Privacy policy

Ameli Global Co., Ltd. (the “Company,” “we,” “us,” or “our”) complies with the Personal Information Protection Act of Korea, the Act on Promotion of Information and Communications Network Utilization and Information Protection, and other applicable laws and regulations, and is committed to protecting users’ personal information and rights. This Privacy Policy (this “Policy”) applies to all services we provide and to users worldwide, including those located in the Republic of Korea. Where your local laws (e.g., EU GDPR, U.S. CCPA/CPRA) grant additional rights or require separate notices, we provide details in regional addenda at the end of this Policy. If any part of this Policy conflicts with mandatory provisions of the laws of your place of residence, those laws will prevail.

 

Article 1 (Purposes of Processing Personal Information)

We process personal information for the purposes below. We do not use personal information for purposes other than those stated, and if the purpose of use changes, we will obtain separate consent or take other necessary measures in accordance with applicable laws. 

  1. Provision and operation of services: Providing core features (e.g., AI beauty consultation, product recommendations), shipping products and prizes, performing contracts and providing content, handling purchases and billing/settlement, and providing conversation history storage and retrieval features. 

  2. Member management: Confirming intent to sign up, identity verification/authentication, maintaining and managing membership status, preventing fraudulent or unauthorized use, retaining records for dispute resolution, and providing notices (e.g., Terms updates). 

  3. Service analysis and improvement: Improving existing services through statistical analysis, developing new services and personalized features, training and enhancing AI models, ensuring service stability and resolving errors, and preventing abuse. 

  4. Customer support: Verifying identity, receiving and handling inquiries/requests/complaints, and notifying results. 

  5. Marketing and advertising (with optional consent): Informing users about new services/products and events, offering participation opportunities, and sending marketing communications including personalized advertising. 

  6. Security and legal compliance: Maintaining a secure operating environment, complying with legal obligations, and protecting users.



Article 2 (Items of Personal Information Processed and Methods of Collection) 

① We collect the following personal information to provide our services.

Category

Items Collected

Purpose of Processing

Membership registration & management

[Required] Email address (ID), password, full name, mobile phone number, nickname

Member identification, duplicate account checks, identity verification, customer support

Social login

[Required] User identifiers, email, mobile phone number provided by Naver/Kakao/Google/Facebook

[Optional] Nickname, profile photo, gender, date of birth, age range

Enabling social login and syncing member information

Order & delivery

[Required] Purchaser information (name, contact, email), recipient information (name, address, contact)

Contract performance, shipping products and prizes

Payment & refunds

[Optional] Payment information such as credit card details, bank account details, carrier information

Payment processing, settlement, and refunds


Personalized AI services

[Optional] Age range, gender, skin type, skin concerns, preferred products/ingredients, user-uploaded images (e.g., skin photos)

Personalized AI beauty consultations and product recommendations


Customer inquiries

[Required] Email address, inquiry content (including attachments)

Handling inquiries and replying with results


Automatically collected data

Service usage records (IP address, cookies, visit timestamps, features used), device information (OS, device identifiers, ad ID), error logs, conversation content (user inputs and AI outputs), AI analysis/inference information (e.g., interests, preferences)

Service quality improvement, personalized services, fraud prevention



② We collect personal information through the following methods:

  1. Registration, service use, and orders via our website/app; paper forms; boards; event entries

  2. Telephone, fax, and email communications with customer support

  3. Automatic collection via generation/collection tools

  4. Collection of de-identified statistical data through third-party analytics tools (e.g., Google Analytics)

 

Article 3 (Retention and Processing Periods)

① We process and retain personal information within the retention/use periods prescribed by law or agreed by the data subject.

② Retention periods are as follows. In principle, we promptly destroy information once the relevant purpose has been achieved.

  1. Member information: Retained until membership withdrawal. However, we retain it until the end of the applicable period if:

    • An investigation due to a violation of laws is ongoing: until the investigation ends;

    • Settlement of rights/obligations arising from service use remains: until settlement is completed;

    • Under our internal policy for fraud prevention: for 6 months after withdrawal (fraud records and identifiers).

  2. Conversation content:

    • Members: Retained until membership withdrawal to provide prior conversation history;

    • Non-members: Retained up to 30 days after the session ends.

  3. Personal Information Validity System (dormant accounts):

    • If there is no service activity for 1 year, we separately store/manage personal information and provide prior notice (e.g., email) 30 days before conversion.

  4. Retention required by law:

Legal Basis

Records Retained

Period

Act on the Consumer Protection in Electronic Commerce, etc.


Records of contracts or withdrawal of offers, payment and supply of goods/services


5 years


Act on the Consumer Protection in Electronic Commerce, etc.


Records of consumer complaints and dispute resolution


3 years


Act on the Consumer Protection in Electronic Commerce, etc.


Records of advertisements and labeling


6 months


Protection of Communications Secrets Act


Access logs and service usage records


3 months



  1. De-identified data:

    • Data de-identified for AI model training and service improvement may be retained and used for as long as the research or service improvement purpose continues, but will be safely destroyed after a certain period in accordance with laws and internal policies.


Article 4 (Provision of Personal Information to Third Parties)

① We do not provide personal information to third parties without the data subject’s prior consent, except in the following cases:

  1. Where separate consent from the data subject has been obtained;

  2. Where required by law or unavoidably necessary to comply with legal obligations;

  3. Where required by competent authorities for investigative purposes pursuant to lawful procedures.

② We may share personal information to the extent necessary with service providers and partners for joint promotions, co-selling, outsourced shipping/payment, and advertising/analytics. The partner’s own privacy policy will apply to their processing. If we provide personal information to third parties through future partnerships, we will clearly notify and obtain consent in advance by specifying the recipient, items, purpose, and retention period.


Article 5 (Outsourcing of Processing)

We outsource certain processing activities as follows to provide services smoothly.

Delegatee

Outsourced Activities

Google, LLC

Cloud infrastructure, generating responses using AI model (Gemini), behavioral analytics

Shopify

Platform/system operation

Paypal

Easy payment services

Amazon

Logistics and product delivery


Retention/Use Period: Until membership withdrawal or the end of the outsourcing agreement (or longer if required by law).

 

Article 6 (Cross-Border Transfers of Personal Information)

We transfer personal information overseas as necessary to provide and operate our services. We implement safeguards required by applicable laws—such as Standard Contractual Clauses—to ensure transferred personal information is managed securely. If additional overseas processors or countries are added, we will disclose them transparently through this Policy.

Delegatee

Location (Country)

Items Transferred

Purpose

Google, LLC

United States

All personal information collected/generated through service use

Cloud operations, AI model processing, data analytics




Article 7 (Transfer of Personal Information in Corporate Transactions)

In the event of a merger, split, business transfer, or similar transaction under which our rights and obligations as service provider are transferred, personal information may also be transferred in accordance with applicable laws. In such cases, we will comply with legal procedures, including prior notice of the transfer, the identity and contact information of the transferee, and how data subjects may exercise their rights.


Article 8 (Rights of Data Subjects and Legal Representatives and How to Exercise Them)

① Data subjects (or legal representatives for those under 14 in Korea) may exercise the following rights at any time:

  1. Request access to personal information;

  2. Request correction of inaccuracies;

  3. Request deletion;

  4. Request restriction of processing;

  5. Withdraw consent.

② You may exercise your rights via the in-app/website Settings menu, or by written request, email, or contacting customer support/the Privacy Officer. After verifying your or your authorized agent’s identity, we will act without undue delay.

③ AI-related rights:

  1. Withdrawal of consent for AI training data: You may withdraw your overarching consent to AI model training by withdrawing membership. Please note that data already used for model training after de-identification may not be technically or practically separable for deletion; however, from the time of withdrawal of consent, your information will be excluded from any future AI model training and enhancement.

  2. Rights concerning AI-generated/inferred information: You may request access, correction, deletion, or restriction of processing for AI-generated or inferred personal information (e.g., predicted skin type, preferred ingredients). Upon request through customer support, we will make commercially reasonable efforts within technical limits.

④ To process rights requests, we may ask for additional information within a reasonable scope (e.g., account details, contact information, recent order information) to verify identity. For requests by an agent, we may require a power of attorney and other supporting documents.


Article 9 (Destruction of Personal Information)

① When personal information becomes unnecessary due to expiry of the retention period or fulfillment of the processing purpose, we promptly destroy such personal information.

② Destruction procedures and methods are as follows:

  1. Electronic files: Secure deletion using technical methods that prevent recovery or reproduction;

  2. Paper documents: Shredding or incineration.


Article 10 (Security Measures to Protect Personal Information)

We implement reasonable security measures such as encryption, access control, and anomaly detection. If a personal data (or privacy) incident is confirmed, we will promptly notify affected users by email/in-app notice/announcement in accordance with applicable laws and provide support to minimize harm.

  1. Administrative measures: Establishing/implementing internal management plans; periodic employee training;

  2. Technical measures: Access rights management; access control systems; encryption of passwords and other key data; security software;

  3. Physical measures: Access controls for server rooms and records storage;

  4. AI data security: Access control for AI models and training data; anti-exfiltration technologies; and efforts to address potential vulnerabilities in AI systems.


Article 11 (Cookies and Similar Technologies: Installation, Operation, and Refusal)

We use cookies to provide personalized services. A cookie is a small piece of data sent by the web server to your browser and stored on your device.

  1. Purpose of cookies: Analyzing visit frequency and times to provide optimized information, serving personalized ads, and maintaining cart functionality.

  2. Cookie settings and refusal: You can allow all cookies, be prompted each time a cookie is stored, or refuse all cookies through your browser settings. Refusing cookies may limit certain features (e.g., logging in).


Article 12 (Detailed Disclosure on AI Data Use)

In line with transparency, we disclose our data use for AI services as follows:

  1. AI model training data: As a rule, we use user-entered text, uploaded images, and conversation content after de-identifying them for service improvement.

  2. Processing methods: We prioritize technical de-identification such as pseudonymization, aggregation, or deletion of personal identifiers. However, human review of limited portions of “conversation content” may occur for specific, limited purposes, such as investigating severe service errors, harmful content filtering, and reducing AI bias. Such reviews are performed only by a minimal number of personnel with strictly controlled access.

  3. Purposes of data use: Improving AI accuracy and safety, developing new features, personalizing services, and reducing harmful or biased outputs.


Article 13 (Protection of Minors’ Personal Information)

We do not knowingly collect personal information from children under 14 in Korea and restrict their membership registration. For services provided in jurisdictions such as the United States, we do not directly collect personal information from children under 13 without verifiable parental consent, as required by applicable law.


Article 14 (Privacy Officer)

We appoint the following Privacy Officer to take overall responsibility for personal information processing and to handle complaints and relief of damages.

  • Privacy Officer

    • Name: Jonghan Seo

    • Tel: +82-2-566-7889

    • Email: contact@ameliheva.com



Article 15 (Remedies and Contact Points for Infringement of Rights)

If you need assistance with disputes or counseling related to personal information infringement, you may contact the organizations below:

  • Personal Information Infringement Report Center (KISA): 118 (privacy.kisa.or.kr)

  • Personal Information Dispute Mediation Committee: 1833-6972 (www.kopico.go.kr)

  • Supreme Prosecutors’ Office Cybercrime Investigation Dept.: 1301 (www.spo.go.kr)

  • National Police Agency Cyber Bureau: 182 (ecrm.police.go.kr)


Article 16 (Changes to this Privacy Policy)

If we add to, delete from, or amend this Policy, we will notify users at least 7 days in advance via our website/app announcements (or 30 days in advance where changes materially affect user rights).

  • Effective Date: September 16, 2025