Privacy Policy

1. Purpose of Processing Personal Information

Carduu (the "Company") processes personal information for the purposes below and does not use it for other purposes.

• Member registration and account management
• Providing the Service and performing service agreements
• Customer support and complaint handling
• Improving the Service and developing new services
• Delivering notices required by law or Company policy

2. Processing and Retention Period

The Company processes and retains personal information within the period agreed to by the data subject when the information is collected or within the period required by applicable law.

Purpose	Retention period
Member registration and management	Until account withdrawal
Service provision	Until the Service ends
Customer support and complaint handling	3 years
Legal compliance	Period required by applicable law

3. Items Collected and Collection Methods

A. Personal information collected

Required items:

• Email address
• Nickname or username
• Social login linkage information, including Kakao, Naver, and Google

Optional items:

• Profile image
• Phone number, only when included in an invitation or survey
• Address information, only when included in an invitation or survey

Automatically collected items:

• IP address
• Browser information
• Access logs
• Cookies
• Service usage records

B. Collection methods

• Direct input during registration or use of the Service
• Connection with social login services
• Collection during customer support communications
• Collection during event or promotion participation

4. Provision to Third Parties

The Company processes personal information only within the purposes described in Section 1 and provides it to third parties only when the data subject consents or when applicable law allows it.

5. Outsourcing of Personal Information Processing

The Company outsources the following processing tasks to provide the Service smoothly.

Processor	Task	Retention and use period
Amazon Web Services	Server hosting and data storage	Until the outsourcing agreement ends or the purpose is achieved
Google Analytics	Service usage analytics	Until the outsourcing agreement ends or the purpose is achieved

6. Rights and How to Exercise Them

Data subjects may exercise the following privacy rights against the Company at any time:

1. Request notification of personal information processing status
2. Request access to personal information
3. Request correction or deletion of personal information
4. Request suspension of personal information processing

These rights may be exercised in writing, by phone, or by email. The Company will respond without delay.

7. Destruction of Personal Information

A. Destruction procedure

After the purpose of use is achieved, user information is moved to a separate database or storage area and retained for a required period under internal policy and applicable law, then destroyed.

B. Destruction deadline

When the retention period expires or personal information is no longer necessary because the processing purpose has been achieved, the Service has been discontinued, or the business has ended, the Company destroys the information within 5 days.

C. Destruction method

• Electronic files are deleted using technical methods that prevent recovery.
• Paper records are shredded or incinerated.

8. Security Measures

The Company takes technical, administrative, and physical measures required by applicable privacy laws, including the following:

1. Minimizing and training personnel
   The Company limits personal information handling to designated personnel and trains them.
2. Regular internal audits
   The Company conducts regular internal audits to maintain processing security.
3. Internal management plan
   The Company establishes and implements an internal management plan for safe processing.
4. Encryption
   Passwords are encrypted, and important data may be encrypted in files or during transmission.
5. Technical safeguards against hacking
   The Company installs and updates security programs and monitors systems in controlled areas.
6. Access controls
   The Company grants, changes, and removes database access rights and uses intrusion prevention systems.
7. Access log retention and protection
   The Company retains access records for at least 6 months and protects them against alteration, theft, and loss.
8. Document security
   Documents and storage media containing personal information are stored in locked places.
9. Physical access control
   The Company maintains separate physical storage areas for personal information and controls access to them.

9. Privacy Officer

The Company designates the following privacy officer to oversee personal information processing and handle complaints and remedies.

Data subjects may contact the privacy officer or responsible department for privacy inquiries, complaints, and remedies related to use of the Service. The Company will respond and handle inquiries without delay.

10. Changes to This Privacy Policy

This Privacy Policy applies from the effective date. If additions, deletions, or corrections are made due to changes in laws or policies, the Company will announce the changes 7 days before they take effect.

11. Department for Access Requests

Data subjects may request access to personal information from the department below. The Company will make efforts to process access requests promptly.

12. Remedies for Rights Infringement

Data subjects may contact the following organizations for privacy infringement reports and consultations.