fitmi Privacy Policy

We process personal data for the following purposes. We will not use personal data for unrelated purposes without first obtaining your separate consent or relying on another lawful basis.

1. Account creation, identity verification, account management, and prevention of fraudulent use.
2. Generating, storing, and sharing AI virtual try-on results requested by you.
3. Processing payments, refunds, and chargebacks for Paid Services.
4. Customer support and operational notices.
5. Service quality improvement, statistical analytics, and security monitoring.
6. Compliance with legal obligations and the handling of legal claims.

Lawful bases under GDPR: performance of a contract (Art. 6(1)(b)), legitimate interests in operating and securing the Service (Art. 6(1)(f)), legal obligation (Art. 6(1)(c)), and your consent where required (Art. 6(1)(a)).

Photographs are processed only where you voluntarily upload them. We do not infer race, ethnicity, religion, or political opinion from photos and we do not use uploaded photos for biometric identification.

We do not sell personal data and we do not share it with third parties except (i) where you have given us separate consent, (ii) where the law permits or requires it (PIPA Articles 17 and 18), or (iii) where the recipient is a processor acting on our instructions under Section 5.

If, in the future, sharing for a new purpose becomes necessary, we will first notify you of the recipient, purpose, items, and retention period, and obtain consent where required.

Our processor agreements impose obligations of confidentiality, purpose limitation, technical and organisational safeguards, restrictions on sub-processing, and audit cooperation, as required by PIPA Article 26 and GDPR Article 28.

Several of our processors are located outside Korea, primarily in the United States. We rely on the following safeguards for international transfers:

1. Standard Contractual Clauses or equivalent contractual safeguards in our processor agreements.
2. Encryption of personal data in transit (TLS 1.2 or above) and at rest.
3. Disclosure of the recipient, country, items, and purpose under PIPA Article 28-8.
4. Your right, under PIPA Article 28-8(5), to refuse international transfer. Refusal may prevent us from delivering parts of the Service.

You may, at any time, exercise the following rights with respect to your personal data:

1. Access — request a description of how we process your data and a copy of it.
2. Rectification — ask us to correct inaccurate or incomplete data.
3. Erasure — ask us to delete data we no longer need to retain by law.
4. Restriction — ask us to suspend certain processing.
5. Object — object to processing based on legitimate interests.
6. Portability — receive your data in a commonly used machine-readable format where applicable.
7. Withdraw consent — withdraw consent at any time, without affecting prior lawful processing.
8. Lodge a complaint with a supervisory authority (see Section 14).

You can exercise these rights via the in-Service "Account settings" page or by writing to neu5563@naver.com. We respond within 10 days (PIPA) or one month (GDPR) of receiving a verified request.

If you are the legal guardian of a child under 14 (Korea) or under 16 (most EU member states), you may exercise these rights on the child's behalf.

When the retention period has elapsed or the purpose of processing has been fulfilled, we destroy the personal data without undue delay, unless another law requires continued retention.

• Procedure: destruction is authorised by the Data Protection Officer once a destruction trigger occurs.
• Electronic files: permanently deleted using techniques designed to prevent restoration (e.g., low-level format).
• Paper records: shredded or incinerated.

We implement administrative, technical, and physical safeguards required by PIPA Article 29 and equivalent international standards:

1. Minimising the number of personnel who handle personal data and training them regularly.
2. Encrypting authentication tokens (one-way hash) and sensitive payment-recurrence credentials (AES-256-GCM).
3. Recording access logs and protecting them against tampering.
4. Access control: privilege management, intrusion prevention and detection systems.
5. Server-side request forgery (SSRF) defences: blocking private IP ranges (RFC1918, loopback, link-local, IPv6 ULA) for outbound URL processing.
6. Access controls and audit logging across the personal-data processing system.
7. End-to-end transport encryption (HTTPS/TLS) for all traffic.

We use cookies and similar technologies to maintain login sessions, identify guest users (cookie name fitme_guest_session), maintain administrative sessions, store language preferences, and produce aggregate usage statistics.

1. You can refuse or delete cookies via your browser settings. Some features (such as sign-in) may not function correctly if cookies are blocked.
2. We do not use mobile advertising identifiers (IDFA, GAID) and do not transmit them to third-party advertising networks.

We do not collect sensitive data within the meaning of PIPA Article 23 (e.g., political opinions, religion, health, sex life) or unique identifiers within the meaning of PIPA Article 24 (e.g., resident registration numbers).

The Service is not intended for children under the age of 14 (Korea) or under 16 (most EU member states). We do not knowingly collect personal data from such children. If we discover that we have collected data from a child without verifiable parental consent, we will delete the data and close the account.

• Data Protection Officer: 이태희
• Contact: neu5563@naver.com
• Organisation: 마조리카 (Business registration 895-37-01612)
• Registered address: 서울특별시 관악구 문성로25길 19, 301호(신림동)

You may contact the Data Protection Officer with any question, complaint, or rights request relating to your personal data. We will respond promptly.

If you believe your rights have been infringed, you may approach the following supervisory authorities:

• Korean Personal Information Dispute Mediation Committee — www.kopico.go.kr / 1833-6972
• Korea Internet & Security Agency, Privacy Infringement Reporting Centre — privacy.kisa.or.kr / 118
• Supreme Prosecutors' Office Cybercrime Division — www.spo.go.kr / 1301
• National Police Agency Cyber Bureau — ecrm.cyber.go.kr / 182
• EU/EEA residents: the data protection supervisory authority of your member state of residence.
• UK residents: the Information Commissioner's Office (ico.org.uk).

This Privacy Policy is effective from 2026-05-11. We will announce any change at least 7 days before the effective date through an in-Service notice. For changes that are adverse or material to you, we will provide at least 30 days' notice and send an individual notice to your registered email.