Privacy Policy
Effective date: 2026-04-17
This English text is a translation of the Korean original; the Korean version governs in case of any discrepancy.
1. General Provisions
kipid Inc. (the “Company”) operates the Recoeve service (the “Service”) with due regard for users’ personal information and complies with the Republic of Korea’s Personal Information Protection Act (PIPA) and related laws. This Privacy Policy is established and disclosed pursuant to Article 30 of PIPA to protect data subjects’ personal information and to handle related grievances promptly and smoothly.
2. Purposes of Processing
The Company processes personal information for the purposes below. Personal information is not used for purposes other than those listed; if the purpose changes, the Company will obtain separate consent and take any other required measures.
- Account registration and management (identity verification, member identification, prevention of abuse)
- Service delivery (core features such as content saving, sharing, and recommendations)
- Service operation and improvement (usage analytics, error analysis, feature improvement)
- Customer inquiries and announcements
- Fulfillment of legal obligations and dispute response
3. Items Processed and Methods of Collection
a. Information the user provides directly
- Email address, username, password (stored as a one-way bcrypt hash)
- Display name provided by the social login provider (Google, Kakao)
b. Information collected automatically during service use
- Social login provider identifier (Google sub, Kakao app_id)
- Profile image URL received from the social login provider
- IP address at signup, registration time, last visit time
c. Collection methods
- Input in the signup form
- Google / Kakao OAuth 2.0 authentication flow
- Automatic generation or collection during service use
4. Retention and Use Period
The Company processes and retains personal information within the retention period required by law or the period consented to by the data subject at the time of collection.
- Member information: until account withdrawal
- Email verification token: 1 hour after issuance (volatile Redis storage)
- Refresh token: 7 days after issuance (volatile Redis storage)
- When retention is required by law, the applicable statutory period:
- Records on contracts or subscription withdrawal: 5 years (Act on Consumer Protection in Electronic Commerce)
- Records on payment and supply of goods: 5 years (Act on Consumer Protection in Electronic Commerce)
- Records on consumer complaints or dispute resolution: 3 years (Act on Consumer Protection in Electronic Commerce)
- Communication confirmation records: 3 months (Protection of Communications Secrets Act)
5. Provision to Third Parties
The Company processes personal information only within the scope stated in Section 2 (Purposes of Processing). Personal information is provided to third parties only with the data subject’s consent or in cases permitted under Articles 17 and 18 of PIPA. The Company does not currently provide personal information to any third party.
6. Processing Delegation (Subprocessors)
The Company delegates certain personal-information processing tasks to the entities below for smooth operation of the Service.
| Subprocessor | Delegated task | Retention / use period |
|---|---|---|
| Amazon Web Services, Inc. (AWS) | Server and database hosting (EC2, RDS) | Until account withdrawal or termination of the delegation agreement |
| Vercel Inc. | Frontend hosting and deployment | Until account withdrawal or termination of the delegation agreement |
| Resend, Inc. | Email delivery (verification email, etc.) | Until delivery is complete |
7. Overseas Transfer of Personal Information
The Company transfers certain personal information overseas in order to provide the Service. Consent to this transfer is obtained at signup via agreement to the Terms of Service and this Privacy Policy.
| Recipient | Country | Items transferred | Purpose |
|---|---|---|---|
| Vercel Inc. | United States | Request information generated during service use (IP, User-Agent, etc.) | Frontend hosting and deployment |
| Resend, Inc. | United States | Email address, message contents | Verification and notification email delivery |
Transfer method: encrypted HTTPS/TLS communication. Timing: on every service use. Retention: until account withdrawal or termination of the delegation agreement.
8. Rights and Obligations of the Data Subject and Legal Representatives
Users may exercise the following personal-information rights against the Company at any time.
- Request access to personal information
- Request correction of any errors
- Request deletion (except where collection is mandated by law)
- Request suspension of processing
Rights may be exercised through in-service account settings or via the contact in Section 12, by writing or email. The Company will respond without delay.
9. Destruction Procedure and Method
When personal information is no longer necessary (retention period elapsed, processing purpose achieved, etc.), the Company destroys it without delay.
- Procedure: unnecessary personal information is moved to a separate database, retained for a defined period under internal policy and applicable law, then destroyed.
- Method: electronic files are permanently deleted using non-recoverable techniques; printed materials are shredded or incinerated.
10. Security Measures
The Company applies the following measures to ensure the security of personal information:
- One-way bcrypt hashing of passwords
- End-to-end TLS/HTTPS encryption
- JWT-based authentication tokens with server-side volatile storage for refresh tokens (Redis TTL)
- Minimized and access-controlled database and server access
- Training for personnel handling personal information, and access logging
11. Cookies
The Company uses cookies to maintain login sessions and to improve the user experience. Users may refuse cookies through their browser settings, but doing so may limit certain features of the Service.
The Company does not use third-party cookies for advertising or tracking purposes; it operates only first-party session cookies required for authentication.
12. Privacy Officer and Remedies
The Company has designated a Privacy Officer responsible for overall personal-information processing and for handling complaints and remedies from data subjects.
Privacy Officer
- Name: Kang-su Lee (Representative Director)
- Contact: recoeve.kipid@gmail.com
Data subjects may apply for dispute resolution or consultation in cases of personal-information infringement with the Personal Information Dispute Mediation Committee, the Korea Internet & Security Agency (KISA) Privacy Infringement Reporting Center, and similar bodies.
- Personal Information Dispute Mediation Committee: 1833-6972 / www.kopico.go.kr
- Privacy Infringement Reporting Center: 118 / privacy.kisa.or.kr
- Supreme Prosecutors’ Office, Cybercrime Investigation Division: 1301 / www.spo.go.kr
- Korean National Police Agency, Cybercrime Investigation Bureau: 182 / ecrm.police.go.kr
Addendum
This Policy is effective as of 2026-04-17.