Coynoa Inc. ("Company", "we", "us") establishes and publishes this paletti Privacy Policy ("Policy") in accordance with Article 30 of the Personal Information Protection Act of Korea ("PIPA") and Article 31 of its Enforcement Decree, to protect personal information of data subjects ("Users", "you") and promptly handle related concerns.
The Korean version of this Policy is the official, binding text. In case of any inconsistency between the Korean and English versions, the Korean version shall prevail.
We adhere to the following data-protection principles:
- Minimization: We collect only the minimum information necessary to provide the Service.
- Purpose limitation: Collected personal information is used only for the purposes specified in this Policy.
- Retention minimization: Personal information whose purpose has been fulfilled is destroyed without delay.
- No operator viewing: Our personnel process personal information only through automated pipelines and do not directly view User photographs.
Article 1 (Purposes of Processing)
We process personal information for the following purposes. Processed information will not be used for any other purpose, and if the purpose changes, we will obtain separate consent under PIPA Article 18.
- Provision of the AI personal-color diagnosis service
- Entrusting the User's photograph to an external AI service provider to generate and deliver a personal-color catalog
- Email delivery of the resulting catalog and provision of a result page for viewing
- Identity verification and result delivery
- Confirming the identity of the diagnosis applicant and recipient by email
- Delivering the catalog and notification emails
- Service operation and inquiry handling
- Handling inquiries and complaints, responding to rights-exercise requests
- Preventing abuse and resolving disputes
- Service improvement and statistical analysis
- Producing pseudonymized or anonymized usage statistics and improving service quality
- Compliance with legal obligations
- Preservation and provision of records pursuant to law or lawful requests from investigative agencies
- (With optional consent) Marketing communications
- Sending newsletters, new-service announcements, and event information by email to Users who have given marketing consent
Article 2 (Items and Methods of Collection)
1. Mandatory items (required for the Service)
| Category | Item | Time of collection |
|---|---|---|
| Identification / contact | Email address | At diagnosis request |
| Image data | One photograph including the face (JPEG / PNG / WEBP / HEIC, max 5 MB, automatically compressed to within 1920 px) | At diagnosis request |
| Consent records | Consent to Terms, Privacy Policy, and cross-border transfer | At diagnosis request |
2. Optional items
| Category | Item | Time of collection |
|---|---|---|
| Marketing consent | Consent to receive marketing / promotional communications | At diagnosis request |
Declining the optional item does not restrict your access to the core Service.
3. Automatically collected information
| Category | Item | Tool |
|---|---|---|
| Access data | IP address, access timestamp, browser type / version, OS, device information | Web server logs |
| Behavioral data | Page navigation, click / scroll / session length, error reports | Google Analytics 4, Microsoft Clarity |
| Advertising identifiers | Advertising ID and ad-interaction data | Google AdSense |
| Cookies | Session cookies, analytics cookies, advertising cookies | Browser cookies |
4. Methods of Collection
- Direct input or upload through forms on the Service
- Automatic generation and collection during service use (cookies, logs)
- Information provided by payment processors or partners (applicable only if and when paid plans are introduced)
5. Sensitive Information
Photographs processed by the Service are used only for appearance analysis (recognition of color characteristics such as hue, brightness, chroma, and visual features of skin / hair / eyes). They are not used for personal identification or for processing that falls under "biometric information" defined in PIPA Article 23 (i.e., technical processing aimed at identifying a specific individual). We do not use photographs for identity verification, authentication, or biometric matching.
6. Composition of the Result Catalog
The result catalog (Total / Makeup / Hair) automatically generated and delivered by email contains the personal-color classification, recommended palettes, and text/images for makeup and hair styles, together with composite images generated by an external AI service provider from the photograph the User uploaded (which may include the User's face). The catalog, in combination with the recipient's email address and the unique result-page URL, is treated as personal information and is managed under the retention rules in Article 3.
Article 3 (Retention and Use Periods)
We retain personal information only as long as required by law or to fulfill the purposes for which it was collected.
| Item | Retention period | Basis |
|---|---|---|
| Email address | Destroyed 90 days after the result is sent | Result resend / inquiry handling |
| Uploaded original photograph (including compressed copy) | Auto-destroyed 7 days after diagnosis is complete | Purpose fulfilled, minimization principle |
| Result catalog (composite images including the User's face, plus text) | Result page made private 90 days after delivery, then permanently destroyed within 30 days | Allowing the User to view, download, and share the result |
| Consent records (Terms, Policy, cross-border transfer, marketing consent and timestamps) | 3 years from consent withdrawal or termination of use | Dispute and complaint handling (Enforcement Decree of the Act on Consumer Protection in Electronic Commerce) |
| Auto-collected access logs | 3 months from collection | Article 15-2 of the Protection of Communications Secrets Act |
| Abuse records | 1 year | Preventing recurrence of abuse |
After the periods above, personal information is destroyed without delay pursuant to PIPA Article 21. Result emails remain in the User's mailbox; the Company does not retain copies of sent emails.
Why the retention periods differ between the original photograph and the result catalog: The original photograph becomes unnecessary immediately after AI diagnosis processing and is therefore destroyed after 7 days under the minimization principle. The result catalog, on the other hand, must remain accessible for some time so that the User can view, share, and download it; it is therefore retained for 90 days. The result page is served at a non-guessable unique URL (e.g., a UUID) so that only the User (and any party the User chooses to share the URL with) can access it; the Company additionally applies search-engine-index blocking (noindex) and similar measures to prevent inadvertent exposure.
Article 4 (Children Under 14)
- We do not process personal information of children under 14. The Service is intended for Users aged 14 or older, and Users represent that they are at least 14 years of age by agreeing to the Terms of Service and this Policy.
- If a User is found to be under 14, or upon request by a guardian, we destroy that child's personal information without delay.
- Inquiries regarding children's data may be sent to
privacy@paletti.coynoa.com.
Article 5 (Third-Party Provision)
- We do not, in principle, provide your personal information to third parties.
- We may exceptionally provide it in the following cases:
- With your separate consent;
- Where required by law, or in response to lawful requests by investigative agencies pursuant to statutory procedures.
- Before any such provision (unless legally mandated and exempt from consent), we will notify you of the recipient, the purpose, items provided, and the retention period, and obtain your consent.
Article 6 (Entrustment of Processing)
For smooth service operation, we entrust certain processing tasks to external specialists. Pursuant to PIPA Article 26, we ensure that the entrustment agreement includes the necessary safeguards and we periodically verify that entrusted parties handle personal information securely.
| Entrusted task | Entrusted party (category) | Period |
|---|---|---|
| AI diagnosis processing (image analysis, text / image generation) | Global AI service providers (may be located outside Korea) | Until service termination or expiration of the entrustment contract |
| Cloud infrastructure (storage, database, compute) | Global cloud infrastructure providers | Same as above |
| Email delivery | Email delivery service provider | Same as above |
| Web analytics | Web analytics service provider | Same as above |
| Ad serving and measurement | Advertising network provider | Same as above |
The specific list of entrusted parties is disclosed through revisions to this Policy. The list may change to reflect operational efficiency, service quality, or security requirements, and we will update this Policy when changes occur. You may request the current list of entrusted parties at privacy@paletti.coynoa.com.
Article 7 (Cross-Border Transfer)
For AI diagnosis processing and cloud infrastructure operations, we transfer your personal information abroad (including entrustment and storage). This transfer is based on PIPA Article 28-8, paragraph 1, item 3, sub-item (a) — entrustment or storage necessary for the conclusion and performance of a contract (the Service) with the data subject — and is made by disclosing the following information in this Policy in advance, without requiring a separate consent.
| Item | Description |
|---|---|
| Items transferred | Photograph (facial image), email address, diagnosis metadata, system logs |
| Recipient countries | United States and other data-processing locations operated by the global cloud and AI providers we use (varies by provider) |
| Time and method of transfer | At diagnosis request and during processing, up to 7 days after diagnosis completion; transmission over TLS 1.2 or higher encrypted channels |
| Recipients | Global AI service providers, global cloud infrastructure providers, etc. (see the table in Article 6). You may request the specific list at privacy@paletti.coynoa.com |
| Purpose of use | Generating and delivering AI personal-color diagnosis catalogs, system operation and security |
| Retention and use period | Same as Article 3 (photograph destroyed within 7 days of processing completion) |
| Refusal method and effect | Because this cross-border transfer is essential for performance of the contract and is disclosed in advance in this Policy, no separate refusal mechanism is provided. You can avoid the transfer only by not using the Service. |
We implement the protections required by PIPA for cross-border transfers and require entrusted parties to apply equivalent safeguards. If we later switch to a consent-based legal basis for cross-border transfer, we will amend this Policy and clearly notify Users.
Article 8 (Rights Regarding Automated Decisions)
Pursuant to PIPA Article 37-2, we disclose the following:
- Existence of automated decisions: The Company uses AI models operated by external AI service providers to automatically analyze User photographs and generate personal-color catalogs. No human intervention by Company personnel is involved in this generation.
- Criteria and procedure:
- The uploaded photograph is forwarded to the automated pipeline;
- The external AI model identifies visual features (hue, brightness, chroma, skin / hair / eye tones, etc.) and infers personal-color candidates;
- The external AI model produces makeup / hair catalog text and images matching the inferred category;
- The catalog is delivered by email.
- How personal information is processed: Photographs are processed for color and appearance analysis, not for identification. We do not use photographs for any other purpose (e.g., ad targeting, AI training).
- Your rights:
- Voluntary acceptance of objections — Because the automated decisions in this Service are made based on the data subject's consent (PIPA Article 15(1)(1)), the statutory right to object under PIPA Article 37-2(1) does not directly apply (per the proviso of that paragraph). However, the Company voluntarily accepts objection requests and, absent justifiable reason otherwise, will take reasonable measures such as discontinuing use of the result, reprocessing, or destroying associated data;
- Right to explanation — You may request an explanation of the criteria, procedure, and basis used to generate the result;
- Right to reprocessing or human review — You may request that the automated decision not be applied or that the matter be reprocessed with human involvement.
- How to exercise your rights: Send a request to
privacy@paletti.coynoa.comtogether with proof of your data-subject status (e.g., sending from the email address used at diagnosis). Unless there is justifiable reason otherwise, we will take the necessary actions and reply within 10 days of receipt.
Article 9 (Destruction Procedure and Method)
- Principle: We destroy personal information without delay once the retention period has expired or the purpose has been fulfilled.
- Timing:
- Photographs: automatically destroyed by a scheduled job that runs at a fixed time each day, 7 days after diagnosis completion;
- Email and result catalog: auto-destroyed 90 days after result delivery;
- Consent records, access logs, abuse records: auto-destroyed after the periods set out in Article 3.
- Procedure: After the retention period ends, personal information is either destroyed immediately or moved to a separate database / area and retained for the period required by law (if any) before destruction.
- Method:
- Electronic files: deleted permanently in a manner that prevents recovery (e.g., permanent deletion in object storage, permanent deletion of database columns / records);
- Printed records: shredded or incinerated.
Article 10 (Data Subject Rights and How to Exercise Them)
- You may exercise the following rights with respect to the Company at any time:
- Access — Request to view how your personal information is processed;
- Correction / deletion — Request to correct errors or delete your information;
- Suspension of processing — Request the Company to stop processing your information;
- Withdrawal of consent — Withdraw consent to collection, use, provision, cross-border transfer, marketing, etc.
- Methods of exercise:
- Email:
privacy@paletti.coynoa.com; - Unsubscribe link in marketing emails: click the "Unsubscribe" link included in marketing / promotional emails.
- Email:
Marketing email labeling: Pursuant to Article 50 of the Information and Communications Network Act, marketing emails we send carry "(광고)" ("Advertisement") in the subject line and include the sender's name and contact information and a one-click unsubscribe link in the body. Sending between 9 PM and 8 AM the following morning requires separate consent.
- We may verify your identity before acting on a rights request.
- We will respond to your request and inform you of the outcome within 10 days of receipt.
- The legal representative of a child under 14 may exercise these rights on the child's behalf.
- You are responsible for entering accurate information when using the Service. Using another person's information without authorization may result in service restrictions and may be punishable under applicable law.
Article 11 (Cookies and Other Automatic Collection Devices)
We use cookies and similar technologies to provide personalized services and advertising.
1. Purposes of cookies
| Type | Purpose |
|---|---|
| Strictly necessary | Session maintenance, security |
| Analytics (Google Analytics 4, Microsoft Clarity) | Page-visit / dwell / exit statistics and usability improvement (heatmaps and session replays are pseudonymized or anonymized) |
| Advertising (Google AdSense) | Ad serving, frequency capping, performance measurement |
2. Refusing cookies
You can configure your browser to accept all cookies, prompt before storing a cookie, or refuse all cookies.
- Chrome: Settings → Privacy and security → Cookies and other site data
- Safari: Preferences → Privacy → Block all cookies
- Edge: Settings → Cookies and site permissions
- Firefox: Settings → Privacy & Security → Cookies and Site Data
Refusing cookies may impair certain features (personalized advertising, analytics-driven improvements).
3. Opting out of personalized ads
You may change advertising personalization settings here:
- Google Ads Settings:
https://adssettings.google.com/ - Korean Digital Advertising Association:
https://digitalad.or.kr/
Article 12 (Security Measures)
Pursuant to PIPA Article 29 and Article 30 of its Enforcement Decree, we take the following security measures:
- Administrative measures
- Establishment and execution of an internal personal-information management plan;
- Regular personal-information protection training for personnel;
- Policy prohibiting Company personnel from directly viewing original photographs — personnel process photographs only through automated pipelines and review only outputs (text and metadata).
- Technical measures
- Minimization of access privileges to personal-information processing systems and role-based access control;
- Encryption in transit (TLS 1.2 or higher) and encryption at rest (server-side encryption in object storage, column-level encryption in databases);
- Retention of access logs and protection against tampering;
- Installation and updates of security software, periodic vulnerability assessments.
- Physical measures
- Data center access controls operated by the cloud infrastructure provider (relying on entrusted-party security measures).
Article 13 (Privacy Officer)
We have appointed a Privacy Officer to oversee personal-information processing and to address complaints and remediation requests.
Privacy Officer
- Name:
Privacy Officer Name - Department / Position:
Operations / Team Lead - Email:
privacy@paletti.coynoa.com
You may direct any privacy-related inquiries, complaints, or remediation requests arising from your use of the Service to the Privacy Officer. We will respond and take action without undue delay.
Article 14 (Grievance Channels)
You may seek dispute resolution or consultation regarding privacy violations through the following Korean agencies:
| Agency | Contact | Notes |
|---|---|---|
| Personal Information Dispute Mediation Committee | 1833-6972 (no area code) / https://www.kopico.go.kr | Personal-information dispute and class mediation |
| KISA Privacy Infringement Report Center | 118 (no area code) / https://privacy.kisa.or.kr | Privacy infringement reports and consultation |
| Cyber Investigation Division, Supreme Prosecutors' Office | 1301 / https://www.spo.go.kr | Criminal cases involving privacy infringement |
| Cyber Investigation Bureau, National Police Agency | 182 / https://ecrm.police.go.kr | Criminal cases involving privacy infringement |
If you are dissatisfied with the Company's actions under PIPA Articles 35 (access), 36 (correction / deletion), and 37 (suspension of processing), you may also file an administrative appeal with the Personal Information Protection Commission or the Central Administrative Appeals Commission.
Article 15 (Changes to this Policy)
- This Policy takes effect on
2026-06-01. - Where this Policy is amended, we will give notice on the Service at least 7 days before the effective date. For changes that materially affect data-subject rights, we will give notice at least 30 days before and may additionally notify you by reasonable means such as the email you provided.
- Previous versions of this Policy can be located as follows.
| Version | Effective date | Reference |
|---|---|---|
| v1.0 (current) | 2026-06-01 | This document |
Supplementary Provisions
This paletti Privacy Policy takes effect on 2026-06-01.