Privacy Policy
Effective Date: June 1, 2026 · Last Updated: June 1, 2026
1. Introduction
Lululab Inc. (주식회사 룰루랩) ("Lululab", "we", "our", or "us") operates lulu-at.com and related services (collectively, the "Services").
This Privacy Policy explains how we collect, use, disclose, and protect personal information when you use our Services. It also describes your rights regarding your personal information and how to exercise them.
By using the Services, you consent to the practices described in this Privacy Policy. If you do not agree, please do not use the Services.
This Privacy Policy complies with the Personal Information Protection Act (PIPA) of the Republic of Korea and applicable international data protection laws, including applicable US federal and state privacy laws.
2. Personal Information We Collect
2.1 Information You Provide Directly
| Category | Examples | Purpose |
|---|---|---|
| Account Information | Name, email address, password | Account creation and login |
| Profile Information | Date of birth, gender, country, phone number | Personalized service delivery |
| Skin Images (Sensitive) | Facial photographs for AI skin analysis | AI skin analysis, personalized recommendations |
| Consultation Requests | Treatment interests, health concerns, preferred clinics | Clinic matching and booking |
| Payment Information | Billing details handled by our payment processor; transaction records (we do not store full card numbers) | Processing payments, vouchers, subscriptions, and refunds |
| Reviews | Ratings, review text, and price-experience responses you submit | Publishing reviews and improving service quality |
| Communications | Messages, support requests | Customer support |
2.2 Information Collected Automatically
When you use our Services, we automatically collect:
- Log Data: IP address, browser type and version, pages visited, time and date of visits
- Device Information: Device type, operating system, unique device identifiers
- Usage Data: Features used, interactions with content, search queries
- Cookies and Similar Technologies: See Section 9 below
2.3 Information from Third Parties
If you sign in using a third-party service (Google, Apple, etc.), we receive basic profile information (name, email address) from that service, subject to your privacy settings with that provider. We do not receive your password from third-party authentication providers.
3. Sensitive Personal Information
Sensitive Information Notice
Skin photographs you upload for AI analysis may constitute sensitive personal information under applicable law, as they can reveal physical characteristics and health-related information. We collect this only with your explicit, separate consent and handle it with heightened protection measures.
You have the right to refuse consent for the collection of sensitive information. Without this data, AI skin analysis and personalized recommendations will not be available. You may still access other Services, such as clinic discovery and content.
4. How We Use Your Information
- Service Delivery: Providing AI skin analysis, generating personalized skin type assessments, and delivering recommendations
- Account Management: Creating and managing your account, authenticating your identity
- Clinic Matching: Matching your skin profile and treatment interests with appropriate Clinic Partners and facilitating consultation requests
- Payment Processing: Processing payments, vouchers, subscriptions, and refunds through our payment processor
- Personalization: Tailoring content, treatment recommendations, and product suggestions to your skin profile
- Communications: Sending service-related notifications, transactional emails, and, with your consent, marketing communications
- Service Improvement: Analyzing usage patterns to improve our Services, AI model accuracy, and user experience
- Safety and Security: Detecting and preventing fraudulent activity, abuse, and security incidents
- Legal Compliance: Complying with applicable laws and regulations, responding to legal requests
AI Model Improvement: With your separate consent, we may use de-identified skin images and analysis outcomes to improve the accuracy of our AI models. You may withdraw this consent at any time without affecting your use of other Services.
5. Sharing Your Information
We do not sell your personal information, and we do not share it with third parties for cross-context behavioral advertising.
Clinic Partners: When you submit a consultation or booking request, we share your relevant profile information with the selected Clinic Partner to facilitate the consultation. Clinic Partners are independent third parties and handle your information according to their own privacy policies.
Legal Requirements: We may disclose your information if required by law, court order, or governmental authority, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
Business Transfers: In the event of a merger, acquisition, or sale of all or a portion of our assets, your personal information may be transferred. We will notify you before your information is subject to a different privacy policy.
Service Providers
| Provider | Purpose | Location |
|---|---|---|
| Clerk | User authentication and account management | USA |
| Supabase | Database and file storage | USA (AWS us-east-1) |
| Payment Processors | Payment processing, refund handling, and fraud prevention. Specific processors vary by country and payment method and may change over time. | Varies by processor |
| PostHog | Product analytics (third-party analytics platform) | USA / EU |
| Mux | Video streaming and hosting | USA |
| Vercel | Web hosting and edge delivery | Global (AWS) |
These providers are contractually bound to protect your information and may only process it as directed by us.
6. International Data Transfers
Lululab is headquartered in the Republic of Korea. Our service providers operate servers in the United States and other countries. When your personal information is transferred outside of Korea, we ensure appropriate safeguards are in place, including standard contractual clauses approved by data protection authorities. Where required by Korean PIPA, we will obtain your separate consent for the cross-border transfer of your personal information, disclosing the items transferred, the recipient, the destination country, and the purpose and retention period.
7. Data Retention
| Information Type | Retention Period |
|---|---|
| Account & profile information | Until account deletion + 1 year |
| Skin images & analysis results | Until your deletion request or account closure, and no later than 1 year after your last interaction with the Services |
| Consultation request records | As required by applicable consumer protection law (typically 5 years) |
| Transaction records | As required by applicable consumer protection law (typically 5 years) |
| Access logs | As required by applicable law (typically 3 months) |
| Marketing consent records | Until consent withdrawal + 1 year |
8. Your Rights
8.1 Rights Under Korean PIPA
- Right to Access: Request to view the personal information we hold about you
- Right to Correction: Request correction of inaccurate or incomplete information
- Right to Deletion: Request deletion of your personal information (subject to legal retention requirements)
- Right to Suspend Processing: Request suspension of processing of your personal information
- Right to Withdraw Consent: Withdraw consent at any time; this does not affect the lawfulness of processing before withdrawal
8.2 Additional Rights (United States)
California residents (CCPA/CPRA): You have the right to: (1) know what personal information we collect, use, and share; (2) delete personal information we hold about you; (3) correct inaccurate personal information; (4) opt out of the sale or sharing of personal information for cross-context behavioral advertising; (5) limit our use of sensitive personal information to necessary purposes; and (6) non-discrimination for exercising your privacy rights. We do not sell or share personal information. To exercise the right to limit the use of sensitive personal information, or to submit any other request, contact lululab@lulu-lab.com with the subject "CCPA Request."
Other US states: Residents of US states with applicable comprehensive privacy laws have similar rights to access, correct, delete, and opt out of certain processing of their personal information. We honor these rights to the extent required by applicable state law.
Biometric Data Notice: Skin photographs submitted for AI analysis may be processed in a manner that implicates applicable state biometric privacy laws (such as the Illinois Biometric Information Privacy Act (BIPA) and similar laws in other states). Where required by applicable state biometric privacy laws, we will obtain your separate written consent prior to collecting biometric data. We do not sell, lease, trade, or otherwise profit from biometric data. We retain biometric-derived data only as long as necessary to provide the Services and, in any event, no later than 1 year after your last interaction with the Services or within the period required by applicable law, after which it is permanently destroyed. You may request deletion of your biometric data at any time.
8.3 How to Exercise Your Rights
To exercise any of these rights, contact us at lululab@lulu-lab.com with the subject line "Privacy Request." We will respond within 10 business days. We may need to verify your identity before processing your request.
You may also delete your account directly from your profile settings, which will initiate deletion of your personal information.
9. Cookies and Tracking Technologies
| Type | Purpose | Can Opt Out |
|---|---|---|
| Essential | Authentication, session management, security | No (required for service) |
| Functional | Language preference, UI settings | Yes |
| Analytics | Usage patterns and feature adoption (third-party analytics platform) | Yes |
| Marketing | First-party personalization of recommendations | Yes |
We use marketing and personalization data on a first-party basis only. We do not share your personal information with third parties for cross-context behavioral advertising. If this practice ever changes, we will provide an opt-out mechanism and update this Policy in advance. You can control cookies through your browser settings; disabling essential cookies may impair service functionality.
10. Data Security
We implement industry-standard security measures to protect your personal information:
- Encryption in transit and at rest using industry-standard protocols
- Access controls limiting employee access to personal information
- Regular security assessments and vulnerability testing
- Incident response procedures, including notification to affected users and relevant authorities within the timeframes required by applicable law
No method of transmission over the internet or electronic storage is 100% secure. While we use commercially reasonable measures, we cannot guarantee absolute security.
11. Children's Privacy
The Services are intended for adults. You must be at least 18 years of age to use the Services (see our Terms of Service), and we do not knowingly collect personal information from anyone under 18. Consistent with the U.S. Children's Online Privacy Protection Act (COPPA), we do not knowingly collect personal information from children under 13, and consistent with Korean PIPA we apply additional protections to individuals under 14. If you believe a minor has provided us with personal information, contact us immediately at lululab@lulu-lab.com and we will delete it.
12. Marketing Communications
We send marketing communications only with your explicit prior consent. You may withdraw your consent at any time by:
- Clicking the "Unsubscribe" link in any marketing email
- Updating your preferences in your account settings
- Contacting us at lululab@lulu-lab.com
13. Personal Information Protection Officer
In accordance with the Personal Information Protection Act (PIPA) of the Republic of Korea, we have designated a Personal Information Protection Officer:
Lululab Inc. (주식회사 룰루랩)
CEO: Yongjoon Choe (최용준) | Business Reg. No.: 435-88-00655 | Distance Selling No.: 2019-서울강남-04187
Email: lululab@lulu-lab.com
Phone: +82-2-3446-3727
If you are not satisfied with our response, you have the right to lodge a complaint with the Personal Information Protection Commission (PIPC) of Korea (privacy.go.kr) or your local data protection authority.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by:
- Posting the updated policy on this page with a revised effective date
- Sending a notification to your registered email address
- Displaying a prominent notice on our Services
Material changes will take effect no earlier than 7 days after notification. For changes requiring your consent (such as new uses of sensitive information), we will seek your explicit consent before proceeding.
15. Contact Us
For questions, concerns, or requests related to this Privacy Policy or the processing of your personal information, please contact us:
Lululab Inc. (주식회사 룰루랩)
CEO: Yongjoon Choe (최용준)
Business Registration No.: 435-88-00655
Distance Selling Report No.: 2019-서울강남-04187
13F Units 1–2, SB Tower, 318 Dosan-daero,
Gangnam-gu, Seoul, Republic of Korea
Email: lululab@lulu-lab.com
Phone: +82-2-3446-3727
Business Hours: Monday–Friday, 09:00–18:00 KST