MarZlog Privacy Policy
JJSIM Inc. (주식회사 제이제이에스아이엠; hereinafter the "Company") complies with the Personal Information Protection Act (PIPA) and related laws to protect the freedom and rights of data subjects, and processes personal information lawfully and manages it securely. In accordance with Article 30 of PIPA, the Company hereby establishes and discloses the following Privacy Policy to inform data subjects of the procedures and standards regarding the processing of personal information in connection with the mobile application MarZlog (hereinafter the "Service") operated by the Company, and to handle related grievances promptly and effectively.
Table of Contents
- Purposes of Processing, Items Collected, and Retention and Use Period
- Processing of Personal Information of Children Under 14
- Procedures and Methods for Destruction of Personal Information
- Provision of Personal Information to Third Parties
- Criteria for Additional Use or Provision
- Entrustment of Personal Information Processing
- Overseas Collection and Transfer of Personal Information
- Automated Decisions
- Measures to Ensure the Security of Personal Information
- Rights and Obligations of Data Subjects and Legal Representatives, and How to Exercise Them
- Installation, Operation, and Refusal of Automatic Collection Devices
- Privacy Officer and Grievance Handling Department
- Department for Receiving and Processing Personal Information Access Requests
- Remedies for Infringement of Data Subjects' Rights
- Changes to the Privacy Policy
1. Purposes of Processing, Items Collected, and Retention and Use Period
In accordance with PIPA, the Company collects and uses personal information to the minimum extent necessary to provide the Service. Personal information processed will not be used for purposes other than those set forth below, and if the purpose of use changes, the Company will take necessary measures such as obtaining separate consent pursuant to Article 18 of PIPA.
| Purpose of Processing | Items Collected | Retention and Use Period |
|---|---|---|
| Account registration and management | Email address, social login identifiers (Google / Apple / Kakao user IDs) | Until account withdrawal |
| Photo diary recording and memory recall features | User-uploaded photos and videos, AI-generated diary text, photo metadata (EXIF: capture date/time, GPS coordinates, camera information) | Until deletion by the user or account withdrawal |
| AI-based natural language search and automatic diary generation | Search history (natural language queries), photo metadata | Until account withdrawal |
| Push notification delivery | Push tokens (Expo Push Token, FCM Token) | Until the user disables notifications or withdraws from the account |
| Ensuring service stability and preventing fraudulent use | Device identifiers, OS version, app version, IP address, access logs, crash and performance data | 3 months (Article 15-2 of the Protection of Communications Secrets Act) |
| Customer inquiry handling | Email address, inquiry contents | 3 years after completion of inquiry handling |
1.1 Methods of Collection
- Direct input by the data subject during account registration and service use
- Automatic collection when launching the app and using its features
- Provision from external authentication services (Google, Apple, Kakao) as a third party
2. Processing of Personal Information of Children Under 14
- The Company does not accept account registration by children under the age of 14 and does not collect personal information of such children.
- If it is confirmed that the personal information of a child under 14 has been collected, the Company will immediately destroy such information.
- If a data subject or legal representative confirms that the personal information of a child under 14 has been registered with the Service, they may request deletion via the customer inquiry email (team@jjsim.com), and the Company will promptly destroy the relevant information.
3. Procedures and Methods for Destruction of Personal Information
- When personal information becomes unnecessary due to expiry of the retention period or achievement of the processing purpose, the Company will destroy it without delay.
- Where personal information must continue to be retained pursuant to other laws despite the consented retention period having passed or the purpose having been achieved, such personal information will be transferred to a separate database (DB) or stored in a different location.
- Procedures and methods of destruction are as follows:
- Procedure: Personal information subject to destruction is identified and destroyed upon approval from the Privacy Officer.
- Method: Personal information stored in electronic file form is permanently deleted by irrecoverable means; personal information recorded on paper is destroyed by shredding or incineration.
4. Provision of Personal Information to Third Parties
- The Company does not use personal information of data subjects for purposes other than those stated in this Policy, nor does it provide personal information to third parties.
- However, the following cases are exceptions:
- Where the data subject has given prior separate consent
- Where there is a special provision in the law, or where provision is unavoidable to comply with legal obligations
- Where a law enforcement agency requests it in accordance with procedures and methods prescribed by law for investigative purposes
5. Criteria for Additional Use or Provision
Pursuant to Article 15(3) or Article 17(4) of PIPA, the Company may additionally use or provide personal information without the data subject's consent, taking into account the matters set forth in Article 14-2 of the Enforcement Decree of PIPA. Accordingly, the Company has considered the following:
- Whether the additional use or provision of personal information is related to the original purpose of collection
- Whether the additional use or provision is reasonably foreseeable in light of the circumstances of collection or processing practices
- Whether the additional use or provision unjustly infringes on the interests of the data subject
- Whether measures necessary to ensure security, such as pseudonymization or encryption, have been taken
The Company may additionally use or provide personal information based on the above criteria. For specific details regarding the criteria, please contact the Privacy Officer.
6. Entrustment of Personal Information Processing
- For smooth provision of the Service, the Company entrusts personal information processing tasks as follows:
| Trustee | Entrusted Tasks | Processing Location |
|---|---|---|
| Amazon Web Services, Inc. | Server and database hosting, file storage | Seoul Region (ap-northeast-2) |
| Google LLC | Diary and caption generation via AI model (Gemini API), push notifications (FCM), social login (Google) | United States, etc. |
| Apple Inc. | Social login (Sign in with Apple), push notifications (APNs) | United States, etc. |
| Kakao Corp. | Social login (Kakao) | Republic of Korea |
| Functional Software, Inc. (Sentry) | Application error and performance monitoring | United States, etc. |
| Expo, Inc. | Push notification delivery infrastructure (Expo Push Service) | United States, etc. |
- When concluding entrustment contracts, the Company, in accordance with Article 26 of PIPA, specifies in writing matters such as the prohibition of processing personal information for purposes other than performing the entrusted work, technical and managerial protection measures, restrictions on re-entrustment, management and supervision of trustees, and liabilities including damages, and supervises whether trustees process personal information safely.
- When the content of entrusted tasks or the trustees change, the Company will disclose such changes through this Privacy Policy without delay.
7. Overseas Collection and Transfer of Personal Information
The Company transfers personal information overseas as follows for smooth service provision, and provides the following information regarding overseas transfer pursuant to Article 28-8 of PIPA.
| Recipient | Destination Country | Time and Method of Transfer | Items Transferred | Purpose and Retention Period |
|---|---|---|---|---|
| Google LLC | United States, etc. | At the time of service use, via encrypted network transmission | User content (photos, text), device identifiers | AI diary/caption generation, push notifications (FCM), social login / during the service use period |
| Apple Inc. | United States, etc. | At the time of service use, via encrypted network transmission | Social login identifier, device identifiers | Social login, push notifications (APNs) / during the service use period |
| Functional Software, Inc. (Sentry) | United States, etc. | When app errors occur, via encrypted network transmission | Crash data, performance data, device identifiers | Error and performance monitoring / 90 days |
| Expo, Inc. | United States, etc. | When push notifications are sent, via encrypted network transmission | Push tokens | Push notification delivery / during the service use period |
Pursuant to Article 28-8 of PIPA, data subjects may refuse the overseas transfer of their personal information. However, if overseas transfer is refused, the use of certain services including account registration, AI-based features, social login, and push notifications may be restricted. Requests to refuse overseas transfer may be submitted via the customer inquiry email (team@jjsim.com).
8. Automated Decisions
The Company uses AI technology to provide services such as automatic generation of photo captions and diary text, and natural language search results.
- Criteria and procedures of automated decisions: Photos and metadata uploaded by the user are sent to an AI model (Google Gemini API) to generate captions and diary text. For natural language search, search queries are vectorized through an AI embedding model and results are provided based on similarity.
- Types of personal information processed: User-uploaded photos, photo metadata (EXIF), search queries
- Results of automated decisions: AI-generated captions and diary text can be viewed, edited, and deleted by the user, and search results are provided as reference information. The results of automated decisions do not have a significant impact on the rights or obligations of users.
- Rights of the data subject: Users may edit or delete automatically generated diary entries and captions at any time. If users do not wish to use AI features, they can disable these features in the in-app settings.
- Use for AI training: The Company does not use users' personal information (photos, text, etc.) for training AI models, and has contracts with trustees (such as Google LLC) that prohibit use for training purposes.
9. Measures to Ensure the Security of Personal Information
The Company takes the following measures to ensure the security of personal information:
- Administrative measures: Establishment and implementation of internal management plans, regular employee training
- Technical measures:
- Passwords and authentication tokens are encrypted and stored using secure hash algorithms
- Network transmission is protected using TLS (HTTPS) encryption protocols
- Management of access rights to personal information processing systems and retention of access logs
- Operation of firewalls and intrusion detection systems to block unauthorized external access
- Installation and periodic updates/inspections of security programs
- Physical measures: Access control to server rooms and document storage rooms
10. Rights and Obligations of Data Subjects and Legal Representatives, and How to Exercise Them
- Data subjects may exercise the following personal information protection rights against the Company at any time:
- Request to access personal information
- Request for correction in case of errors
- Request for deletion
- Request to suspend processing
- Request to transfer personal information (Article 35-2 of PIPA)
- Request to refuse or seek an explanation regarding automated decisions
- The rights under Paragraph 1 may be exercised directly in the app's settings menu, or via the Privacy Officer's email (privacy@jjsim.com) or customer inquiry email (team@jjsim.com), and the Company will act on such requests without delay.
- Where a data subject requests correction or deletion of personal information due to errors, the Company will not use or provide such personal information until the correction or deletion is completed.
- The rights under Paragraph 1 may be exercised through a legal representative of the data subject or an authorized agent. In such cases, a power of attorney in the form of Form No. 11 of the Public Notice on Methods for Processing Personal Information must be submitted.
- The rights to request access to and suspension of processing of personal information may be limited pursuant to Articles 35(4) and 37(2) of PIPA.
11. Installation, Operation, and Refusal of Automatic Collection Devices
The Service uses the following automatic collection devices when the app is launched:
- Device identifiers and push tokens: Used for push notifications and identifying service users
- Access logs and IP addresses: Used to ensure security and service stability
Data subjects may refuse the installation of automatic collection devices through the following methods. However, refusal may result in limitations on the use of certain services.
- iOS: Settings > MarZlog > revoke individual permissions such as Notifications / Location
- Android: Settings > Apps > MarZlog > Permissions > revoke individual permissions
- Advertising identifier: Can be reset at iOS (Settings > Privacy & Security > Tracking) or Android (Settings > Privacy > Ads)
12. Privacy Officer and Grievance Handling Department
The Company has designated a Privacy Officer and a grievance handling department as follows in order to protect personal information and handle complaints related thereto:
Privacy Officer
- Title: Privacy Officer
- Email: privacy@jjsim.com
Privacy Inquiries and Grievance Handling
- Department: Customer Support
- Email: team@jjsim.com
Data subjects may direct any inquiries, complaints, or requests for remedy regarding personal information protection that arise during the use of the Company's services to the Privacy Officer or the grievance handling department. The Company will respond to and handle such inquiries without delay.
13. Department for Receiving and Processing Personal Information Access Requests
Data subjects may submit requests to access personal information pursuant to Article 35 of PIPA to the department below. The Company will endeavor to process such requests promptly.
- Department: Customer Support
- Email: privacy@jjsim.com
14. Remedies for Infringement of Data Subjects' Rights
Data subjects may apply for dispute resolution or consultation to the Personal Information Dispute Mediation Committee, the Korea Internet & Security Agency (KISA) Privacy Infringement Report Center, and other agencies in order to obtain remedies for personal information infringement. For other inquiries, reports, or consultations regarding personal information infringement, please contact the agencies below.
- Personal Information Dispute Mediation Committee: 1833-6972 (toll-free), www.kopico.go.kr
- Privacy Infringement Report Center (KISA): 118 (toll-free), privacy.kisa.or.kr
- Supreme Prosecutors' Office (Cyber Investigation Division): 1301 (toll-free), www.spo.go.kr
- National Police Agency (Cyber Bureau): 182 (toll-free), ecrm.cyber.go.kr
Any person whose rights or interests have been infringed by a disposition or omission of the head of a public institution in response to requests under Article 35 (Access to Personal Information), Article 36 (Correction or Deletion of Personal Information), or Article 37 (Suspension of Processing, etc.) of PIPA may file an administrative appeal as prescribed by the Administrative Appeals Act.
15. Changes to the Privacy Policy
- This Privacy Policy is effective from April 21, 2026.
- This Policy may be modified due to changes in laws, policies, or security technology. Any additions, deletions, or modifications will be announced via in-app notices and on this page at least 7 days prior to the effective date. However, where changes materially affect the rights of data subjects, they will be announced at least 30 days in advance.