Privacy Policy
Effective Date: November 4, 2025
Article 1 (Purpose of Processing Personal Information)
Cookka (hereinafter referred to as "the Company") processes personal information for the following purposes. The personal information being processed shall not be used for any purpose other than the following purposes, and if the purpose of use is changed, necessary measures such as obtaining separate consent shall be implemented in accordance with Article 18 of the Personal Information Protection Act.
- Membership registration and management: maintaining and managing membership qualifications, preventing fraudulent use of services, and providing various notices and notifications
- Service provision: providing recipe extraction and generation services, content provision, and customized service provision
- Service improvement: developing new services and providing customized services, providing services according to statistical characteristics
Article 2 (Items of Personal Information Processed)
The Company collects only the minimum personal information through social login (OAuth 2.0) methods.
1. Google Social Login
- Required items: email address, profile information (name), unique identifier (OAuth Provider ID)
- Collection method: Google OAuth 2.0 authentication process
2. Naver Social Login
- Required items: email address, profile information (name), unique identifier (OAuth Provider ID)
- Collection method: Naver OAuth 2.0 authentication process
3. Information Automatically Generated During Service Use
- Service usage records, access logs, cookies, access IP information
- Created recipe information and metadata
Article 3 (Processing and Retention Period of Personal Information)
The Company processes and retains personal information within the period of retention and use of personal information under the relevant laws and regulations or the period of retention and use of personal information consented to when collecting personal information from data subjects.
1. Member Information
- Retention period: Until membership withdrawal
- However, to prevent re-registration and fraudulent use, minimum information (OAuth Provider, Provider ID) is retained for 30 days after membership withdrawal and then destroyed without delay
2. Retention According to Relevant Laws
When it is necessary to preserve according to the provisions of relevant laws such as the Act on Consumer Protection in Electronic Commerce, the Protection of Communications Secrets Act, etc., the Company retains member information for a certain period as stipulated by relevant laws.
- Personal information related to service use (login records): 3 months (Protection of Communications Secrets Act)
- Records regarding consumer complaints or dispute resolution: 3 years (Electronic Commerce Act)
Article 4 (Provision of Personal Information to Third Parties)
The Company processes personal information only within the scope specified in Article 1 (Purpose of Processing Personal Information) and provides personal information to third parties only in cases corresponding to Articles 17 and 18 of the Personal Information Protection Act, such as the consent of the data subject or special provisions of the law.
Currently, the Company does not provide users' personal information to third parties.
Article 5 (Consignment of Personal Information Processing)
The Company consigns certain personal information processing tasks within the necessary scope for smooth service provision.
| Consignee | Consigned Tasks |
|---|---|
| Paddle.com Market Ltd. | Electronic payment services |
Article 6 (Cross-Border Transfer of Personal Information)
The Company transfers personal information collected from service users abroad as follows. Since cross-border transfer is essential for data storage and infrastructure operations necessary to provide the service, service use will not be possible if you refuse the cross-border transfer.
| Consignee | Contact | Consigned Tasks | Personal Information Items Transferred | Country of Transfer | Transfer Time and Method | Transfer Purpose | Personal Information Retention and Use Period | Legal Basis |
|---|---|---|---|---|---|---|---|---|
| DigitalOcean, Inc. | privacy@digitalocean.com | Information storage, infrastructure operations | Encrypted internal identifiers, device identification information, etc. | United States | Encrypted communication during service use | Data storage and operations | Upon membership withdrawal or contract termination | Personal Information Protection Act Article 28-8, Paragraph 1, Item 3 (Processing consignment/storage for contract fulfillment) |
Article 7 (Rights and Obligations of Data Subjects and Methods of Exercise)
Data subjects may exercise the following personal information protection-related rights against the Company at any time.
- Request for access to personal information
- Request for correction in case of errors
- Request for deletion
- Request for suspension of processing
The exercise of rights can be made to the Company in writing, by telephone, email, etc., and the Company will take action without delay.
Article 8 (Destruction of Personal Information)
The Company shall destroy the personal information without delay when personal information becomes unnecessary, such as when the retention period of personal information has elapsed or the purpose of processing has been achieved.
Destruction Procedure
Information entered by users is transferred to a separate DB (separate documents in case of paper) after achieving the purpose and is stored for a certain period according to internal policies and other relevant laws or destroyed immediately.
Destruction Method
- Electronic file format: destroyed using methods such as Low Level Format so that records cannot be reproduced
- Paper documents: destroyed by shredding with a shredder or by incineration
Article 9 (Measures to Ensure Safety of Personal Information)
The Company is taking the following measures to ensure the safety of personal information.
- Administrative measures: establishment and implementation of internal management plans, regular employee training
- Technical measures: management of access rights to personal information processing systems, installation of access control systems, encryption of personal information, installation of security programs
- Physical measures: access control to computer rooms, data storage rooms, etc.
Article 10 (Personal Information Protection Officer)
The Company has designated a personal information protection officer as follows to take overall responsibility for personal information processing and to handle complaints and remedy damages related to personal information processing by data subjects.
If you have any questions regarding personal information protection, please use the inquiry function within the service.
Article 11 (Changes to the Privacy Policy)
This Privacy Policy shall be applied from the effective date, and if there are additions, deletions, or corrections according to laws and policies, it will be announced through announcements from 7 days before the implementation of changes.
Article 12 (Remedy for Rights Infringement)
Data subjects may apply for dispute resolution or consultation with the Personal Information Dispute Mediation Committee, relevant privacy authorities, etc., to receive relief for personal information infringement.
- Personal Information Dispute Mediation Committee: 1833-6972 (without area code) (www.kopico.go.kr)
- Personal Information Infringement Report Center: 118 (without area code) (privacy.kisa.or.kr)
- Supreme Prosecutors' Office: 1301 (without area code) (www.spo.go.kr)
- National Police Agency: 182 (without area code) (ecrm.cyber.go.kr)