related to prohibition of personal information processing beyond the purpose of consignment work performance, technical and administrative protection measures, re-consignment restrictions, management and supervision of consignees, and liability for damages in documents such as contracts in accordance with Article 26 of the Personal Information Protection Act, and supervises whether consignees safely process personal information.
Article 6 (Cross-border Transfer of Personal Information)
The Company transfers personal information abroad as follows for global service provision:
| Item | Content |
|---|---|
| Personal Information Items to be Transferred | Member information, service usage records, device information |
| Countries to which Personal Information is Transferred | United States, Singapore, European Union |
| Recipients | Supabase Inc. (USA), Google LLC (USA) |
| Recipients' Personal Information Use Purpose | Service provision, data storage and management |
| Retention and Use Period | Until member withdrawal or consignment contract termination |
6.1 Personal Information Protection Systems in Recipient Countries
- United States: EU-US Data Privacy Framework (DPF) applied
- European Union: GDPR (General Data Protection Regulation) applied with mutual adequacy decision with Korea
- Singapore: Personal Data Protection Act (PDPA) applied
Article 7 (Rights and Obligations of Data Subjects and Exercise Methods)
7.1 Rights of Data Subjects
Data subjects can exercise the following personal information protection-related rights against the Company at any time:
- Request for notification of personal information processing status
- Request for access to personal information
- Request for correction and deletion of personal information
- Request for suspension of personal information processing
- Claim for damages
7.2 Method of Exercising Rights
The above rights can be exercised through written documents, email, etc., in accordance with Article 41, Paragraph 1 of the Enforcement Decree of the Personal Information Protection Act, and the Company will take measures without delay.
Article 8 (Destruction of Personal Information)
8.1 Destruction Procedure
The Company destroys personal information without delay when personal information becomes unnecessary due to expiration of the personal information retention period, achievement of processing purposes, etc.
8.2 Destruction Method
- Electronic Files: Delete files using technical methods and take measures to prevent recovery and regeneration
- Other Records: Destroy by shredding or incineration
8.3 Automatic Destruction System
- Automatically deleted after 7 days: Counseling content, ad viewing records
- Automatically deleted after 370 days: Asset change records
- Automatically deleted after 2 years: Inactive members' current assets, event participation records
- Automatically deleted after 5 years: In-app purchase information, member basic information
Article 9 (Measures to Ensure Safety of Personal Information)
The Company takes the following technical, administrative, and physical measures necessary to ensure safety in accordance with Article 29 of the Personal Information Protection Act:
9.1 Technical Measures
- Personal Information Encryption: Personal information is safely stored and managed through encryption
- Supabase-based Security: Row Level Security (RLS) policy applied
- API Access Control: Only authenticated users can access data
- Technical Measures Against Hacking: Installation and operation of antivirus software and security programs
- Storage of Access Records: Records of access to personal information processing systems are kept for at least 1 year
9.2 Administrative Measures
- Minimization of Personal Information Handling Staff: Designate and minimize staff who process personal information
- Regular Staff Training: Regular training on laws related to personal information protection and internal management plans for staff who process personal information
Article 10 (Installation, Operation, and Refusal of Automatic Personal Information Collection Devices)
10.1 Use of Automatic Personal Information Collection Devices
The Company uses automatic personal information collection devices that store and retrieve usage information from time to time to provide individual customized services to users.
10.2 Purpose of Use
- Providing customized information according to individual interests
- Analyzing access frequency and visit times to understand users' preferences and interests
- Target marketing and personalized service provision through understanding event participation levels and visit counts
- Advertising effectiveness measurement and improvement
10.3 Method to Refuse Settings
Users can refuse automatic personal information collection through device settings:
- iOS: Settings → Privacy & Security → Tracking → Disable Allow Apps to Request to Track
- Android: Settings → Google → Ads → Disable Ad Personalization
Article 11 (Personal Information Protection Officer)
11.1 Personal Information Protection Officer
- Officer: Chinipy CEO
- Email: chinipy@chinipy.com
- Customer Support Hours: Weekdays 10:00 ~ 17:00 (Korea Time, excluding weekends and holidays)
- Processing Period: Response within 10 days from inquiry receipt
11.2 Exercise of Personal Information-related Rights
Data subjects can exercise the following rights:
- Request for notification of personal information processing status
- Request for access to personal information
- Request for correction and deletion of personal information
- Request for suspension of personal information processing
- Claim for damages
Article 12 (Personal Information Breach Reporting)
Data subjects can report personal information breaches to the following institutions:
Personal Information Breach Reporting Institutions
- Personal Information Protection Center: privacy.go.kr, 182 (without area code)
- Personal Information Dispute Mediation Committee: privacy.go.kr, 1833-6972 (without area code)
- Supreme Prosecutors' Office Internet Crime Investigation Center: icic.sppo.go.kr, 1301 (without area code)
- National Police Agency Cyber Terror Response Center: ctrc.go.kr, 182 (without area code)
Article 13 (Changes to Privacy Policy)
13.1 Change Notice
This Privacy Policy is applied from the effective date, and when there are additions, deletions, and corrections of changes according to laws and policies, it will be announced through notices from 7 days before the implementation of changes.
13.2 Important Changes
When significant changes affecting data subject rights occur, such as changes in the purpose of personal information collection and use or changes in third-party provision targets, we will announce at least 30 days in advance and, if necessary, obtain data subject consent again.
Effective Date: 2025-06-27
Revision Date: 2025-06-27