Doneble Co., Ltd. complies with the "Personal Information Protection Act" and related laws to protect the freedom and rights of data subjects, processing personal information lawfully and managing it securely. In accordance with Article 30 of the "Personal Information Protection Act," this Privacy Policy has been established and published to guide data subjects on the procedures and standards for personal information processing and to address related grievances promptly and effectively.
1. Purpose of Processing Personal Information, Items Processed, and Retention Period
The company collects and uses personal information to the minimum extent necessary for providing services, in accordance with the "Personal Information Protection Act."
| Category | Purpose of Collection | Collected Items | Retention and Usage Period |
|---|---|---|---|
| Membership Registration and Management | Confirming the intent to register, identity verification for membership services, maintaining and managing membership qualifications, and verifying the consent of a legal guardian when processing personal information of individuals under 14 years old | Email address, password, nickname, gender, year of birth, height, current weight, target weight | Until membership withdrawal |
| Personalized Services | Providing customized services to customers | Name, ID, phone number, service usage details (app usage history, search history, misconduct records, access logs), IP address, cookies, MAC address, advertising identifiers | Until membership withdrawal ※ However, in accordance with the legally mandated retention period |
| Error and Inconvenience Reporting | Identifying the reporter, identifying and resolving the cause based on the report details, and responding to the report | Nickname, email address, details of errors or inconveniences, or inquiries | Until membership withdrawal ※ However, stored in accordance with the legally mandated retention period |
| Events | Event participation/winning and prize delivery | Nickname, email address, name, address, phone number | Until consent is withdrawn or membership withdrawal |
| Promotion and Marketing | Processing personal information for service promotion and sales recommendations | Nickname, email address, gender, year of birth, height, current weight, target weight, areas of interest, various automatically generated information and service usage records (app usage history, search history, misconduct records, access logs, cookies), IP address, advertising identifiers | Until 6 months after consent withdrawal or membership withdrawal |
| Performance Data Statistics and New Service Development | Statistics on product/service usage performance and new service development | Various automatically generated information and service usage records (app usage history, search history, misconduct records, access logs, cookies) generated during service use, information created by the data subject such as posts/other content, device information (OS/screen size, device ID), IP address | Until 6 months after consent withdrawal or membership withdrawal |
※ Information retained for a certain period in accordance with the legally mandated retention period will be destroyed afterward.
| Legal Basis | Retained Items | Retention Period |
| Article 6 of the Act on the Consumer Protection in Electronic Commerce, etc. and Article 6(1) of its Enforcement Decree | Records of contracts or subscription withdrawals, payments, and supply of goods, etc. | 5 years |
| Records of consumer complaints or dispute resolution | 3 years | |
| Records of labeling/advertising | 6 months | |
| Basic National Tax Act | Books and supporting documents related to all transactions prescribed by tax laws | 5 years |
| Article 22(1) of the Electronic Financial Transactions Act and Article 12(1) of its Enforcement Decree | Records of electronic financial transactions | 5 years |
| Article 15-2 of the Protection of Communications Secrets Act and Article 41(2)(2) of its Enforcement Decree | Service visit records | 3 months |
| Article 20(2) of the Credit Information Use and Protection Act | Records of collection, processing, and use of credit information | 3 years |
2. Processing of Personal Information for Children Under 14
(1) The company obtains consent from the legal guardian when processing the personal information of children under the age of 14.
(2) When obtaining consent from the legal guardian, the company may request minimal information, such as the name and contact details of the guardian. The company will display the consent details on an internet site and confirm the consent via a text message sent to the guardian’s mobile phone.
3. Procedures and Methods for Destroying Personal Information
(1) The company destroys personal information without delay when the retention period has expired or the purpose of processing has been achieved.
(2) If the retention period agreed upon by the data subject has expired or the purpose of processing has been achieved, but the information must be preserved according to other laws, it will be moved to a separate database (DB) or stored in a different location.
※ The items of personal information retained and the legal basis for their retention are outlined in [1. Purpose of Processing Personal Information, Processed Items, and Retention Period].
(3) The procedures and methods for destroying personal information are as follows:
① Destruction Procedure
The company selects personal information to be destroyed and obtains approval from the company’s Personal Information Protection Officer before proceeding.
② Destruction Method
Personal information recorded and stored in electronic file format is destroyed so it cannot be reproduced. Paper documents containing personal information a
| Delegatee (Trustee) | Outsourced Task |
|---|---|
| Stevie Co., Ltd. | Email delivery services |
| Amplitude, Inc. | Log and data analysis |
| Supabase Inc. | Data storage, including personal information |
(2) When entering into an outsourcing agreement, the company specifies in the contract or documentation the prohibition of processing personal information for purposes other than the outsourced tasks, technical and administrative protection measures, restrictions on re-outsourcing, management and supervision of the trustee, liability for damages, and other responsibilities, in accordance with Article 26 of the "Personal Information Protection Act." The company also supervises the trustee to ensure that personal information is handled securely.
(3) In accordance with Article 26(6) of the "Personal Information Protection Act," if the trustee re-outsources the company's personal information processing tasks, the trustee must obtain the company's consent.
(4) If the content of the outsourced tasks or the trustee changes, the company will disclose the changes through this Privacy Policy without delay.
5. Transfer of Personal Information Overseas
Doneble Co., Ltd. outsources certain tasks to overseas entities as follows:
| Trustee | Location of Trustee | Date and Method of Delegation | Contact Information of Data Controller | Personal Information Items Delegated | Details of Delegated Tasks | Retention and Usage Period of Personal Information |
|---|---|---|---|---|---|---|
| Amplitude, Inc. | — | Transferred via network at the time of service use | privacy@amplitude.com | Items collected as per the consent form for personal information use | Behavioral data collection for personalized services and advertisements | Until membership withdrawal or termination of the delegation contract |
| Supabase Inc. | — | Transferred via network when personal information processing is required | privacy@supabase.com | Personal information outlined in the collection, usage, retention, and destruction items | DB storage and management | Until membership withdrawal or termination of the delegation contract |
6. Measures for the Destruction of Inactive Users' Personal Information
(1) Doneble Co., Ltd. converts user accounts that have not been used for one year into dormant accounts and separates the personal information for storage. The separated personal information is retained for one year and then promptly destroyed.
(2) Doneble Co., Ltd. notifies members scheduled for dormancy at least 30 days in advance about the separation of their personal information, the expected dormancy date, and the items of personal information to be separately stored. Notifications are sent via email, text message, or other methods accessible to the user.
(3) To prevent the account from being converted to a dormant account, users can log in to the service before the conversion. Even after an account is converted to dormant status, users can restore the account to normal operation by logging in, subject to their consent.
7. Measures for the Destruction of Inactive Users' Personal Information
Rights and Obligations of Data Subjects and Legal Representatives and Methods of Exercise
(1) Data subjects may exercise their rights to access, correct, delete, or suspend the processing of their personal information at any time with Doneble Co., Ltd.
(2) Rights can be exercised through written documents, email, or fax in accordance with Article 41(1) of the Enforcement Decree of the "Personal Information Protection Act." Doneble Co., Ltd. will promptly take the necessary actions.
(3) Rights may also be exercised through a legal representative or a delegate authorized by the data subject. In such cases, a power of attorney form, as specified in "Personal Information Processing Guidelines (No. 2020-7)," Annex 11, must be submitted.
(4) Requests for access or suspension of processing of personal information may be restricted under Article 35(4) and Article 37(2) of the "Personal Information Protection Act."
(5) Requests for correction or deletion of personal information cannot be made if other laws specify that the personal information must be collected.
(6) Doneble Co., Ltd. verifies the identity of the requester or their legitimate representative before acting on requests for access, correction, deletion, or suspension of processing based on the data subject's rights.
8. Measures to Ensure the Security of Personal Information
Doneble Co., Ltd. takes the following measures to ensure the security of personal information:
(1) Administrative Measures: Establishment and implementation of internal management plans, operation of dedicated teams, and regular employee training
(2) Technical Measures: Management of access rights to personal information processing systems, installation of access control systems, encryption of personal information, installation and updates of security programs
(3) Physical Measures: Access control to computer rooms, data storage rooms, and similar facilities
9. Collection, Use, and Rejection of Behavioral Information
(1) The company collects and uses behavioral information in identifiable forms through cookies to provide optimized personalized services, benefits, and online tailored advertisements during service use.
(2) The company collects only the minimum behavioral information necessary for optimized personalized services, benefits, and online tailored advertisements. Sensitive behavioral information that may infringe on individual rights, interests, or privacy, such as ideologies, beliefs, education, or medical history, is not collected.
(3) (When behavioral information is used for personalized advertisements) The company does not collect behavioral information from children for the purpose of personalized advertisements and does not provide personalized advertisements to children.
(4) (When behavioral information is used for personalized advertisements) Data subjects can block or allow personalized advertisements by changing their browser's cookie settings. However, changing cookie settings may restrict the use of certain services, such as automatic website logins.
▶ Blocking/Allowing Personalized Ads via Web Browsers
a. Chrome
– Click the '⋮' icon in the top-right corner of Chrome and select "Settings."
– On the left side of the settings page, click "Privacy and Security" and select "Clear browsing data" to decide whether to delete browsing history.
– Similarly, on the left side of the settings page, click "Privacy and Security," then "Third-party cookies" to decide whether to block third-party cookies.
b. Edge
– Click the '…' icon in the top-right corner of Edge and select "Settings."
– On the left side of the settings page, click "Privacy, Search, and Services," then select the level of "Tracking Prevention" under the "Tracking Prevention" section.
– Choose whether to always use "Strict" tracking prevention when browsing InPrivate.
(5) (When behavioral information is used for personalized advertisements) The company collects and uses advertising identifiers for personalized ads in apps. Data subjects can block or allow personalized ads by changing their mobile device settings.
▶ Blocking/Allowing Advertising Identifiers on Mobile Devices
a. (Android) ① Settings → ② Security and Privacy → ③ Privacy → ④ Other Privacy Settings → ⑤ Ads → ⑥ Reset Ad ID or Delete Ad ID
b. (iPhone) ① Settings → ② Privacy & Security → ③ Tracking → ④ Disable App Tracking
※ Menus and methods may vary slightly depending on the mobile OS version.
⑥ Data subjects can inquire about behavioral information, exercise the right to reject it, or report damages to the department listed in [15. Contact Information of the Personal Information Protection Officer and Related Departments].
10. Rights and Obligations of Data Subjects and Legal Representatives and Methods of Exercise
(1) Data subjects may exercise their rights with the company at any time, including accessing, correcting, deleting, suspending the processing of, or withdrawing consent for their personal information, as well as rejecting or requesting an explanation for automated decisions (hereinafter referred to as "exercise of rights").
※ Requests for access to personal information of children under the age of 14 must be made directly by their legal representatives. Data subjects aged 14 or older may exercise their rights directly or through their legal representatives.
(2) The exercise of rights can be performed through written documents, email, or fax in accordance with Article 41(1) of the Enforcement Decree of the "Personal Information Protection Act." The company will promptly take appropriate measures.
– Data subjects can view, modify, or delete their personal information directly through [the website or app route] at any time or request access through 'Contact Us.'
– Data subjects can withdraw their consent for the collection and use of personal information at any time by choosing 'Withdraw Membership.'
– Data subjects can reject or request explanations for automated decisions through [the website or app route] at any time.
(3) Rights may also be exercised through a legal representative or a delegate authorized by the data subject. In such cases, a power of attorney form, as specified in "Personal Information Processing Guidelines (No. 2023-12)," Annex 11, must be submitted.
(4) The right to request access or suspension of processing of personal information may be restricted under Article 35(4) and Article 37(2) of the "Personal Information Protection Act."
(5) Requests for correction or deletion of personal information cannot be made if the information is required to be collected under other laws.
(6) If data subjects have consented to automated decisions, were informed through contracts, or if automated decisions are clearly defined by law, the right to reject such decisions may not be granted, but they may request explanations and reviews.
– Additionally, requests to reject or explain automated decisions may be denied if such requests could unfairly infringe on the life, body, property, or other rights and interests of others.
(7) The company verifies the identity of the person exercising the rights or their legitimate representative.
(8) Data subjects can exercise their rights through the department listed in [15. Contact Information of the Personal Information Protection Officer and Related Departments]. The company will strive to ensure that the exercise of rights by data subjects is promptly addressed.
11. Contact Information of the Personal Information Protection Officer and Related Departments
(1) The company takes overall responsibility for personal information processing and has designated the following Personal Information Protection Officer to handle complaints and remedy damages related to the processing of personal information.
| Category | Name and Position | Contact Information |
| Personal Information Protection Officer | Position: CEO Name: Yu-Hwan Kim |
admin@zette.io |
| Personal Information Protection Department | ||
| Personal Information Access Requests |
(2) Data subjects may contact the Personal Information Protection Officer and related departments for any inquiries, complaints, or remedies regarding personal information protection arising from the company's services (or business). The company will promptly respond and address such inquiries.
12. Remedies for Infringement of Data Subject's Rights
(1) Data subjects may seek resolution or counseling for personal information infringement by applying to the Personal Information Dispute Mediation Committee, the Korea Internet & Security Agency's Personal Information Infringement Report Center, or other organizations. For additional inquiries or complaints about personal information infringement, please contact the institutions below:
① Personal Information Dispute Mediation Committee: (toll-free) 1833-6972 (www.kopico.go.kr)
② Personal Information Infringement Report Center: (toll-free) 118 (privacy.kisa.or.kr)
③ Supreme Prosecutors' Office: (toll-free) 1301 (www.spo.go.kr)
④ National Police Agency: (toll-free) 182 (ecrm.cyber.go.kr)
(2) The company strives to ensure data subjects' rights to self-determination of personal information and provides counseling and remedies for personal information infringement. If you need assistance or counseling, please contact the department listed in [11. Contact Information of the Personal Information Protection Officer and Related Departments].
13. Changes to the Privacy Policy
(1) This Privacy Policy is effective as of May 9, 2024.