How we handle your data
Effective: 2026-04-22
This Privacy Policy explains how Connected Co., Ltd. ("Connected", "we", "us") collects, uses, shares, and protects personal information when you use the K-Beauty Pick website at k-beautypick.com (the "Service"). We comply with the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), Korea's Personal Information Protection Act (PIPA), and Japan's Act on the Protection of Personal Information (APPI).
1. Who we are
Connected Co., Ltd. is a licensed foreign-patient facilitator registered in Seoul, Republic of Korea. We operate K-Beauty Pick as a curation service that connects non-Korean visitors with verified aesthetic dermatology and plastic surgery clinics in Korea. For this Policy, Connected is the data controller as defined by GDPR Article 4(7) and the equivalent under PIPA/APPI.
2. Information we collect
We collect the minimum personal information needed to respond to your booking inquiry and operate our service:
- Contact form submissions – name, email (optional), country code, preferred chat channel (WhatsApp, LINE, KakaoTalk, email), channel handle (optional), and any message you type.
- Technical data – IP address, browser user-agent, referring URL, pages viewed, and timestamps, collected automatically via server logs and cookies.
- Analytics data – de-identified usage patterns collected via Google Analytics 4 (anonymize_ip enabled).
- Communications – records of any chat, email, or voucher-confirmation messages exchanged with you after you submit a booking inquiry.
We do not collect sensitive data (health records, payment card numbers, government IDs) through this website. Any medical information you share directly with a clinic is covered by that clinic's own privacy notice.
3. How we use your information
We use your personal data for the following purposes:
- To respond to your booking inquiry and connect you with the relevant clinic (GDPR Art. 6(1)(b) – performance of pre-contractual steps you request).
- To send you booking vouchers, appointment confirmations, and related service messages (same legal basis).
- To measure and improve the Service, detect fraud, and maintain security (GDPR Art. 6(1)(f) – legitimate interests).
- To comply with legal obligations, tax records, and responses to lawful authority requests (GDPR Art. 6(1)(c)).
- With your consent, to use cookies for analytics (GDPR Art. 6(1)(a); ePrivacy Directive). You may withdraw consent at any time.
We do not sell your personal information and we do not use it for advertising outside of our own Service.
4. How we share information
We share personal data only with the following categories of recipients, each under a written data-processing agreement where required by law:
- Partner clinics – we forward your name and inquiry details to the clinic you are booking so they can confirm the appointment.
- Hosting and infrastructure – Vercel Inc. (USA) hosts the website; Supabase Inc. (USA, Singapore) stores the database.
- Communications – Resend Inc. (USA) sends transactional emails if you provide an email address.
- Analytics – Google LLC (Google Analytics 4) with IP anonymization.
- Chat platforms – if you choose to contact us via WhatsApp, LINE, or KakaoTalk, their privacy policies apply to messages sent through their apps.
- Legal authorities – when required by valid legal process in Korea or applicable jurisdictions.
5. International data transfers
Because Connected operates in Korea and our vendors are located in the United States, European Union, Singapore, and Japan, your personal data may be transferred to countries outside your own. When transferring data out of the EU/UK, we rely on the European Commission's Standard Contractual Clauses and, where applicable, additional safeguards. For transfers to Korea, the European Commission has recognized Korea's data-protection framework as providing an adequate level of protection (Adequacy Decision, 17 December 2021).
6. How long we keep your data
- Active booking inquiries and related messages: up to 3 years from last contact, then deleted or anonymized.
- Completed booking records (for tax and contract records): 5 years as required by Korean commercial law.
- Website server logs: 90 days.
- Google Analytics data: 14 months (default retention).
- You may request earlier deletion at any time (see "Your rights" below).
7. Your rights
Depending on where you live, you have some or all of the following rights:
- Access – request a copy of the personal data we hold about you.
- Rectification – ask us to correct inaccurate data.
- Erasure ("right to be forgotten") – ask us to delete your data, subject to legal retention obligations.
- Restriction – ask us to pause processing while we verify a concern.
- Portability – receive your data in a common machine-readable format.
- Objection – object to processing based on legitimate interests or for direct marketing.
- Withdrawal of consent – at any time, without affecting prior processing.
- Right not to be subject to solely automated decision-making that produces legal effects. We do not make such decisions.
- California residents (CCPA/CPRA) – additionally, right to know, delete, correct, limit use of sensitive information, opt-out of sale or sharing (we do not sell or share), and non-discrimination for exercising these rights.
- Korean residents (PIPA) – additionally, right to demand suspension of processing and to complain to the Personal Information Protection Commission (privacy.go.kr).
- Japanese residents (APPI) – additionally, right to demand disclosure, correction, addition, deletion, and suspension of use; right to complain to the Personal Information Protection Commission (ppc.go.jp).
To exercise any right, contact us using the details at the bottom of this page. We will respond within 30 days (or 45 days for CCPA, extendable once).
8. Cookies
We use the following cookie categories:
- Strictly necessary – required for login sessions (admin area only) and basic navigation. Cannot be disabled.
- Analytics – Google Analytics 4 with anonymize_ip. Loaded only after you give consent (where required by law).
You can block cookies through your browser settings. Blocking strictly necessary cookies may break site functionality.
9. Children's privacy
The Service is not directed to children under 16, and we do not knowingly collect personal information from them. If you believe a child has provided us personal information, contact us and we will delete it.
10. Security
We protect personal data using industry-standard measures: TLS 1.3 transport encryption, AES-256 at-rest encryption on our database, Row Level Security policies in PostgreSQL, and access controls requiring multi-factor authentication for administrative accounts. No method of transmission over the internet is 100% secure, but we work to continually improve our safeguards.
11. Changes to this Policy
We may update this Policy from time to time. Material changes will be announced on this page with a revised effective date at the top. Continued use of the Service after an update constitutes acceptance of the updated terms.
12. Contact and complaints
For any privacy question, request, or complaint, use the contact details below. EU/UK data subjects may also lodge a complaint with their local supervisory authority. Korean residents may contact the Personal Information Protection Commission (privacy.go.kr). Japanese residents may contact the PPC (ppc.go.jp). California residents may contact the Attorney General (oag.ca.gov/privacy).