Privacy Policy

주식회사 더모랩스 (the "Company") establishes and discloses the following Privacy Policy in accordance with Article 30 of the Personal Information Protection Act of the Republic of Korea ("PIPA"), in order to protect the personal information of data subjects and to handle any related grievances promptly and smoothly.

Article 1. Purpose of Processing Personal Information

The Company processes personal information for the following purposes. Personal information being processed shall not be used for any purpose other than those stated below, and in the event of a change of purpose, the Company will take necessary steps such as obtaining separate consent pursuant to Article 18 of PIPA.

  • Member registration & management: identity verification, maintenance of membership, prevention of fraudulent use
  • Service delivery: storing and syncing workout logs, program recommendations, statistics and charts, push notifications
  • Billing & advertising: paid-subscription settlement and refunds, personalised and non-personalised ad delivery and measurement
  • Grievance handling: verifying the identity of complainants, confirming the complaint, contacting and notifying for fact-finding, and reporting the outcome

Article 2. Items of Personal Information Processed

The Company processes the following categories of personal information.

  • Mandatory: email address, password (hashed), nickname, sex, year of birth, service-use history, access logs, access IP, device identifier
  • Social login: Google / Apple account email, unique identifier, profile name
  • Optional: workout goal, available workout days and times, available equipment and other program-recommendation inputs
  • Automatically collected: cookies, advertising identifiers (IDFA / GAID), service-use history, error logs

Article 3. Processing of Sensitive Information

Under Article 23 of PIPA and Article 18 of its Enforcement Decree, information relating to physical condition and health is treated as sensitive information. The Company processes the following sensitive information to provide personalised workout-logging and program-recommendation features.

  • Health- and body-related data: height, weight, workout performance records (sets, reps, weight, duration, rounds, tempo, variant, failed-set flag, RIR/RPE, etc.), heart rate during workout (when a connected device is used), training history, training goals
  • Purpose: generation of individualised training programs and progress calculation, statistics and charts
  • Retention: until membership withdrawal; destroyed without delay after withdrawal

Consent-flow status: as of the effective date of this policy, the Company's mobile apps and web settings present a dedicated sensitive-information (health/body) consent UI. At membership registration, data subjects can individually accept or decline sensitive-information collection and use independently of their agreement to this Privacy Policy, and core features — sign-up, login, workout session logging, and baseline program recommendations — remain available without the grant. Sensitive information is used for personalised program-recommendation safety adjustments (reflecting pain, injury, and contraindicated areas) and the related statistics only after the consent is recorded as `GRANTED`. Data subjects can review and withdraw consent at any time from the "Privacy & Consent" menu in Settings; withdrawal may limit the availability of the relevant features (see Article 9).

Data subjects may withdraw consent to sensitive-information collection and use at any time. Upon withdrawal, features that rely on sensitive information (program recommendations, statistics, etc.) will be limited. Withdrawal requests are handled via the rights channel described in Article 9.

Article 4. Processing & Retention Period

The Company processes and retains personal information within the retention and use period prescribed by law or agreed upon with the data subject at the time of collection. Specific retention periods are as follows.

  • Member registration & management data: until membership withdrawal (retained for 30 days after withdrawal to prevent fraudulent use, then destroyed)
  • Payment and contract-performance records: 5 years, per the Act on Consumer Protection in Electronic Commerce, etc.
  • Records of consumer complaints and dispute handling: 3 years, per the same Act
  • Access logs: 3 months, per the Protection of Communications Secrets Act

Article 5. Provision of Personal Information to Third Parties

The Company processes personal information only within the scope stated in Article 1 (Purpose). Personal information is provided to third parties only in cases prescribed by Articles 17 and 18 of PIPA — such as the data subject's consent or a specific statutory provision. As a rule, the Company does not provide personal information to third parties.

Article 6. Outsourcing of Personal Information Processing

For smooth operations, the Company entrusts certain personal-information-processing tasks to the following entities.

  • Cloud infrastructure: Amazon Web Services, Inc. (data storage & transmission)
  • Push notifications: Google Firebase Cloud Messaging (Google LLC)
  • Social login: Google LLC, Apple Inc.
  • Ad mediation & delivery: AppLovin Corporation (AppLovin MAX SDK — bidding, delivery and measurement on iOS & Android), Google AdMob (Google LLC) and Meta Audience Network (Meta Platforms, Inc.) and other connected ad networks (only when such ads are served)

Under Article 26 of PIPA, the Company documents in the relevant contract the prohibition on processing beyond the entrusted purpose, technical and administrative safeguards, restrictions on re-entrustment, supervision of the trustee and liability for damages, and supervises whether each trustee processes personal information safely.

Article 7. Overseas Transfer of Personal Information

Pursuant to Article 28-8 of PIPA and Article 29-9 of its Enforcement Decree, the Company transfers personal information overseas because some of the trustees listed in Article 6 process data through servers located outside the Republic of Korea. The transferee, the country of transfer, the time and method of transfer, the items transferred, the purpose, and the retention-use period are as follows.

  • Transferee: Amazon Web Services, Inc.
    Country: United States (availability zones within the service region)
    Method: encrypted over HTTPS/TLS at service-use time
    Items transferred: member info, workout logs, sensitive info (height/weight/performance), access logs
    Purpose: cloud infrastructure (storage, transmission, backup)
    Retention period: until membership withdrawal or end of outsourcing
  • Transferee: Google LLC
    Country: United States
    Method: encrypted over HTTPS/TLS when calling the relevant service
    Items transferred: FCM device token, Google social-login identity, Firebase/AdMob SDK event logs
    Purpose: push notifications, social-login authentication, advertising identification and measurement
    Retention period: until membership withdrawal or end of outsourcing
  • Transferee: Apple Inc.
    Country: United States
    Method: encrypted over HTTPS/TLS when calling the relevant service
    Items transferred: Apple social-login identity
    Purpose: social-login authentication
    Retention period: until membership withdrawal or end of outsourcing
  • Transferee: AppLovin Corporation
    Country: United States
    Method: encrypted over HTTPS/TLS on ad impression
    Items transferred: advertising identifier (IDFA/GAID), device/OS info, app events, coarse location (IP-based)
    Purpose: ad mediation, delivery and measurement (AppLovin MAX bidding)
    Retention period: until membership withdrawal or end of outsourcing
  • Transferee: Meta Platforms, Inc.
    Country: United States
    Method: encrypted over HTTPS/TLS on ad impression
    Items transferred: advertising identifier (IDFA/GAID), app events
    Purpose: ad delivery and measurement (Audience Network connected networks)
    Retention period: until membership withdrawal or end of outsourcing

Data subjects may object to the above overseas transfers pursuant to Article 9. A refusal may, however, restrict features that rely on the relevant outsourced services (e.g. cloud-based sync, push notifications, personalised ads). Refusal requests are handled via the Data Protection Officer listed in Article 12.

Article 8. Destruction Procedure & Method

When personal information becomes unnecessary — for example, after the retention period expires or the processing purpose is achieved — the Company destroys it without delay.

  • Procedure: personal information subject to destruction is identified and destroyed upon approval of the Data Protection Officer.
  • Method: electronic files are deleted using technical means that prevent recovery; printed personal information is shredded or incinerated.

Article 9. Rights of Data Subjects & Legal Representatives

Data subjects may at any time exercise their rights to access, correct, delete or suspend the processing of their personal information held by the Company. Such requests may be made in writing, by email, etc., pursuant to Article 41(1) of the Enforcement Decree of PIPA, and the Company will act on them without delay.

If a data subject requests correction or deletion due to an error, the Company will not use or disclose the relevant personal information until correction or deletion is complete. Rights may be exercised through a legal representative or an authorised agent, in which case a power of attorney following the standard form in Annex 11 of the Notification on Methods of Personal Information Handling must be submitted.

Article 10. Safety Measures

Pursuant to Article 29 of PIPA, the Company takes the following technical, administrative and physical measures to ensure safety.

  • Minimisation of personnel handling personal information, with periodic training
  • Establishment and enforcement of an internal management plan
  • Encryption of personal information (password hashing; TLS in transit)
  • Storage and tamper-prevention of access logs
  • Access control (permission management, intrusion-prevention systems)
  • Physical locks for document security

Article 11. Installation & Operation of Automated Collection Tools; Opt-Out

The Company may use cookies and advertising identifiers (IDFA / GAID) to provide tailored services and maintain sessions. Data subjects may refuse the storage of cookies and advertising identifiers through their web-browser or mobile-device settings. On iOS, users may deny personalised-ad tracking via the App Tracking Transparency (ATT) prompt shown on first launch; non-personalised ads may still be served after denial. Refusing cookies may restrict some personalised services.

Article 12. Data Protection Officer

The Company designates the following Data Protection Officer to take overall responsibility for personal-information processing and to handle complaints and provide remedies for data subjects.

  • Data Protection Officer: 이청천
  • Contact: 010-2883-8333, dermo@dermolabs.com

Article 13. Remedies for Rights Infringement

Data subjects may apply for dispute resolution or counselling with the following agencies regarding personal-information infringement.

  • Personal Information Dispute Mediation Committee: 1833-6972 (www.kopico.go.kr)
  • Personal Information Infringement Report Center (KISA): 118 (privacy.kisa.or.kr)
  • Supreme Prosecutors' Office: 1301 (www.spo.go.kr)
  • Korean National Police Agency: 182 (ecrm.police.go.kr)

Article 14. Changes to This Privacy Policy

This Privacy Policy applies from its effective date. Any additions, deletions or corrections due to changes in law or policy will be announced through the notice page at least 7 days before they take effect. When the change materially affects the rights of data subjects, notice will be given at least 30 days in advance.

Business Information

  • Company: 주식회사 더모랩스
  • Representative: 이청천
  • Address: 서울특별시 서초구 강남대로51길 10, 비2층 105-181호 (서초동)

Effective date: 2026-04-23