Privacy Policy
Article 1 (Purpose)
LookPick AI Inc. ("LookPick AI" or the "Company") establishes this Privacy Policy (the "Policy") to protect the personal information of individuals ("Users" or "Individuals") who use the services provided by the Company (the "Services"), to comply with the Personal Information Protection Act, the Act on Promotion of Information and Communications Network Utilization and Information Protection ("Network Act"), and other related laws, and to promptly and effectively address any grievances of Users regarding the protection of personal information.
Article 2 (Principles of Personal Information Processing)
In accordance with applicable personal information laws and this Policy, the Company may collect personal information from Users. Such personal information may be provided to third parties only with the User's consent. However, the Company may provide collected personal information to third parties without prior consent if legally required or compelled by applicable laws.
Article 3 (Disclosure of this Policy)
The Company makes this Policy available to Users at all times via the homepage landing page or a linked page from the homepage.
When disclosing this Policy under Paragraph 1, the Company uses appropriate font sizes and colors to ensure Users can easily read and understand the content.
Article 4 (Amendments to this Policy)
This Policy may be amended in response to changes in personal information laws, guidelines, notices, or government policies, or in the policies or content of the Company's Services.
When amending this Policy under Paragraph 1, the Company will provide notice through one or more of the following methods:
- Posting on the notice board of the Company's homepage or via a separate pop-up window
- Notifying Users in writing, by fax, by email, or through similar means
Notices under Paragraph 2 shall be provided at least 7 days before the effective date of the amendment. However, if the amendment materially affects User rights, notice shall be provided at least 30 days in advance.
Article 5 (Information Collected for Membership Registration)
The Company collects the following information for membership registration:
- Required Information: Email address and name (provided by the social login provider where applicable)
- Optional Information: Profile photo, name and link of the store(s) operated
Article 6 (Information Collected for Payment Services)
The Company processes payments through a payment gateway (such as PortOne; see the outsourcing in Article 30). Sensitive payment method information such as card numbers is handled by the payment gateway, and the Company does not directly collect or store it. The payment-related information held by the Company is as follows:
- Information Held: Payment authorization information, order information, and payment method type
Article 7 (Information Collected for Service Provision)
The Company collects the following information to provide its Services:
- Required Information: Email address, name, and contact information
Article 8 (Information Collected for Service Use and Fraud Prevention)
The Company collects the following information for statistical and analytical purposes related to service usage, as well as for the detection and analysis of fraudulent activity. ("Fraudulent activity" refers to actions such as repeated re-registration after withdrawal, repeated cancellations after purchase, or any illegal or improper acquisition of economic benefits from discount coupons, event rewards, or similar benefits provided by the Company; acts prohibited under the Terms of Service; identity theft; or other illegal or improper conduct.)
- Required Information: Service usage records and access location information
- Optional Information: Profile photo, name and link of the store(s) operated
Article 9 (Methods of Collecting Personal Information)
The Company collects personal information from Users through the following methods:
- The User enters personal information directly on the Company's homepage
- The User enters personal information through services provided by the Company outside of the homepage, such as applications
- Information entered by the User in the course of using the Company's services, such as customer support inquiries or activity on bulletin boards
Article 10 (Use of Personal Information)
The Company uses personal information for the following purposes:
- Sending notices and other communications necessary for Company operations
- Responding to inquiries, handling complaints, and otherwise improving services for Users
- Providing the Company's Services
- Imposing usage restrictions on members who violate the law or the Company's Terms of Service, and preventing or sanctioning fraudulent activity or other conduct that disrupts smooth service operations
- Developing new services
- Marketing purposes, including event and promotional notifications
- Demographic analysis and analysis of service visit and usage records
- Understanding customer usage patterns through service reviews and similar feedback
Article 11 (Retention and Use Period of Personal Information)
The Company retains and uses personal information only for the period necessary to fulfill the purposes of collection and use.
Notwithstanding the foregoing, the Company retains records of fraudulent service use for up to one year after a member's withdrawal in order to prevent fraudulent re-registration and use, in accordance with internal policy.
Article 12 (Retention and Use Period of Personal Information by Law)
The Company retains and uses personal information in accordance with applicable laws as follows:
- Information retained under the Act on Consumer Protection in Electronic Commerce, etc.
  - Records of contracts or withdrawal of subscription: 5 years
  - Records of payment and supply of goods, etc.: 5 years
  - Records of consumer complaints or dispute resolution: 3 years
  - Records related to display and advertising: 6 months
- Information retained under the Communication Secrets Protection Act
  - Website log data: 3 months
- Information retained under the Electronic Financial Transactions Act
  - Records of electronic financial transactions: 5 years
- Act on the Protection and Use of Location Information
  - Records of personal location information: 6 months
Article 13 (Principles of Destruction of Personal Information)
In principle, the Company promptly destroys personal information when it is no longer needed, such as when the purpose of processing has been fulfilled or the retention and use period has expired.
Article 14 (Procedure for Destruction of Personal Information)
Information entered by a User for membership registration or other purposes is, after the purpose of processing has been fulfilled, transferred to a separate database (or, in the case of paper records, to a separate filing cabinet), stored for a certain period in accordance with internal policies and applicable laws (see Retention and Use Period), and then destroyed.
Personal information for which destruction is required is destroyed only after approval by the Company's Personal Information Protection Officer.
Article 15 (Method of Destruction of Personal Information)
Personal information stored in electronic file format is deleted using technical methods that prevent the recovery of records. Personal information printed on paper is destroyed by shredding or incineration.
Article 16 (Measures Regarding Transmission of Advertising Information)
When transmitting advertising information for commercial purposes via electronic transmission media, the Company obtains the User's express prior consent. However, prior consent is not required in the following cases:
- Where the Company has directly collected the recipient's contact information through a transaction relationship for goods, etc., and intends to transmit advertising information for commercial purposes related to goods of the same type as those transacted within 6 months from the end of the transaction
- Where a telephone solicitor under the Door-to-Door Sales Act notifies the recipient by voice of the source of the personal information collection and conducts the telephone solicitation
Notwithstanding the foregoing, if the recipient indicates a refusal to receive or withdraws prior consent, the Company shall not transmit advertising information for commercial purposes and shall notify the recipient of the processing result regarding the refusal or withdrawal.
When transmitting advertising information for commercial purposes via electronic transmission media between 9:00 PM and 8:00 AM the following day, the Company obtains separate prior consent from the recipient, notwithstanding Paragraph 1.
When transmitting advertising information for commercial purposes via electronic transmission media, the Company specifies the following details clearly in the advertising content:
- Company name and contact information
- Information regarding the means of expressing refusal to receive or withdrawal of consent to receive
When transmitting advertising information for commercial purposes via electronic transmission media, the Company shall not engage in any of the following:
- Acts that avoid or hinder the recipient's refusal to receive or withdrawal of consent
- Acts of automatically generating recipient contact information such as phone numbers or email addresses by combining digits, symbols, or letters
- Acts of automatically registering phone numbers or email addresses for the purpose of transmitting advertising information for commercial purposes
- Acts of concealing the identity of the sender or the source of the advertising information
- Acts of deceiving the recipient to induce a response for the purpose of transmitting advertising information for commercial purposes
Article 17 (Protection of Children's Personal Information)
To protect the personal information of children under the age of 14, the Company permits membership registration only by Users aged 14 or older.
Notwithstanding Paragraph 1, if a User is a child under the age of 14, the Company obtains consent for the collection, use, and provision of the child's personal information from the child's legal guardian.
In the case of Paragraph 2, the Company additionally collects the legal guardian's name, date of birth, gender, duplicate registration confirmation information (ID), and mobile phone number.
Article 18 (Obligations of Users)
Users must keep their personal information up to date, and any issues arising from the User's inaccurate input of information are the User's own responsibility.
In the case of membership registration using another person's personal information, the User may lose membership status or be subject to penalties under applicable personal information protection laws.
Users are responsible for maintaining the security of their email address, password, etc., and may not transfer or lend such information to third parties.
Article 19 (Management of Personal Information by the Company)
In processing Users' personal information, the Company implements the technical and administrative protective measures necessary to ensure security so that personal information is not lost, stolen, leaked, altered, or damaged.
Article 20 (Handling of Deleted Information)
Personal information that has been canceled or deleted at the request of the User or legal guardian is processed in accordance with the periods specified under "Retention and Use Period of Personal Information" and is handled so that it cannot be viewed or used for any other purpose.
Article 21 (Encryption of Passwords)
Users' passwords are stored and managed using one-way encryption. Verification and modification of personal information are possible only by the individual who knows the password.
Article 22 (Measures Against Hacking, etc.)
The Company makes its best efforts to prevent the leakage or damage of Users' personal information caused by hacking, computer viruses, or other intrusions into information and communications networks.
The Company uses the latest antivirus programs to prevent the leakage or damage of Users' personal information and data.
The Company uses an intrusion prevention system to maintain optimal security against potential incidents.
When sensitive personal information is collected and held, the Company ensures that personal information is securely transmitted over the network through encrypted communication.
Article 23 (Minimization and Training of Personnel Handling Personal Information)
The Company limits the personnel handling personal information to the minimum necessary, and emphasizes compliance with laws and internal policies through administrative measures such as training for personnel handling personal information.
Article 24 (Measures in Case of Personal Information Breach)
When the Company becomes aware of any loss, theft, or leakage of personal information ("Breach"), it promptly notifies the affected User of all of the following items and reports the Breach to the Korea Communications Commission or the Korea Internet & Security Agency:
- The categories of personal information involved in the Breach
- The time at which the Breach occurred
- Measures the User can take
- Response measures by the information and communications service provider
- The department and contact through which the User can seek consultation
Article 25 (Exception to Measures in Case of Personal Information Breach)
Notwithstanding the preceding article, if there is a legitimate reason that prevents the Company from contacting the User (such as the User's contact information being unavailable), the Company may, in lieu of the notification under the preceding article, post the relevant information on the Company's homepage for at least 30 days.
Article 26 (Installation, Operation, and Refusal of Automatic Personal Information Collection Devices)
The Company uses automatic personal information collection devices ("Cookies") that store and frequently retrieve usage information in order to provide personalized services to Users. Cookies are small pieces of information sent from the server (HTTP) operating the website to the User's web browser (including PC and mobile), and may also be stored on the User's storage device.
Users have the right to choose whether to allow Cookies. Therefore, Users may configure their web browser settings to allow all Cookies, to require confirmation each time a Cookie is stored, or to refuse all Cookies.
However, if the User refuses to allow Cookies, some of the Company's services that require login may be difficult to use.
Article 27 (How to Configure Cookie Settings)
You can configure cookie acceptance and blocking through your web browser's settings:
- Edge: Settings menu (top right) > Cookies and site permissions > Manage and delete cookies and site data
- Chrome: Settings menu (top right) > Privacy and security > Cookies and other site data
- Whale: Settings menu (top right) > Privacy > Cookies and other site data
Article 28 (Designation of Personal Information Protection Officer)
The Company designates the following department and Personal Information Protection Officer to protect Users' personal information and to handle complaints related to personal information:
Personal Information Protection Officer
- Name: Junho Park
- Title: CEO
- Phone: +82 10-4326-2463
- Email: armanpark@lookpickai.com
Article 29 (Remedies for Infringement of Rights)
Data subjects may apply for dispute resolution or consultation with the Personal Information Dispute Mediation Committee, the Korea Internet & Security Agency Personal Information Infringement Report Center, or similar bodies in order to seek remedies for personal information infringement. For other inquiries regarding the reporting or consultation of personal information infringement, please contact the following organizations:
- Personal Information Dispute Mediation Committee: 1833-6972 (www.kopico.go.kr)
- Personal Information Infringement Report Center: 118 (privacy.kisa.or.kr)
- Supreme Prosecutors' Office: 1301 (www.spo.go.kr)
- National Police Agency: 182 (ecrm.cyber.go.kr)
The Company strives to ensure data subjects' right to self-determination of personal information and to provide consultation and remedies for infringement of personal information. For reports or consultation, please contact the department listed in Paragraph 1.
Any person whose rights or interests have been infringed by a disposition or omission by the head of a public agency in response to a request under Article 35 (Inspection of Personal Information), Article 36 (Correction or Deletion of Personal Information), or Article 37 (Suspension of Processing of Personal Information, etc.) of the Personal Information Protection Act may file an administrative appeal in accordance with the Administrative Appeals Act.
- Central Administrative Appeals Commission: 110 (www.simpan.go.kr)
Rights of Overseas Residents
Data subjects residing outside the Republic of Korea have the following rights under the laws of their country of residence:
- EU residents (GDPR): the rights of access, rectification, erasure, restriction of processing, data portability, and objection, as well as the right to lodge a complaint with their member state supervisory authority (DPA). The Company shall, in principle, respond within one month of receipt of the request (with notice if extended).
- China residents (PIPL): the rights of access, copying, correction, deletion, restriction of processing, and withdrawal of consent.
- Japan residents (APPI): the rights provided under the Act on the Protection of Personal Information (APPI).
- California residents (CCPA/CPRA): the rights to know, delete, and correct, and to opt out of the sale or sharing of personal information. The Company shall, in principle, respond within 45 days of receipt of the request.
These rights may be exercised by contacting armanpark@lookpickai.com.
Article 30 (Outsourcing of Personal Information Processing)
For the smooth provision of its services, the Company outsources the processing of personal information to external specialized providers in accordance with Article 26 of the Personal Information Protection Act. When entering into outsourcing contracts, the Company specifies in the contract documents matters such as the prohibition of processing personal information for purposes other than performing the outsourced work, technical and administrative protective measures, restrictions on subcontracting, supervision of the trustee, and liability including damages, and supervises the trustee to ensure that personal information is processed safely.
- Korea PortOne Co., Ltd. (PortOne)
Outsourced Work: Electronic payment processing, payment data integration and verification, and processing of payment cancellations and refunds
Outsourced Information: Payment method information entered at the time of payment (partial card numbers, payment authorization information, order information, etc.)
Retention Period: Until member withdrawal or termination of the outsourcing contract (information required to be retained under applicable laws shall be retained for the relevant period)
- MongoDB, Inc. (MongoDB Atlas)
Outsourced Work: Database storage and management of user account, session, and payment metadata
Data Location: Republic of Korea (GCP Seoul region, asia-northeast3)
Retention Period: Until member withdrawal (information required to be retained under applicable laws shall be retained for the relevant period)
- Vercel Inc. (Vercel Blob)
Outsourced Work: Storage of generated output images
Data Location: Republic of Korea (Incheon region)
Retention Period: 30 days from the date of generation
In the event of any change to the content of the outsourced work or the trustee, this Privacy Policy will be updated and disclosed without delay.
Article 31 (Cross-Border Transfer of Personal Information)
For the provision of services, the Company transfers personal information abroad as follows, in accordance with Article 28-8 of the Personal Information Protection Act. The User consents to such cross-border transfer upon registration and payment.
- Railway Corp. (DPA: railway.com/legal/dpa)
Country of Transfer: Singapore
Items Transferred: personal information during service processing (account information, request data, etc.)
Time/Method of Transfer: as needed during service use, via network transmission
Purpose of Use: backend server hosting and processing of service requests
Retention/Use Period: the service processing period
- Railway Corp. (Redis hosting, DPA: railway.com/legal/dpa)
Country of Transfer: Singapore
Items Transferred: authentication token management information (including email and verification code if email verification is introduced)
Time/Method of Transfer: at login/authentication, via network transmission
Purpose of Use: authentication token management and email verification processing
Retention/Use Period: temporary (minutes to session duration)
- Cloudflare, Inc. (101 Townsend St., San Francisco, CA 94107, USA / privacy contact: dpo@cloudflare.com)
Country of Transfer: Asia-Pacific region (specific country not designated)
Items Transferred: B2B uploaded input images
Time/Method of Transfer: at upload, via network transmission
Purpose of Use: storage of B2B uploaded images
Retention/Use Period: the policy retention period
The User may refuse consent to the above cross-border transfer. Refusal may be requested through customer support (armanpark@lookpickai.com); however, refusal may restrict the use of the relevant features such as registration, payment, and B2B upload.
Supplementary Provisions
Article 1
This Policy takes effect on May 22, 2026.