Privacy
Effective date: 2026-02-22 · Last updated: 2026-02-22
1. Purpose of Processing Personal Data
- User identification, login authentication, account/session management
- Photo-based body measurement and 3D model generation/delivery
- AI styling recommendation generation and history lookup
- Payment verification and ticket accrual/deduction/refund(recovery)
- Cookie consent management and advertising conversion measurement
- Incident response, security monitoring, abuse prevention
2. Data Collected
Account/Auth Data
For Email OTP login, we process email and OTP hash value (no raw OTP stored). For social login, we process provider user ID and email.
Session Data
Access tokens are validated statelessly; refresh tokens are managed through secure internal storage and cache servers.
Cookie/Consent Data
Through the Cookiebot banner, we process cookie category consent status (required/statistics/marketing) and consent update history to control tag behavior.
Profile Data
Nickname, gender, height, and weight are stored to improve measurement and recommendation quality.
Measurement Data
Front/side image keys, 3D model(GLB) key, measurement result JSON, status/error metadata, and mode(Quick/Premium).
Payment/Ticket Data
Payment identifiers, ticket type/quantity, and ticket ledger history(HOLD/CONSUME/RELEASE).
Operational Logs
Minimal logs such as request IP, URL, and exception messages for stability and security.
3. Retention Period
The periods below are default operating values and may be adjusted by law or policy updates.
| Item | Retention | Note |
|---|---|---|
| OTP hash | Default 300 sec | Deleted on expiration or successful verification |
| OTP request cooldown | Default 60 sec | Auto-deleted after time window |
| OTP attempt count | Max 5 attempts | OTP invalidated when exceeded |
| Refresh token | Configured TTL | Deleted immediately on logout/withdrawal |
| Upload URL | Default 10 min | Unavailable after expiration |
| Download URL | Default 30 min | Unavailable after expiration |
| Share token | Default 72 hrs | Inaccessible after expiration |
| Uploaded photos | Default 1 day | Permanently deleted from storage and database |
| 3D model/results | Default 365 days | Permanently deleted from storage and database |
4. Outsourced Processing / External Integrations
| Service | Purpose |
|---|---|
| Cloud Infrastructure Providers | Image/3D object storage and email delivery |
| Internal Cache Storage | OTP state and session token storage |
| AI Pipeline Processing Providers | Body measurement pipeline execution |
| OpenAI | Style recommendation generation |
| Payment Gateway | Payment processing and status verification |
| Cookiebot by Usercentrics | Cookie consent banner and consent state management (including Consent Mode signals) |
| Google Ads (Google tag) | Ad traffic and conversion performance measurement (consent-based) |
| Google/Naver/Kakao | Social login authentication |
Except where required by law or with user consent, we do not arbitrarily provide personal data to third parties.
5. Data Deletion and Security Measures
- Data is deleted without delay when retention expires or processing purpose is fulfilled.
- Electronic files are removed in a non-recoverable manner, and database references are securely erased.
- Standardized token-based authentication, role-based authorization, OTP attempt limits, and payment request verification are applied.
- Advertising/analytics tags operate based on user consent status, and related storage access is restricted after consent withdrawal.
- Authentication tokens are managed via industry-standard secure cookies and secure session management tools.
6. User Rights and Contact
Users may request access, correction, deletion, or suspension of processing. Requests can be submitted through support.
Privacy inquiries: [email protected]