← Home

Privacy Policy

Y2do ("Company") recognizes the importance of the personal information of Itdasy ("Service") users and establishes this Privacy Policy in accordance with the Personal Information Protection Act of the Republic of Korea (PIPA) and related laws.

1. Information We Collect and Purpose

1-1. Member (salon owner) data

Type	Items	Purpose	Retention
Required	Email, hashed password, name	Authentication, support	Until account deletion
Optional	Shop name, address, phone, Instagram handle, industry	AI caption personalization	Until account deletion
Auto-collected	IP, device info (model/OS), usage logs, cookies	Security, quality improvement	1 year
Billing	App Store/Play transaction IDs	Subscription status, refunds	5 years (e-commerce law)

1-2. End-customer data (processed on behalf of salon owners)

Information entered by salon owners about their own customers is treated as entrusted processing on behalf of the owner as controller. Salon owners are responsible for obtaining valid consent from their end-customers before entering data into Itdasy.

2. Third-Party Entrustment and International Transfer

Recipient	Country	Purpose	Data
Google LLC	United States	AI generation (Gemini API), analytics	Pseudonymized customer labels (e.g., "Customer#1"), booking times, revenue amounts, service names, caption text
Meta Platforms, Inc.	United States / Ireland	Instagram OAuth, post publishing, tone analysis	Instagram user ID, public posts, access tokens
Railway App, Inc.	United States	Server hosting (Docker)	All service data (encrypted at rest)
Supabase, Inc.	United States	Managed Postgres database	All DB records (encrypted)
Cloudflare, Inc.	United States	Image CDN and R2 storage	Uploaded photos/videos
Replicate, Inc. / Remove.bg	United States / Germany	AI image processing (background removal)	Uploaded photos (discarded immediately after processing)

2-1. Consent for cross-border transfer

Explicit opt-in consent is collected at sign-up via a checkbox. Users may withdraw consent from the app settings; AI features will be disabled but core features remain available.

2-2. Pseudonymization

Before any call to external AI services (e.g., Google Gemini), customer identifiers are replaced with pseudonyms (e.g., "Customer#1"). Per Google Gemini API terms, input data is not used to train models.

3. Retention and Deletion

• Upon account deletion request, all personal data is deleted immediately, except records required by law.
• Minimum retention by law: contracts/refunds 5 years, payment records 5 years, complaint records 3 years, login logs 3 months.
• Deletion method: electronic files are overwritten/purged beyond recovery; physical records are shredded.

4. Your Rights

• Access, rectification, erasure, restriction of processing under PIPA Articles 35–37.
• Data portability: CSV export via app settings → Account → Export Data.
• Account deletion in-app: Settings → 🗑 Delete Account → type "탈퇴" (withdraw) → confirmation → permanent deletion (Apple 5.1.1(ix) and Google Play compliant).
• Right to object to automated decision-making (see Section 6-bis).
• Requests: contact@itdasy.com — processed within 10 days.

5. Security Measures

• Passwords: bcrypt hash. Instagram tokens: Fernet (AES) encryption.
• Access control: 2FA for admins, DB restricted to allowed IPs.
• Transport: HTTPS/TLS 1.2+ for all API traffic.
• Multi-tenancy isolation enforced by user_id filter on every query.
• Audit logs for personal data access/changes retained for 90 days.

6. Cookies and Tracking

We do not use third-party advertising or cross-site tracking cookies. Only first-party session tokens (localStorage), preference settings, and offline cache are used. All can be cleared via OS/browser settings.

6-bis. Automated Decision-Making (AI Disclosure)

The Service uses AI (Google Gemini API) for: caption suggestions, chat assistant drafts, retention risk scoring. These are advisory only and do not produce legal or financial effects without user confirmation. Users may disable AI features at any time. Inappropriate AI output can be reported via the in-app 🚩 button; we review within 24 hours.

7. Data Protection Officer

• Officer: Yeonjun Kang (CEO)
• Email: contact@itdasy.com

Users may also contact the Korean Personal Information Dispute Mediation Committee (+82-1833-6972, kopico.go.kr) or KISA Privacy Complaint Center (118, privacy.kisa.or.kr).

8. Children's Privacy

The Service is not intended for children under 14. If we learn that a child under 14 has registered, we will immediately delete the account and all related data. For children under 14 requiring access, verifiable parental consent is required.

9. Data Breach Notification

In the event of a data breach, affected users will be notified via email and in-app notice within 72 hours, including details of what was leaked, mitigation steps, and contact information for reporting. Breaches involving 1,000+ users are reported to the Personal Information Protection Commission and KISA.

10. Changes to this Policy

Material changes (new entrustment, expanded collection, longer retention) will be notified at least 30 days before taking effect, and re-consent will be requested where applicable. Other changes will be notified at least 7 days in advance via in-app announcement and email.

Version	Effective	Changes
v1.0	2026-04-22	Initial publication — full PIPA compliance framework
v1.1	2026-04-22	Added GDPR (EU/UK), CCPA/CPRA (California), LGPD (Brazil), APPI (Japan), PIPEDA (Canada), Australia Privacy Act regional notices

11. Notice to EU/EEA and UK Residents (GDPR / UK GDPR)

11-1. Controller and Contact

• Controller: Y2do (Business Registration No. 179-36-01681), Republic of Korea
• Contact / DPO-equivalent: contact@itdasy.com
• EU Representative (Art. 27): We process personal data on a limited scale targeting professional beauty salon operators. If our EU data subject volume exceeds the Art. 27 threshold, we will formally designate a representative and update this Policy. Until then, EU/EEA residents may contact us directly at the email above for any GDPR matter.

11-2. Legal Bases for Processing (Art. 6)

Purpose	Legal Basis
Account creation, authentication, service delivery	Art. 6(1)(b) — Contract performance
Billing (IAP transaction records)	Art. 6(1)(b) Contract; Art. 6(1)(c) Legal obligation (tax)
AI processing via Google Gemini (captions, assistant)	Art. 6(1)(a) — Explicit opt-in consent at signup
Cross-border data transfer to US providers	Art. 6(1)(a) Consent + Art. 46 SCCs
Security, fraud prevention, error monitoring	Art. 6(1)(f) — Legitimate interest (service integrity)
End-customer data entered by salon owners	Processor role under Art. 28 — owner as controller, Y2do as processor

11-3. Your Rights under GDPR / UK GDPR

• Access (Art. 15): confirmation of processing and a copy of your data.
• Rectification (Art. 16): correct inaccurate data.
• Erasure / "right to be forgotten" (Art. 17): in-app one-tap Delete Account in Settings.
• Restriction of processing (Art. 18).
• Data portability (Art. 20): download your data in CSV/JSON via in-app Export Data.
• Object (Art. 21): object to processing based on legitimate interest, including profiling (retention risk scoring).
• Automated decision-making (Art. 22): AI output is advisory only; no solely-automated decision producing legal effect is made. You can disable AI features at any time.
• Withdraw consent (Art. 7(3)) without affecting lawfulness of prior processing.
• Lodge a complaint with your local Data Protection Authority (see 11-6).

We respond to all verified requests free of charge within 30 days.

11-4. International Data Transfers (Chapter V)

• South Korea adequacy decision: the European Commission issued an adequacy decision for the Republic of Korea on 17 December 2021. Transfers from the EU to our Korean operations do not require additional safeguards.
• US processors (Google, Meta, Railway, Supabase, Cloudflare, Replicate, Sentry): we rely on the 2021 EU Standard Contractual Clauses (SCCs) and supplementary measures — TLS in transit, encryption at rest, pseudonymization of customer identifiers before AI calls, least-privilege access.
• A copy of the SCCs is available upon request at contact@itdasy.com.

11-5. Supervisory Authorities (non-exhaustive)

• Germany — BfDI (bfdi.bund.de)
• France — CNIL (cnil.fr)
• Spain — AEPD (aepd.es)
• Italy — Garante (garanteprivacy.it)
• Netherlands — AP (autoriteitpersoonsgegevens.nl)
• Ireland — DPC (dataprotection.ie)
• United Kingdom — ICO (ico.org.uk)
• Other EU/EEA member states — see EDPB members list.

12. Notice to California Residents (CCPA / CPRA)

12-1. Categories of Personal Information Collected (last 12 months)

Category (§1798.140)	Collected?	Source	Purpose	Disclosed to
A. Identifiers (name, email, user ID)	Yes	You	Account, service	Processors (Supabase, Railway)
B. §1798.80 customer records	Yes	You	Billing, support	Apple/Google (IAP); processors
D. Commercial info (purchase history)	Yes	Apple/Google stores	Billing, subscription	Apple, Google
F. Internet/network activity (error logs)	Limited	Device	Security/debug	Sentry
G. Geolocation	No	—	—	—
I. Professional/employment	Yes (shop info)	You	Personalization	Processors
K. Inferences (retention risk)	Limited	Your usage	Churn alerts	Not shared
L. Sensitive Personal Info (SSN, precise geo, biometric, health, genetic, religion, union, sex life)	No	—	—	—

12-2. "Do Not Sell or Share My Personal Information"

We do not sell personal information for money, and we do not share personal information for cross-context behavioral advertising. A "Do Not Sell or Share" link is therefore not required under §1798.135. If our practices change, we will update this Policy and provide an opt-out in the app.

12-3. Your CCPA / CPRA Rights

• Right to know (§1798.110) — categories and specific pieces of PI collected.
• Right to delete (§1798.105) — in-app Delete Account.
• Right to correct (§1798.106).
• Opt-out of sale/sharing — N/A (we don't sell/share).
• Limit use of sensitive PI — N/A (we don't collect sensitive PI).
• Non-discrimination (§1798.125) — exercising rights will not affect service quality or price.

Exercise rights: email contact@itdasy.com with subject "CCPA Request — [right]". We verify identity by email confirmation and respond within 45 days.

12-4. Shine the Light (Cal. Civ. Code §1798.83)

We do not disclose PI to third parties for their direct marketing, so no such disclosure is required.

12-5. Minors

We do not knowingly collect PI from users under 16 without affirmative consent (CPRA). Users under 14 are prohibited from registering (see Section 8).

13. Notice to Brazilian Residents (LGPD — Law 13.709/2018)

You have rights analogous to GDPR — confirmation, access, correction, anonymization, portability, deletion, information on sharing, and revocation of consent. Exercise via contact@itdasy.com. Complaints: Autoridade Nacional de Proteção de Dados (ANPD) — gov.br/anpd.

14. Notice to Japanese Residents (APPI — 個人情報の保護に関する法律)

• Purposes of use are specified in Section 1 of this Policy.
• Cross-border transfers to the US: we provide equivalent protection through SCC-style contractual measures with US processors, consistent with APPI Art. 24.
• Rights: disclosure, correction, cessation of use, deletion — contact@itdasy.com.
• Complaints: Personal Information Protection Commission (PPC) — ppc.go.jp/en.

15. Notice to Canadian Residents (PIPEDA)

We process in accordance with PIPEDA and applicable provincial laws (Quebec Law 25, Alberta PIPA, BC PIPA). Rights of access, correction, and withdrawal of consent. Complaints: Office of the Privacy Commissioner of Canada — priv.gc.ca.

16. Notice to Australian Residents (Privacy Act 1988)

Handled per the 13 Australian Privacy Principles (APPs). Complaints: OAIC — oaic.gov.au.

17. Children's Privacy — Multi-jurisdictional

• Republic of Korea (PIPA): minimum age 14; under 14 requires verifiable guardian consent.
• United States (COPPA): we do not knowingly collect PI from children under 13.
• EU/EEA and UK (GDPR Art. 8): the age of digital consent varies by state (13–16); for users under the applicable age, verifiable parental consent is required.
• California (CPRA): additional opt-in for users under 16.
• Upon learning of non-compliant registration, we will promptly delete the account.

18. Cookies, Tracking, and Consent

We use only strictly necessary first-party storage to operate the service (session JWT, preference settings, offline cache). We do not use cross-site tracking cookies, advertising identifiers, or third-party analytics for profiling. For EU/EEA/UK users, we present a consent banner at first launch for optional items such as crash-reporting telemetry (Sentry). Declining does not affect core functionality.

19. Security — International Standards

• Encryption in transit: TLS 1.2+/HTTPS everywhere.
• Encryption at rest: Supabase/Postgres native; Cloudflare R2 server-side.
• Password hashing: bcrypt.
• Instagram OAuth tokens: Fernet (AES) application-layer encryption.
• Access control: least privilege, MFA for admins, multi-tenant row-level isolation enforced by user_id filter.
• Incident response: documented breach notification procedure (72 hours under GDPR Art. 33).
• No sale of personal data, ever.