한국어 English

Chinipy Lune Privacy Policy

Chinipy (hereinafter "Company") establishes and operates the following privacy policy to protect users' personal information and rights in accordance with the Personal Information Protection Act and to smoothly handle users' grievances related to personal information.

This Privacy Policy applies to the AI character counseling and tarot card mobile application service provided by the Company and complies with international data transfer and related laws for global service provision.

Article 1 (Purpose of Personal Information Processing)

The Company processes personal information for the following purposes. Personal information being processed is not used for purposes other than the following, and when the purpose of use changes, necessary measures such as obtaining separate consent will be implemented in accordance with Article 18 of the Personal Information Protection Act.

1.1 Membership Registration and Management

Confirmation of membership registration intention, identification and authentication for membership services
Membership qualification maintenance and management, prevention of fraudulent service use
Securing contact information for various notices and grievance handling

1.2 Goods or Service Provision

AI character-based worry counseling services
AI-based tarot card consultation and interpretation services
AI-based character-specific personalized counseling
Dream interpretation services
Other services that the Company additionally develops or provides to users through partnership agreements

1.3 Grievance Handling

Identity verification of complainants, confirmation of complaints, contact and notification for fact-finding
Processing result notification, service improvement

1.4 Marketing and Advertising Utilization

New service (product) development and customized service provision
Event and advertising information provision and participation opportunities
Personalized advertising provision and advertising effectiveness measurement
Access frequency analysis and statistics on members' service usage

Article 2 (Personal Information Processing and Retention Period)

2.1 Processing and Retention Period

The Company processes and retains personal information within the personal information retention and use period according to laws or the personal information retention and use period agreed upon when collecting personal information from data subjects.

Data Type	Retention Period	Storage Purpose	Legal Basis
Member Basic Information	5 years after withdrawal	E-commerce Act compliance, dispute resolution	E-commerce Act Article 6
Current Assets	2 years from last activity	Service provision, fraud prevention	Personal Information Protection Act Article 15
Asset Change Records	370 days from occurrence	Transaction tracking, customer support	Personal Information Protection Act Article 15
In-app Purchase Information	5 years from payment date	E-commerce Act compliance	E-commerce Act
Event Participation Records	2 years from last activity	Event operation, fraud prevention	Personal Information Protection Act Article 15
Tarot Question History	Automatically deleted after 7 days	Customer support, service quality management	Personal Information Protection Act Article 15
Ad Viewing Records	Automatically deleted after 7 days	Advertising effectiveness measurement	Personal Information Protection Act Article 15

2.2 Inactive Member Information Processing

        Members inactive for 2+ years
                No purchase history: Delete all information
With purchase history: Delete all except member basic information, in-app purchase information
                    
Email notification 30 days and 7 days before deletion

Members inactive for 5+ years: Complete deletion of all information
Members who only logged in for 90 days without service use: Account deletion

Article 3 (Personal Information Items Processed)

3.1 Information Collected Through OAuth Login

The Company collects personal information through the following OAuth systems:

Information Collected During Google Login:

Required Items: Email address, name, unique identifier
Optional Items: Profile picture
Metadata: Provider information, email verification status

Information Collected During Apple Login:

Required Items: Email address (actual or Private Relay), unique identifier
Optional Items: Name (if user chooses)
Metadata: Provider information, authentication status

3.2 Information Automatically Generated and Collected During Service Use

Device Information: Mobile device identifier, OS version, app version
Service Usage Records: Access date/time, service usage records, error records
Counseling Content: Conversation content with AI characters, worry counseling history, tarot question history
Advertising Identifiers: IDFA (iOS), Google Advertising ID (Android) - collected only with consent

Article 4 (Provision of Personal Information to Third Parties)

The Company processes personal information only within the scope specified in Article 1 (Purpose of Personal Information Processing) and provides personal information to third parties only in cases corresponding to Article 17 of the Personal Information Protection Act, such as data subject consent or special provisions of laws.

4.1 Personal Information Regularly Provided to Third Parties

Recipient	Purpose of Provision	Items Provided	Retention and Use Period
Google LLC (Google AdMob)	Personalized advertising provision, advertising effectiveness measurement	Advertising identifiers (IDFA/GAID), device information, app usage patterns	Until advertising service purpose is achieved

4.2 Right to Refuse Ad Tracking

Users can refuse personalized ad tracking at any time:

iOS: Settings → Privacy & Security → Tracking → Disable Allow Apps to Request to Track
Android: Settings → Google → Ads → Disable Ad Personalization

Article 5 (Consignment of Personal Information Processing)

The Company consigns personal information processing tasks as follows for smooth personal information processing:

Consignee	Consigned Work Content	Personal Information Retention and Use Period
Supabase Inc.	Member information storage and management, OAuth authentication service	Until consignment contract termination
Google LLC	Cloud server operation, data backup, advertising services	Until consignment contract termination

When concluding consignment contracts, the Company specifies matters related to prohibition of personal information processing beyond the purpose of consignment work performance, technical and administrative protection measures, re-consignment restrictions, management and supervision of consignees, and liability for damages in documents such as contracts in accordance with Article 26 of the Personal Information Protection Act, and supervises whether consignees safely process personal information.

Article 6 (Cross-border Transfer of Personal Information)

The Company transfers personal information abroad as follows for global service provision:

Item	Content
Personal Information Items to be Transferred	Member information, service usage records, device information
Countries to which Personal Information is Transferred	United States, Singapore, European Union
Recipients	Supabase Inc. (USA), Google LLC (USA)
Recipients' Personal Information Use Purpose	Service provision, data storage and management
Retention and Use Period	Until member withdrawal or consignment contract termination

6.1 Personal Information Protection Systems in Recipient Countries

United States: EU-US Data Privacy Framework (DPF) applied
European Union: GDPR (General Data Protection Regulation) applied with mutual adequacy decision with Korea
Singapore: Personal Data Protection Act (PDPA) applied

Article 7 (Rights and Obligations of Data Subjects and Exercise Methods)

7.1 Rights of Data Subjects

Data subjects can exercise the following personal information protection-related rights against the Company at any time:

Request for notification of personal information processing status
Request for access to personal information
Request for correction and deletion of personal information
Request for suspension of personal information processing
Claim for damages

7.2 Method of Exercising Rights

The above rights can be exercised through written documents, email, etc., in accordance with Article 41, Paragraph 1 of the Enforcement Decree of the Personal Information Protection Act, and the Company will take measures without delay.

Article 8 (Destruction of Personal Information)

8.1 Destruction Procedure

The Company destroys personal information without delay when personal information becomes unnecessary due to expiration of the personal information retention period, achievement of processing purposes, etc.

8.2 Destruction Method

Electronic Files: Delete files using technical methods and take measures to prevent recovery and regeneration
Other Records: Destroy by shredding or incineration

8.3 Automatic Destruction System

        Automatically deleted after 7 days: Counseling content, tarot question history, ad
                viewing records
Automatically deleted after 370 days: Asset change records
Automatically deleted after 2 years: Inactive members' current assets, event
                participation records
Automatically deleted after 5 years: In-app purchase information, member basic
                information

    

Article 9 (Measures to Ensure Safety of Personal Information)

The Company takes the following technical, administrative, and physical measures necessary to ensure safety in accordance with Article 29 of the Personal Information Protection Act:

9.1 Technical Measures

Personal Information Encryption: Personal information is safely stored and managed through encryption
Supabase-based Security: Row Level Security (RLS) policy applied
API Access Control: Only authenticated users can access data
Technical Measures Against Hacking: Installation and operation of antivirus software and security programs
Storage of Access Records: Records of access to personal information processing systems are kept for at least 1 year

9.2 Administrative Measures

Minimization of Personal Information Handling Staff: Designate and minimize staff who process personal information
Regular Staff Training: Regular training on laws related to personal information protection and internal management plans for staff who process personal information

Article 10 (Installation, Operation, and Refusal of Automatic Personal Information Collection Devices)

10.1 Use of Automatic Personal Information Collection Devices

The Company uses automatic personal information collection devices that store and retrieve usage information from time to time to provide individual customized services to users.

10.2 Purpose of Use

Providing customized information according to individual interests
Analyzing access frequency and visit times to understand users' preferences and interests
Target marketing and personalized service provision through understanding event participation levels and visit counts
Advertising effectiveness measurement and improvement

10.3 Method to Refuse Settings

Users can refuse automatic personal information collection through device settings:

iOS: Settings → Privacy & Security → Tracking → Disable Allow Apps to Request to Track
Android: Settings → Google → Ads → Disable Ad Personalization

Article 11 (Personal Information Protection Officer)

11.1 Personal Information Protection Officer

Officer: Chinipy CEO
Email: chinipy@chinipy.com
Customer Support Hours: Weekdays 10:00 ~ 17:00 (Korea Time, excluding weekends and holidays)
Processing Period: Response within 10 days from inquiry receipt

11.2 Exercise of Personal Information-related Rights

Data subjects can exercise the following rights:

Request for notification of personal information processing status
Request for access to personal information
Request for correction and deletion of personal information
Request for suspension of personal information processing
Claim for damages

Article 12 (Personal Information Breach Reporting)

Data subjects can report personal information breaches to the following institutions:

Personal Information Breach Reporting Institutions

Personal Information Protection Center: privacy.go.kr, 182 (without area code)
Personal Information Dispute Mediation Committee: privacy.go.kr, 1833-6972 (without area code)
Supreme Prosecutors' Office Internet Crime Investigation Center: icic.sppo.go.kr, 1301 (without area code)
National Police Agency Cyber Terror Response Center: ctrc.go.kr, 182 (without area code)

Article 13 (Changes to Privacy Policy)

13.1 Change Notice

This Privacy Policy is applied from the effective date, and when there are additions, deletions, and corrections of changes according to laws and policies, it will be announced through notices from 7 days before the implementation of changes.

13.2 Important Changes

When significant changes affecting data subject rights occur, such as changes in the purpose of personal information collection and use or changes in third-party provision targets, we will announce at least 30 days in advance and, if necessary, obtain data subject consent again.

Effective Date: 2025-06-27

Revision Date: 2025-06-27