LimePost Privacy Policy

Version: v0.4 (English, business information incorporated + KR v0.3 alignment)

Drafted: 2026-05-12 (KR v0.1) / Translated: 2026-05-19 (EN v0.2) / Revised: 2026-05-19 (EN v0.3) / Revised: 2026-05-20 (EN v0.4)

Effective date: 2026-05-20

Governing law: Personal Information Protection Act (PIPA), Act on Promotion of Information and Communications Network Utilization and Information Protection of South Korea

Linked materials: Meta App Review Business Description v0.4 §5 Data Handling

v0.3 → v0.4 revisions:

Business information incorporated (Article 12 email + Supplementary Provisions effective date)
§8 / §8.1 rights exercise method: beta-stage table → prose (KR v0.3 5/20 alignment, no future date hardcoding)
Appendix v0.4 row added

Article 1 (General Provisions)

LimePost (hereinafter “the Company”) establishes and discloses this Privacy Policy in accordance with Article 30 of the Personal Information Protection Act of South Korea, in order to protect the personal information of data subjects and to handle related grievances promptly and smoothly.

This Policy applies to the AI-powered SNS marketing automation service for small business owners, “LimePost” (hereinafter “the Service”), provided by the Company.

Article 2 (Items of Personal Information Collected)

2.1 Items Collected at Account Sign-up

Type	Items
Required	Email address, password (stored after one-way encryption)
Optional	Name, mobile phone number

2.2 Items Collected at Store Registration

Type	Items
Required	Store name, Naver Place URL
Automatically collected	Public information from Naver Place (photos, reviews, menu, business hours, store description)

2.3 Items Collected upon Instagram Business Account Connection (Meta API)

When and only when the user explicitly approves the Instagram connection, the following information is collected via the Meta API.

instagram_business_basic permission (collected only upon explicit user approval):

Item	Purpose of use
Store's Instagram profile information (account name, profile picture, bio, follower count)	Analysis of store identity and reach baseline
Store's Instagram posts (captions, media URLs, hashtags, posting date)	Analysis of content tone and style
Post insights (reach, impressions, likes, comment counts)	Identification of content performance patterns

instagram_business_content_publishing permission (used only upon explicit user approval):

This permission is used solely to upload content to the user's store Instagram account, not for data collection. No separate data is collected under this permission.

2.4 Information Automatically Generated and Collected During Service Use

Item	Purpose of use
Service usage records (access date/time, features used, IP address)	Service operation and improvement
Content generated by the user within LimePost (AI analysis results, content drafts)	Service provision
Payment information (payment date/time, payment method, amount)	Payment processing (actual card information is stored by the PG provider)

Article 3 (Methods of Collecting Personal Information)

Direct input by the user at the time of account sign-up or store registration
Automatic collection of public information from a Naver Place URL provided by the user
Collection via the Meta API, only after the user explicitly approves the Instagram connection
Automatic generation during service use

Article 4 (Purposes of Collection and Use of Personal Information)

4.1 Member Management

Verification of intent to register, identification and authentication of the user
Password reset, delivery of notices

4.2 Service Provision

Generation of AI-based store diagnosis reports
Automatic generation of Instagram post content (images, captions, hashtags)
Publishing to the store's Instagram account upon explicit user approval (within the scope of the instagram_business_content_publishing permission)
Payment processing and payment history management

4.3 Service Operation and Improvement

Analysis of service usage statistics
Development of new features and quality improvement
Prevention of fraudulent use, security management

The Company does not use personal information for purposes other than those stated above. No sharing with ad networks. No sales to data brokers.

Article 5 (Retention and Use Period of Personal Information)

In principle, the Company destroys personal information without delay once the purposes of collection and use have been fulfilled. However, when retention is required by applicable laws, the Company stores the information for the specified period as follows.

Item	Retention period	Basis
Account registration information	Until withdrawal of membership (complete deletion within 30 days after withdrawal)	Service provision
Store information and Instagram connection data	Until the user deletes the store or revokes the connection (complete deletion within 30 days of revocation)	Service provision
Records on contracts or withdrawal of subscription, etc.	5 years	Act on Consumer Protection in Electronic Commerce
Records on payment and supply of goods, etc.	5 years	Act on Consumer Protection in Electronic Commerce
Records on consumer complaints or dispute resolution	3 years	Act on Consumer Protection in Electronic Commerce
Service access logs	3 months	Protection of Communications Secrets Act

Deletion procedure: Upon membership withdrawal, store deletion, or Instagram connection revocation, logical deletion is performed immediately and all backup copies are completely purged within 30 days. This 30-day window exists to provide a safe recovery period for accidental deletion requests by the user.

Article 6 (Provision of Personal Information to Third Parties)

The Company processes the personal information of users only within the scope specified in “Article 4 (Purposes of Collection and Use of Personal Information)” of this Policy, and does not, in principle, use such information beyond this scope or provide it to outside parties without the user's prior consent.

The following cases are exceptions.

When the user has given prior consent
When required by applicable laws, or when an investigative agency requests information for investigative purposes in accordance with the procedures and methods specified by law

Article 7 (Entrustment of Personal Information Processing)

Entrustee	Entrusted work	Retention and use period
Supabase (PostgreSQL database hosting)	Storage and processing of personal information	Until withdrawal of membership or termination of the entrustment contract
Vercel (web hosting)	Service operation	Same as above
Anthropic (Claude API)	AI analysis and content generation processing	Immediately after processing (no permanent storage)
Meta Platforms (Instagram API)	Instagram connection and publishing	Until the user revokes the connection
[PG provider — KakaoPay/Toss, to be updated when payment is activated]	Payment processing	Period specified by applicable laws

When entering into entrustment contracts, the Company specifies, in accordance with Article 26 of the Personal Information Protection Act, the prohibition of processing personal information for purposes other than the entrusted work, technical and managerial protection measures, restrictions on re-entrustment, and supervision of entrustees, so that entrustees process personal information safely.

Article 8 (Rights and Obligations of Data Subjects and Methods of Exercise)

Users may exercise the following rights related to personal information protection against the Company at any time.

Request to view personal information
Request to correct any errors
Request for deletion
Request to suspend processing

Such rights may be exercised by submitting a written or email request to the Company's Personal Information Protection Officer (email listed in Article 12). When the in-service “Settings > Account Management” menu is introduced in the future, the Company will provide a separate notice and an update to this Privacy Policy to inform users of the new method of exercise.

8.1 Meta · Instagram Data Deletion Request

When the user revokes the Instagram connection or deletes a store, all data collected via the Meta API is completely deleted from LimePost's servers within 30 days (immediate logical deletion + complete purge of backup copies within 30 days).

Separate data deletion requests may be submitted by email to the Company's Personal Information Protection Officer (song2yo@gmail.com). When the in-service “Settings > Store Management > Delete Store” or “Settings > Revoke Instagram Connection” menus are introduced in the future, the Company will provide a separate notice and an update to this Privacy Policy to inform users of the new method of exercise.

8.2 Membership Withdrawal

Upon withdrawal of membership, all personal information is completely deleted within 30 days. However, information whose retention is required by laws as specified in Article 5 will be separately stored for the required period before destruction.

Article 9 (Measures to Ensure the Safety of Personal Information)

9.1 Technical Measures

All communications are encrypted via HTTPS (TLS 1.2 or higher)
Passwords are stored using one-way encryption (hashing)
Database storage is encrypted (Supabase standard encryption)
Meta API access tokens are stored in a separate secure storage area and are not exposed in code or logs

9.2 Managerial Measures

Access to personal information is minimized (limited to the solo founder)
Regular security audits
Prompt notification in the event of a security incident

9.3 Physical Measures

Data centers apply the standard security measures of the entrustees (Supabase, Vercel)

Article 10 (Installation, Operation, and Refusal of Automatic Collection Devices)

The Company uses “cookies” to store and retrieve user information from time to time in order to provide individualized customized services.

10.1 Purpose of Use of Cookies

Maintenance of login state
Storage of user preferences

10.2 How to Refuse Cookie Settings

Users may control the acceptance or blocking of cookies through their web browser settings. However, if cookies are blocked, some service functions may be difficult to use.

10.3 Analytics Tools

The Company uses its own internal service usage logs for service operation. No external advertising tracking tools (such as Facebook Pixel or Google Analytics) are used.

Article 11 (Personal Information of Children under 14)

The Company does not collect personal information of children under the age of 14. The Service is intended for adult users who operate stores.

Article 12 (Personal Information Protection Officer)

Item	Details
Name	HYUNCHUL SONG (송현철)
Position	CEO
Email	song2yo@gmail.com

Users may direct any inquiries, complaints, or requests for remedies regarding personal information protection that arise while using the Service to the Personal Information Protection Officer.

Article 13 (Methods of Remedy for Infringement of Rights and Interests)

Personal Information Dispute Mediation Committee: (without area code) 1833-6972, www.kopico.go.kr
Personal Information Infringement Report Center: (without area code) 118, privacy.kisa.or.kr
Supreme Prosecutors' Office: (without area code) 1301, www.spo.go.kr
National Police Agency: (without area code) 182, ecrm.police.go.kr

Article 14 (Changes to the Privacy Policy)

This Privacy Policy is effective from the date of enforcement. In the event of any additions, deletions, or corrections to its contents in accordance with laws or policies, the Company will provide notice via the notices section at least 7 days prior to the effective date of such changes.

Supplementary Provisions

This Policy shall take effect from May 20, 2026.

Revision History

Version	Date	Key changes
v0.1 (KR)	2026-05-12	Initial Korean draft (Garam)
v0.2 (EN)	2026-05-19	English translation (Garam)
v0.3 (EN)	2026-05-19	Defect remediation × 3: §5·§8.1·§8.2 data retention specified as “complete deletion within 30 days” / §10.3 “internal service usage logs” wording / §8·§8.1 rights exercise method strengthened
v0.4 (EN)	2026-05-20	Business information incorporated (Article 12 email song2yo@gmail.com · Supplementary Provisions effective date May 20, 2026 + Article 12 name “HYUNCHUL SONG”) + KR v0.3 5/20 alignment (§8 / §8.1 beta-stage tables → prose, no future date hardcoding)