Paprika Data Lab Inc. (hereinafter the “Company”), in order to protect the freedom and rights of data subjects, complies with the Personal Information Protection Act and relevant laws and regulations, lawfully processes personal information, and manages it safely.
In accordance with Article 30 of the Personal Information Protection Act, the Company establishes and discloses this Privacy Policy to inform data subjects of the procedures and standards for personal information processing and to handle complaints related thereto swiftly and efficiently.

1. Purpose of Personal Information Processing

Paprika Data Lab Inc. processes personal information for the following purposes. The personal information being processed shall not be used for purposes other than the following, and if the purpose of use changes, necessary measures such as obtaining separate consent in accordance with Article 18 of the Personal Information Protection Act will be taken.

1. Membership Registration and Management:
   To confirm the intention to register, identify and authenticate the member for the provision of membership-based services, maintain and manage membership status, prevent unauthorized use of the service, verify the consent of a legal guardian when processing the personal information of children under the age of 14, send various notices and announcements, and handle complaints.

2. Provision of Services:
   To provide services, send contracts and invoices, deliver content, offer customized services, verify identity and age, process payments and settlements, and collect claims. (Also includes statistical purposes using non-personally identifiable information.)

3. Personal Information Handling by the Data Processor:
   Personal information may be accessed by data processors for the purpose of handling inquiries and resolving errors arising from the use of Paprika Data Lab Inc.’s services.

4. Marketing and Promotional Use:
   When a member has already publicly conducted or is conducting a survey using Walla, the fact that they are a Walla user may be used for promotional purposes.

5. Use in Marketing and Advertising:
   To provide basic service information, promote new services, offer event and promotional information and participation opportunities, analyze access frequency or user service usage statistics, and verify service effectiveness.

2. Retention and Use Period of Personal Information

   Paprika Data Lab Inc. processes and retains personal information within the period of retention and use as stipulated by applicable laws or as agreed upon by the data subject at the time of collection. The processing and retention periods for each type of personal information are as follows:

   1. Website Membership Registration and Management:
      Until the user withdraws from the Company’s website.

      However, in the following cases, until the relevant reason no longer exists:

      • If an investigation or inquiry is in progress due to a violation of relevant laws: until the investigation or inquiry is concluded

      • If there are remaining claims or debts resulting from the use of the website: until such claims or debts are settled

   2. Provision of Goods or Services:
      Until the supply of goods/services is completed and payment/settlement is finalized.

      However, in the following cases, data will be retained until the respective period ends:

      • Records related to transactions under the Act on the Consumer Protection in Electronic Commerce, etc.:

        • Records on labeling and advertising: 6 months

        • Records on contract, withdrawal of subscription, payment, and supply of goods: 5 years

        • Records on consumer complaints or dispute resolution: 3 years

      • Retention of communication verification data under the Protection of Communications Secrets Act:

        • Date and time of telecommunications by the subscriber, start/end time, subscriber numbers of both parties, call duration, location tracking data of the originating base station: 1 year

        • Computer communications and internet log data, IP address tracking data: 3 months

      • Records under the Act on the Use and Protection of Credit Information:

        • Records related to the collection, processing, and use of credit information: 3 years

3. Items of Personal Information Processed

Paprika Data Lab Inc. processes the following personal information items:

1. The Company processes the following personal information items for membership registration:

   • Required items: Google account email address, nickname, profile photo set by the user

   • Optional item: Institutional affiliation

   • Collection method: Entered by the user on the website

2. The Company processes the following items during the course of service use or business operation:

   • IP address, cookies, date and time of visit, records of misuse, service usage records, etc.

   • Collection method: Automatically generated and collected

3. Additionally, to provide stable service, the Company may collect the following items through lawful procedures and with the user’s consent:

   • IP address, cookies, date and time of visit, service usage history, misuse records, payment history, geographic location of the user’s device at the time of service use

   • Collection method: Collected via data collection tools for generated information

4. Walla complies with the Google API Services User Data Policy, including the Limited Use requirements, regarding the use and transfer of information received from Google APIs.

   • Access and use of Google user data: Information such as email, nickname, and profile photo retrieved from the Google account is used only for the core functionalities of the service—such as membership registration, profile creation, and login—with the user’s explicit consent. This is to provide the user with the best service experience, and the data is not used for any purpose other than improving service functionality.

   • Storage of Google user data: Google user data is securely stored in Google Firebase, and the stored data is protected to ensure it is not leaked externally without the user’s consent.

   • Sharing of Google user data: Google user data is not shared with third parties, and unless necessary for service provision, is not transferred or shared externally without the user’s consent. In accordance with the Google API Services User Data Policy, the data is used only for the purpose of providing and improving the core functionalities of the service.

5. Walla uses OpenAI’s GPT throughout its services, and information processed via AI features (such as open-ended response analysis) is shared with OpenAI Inc.

4. Provision of Personal Information to Third Parties

1. Paprika Data Lab Inc. processes personal information of data subjects only within the scope specified for the purpose of processing personal information, and provides personal information to third parties only in cases falling under Articles 17 and 18 of the Personal Information Protection Act—such as with the data subject's consent or where specifically stipulated by law. Outside of these cases, personal information is not provided to third parties.

   • Information submitted by individuals who wish to apply for the Walla service in order to proceed with the service

   • Information submitted for the purpose of payment by individuals wishing to use the Walla service

   • In cases other than the items above, unless otherwise specifically stipulated by another law, personal information is not used beyond the notified/specified scope or provided to third parties.

2. Paprika Data Lab Inc. for the smooth provision of services, may obtain the data subject’s consent and provide personal information only to the minimum necessary extent in the following cases.

3. In addition, in the event of emergencies such as disasters, infectious diseases, incidents or accidents causing imminent danger to life or physical safety, or urgent property loss, Paprika Data Lab Inc.may provide personal information to related agencies without the data subject's consent.

4. Furthermore, in accordance with Article 59 (Prohibited Acts) of the Personal Information Protection Act, personnel who handle or have handled personal information for the purpose of providing the Company’s services shall not engage in the following acts:

   • Acquiring personal information or obtaining consent for processing through false or other fraudulent means or methods

   • Leaking personal information learned during the course of duty or providing it for use by others without authorization

   • Damaging, destroying, altering, forging, or leaking another person’s personal information without proper authority or beyond permitted authority

5. Entrustment of Personal Information Processing

1. Paprika Data Lab Inc. entrusts personal information processing tasks as follows to ensure smooth handling of personal information operations:

   • Stripe, Inc.

     • Entrusted party (Trustee): Stripe, Inc.

     • Entrusted task: Use of PG (payment gateway) services

     • Retention and usage period: [Go to this location]

   • Google Cloud Platform

     • Entrusted party (Trustee): Google Cloud Platform

     • Entrusted task: Server operation for service provision

     • Retention and usage period: Until member withdrawal, service termination, or end of outsourcing contract

   • Cloudflare

     • Entrusted party (Trustee): Cloudflare

     • Entrusted task: Server operation for service provision

     • Retention and usage period: Until member withdrawal, service termination, or end of outsourcing contract

   • OpenAI

     • Entrusted party (Trustee): OpenAI

     • Entrusted task: Automatic survey generation and automatic analysis in the results page

     • Retention and usage period: [Go to this location]

2. When signing an outsourcing agreement, Paprika Data Lab Inc. specifies the following in the contract documents, in accordance with Article 26 of the Personal Information Protection Act: prohibition of personal information processing for purposes other than the fulfillment of the consigned task, technical and administrative protection measures, restrictions on re-consignment, management and supervision of the trustee, and liability such as compensation for damages. The Company also supervises the trustee to ensure that personal information is handled safely.

3. If the content of the consigned task or the trustee is changed, such changes will be disclosed without delay through this Privacy Policy.

4. Paprika Data Lab Inc. entrusts its payment processing operations to an overseas corporation, Stripe, Inc., as follows:

   • Stripe, Inc.

     • Entrusted party (Trustee): Stripe, Inc.

     • Entrusted task: Use of PG (payment gateway) services

     • Retention and usage period: Until member withdrawal, service termination, or end of outsourcing contract

   • Google Cloud Platform

     • Entrusted party (Trustee): Google Cloud Platform

     • Entrusted task: Server operation for service provision

     • Retention and usage period: Until member withdrawal, service termination, or end of outsourcing contract

   • Cloudflare

     • Entrusted party (Trustee): Cloudflare

     • Entrusted task: Server operation for service provision

     • Retention and usage period: Until member withdrawal, service termination, or end of outsourcing contract

6. Procedure and Method for the Destruction of Personal Information

1. Paprika Data Lab Inc. promptly destroys personal information without delay when it becomes unnecessary, such as when the retention period has expired or the purpose of processing has been achieved.

2. If the personal information retention period agreed to by the data subject has expired or the purpose of processing has been achieved, but the personal information must continue to be retained under other applicable laws, the information will be stored separately—either transferred to a separate database (DB) or stored in a different location.

3. The procedures and methods for destroying personal information are as follows:

   • Destruction Procedure
     Paprika Data Lab Inc. selects personal information for which a destruction reason has occurred, obtains approval from the Personal Information Protection Officer of Paprika Data Lab Inc.,Ltd., and proceeds to destroy the personal information.

   • Destruction Method
     Personal information recorded and stored in electronic file format is destroyed in a way that makes it unrecoverable. Personal information recorded and stored on paper is shredded using a shredder or incinerated.

7. Rights and Obligations of the Data Subject and Legal Representative, and Methods of Exercise

1. The data subject may exercise the following rights at any time with respect to Paprika Data Lab Inc.:

   • Request to view personal information

   • Request to correct errors, etc.

   • Request for deletion

   • Request to suspend processing

2. The rights may be exercised by submitting a request to Paprika Data Lab Inc. in writing, by email, or by fax in accordance with Article 41, Paragraph 1 of the Enforcement Decree of the Personal Information Protection Act. Paprika Data Lab Co., Ltd. will take immediate action in response.

3. These rights may also be exercised through a legal representative of the data subject or an authorized agent. In such a case, a power of attorney form in accordance with Form No. 11 of the “Public Notice on Methods of Processing Personal Information” (Notice No. 2020-7) must be submitted.

4. Requests to view or suspend the processing of personal information may be restricted under Article 35, Paragraph 4 and Article 37, Paragraph 2 of the Personal Information Protection Act.

5. Requests to correct or delete personal information cannot be accepted if that personal information is specified as a subject for collection under another law.

6. When a request is made by the data subject for access, correction, deletion, or suspension of processing, Paprika Data Lab Inc. will verify whether the requester is the data subject or a legitimate representative.

8. Measures to Ensure the Security of Personal Information

1. Paprika Data Lab Inc. takes the following measures to ensure the security of personal information:

   • Administrative Measures:
     Establishment and implementation of an internal management plan, operation of a dedicated organization, and regular employee training

   • Technical Measures:
     Management of access rights to personal information processing systems, installation of access control systems, encryption of personal information, and installation and updates of security programs

2. In addition to legal requirements, Paprika Data Lab Inc. implements the following additional activities to ensure the safety of personal information:

   • Minimization and Training of Staff Handling Personal Information:
     Staff who handle personal information are designated and access is limited only to authorized personnel, in order to implement management measures that minimize data exposure.

   • Regular Internal Audits:
     Regular internal audits (once per quarter) are conducted to ensure security in relation to personal information handling.

   • Encryption of Personal Information:
     Users’ personal information and passwords are stored and managed in encrypted form so that only the user knows them. Important data is protected using additional security measures such as encryption of files and transmission data, or the use of file locking functions.

   • Installation and Maintenance of Security Programs:
     Security programs are installed and regularly updated and checked to prevent leakage or damage to personal information caused by hacking or computer viruses. Systems are installed in zones with restricted access and are monitored and blocked both technically and physically.

   • Access Restriction to Personal Information:
     Access rights to the personal information database systems are granted, changed, or revoked as necessary to control access. Unauthorized access from outside is blocked using intrusion prevention systems.

   • Retention and Tamper-Proofing of Access Logs:
     Access records to the personal information processing system are retained and managed for at least six months. Security functions are used to prevent the records from being forged, stolen, or lost.

9. Installation, Operation, and Rejection of Automatic Personal Information Collection Devices

1. Paprika Data Lab Inc. may use ‘cookies’ that store and retrieve user information from time to time in order to provide users with individualized, customized services.

   • Provide differentiated information per member during survey creation

   • Analyze connection frequency or time spent on the site by members and non-members to identify users’ preferences and areas of interest and provide specialized services

   • Track completed surveys to offer personalized response services

   • Notify users about usage periods when using paid services

   • Analyze user habits to serve as a benchmark for service improvements

   
   

2. Cookies are small pieces of data sent by the server (http) used to operate the website to the user's computer browser, and may be stored on the user’s PC hard drive.

   • Purpose of Using Cookies:
     Cookies are used to identify visit and usage patterns of the user for each service and website visited, popular search terms, secure connections, etc., in order to provide users with optimized information.

   • Installation, Operation, and Rejection of Cookies:
     Users can reject the storage of cookies by setting options in the web browser menu: Tools > Internet Options > Privacy.

   • If cookie storage is rejected, it may become difficult to use personalized services.

10. Matters Related to the Collection, Use, and Refusal of Behavioral Information

1. Paprika Data Lab Inc. collects and uses behavioral information in the course of providing services to offer optimized, customized services, benefits, and online personalized advertisements to data subjects.

2. Paprika Data Lab Inc. collects behavioral information as follows:

   • Items of behavioral information collected: User’s website/app service visit history, search history, and purchase history

   • Method of collection: Automatically collected when the user visits/launches the website and app

   • Purpose of collection: To provide personalized product recommendation services (including advertisements) based on the user’s interests and preferences

   • Retention/use period and subsequent processing: Destroyed one year after the date of collection

3. Paprika Data Lab Inc. collects only the minimum behavioral information necessary for online personalized advertising and does not collect sensitive behavioral information that may clearly infringe on the individual’s rights, interests, or privacy—such as ideology, beliefs, family and kinship relationships, academic or medical history, and other social activity records.

4. Paprika Data Lab Inc. does not collect behavioral information for personalized advertising purposes from children known to be under the age of 14 or from online services primarily used by children under 14. Personalized advertisements are not provided to children known to be under 14.

5. Paprika Data Lab Inc. collects and uses advertising identifiers for personalized advertising within mobile apps. Data subjects can block or allow personalized app advertisements by changing the settings on their mobile devices.

6. Blocking/Allowing Advertising Identifiers on Smartphones

   • (Android)
     ① Settings → ② Privacy → ③ Ads → ④ Reset advertising ID or Delete advertising ID

   • (iPhone)
     ① Settings → ② Privacy → ③ Tracking → ④ Turn off “Allow Apps to Request to Track”
     ※ Menu names and methods may vary depending on the mobile OS version.

7. Data subjects can also block or allow online personalized advertising altogether by changing the cookie settings in their web browser. However, changing cookie settings may affect the use of some services, such as automatic website login.

   • Blocking/Allowing Personalized Ads via Web Browser

     • Internet Explorer (Internet Explorer 11 for Windows 10)
       Click the Tools button in Internet Explorer, then select Internet Options.
       Select the Privacy tab, click Advanced in Settings, then choose to block or allow cookies.

     • Microsoft Edge
       Click the “…” in the upper-right corner of Edge, then click Settings.
       On the left side of the Settings page, click “Privacy, Search, and Services,”
       and in the “Tracking Prevention” section, select the desired tracking prevention level.
       Choose whether to “Always use ‘Strict’ tracking prevention when browsing InPrivate.”
       In the “Privacy” section below, choose whether to send “Do Not Track” requests.

     • Chrome Browser
       Click the “⋮” icon (Customize and control Chrome) in the upper-right corner of Chrome, then click Settings.
       At the bottom of the Settings page, click “Advanced,” then click “Content Settings” in the “Privacy” section.
       In the “Cookies” section, check the box for “Block third-party cookies and site data.”

8. Data subjects may contact the following to inquire about behavioral information, exercise their right to refusal, or file complaints:

   • Personal Information Protection Department

     • Contact Person: Yonggwan Cho

     • Email: yonggwan@paprikadatalab.com

11. Processing of Pseudonymized Information

1. Paprika Data Lab Inc. pseudonymizes collected personal information in a manner that makes it impossible to identify a specific individual, and processes it as follows for purposes such as statistical analysis, scientific research, and public record preservation.

   • Matters related to the processing of pseudonymized information

   • Matters related to the provision of pseudonymized information to third parties (only applicable if relevant)

12. Personal Information Protection Officer

1. Paprika Data Lab Inc. appoints the following Personal Information Protection Officer who is responsible for overseeing personal information processing operations and handling complaints and damage relief requests from data subjects:

   • Name: Yonggwan Cho

   • Position: Data Engineer

   • Contact: yonggwan@paprikadatalab.com (connects to the personal information protection department)

13. Remedies for Infringement of Rights

1. The data subject may apply for dispute resolution or consultation with the Personal Information Dispute Mediation Committee, the Personal Information Infringement Report Center of the Korea Internet & Security Agency, etc., to receive remedies for damages caused by a personal information breach. For other reports or inquiries about the infringement of personal information, please contact the following agencies:

   • Personal Information Dispute Mediation Committee: 1833-6972 (www.kopico.go.kr)

   • Personal Information Infringement Report Center: 118 (privacy.kisa.or.kr)

   • Supreme Prosecutors' Office: 1301 (www.spo.go.kr)

   • National Police Agency: 182 (ecrm.cyber.go.kr)

2. Paprika Data Lab Inc. endeavors to guarantee the data subject’s right to self-determination over personal information and to provide support for consultation and relief for any damage caused by personal information breaches. For inquiries or reports, please contact the department below:

   • Personal Information Protection Inquiry and Reporting

     • Person in charge: Yonggwan Cho

     • Contact: yonggwan@paprikadatalab.com

3. In accordance with Article 35 (Access to Personal Information), Article 36 (Correction or Deletion of Personal Information), and Article 37 (Suspension of Processing, etc.) of the Personal Information Protection Act, a person whose rights or interests have been infringed due to a disposition or omission by the head of a public institution may file for an administrative appeal as prescribed in the Administrative Appeals Act.

   • Central Administrative Appeals Commission: 110 (www.simpan.go.kr)

14. Changes to the Privacy Policy

1. The Company shall post the contents of this privacy policy, including the company name, representative's name, business address, email address, business registration number, online sales registration number, and personal information protection officer, through a linked page.

2. At the time of sign-up, the Company shall inform users that their sign-up act constitutes agreement to the privacy policy and shall provide access to the privacy policy through a linked page.

3. The Company may revise this privacy policy within the bounds of the law.

   In the event of a revision to the privacy policy, the Company will specify the reason for the revision, and post both the current and revised policies on the service bulletin board for the period starting 7 days prior to the effective date until the day before.

4. The revised policy will also be sent to each member via email at least 7 days before the effective date.

5. The revised privacy policy shall be effective from the date of enforcement, and in the event of any addition, deletion, or correction due to changes in legislation, government policy, or internal company policy, such changes will be notified through the notice board 7 days before they take effect. If the user does not express an objection within this period, the Company will consider it as agreement to the revised privacy policy.

• Walla complies with the Google API Services User Data Policy, including the Limited Use requirements, in its use of information received from Google APIs and in its transmission of such data to other applications.