Document Version 1.1 • Issued 2026-04-19 • Last Updated 2026-05-09

Piqo Privacy Policy

Effective Date: 2026-05-09

Change History: 1.1 (2026-05-09) — Integrated Article 19, additional provisions for users residing in Korea (PIPA). 1.0 (2026-04-19) — Initial version.

The Piqo operating team (hereinafter the "Company") regards users' personal information as important and establishes and discloses this Privacy Policy (hereinafter this "Policy") in order to process personal information lawfully and transparently in accordance with applicable laws. This Policy applies across the Piqo application, related web pages, customer support, and supplementary services provided by the Company.

Article 1 (Personal Information Items Processed)

The Company may process the following personal information, or information that may be combined with personal information, in the course of providing the Services.

1. Account and Authentication Information

  1. Email address
  2. Login provider information (Google, Apple, etc.)
  3. In-service user identifiers (such as Supabase user ID)
  4. Information regarding account creation and login history

2. Profile and Onboarding Information

  1. Year of birth
  2. Gender
  3. Religion
  4. Pregnancy status
  5. Skin type
  6. Hair type
  7. Body skin type
  8. Categories of interest
  9. Halal filter status or related settings

3. Service Usage Information

  1. Barcode scan history
  2. Search history
  3. Favorites information
  4. Routines and routine usage history
  5. Product detail views and related usage history
  6. Store link click history
  7. Notification preferences and notification dispatch records
  8. Subscription status and subscription-related identifiers transmitted from the payment platform
  9. Customer inquiry and bug report content
  10. Account deletion or customer support processing history

4. Image, OCR, and User-Submitted Information

  1. Product front-side photos
  2. Ingredient list photos
  3. OCR-extracted text
  4. Manually entered ingredient lists
  5. Product registration request information
  6. Related metadata such as image storage paths, analysis results, and confidence scores

5. Device and Access Information

  1. Device type, operating system, app version, language settings, and time zone
  2. Log information, diagnostic information, and error and crash information
  3. Push notification tokens
  4. Network access information, usage records, and event logs
  5. Identifiers generated or transmitted by advertising or analytics services
  6. Estimated country or region information, and the store country and currency settings configured by the user

6. Automatically Collected or Integrated Information

  1. Information transmitted for service operation from Firebase Analytics, Microsoft Clarity, Crashlytics, FCM, AdMob, RevenueCat, login platforms, payment platforms, customer support infrastructure, or other integrated services
  2. Minimum information necessary when using external store links, affiliate links, or URL parsing features
  3. Information lawfully collected from public data, open data, external APIs, or external login providers

Article 2 (Methods of Collecting Personal Information)

The Company may collect personal information through the following methods.

  1. Methods in which the user directly enters or submits information, such as membership registration, login, profile entry, scanning, searching, routine management, subscription, and inquiry submission
  2. Methods automatically generated during app use or collected through device and service integration
  3. Methods through third-party integrated services such as Apple, Google, app marketplaces, payment platforms, analytics and advertising tools, backend services, and customer support systems
  4. Methods collected in the course of a user using external store links or the product URL analysis feature

Article 3 (Purposes of Processing Personal Information)

The Company processes personal information within the scope of the following purposes.

  1. Member identification, account creation, login, and identity verification
  2. Provision and maintenance of the Services and processing of user requests
  3. Barcode recognition, product search, OCR analysis, ingredient analysis, and display of country-specific regulatory information
  4. Provision of Halal-related labels, filters, and analysis results
  5. Provision of personalization features such as scan history, favorites, routines, notifications, and settings
  6. Provision of country- or settings-based store links, prices, and purchase information
  7. Verification of Paid Services and subscription status, and related customer support
  8. Acceptance, response, and issue management for customer inquiries and bug reports
  9. Improvement of service quality, statistical analysis, usage pattern analysis, incident response, security enhancement, and prevention of fraudulent use
  10. Ad display, ad performance measurement, and affiliate link operation
  11. Fulfillment of legal obligations, dispute resolution, and response to the exercise of rights

Article 4 (Processing of Information of a Sensitive Nature)

  1. Due to the nature of the Services, the Company may process information reflecting users' personal characteristics, such as religion and pregnancy status.
  2. Religious information may be processed to provide Halal-related labels, filters, and user-tailored features.
  3. Pregnancy status may be processed within the scope of providing ingredient information or improving related features.
  4. The Company minimizes the necessity of processing such information and applies appropriate consent procedures or protective measures where required by applicable laws.
  5. The Company processes information of a sensitive nature only within the scope directly related to providing the Services and does not unduly use it without a basis in applicable laws or the user's consent.

Article 5 (Provision of Personal Information to Third Parties)

  1. As a rule, the Company does not sell users' personal information to outside parties.
  2. The Company does not provide users' personal information to third parties except where there is a basis in applicable laws or the user's consent.
  3. However, where integration with external services is required to provide the Services, the operator of the relevant service may process the user's information as an independent personal information controller. For example, where a user clicks an external store link or uses a service such as Apple, Google, or an app marketplace, the terms and privacy policy of the relevant third party may apply.
  4. The Company may transmit some relevant information to customer support or operational systems within the scope necessary and to the extent permitted by applicable laws, for the purposes of customer inquiries, bug reports, service incident response, or response to fraudulent use.

Article 6 (Entrustment of Personal Information Processing and Use of External Services)

The Company may use the following categories of external services or processors for service operation.

  1. Backend, authentication, database, and storage operation services
  2. Social login, payment, and subscription management services
  3. Analytics, crash reporting, advertising, and notification dispatch services
  4. Cloud infrastructure, email routing, customer support, and issue management services
  5. OCR, image processing, URL parsing, and AI-based summarization or automation services
  6. Public data, open data, and external API provision services

Where entrustment or external integration is required, the Company takes the necessary contractual and administrative measures in accordance with applicable laws.

Article 7 (Possibility of Overseas Transfer and Overseas Processing)

  1. The Company may use operators or servers located overseas in the course of providing the Services, in which case a user's personal information may be processed in a region outside the user's country of residence.
  2. Representative areas in which overseas transfer or overseas processing occurs may include cloud infrastructure, authentication, analytics, advertising, payment, subscription management, crash analysis, customer support, and OCR or AI processing services.
  3. The Company applies appropriate protective measures where required by applicable laws and makes reasonable efforts to ensure that users' rights are not infringed.
  4. Where separate consent or notice is required under the laws applicable to the user's region, the Company may take additional measures within the scope required by such laws.

Article 8 (Retention and Use Period of Personal Information)

  1. When the purpose of processing personal information has been achieved, the Company deletes or anonymizes the relevant information without delay.
  2. As a rule, a member's account information, profile, scan history, favorites, routines, notification settings, OCR-submitted information, and the like become subject to deletion upon membership withdrawal or achievement of the processing purpose.
  3. However, in the following cases, information may be retained for the relevant period.
    1. Where retention is required under applicable laws
    2. Where necessary for dispute resolution, complaint handling, response to the exercise of rights, or prevention of fraudulent use
    3. Where post-processing such as payment cancellation, refund, or subscription status verification is necessary
    4. Where the minimum scope of logs or records necessary for system failure analysis, security response, or service quality improvement is required
  4. Customer inquiry and bug report information may be retained for a certain period within the necessary scope even after the inquiry has been resolved, in order to prevent disputes and recurrence of the same issue.
  5. Where laws such as those governing e-commerce apply, the Company may retain transaction and complaint-related records for the period stipulated by such laws.
  6. Statistical information that has been anonymized or processed so that an individual cannot be directly identified may continue to be used for the purposes of service improvement and operational analysis.

Article 9 (Procedures and Methods for Destroying Personal Information)

  1. When grounds for destruction arise, such as the expiration of the retention period or the achievement of the processing purpose, the Company destroys the relevant information without delay.
  2. Personal information in the form of electronic files is deleted by a method that makes recovery or reproduction impossible, and printed materials and the like are destroyed by methods such as shredding or incineration.
  3. However, where immediate complete deletion is difficult due to technical characteristics, backup structures, or legal obligations, the Company may store the information separately with further use restricted and then delete it in accordance with applicable laws and internal policies.

Article 10 (Users' Rights and How to Exercise Them)

  1. In accordance with applicable laws, users may exercise the following rights regarding their personal information against the Company.
    1. Request for access
    2. Request for correction or modification
    3. Request for deletion
    4. Request to suspend or restrict processing
    5. Request to withdraw consent
    6. Request to withdraw the account and discontinue use of the Services
    7. Request for data portability or provision of a copy within the scope recognized by applicable laws
  2. Users may exercise the above rights through features within the Services or through the Company's contact point.
  3. The Company responds in good faith to users' requests as prescribed by applicable laws.
  4. Some information may be difficult to delete or restrict immediately due to legal obligations, security, prevention of fraudulent use, dispute response, or protection of third-party rights.

Article 11 (Analytics, Advertising, and Consent)

  1. The Company may use analytics tools, advertising tools, or related technologies for the purposes of improving service quality, analyzing usage patterns, responding to errors, measuring ad performance, and operating affiliate programs.
  2. Where required by applicable laws, the Company processes analytics- or advertising-related information within the scope of the user's consent.
  3. Depending on the user's region, the processing of analytics- or advertising-related data may be subject to separate consent or opt-out procedures.
  4. Users may exercise choices over certain analytics and advertising processing through in-service settings, device settings, or the method guided by the Company.
  5. As a rule, the Company strives not to unduly transmit directly identifying personal information such as name, email address, or phone number to analytics or advertising tools. However, identifiers necessary for login, subscription, customer support, or service operation may be processed on a limited basis.

Article 12 (Possibility of Automated Analysis and Profiling)

  1. The Company may perform automated processing or algorithm-based analysis for ingredient analysis, display of regulatory information, routine summaries, Halal-related labels, recommendation ordering, advertising, or operational optimization.
  2. Such analysis results are reference information for providing information and operating the Services, and the Company strives to ensure that they are not operated as automated final decisions that directly cause legal or comparably significant detriment to users.
  3. Users may inquire about, or request correction of, automated processing results.

Article 13 (Personal Information of Children and Minors)

  1. The Company processes the personal information of children or minors who require special protection under applicable laws within the scope permitted by law.
  2. Where a user of an age requiring the consent of a legal representative uses the Services, the Company may take necessary verification or restriction measures in accordance with applicable laws.
  3. If the Company becomes aware that it has collected a child's personal information without the consent required by law, it deletes such information or takes necessary measures within a reasonable scope.

Article 14 (Measures to Ensure the Security of Personal Information)

The Company strives to implement reasonable technical, administrative, and physical protective measures to prevent the loss, theft, leakage, forgery, alteration, or damage of personal information. However, due to the nature of the internet and information and communications environment, complete security cannot be absolutely guaranteed.

Article 15 (Notice of Additional Rights by Region)

  1. Users residing in the European Economic Area (EEA), the United Kingdom, or Switzerland may have additional rights, such as the right of access, the right to rectification, the right to erasure, the right to restriction of processing, the right to object, the right to withdraw consent, and the right to data portability, to the extent that applicable laws apply.
  2. Users in the Republic of Korea may exercise statutory rights such as the right to access, correct or delete, and request suspension of processing of their personal information, to the extent that applicable laws apply.
  3. Users residing in certain U.S. states may have additional rights, such as the right to access, delete, or correct personal information and to opt out of certain types of sharing or use, to the extent that applicable laws apply.
  4. Users in Thailand, Indonesia, and other regions may also have separate rights to the extent that the personal information protection laws of the relevant region apply.
  5. The Company may provide additional notices, consent, or rights-exercise procedures as necessary, in accordance with the user's place of residence or the applicable laws.

Article 16 (External Links and Third-Party Policies)

  1. The Services may include links connecting to external retailers, external login providers, external data providers, or other third-party sites or services.
  2. Once a user moves to such an external service, the privacy policy and terms of the relevant third party may apply, and the Company has no direct control over the relevant third party's processing of personal information.

Article 17 (Changes to the Policy)

  1. The Company may change this Policy in accordance with changes to applicable laws, service content, processing purposes, external service integration, or operational policies.
  2. Where there is a material change, the Company provides notice of the effective date and the reason for the change within the Services or by a method designated by the Company.

Article 18 (Contact)

Inquiries regarding the processing of personal information may be directed to the contact below.

Article 19 (Additional Provisions for Users Residing in Korea)

This Article applies additionally to users subject to the Personal Information Protection Act of the Republic of Korea (hereinafter "PIPA"). Where this Article conflicts with another provision of this Policy, this Article prevails for users residing in Korea.

1. Consent to Collection and Use of Personal Information (PIPA Article 15)

The Company collects and uses personal information as follows.

| Category | Items | Purpose of Use | Retention Period |
| --- | --- | --- | --- |
| Required | Email, login provider information | Member identification and login | Until membership withdrawal |
| Required | Onboarding information (gender, year of birth, pregnancy status, skin/hair/body type, religion, Halal filter) | Provision of tailored analysis and routine evaluation | Until membership withdrawal |
| Required | Service usage records (scans, searches, routines, favorites, etc.) | Provision of core features | Until membership withdrawal |
| Optional | Marketing consent | Notice of new features and events | Until consent is withdrawn |
| Optional | Analytics consent (Microsoft Clarity, Google Analytics 4) | Service quality improvement and UX analysis | Until consent is withdrawn or 12 months |
| Optional | Advertising identifiers (IDFA, AAID) | Measurement of personalized ad effectiveness | Until consent is withdrawn or the device is reset |

Users may refuse consent to optional items, and even if they refuse, they can use the core services provided by the Company normally.

2. Provision of Personal Information to Third Parties (PIPA Article 17)

| Recipient | Purpose of Provision | Items Provided | Retention and Use Period |
| --- | --- | --- | --- |
| Apple, Google | In-app payment processing and subscription status verification | User identifiers, subscription status information | After payment processing is completed, for the period stipulated by applicable laws |
| Affiliate store operators such as Coupang Partners and Amazon Associates | Movement to external stores and reward settlement upon affiliate link clicks | Click events, anonymized identifiers | Until settlement is completed |

Users may refuse consent to the above provision to third parties, but will be unable to use the payment and external store movement features.

3. Overseas Transfer of Personal Information (PIPA Article 28-8)

| Recipient | Country of Transfer | Items Transferred | Date and Method of Transfer | Use Period |
| --- | --- | --- | --- | --- |
| Supabase Inc. | United States (us-east-1 or ap-northeast-2) | All processing items in Article 1 of this Policy | Network transmission during service use | Until membership withdrawal |
| Microsoft Corporation | United States (Azure global) | Anonymized session behavior information upon analytics consent | Real-time SDK transmission | In accordance with Clarity's retention policy |
| Google LLC | United States (global) | GA4 event data and AdMob advertising identifiers upon analytics consent | Real-time SDK transmission | In accordance with GA4's retention policy |
| OpenAI L.L.C. | United States | Anonymized routine composition information for generating routine evaluations | Network transmission upon API call | Until the response cache expires |

4. Protection of Personal Information of Children Under 14

The Company does not permit membership registration by children under the age of 14. During the membership registration procedure, the Company verifies whether a user is under 14 through the year-of-birth entry and blocks registration where applicable.

5. Personal Information Protection Officer

| Category | Information |
| --- | --- |
| Personal Information Protection Officer | Piqo operating team lead |
| Email | [email protected] |

6. How Data Subjects Exercise Their Rights

Users may exercise the rights set forth in Article 10 of this Policy in accordance with PIPA, and the Company processes them within the period stipulated by applicable laws (as a rule, within 10 days). The Company may verify whether the requester is the data subject or a duly authorized representative when a request to exercise rights is made.

7. Right Regarding Automated Decisions

The Company automatically generates a GPT-based natural-language evaluation (Card/RoutineEvaluation) for products registered in the user's routine. This is for informational purposes and does not constitute an automated decision that affects the user's legal or financial standing. Users may change or delete the underlying data of the automatically generated evaluation (the user's onboarding information and routine composition) at any time, in which case the evaluation result is updated upon the next call.

8. Dispute Resolution and Reporting

If a user needs to report or seek consultation regarding a personal information infringement, the user may contact the following organizations.

| Organization | Contact |
| --- | --- |
| Personal Information Dispute Mediation Committee | https://www.kopico.go.kr / 1833-6972 |
| Personal Information Infringement Report Center | https://privacy.kisa.or.kr / 118 |
| Supreme Prosecutors' Office Cyber Investigation Division | 1301 |
| National Police Agency Cyber Investigation Bureau | 182 |