SAJUNABI Privacy Policy
Last Updated: 2026-05-27 Version: 1.1 Effective Date: 2026-06-01
Important Notice: This Privacy Policy is a translated version. The original Korean version shall prevail in case of any conflict or ambiguity.
TULIPWOOD KOREA (CEO: Kyungmin Roh, hereinafter "Company" or "we") operates an online platform service known as SAJUNABI. In accordance with Article 30 of the Personal Information Protection Act ("PIPA"), the Company establishes and discloses the following privacy policy ("Privacy Policy" or "Policy") to protect the personal information of data subjects and to promptly and smoothly handle related grievances.
This Policy describes how the Company processes and protects your personal information. The Company may revise this Policy from time to time, and the latest version is available on the Company's website.
Article 1 (Purposes of Processing Personal Information)
As the Company provides online services through its platform, the Company collects, uses, stores, generates, or discloses to third parties your personal information (collectively, "processes") with your consent and/or based on applicable legal grounds, for the following purposes. Personal information will not be used for purposes other than those listed. If the use purpose changes, the Company will take necessary measures, such as obtaining separate consent under Article 18 of PIPA.
▶ Membership Registration and Management
To provide services and manage membership: confirming the intent to register, identifying members, verifying withdrawal/cancellation intent, handling consultations and inquiries, sending notices, and processing complaints — establishing smooth communication channels with users and/or members.
- Confirming intent to register, maintain, or withdraw membership
- Identity verification and authentication for member services
- Maintaining and managing member status
- Preventing service abuse and unauthorized use
- Various notifications
- Handling grievances
▶ Product Sales or Service Provision
Where a member registers a credit card to pay for the Company's services, the Company may use the card information within the scope necessary for payment procedures or cancellations.
- Goods delivery
- Service provision
- Sending contracts/invoices
- Content provision
- Personalized service
- Identity verification
- Age verification
- Billing/settlement
- Debt collection
▶ Customer Service
- Confirming and processing customer consultations
- Handling complaints and civil grievances
- Sending notices
- Record retention for dispute resolution
▶ Marketing/Event/Information
- New service development
- Personalized services
- Newsletter delivery
- Event and advertising information delivery
- Marketing and advertising
- Statistical analysis of service use
- Tracking access frequency
- Statistics and surveys on member service use
The Company processes personal information for: restricting use by members who violate laws or these Terms; preventing and sanctioning improper use that hinders smooth service operation; preventing account theft and fraudulent transactions; record retention for dispute mediation; handling complaints arising from service use; and protecting users' and members' interests.
The Company also processes personal information to establish a service environment that users and members can safely use in terms of security, privacy, and safety.
Article 2 (Items of Personal Information Collected and Processed)
① The Company collects the following personal information for membership registration and service use.
| Category | Information Collected |
|---|---|
| Membership Registration | Name, nickname, email address, account ID, KakaoTalk ID, Google ID, mobile phone, telephone, address, nationality, date of birth, gender |
| Product or Service Order | Orderer information (name, mobile, phone, email), delivery info (name, address, mobile, phone), payment info (account holder name, card info, payment history) |
| Service Use | Name, nickname, ID, mobile, phone, service name, (for business members) business registration certificate, profile photo, self-introduction, matching records, reviews, dispute reports and resolution records |
| Community Posts/Comments | Nickname, mobile phone |
| Device Information | Device identifier, OS, hardware version, device settings, mobile number |
| Log Information | Log data, usage time, search terms entered, IP address, cookies and web beacons, MAC address, service usage records, visit records, abuse records |
| Location Information | Device location including specific geographic location detected via GPS, Bluetooth, or Wi-Fi (only in jurisdictions where legally permitted) |
| Other Information | User preferences, advertising environment, pages visited during service use, service items used, and other activity records |
② Collection Methods
The Company collects user information through the following channels:
- Platform website or homepage, paper forms, fax, telephone, email, generated information collection tools
- Provided by partner companies
The Company may collect information directly provided by users. In addition to information directly provided, the Company may collect information generated during the user's use of the Company's services.
Article 3 (Provision of Personal Information to Third Parties)
① The Company processes personal information of data subjects only within the scope specified in Article 1 (Purposes of Processing), and provides personal information to third parties only with the data subject's consent or where specifically required under Articles 17 and 18 of PIPA.
② The Company provides personal information to third parties as follows.
| Recipient | Purpose | Items | Retention Period |
|---|---|---|---|
| Toss Payments Inc. | Payment processing and refunds | Name, email, payment information | 5 years after transaction completion |
| Resend, Inc. (United States) | Email delivery | Email, notification content | Destroyed immediately after sending |
| Kakao Corp. | Social login authentication | Kakao account identifier | Until membership withdrawal |
| Google LLC (United States) | Social login authentication | Google account identifier | Until membership withdrawal |
| Matched Nabi or User | Matching execution | Name (nickname), profile photo, messages | 5 years after matching completion |
③ In addition, your personal information may be provided to the following third parties. Except where applicable laws require longer retention, personal information will be destroyed when the purpose has been achieved, in accordance with the third party's privacy policy.
- Our contractors who help receive, process, and respond to your inquiries
- Our contractors supporting the provision of the website, our group companies, and/or third parties such as payment service providers used to help provide our products to you
- Our advertising partners
- Our contractors who assist us in analyzing web traffic data for service and marketing improvement purposes
- Our contractors who assist us in monitoring web access traffic for website security purposes
④ Where the contents of third-party provision under this Article change, the Company will notify users without delay through the Privacy Policy.
Article 4 (Outsourcing of Personal Information Processing and International Transfer)
① The Company outsources personal information processing as follows for smooth processing operations.
| Trustee | Outsourced Work | Data Storage Location | Retention Period |
|---|---|---|---|
| Supabase Inc. | Database hosting | Republic of Korea (Seoul region) | Until termination of outsourcing contract |
| Vercel Inc. | Web hosting and infrastructure | United States | Until termination of outsourcing contract |
| Resend, Inc. | Transactional email delivery | United States | Until termination of outsourcing contract |
② The Company stipulates necessary matters in outsourcing contracts under Article 25 of PIPA and applicable laws — including purpose and scope of outsourced work, restrictions on re-outsourcing, safety measures, management/supervision, and damages — to ensure personal information is securely managed. The information outsourced is limited to the minimum necessary to achieve the purpose.
③ Under Article 30 of PIPA and applicable laws, your personal information may be transferred to the following overseas countries for service maintenance, performance, and contract execution:
| Recipient | Transfer Country | Transfer Time and Method | Items Transferred | Purpose | Retention Period |
|---|---|---|---|---|---|
| Vercel Inc. | United States | Automatic transmission upon service use (HTTPS encryption) | Membership registration information, service usage records | Web hosting | Until membership withdrawal |
| Resend, Inc. | United States | Upon email sending | Email address, sending content | Email delivery | Destroyed immediately after sending |
| Google LLC | United States | Upon social login | Google account identifier | Authentication | Until membership withdrawal |
Article 5 (Processing of Personal Information of Children Under Age 14)
In principle, the Company does not collect or use information about children under 14 years of age. However, if the Company processes personal information of children under 14, the Company guarantees legal rights to legal representatives and maintains the following measures to protect such information:
- Obtaining consent of legal representatives (parents, etc.) when collecting personal information of children under 14.
- Not providing or sharing information about children under 14 with third parties without legal representative consent.
- Recording contact information of legal representatives for consent purposes, and using such information only to confirm consent.
- Legal representatives may request access to, modification of, and deletion of the child's personal information; the Company will take necessary measures without delay.
- Where a legal representative requests correction of errors in personal information collected from children under 14, the Company prohibits use and provision of the relevant personal information until correction is complete.
- The Company does not send contact-format advertisements or proposals to children under 14 without consent, nor induce greater disclosure through games, prizes, or events.
Where customer requests for access/provision are repetitive and may hinder operations or involve substantial volume and cost, the Company may delay or refuse the request, or charge actual expenses (copying fees, etc.) to the customer.
Article 6 (Rights and Obligations of Data Subjects and Legal Representatives, and Exercise Methods)
① Data subjects may at any time exercise rights to access, correct, delete, and suspend processing of personal information against the Company.
② Rights under Paragraph 1 may be exercised in writing, by email, or by fax under Article 41(1) of the PIPA Enforcement Decree, and the Company will take action without delay.
③ Rights under Paragraph 1 may be exercised through legal representatives or authorized agents. In such case, a power of attorney must be submitted in the form prescribed under Form 11 of the Notification on Personal Information Processing Methods (No. 2020-7).
④ Requests for access and processing suspension may be restricted under Article 37(2) of PIPA and applicable laws.
Article 7 (Processing and Retention Period of Personal Information)
① The Company processes and retains personal information within the retention/use period prescribed by law or the period consented to by the data subject at the time of collection.
② Each processing and retention period is as follows:
Website membership registration and management: The Company retains member personal information until membership withdrawal. To restrict re-registration of withdrawn members, the withdrawn member's ID is retained for up to 1 year before destruction or deletion.
▶ Membership Registration and Management
- Retention: Up to 1 year after membership withdrawal
- Purpose: Prevent service confusion after withdrawal, resolve disputes
▶ Provision of Goods or Services
- Retention: Until goods/service supply completion and payment/settlement completion
▶ Vendor Information
- Retention: Until termination of contract
In addition, the following information is retained for the specified periods for the stated reasons:
| Legal Basis | Information Retained | Retention Period |
|---|---|---|
| Act on Consumer Protection in Electronic Commerce | Records of contracts or withdrawal of offer | 5 years |
| Act on Consumer Protection in Electronic Commerce | Records of labeling/advertising | 6 months |
| Act on Consumer Protection in Electronic Commerce, Framework Act on National Taxes | Records of payment and supply of goods, commercial books and operational vouchers, supporting documents | 5 years |
| Act on Consumer Protection in Electronic Commerce | Records of consumer complaints or dispute handling | 3 years |
| Communications Secrets Protection Act | Computer communications, internet log records, access location tracking | 3 months |
| Communications Secrets Protection Act | Communication fact verification data (subscriber telecommunications date/time, start/end times, counterparty subscriber number, usage count, base station location tracking) | 12 months |
Where investigations are underway due to violations of applicable laws, information is retained until investigation completion.
Where credit/debt relationships from website use remain, information is retained until settlement.
Article 8 (Personal Information Destruction Procedures and Methods)
① The Company destroys personal information without delay when it becomes unnecessary (retention period elapsed, processing purpose achieved, etc.). However, if internal policies or applicable laws prescribe a retention period, the information is destroyed after retention for that period.
② Destruction procedures and methods are as follows:
▶ Destruction Procedures
- Unnecessary personal information is destroyed with approval from the Privacy Officer
- Establishing and approving destruction plans
- Executing destruction and recording results
▶ Destruction Methods
- Electronic file format: Permanent deletion
- Records, printed materials, paper: Shredding or incineration
Article 9 (Measures to Ensure Safety of Personal Information)
The Company takes the following measures to ensure the safety of personal information.
① Administrative Measures
- Establishing and implementing internal management plans
- Minimizing and training personnel handling personal information
- Conducting regular self-audits
② Technical Measures
- Access right management for personal information processing systems
- Encryption of unique identification information
- Installation and updating of security programs
③ Physical Measures
- Access control for computer rooms, data storage rooms, etc.
- Installation of locking devices for document security
Article 10 (Installation/Operation and Refusal of Automatic Personal Information Collection Devices)
① The Company uses "cookies" to provide personalized services by storing and frequently retrieving usage information.
② Cookies are small amounts of information sent by the server operating the website to the user's computer browser, sometimes stored on the user's PC hard disk.
③ Users have a choice regarding cookie installation. Users may set browser options to allow all cookies, confirm each time a cookie is stored, or refuse all cookie storage.
Article 11 (Privacy Officer)
① The Company designates the following Privacy Officer to be responsible for overall personal information processing and to handle complaints and damage relief related to personal information.
▶ Privacy Officer
- Department: Operations Team
- Position: Privacy Officer
- Name: Kyungmin Roh (노경민)
- Title: CEO
- Contact: contact@sajunabi.com
- Phone: +82-10-7564-1891
② Data subjects may contact the Privacy Officer with all personal information protection inquiries, complaints, and damage relief matters arising from use of the Company's services.
Article 12 (Remedies for Rights Infringement)
① Data subjects may apply for dispute resolution or consultation with the following institutions to obtain relief from personal information infringement:
- Personal Information Dispute Mediation Committee: 1833-6972 (www.kopico.go.kr) — Personal information dispute mediation, collective dispute mediation (civil resolution)
- Personal Information Infringement Report Center: 118 (privacy.kisa.or.kr) — Reporting personal information infringement, consultation requests
- Supreme Prosecutors' Office: 1301 (www.spo.go.kr)
- Korean National Police Agency: 182 (ecrm.cyber.go.kr)
② Additionally, where rights or interests are infringed by acts or omissions of a public agency head regarding data subject requests for access, correction/deletion, processing suspension, etc., an administrative appeal may be filed under the Administrative Appeals Act.
Article 13 (Installation/Operation of Video Information Processing Devices)
The Company does not install or operate video information processing devices (CCTV).
Article 14 (Other)
① Matters not specified in this Policy are governed by applicable laws including PIPA and the Act on the Promotion of Information and Communications Network Utilization and Information Protection, and the Company's Terms of Service.
② This Privacy Policy applies to all platform services provided by the Company. This Privacy Policy does not apply to additional services provided by the Company that require separate membership registration, or to the collection of personal information by partner sites linked from the Company's website.
Article 15 (Effective Date and Amendment of Privacy Policy)
① This Privacy Policy takes effect from June 1, 2026.
② Where there are additions, deletions, or modifications to this Privacy Policy due to changes in government policy or security technology, the Company will notify via notice 7 days before the effective date. However, where there are material changes to data subject rights and obligations, notice will be given 30 days before the effective date.
③ Where this Policy is provided in English or Japanese translation, the Korean original shall always prevail.