Privacy Policy

Service Name: Chubby Cat Teacher (뚱냥쌤) — Kids English Learning Target Age: 5+ (parental consent required for users under 13) Effective Date: April 11, 2026 Version: 3.1.0 Applicable Laws: Republic of Korea Personal Information Protection Act (PIPA), United States Children's Online Privacy Protection Act (COPPA), Japan Act on the Protection of Personal Information (APPI), Taiwan Personal Data Protection Act — The Service is not currently offered in the EU/EEA/UK market and therefore falls outside the territorial scope of GDPR; nevertheless, we voluntarily respect data subject rights

1. Purpose of This Policy

Chubby Cat Teacher (the "Service") respects the privacy of data subjects (children and their parents) and complies with applicable data protection laws. This Privacy Policy (the "Policy") explains what personal data the Service collects, the purposes and lawful bases for processing, with whom we share it, and what rights you have.

This Policy is drafted in accordance with:

  • Republic of Korea Personal Information Protection Act (PIPA)
  • European Union General Data Protection Regulation (Regulation (EU) 2016/679, GDPR)
  • United Kingdom Data Protection Act 2018 and UK GDPR
  • United States Children's Online Privacy Protection Act (16 CFR Part 312, COPPA)
  • Japan Act on the Protection of Personal Information (APPI)

2. Data Controller

| Field | Details | |---|---| | Controller | W78 | | Business Registration Number | 206-30-88843 | | Representative | Myungho Kim (김명호) | | Address | #102, 181-1 Jayang-ro, Gwangjin-gu, Seoul 05024, Republic of Korea | | Email (general) | info@chubbycat.net | | Email (privacy matters) | privacy@chubbycat.net | | Website | https://chubbycat.net |

3. Geographic Scope and EU Representative

3.1 Current Service Availability

The Service is currently available in the following regions:

  • Republic of Korea (primary market)
  • United States
  • Japan
  • China, Taiwan, Hong Kong
  • Southeast Asia (Singapore, Malaysia, Indonesia, Thailand, Vietnam, Philippines, etc.)

3.2 EU/EEA/UK — Availability Withheld

The Service is not currently available in the European Union, European Economic Area, or United Kingdom markets. Specifically:

  • Apple App Store and Google Play availability is disabled for the 32 regions comprising the 27 EU member states + 3 EEA members (Iceland, Liechtenstein, Norway) + the United Kingdom + Switzerland
  • The official website (chubbycat.net) does not support EU languages (German, French, Spanish, Italian, etc.) and does not conduct marketing activities targeted at EU residents
  • The Service does not "offer goods or services to data subjects in the Union" within the meaning of GDPR Article 3(2) and therefore falls outside the territorial scope of GDPR

3.3 EU Representative (GDPR Article 27)

Because the Service does not currently target the EU market, no EU representative has been designated under GDPR Article 27. Prior to any future EU market launch, the Service will designate an EU representative in writing, update §3 of this Policy, and provide at least 30 days' advance notice of the change.

3.4 Voluntary Respect for EU Residents' Rights

Notwithstanding the Service's non-targeting of the EU, we voluntarily respect the privacy rights of data subjects. If you are an EU resident using the Service and have any privacy-related inquiries, please contact privacy@chubbycat.net. The Service processes requests corresponding to GDPR Articles 15–22 (access, rectification, erasure, restriction of processing, data portability, objection, automated decision-making, withdrawal of consent) through the procedures set out in §12.

4. Data Protection Officer

| Field | Details | |---|---| | Privacy Officer (Korean PIPA) | Myungho Kim (김명호) | | Contact | privacy@chubbycat.net | | DPO (GDPR Art. 37) | Not appointed (small operation, not core large-scale processing of special-category data) |

For all questions, requests, complaints, and remedies regarding the processing of children's personal data, please contact the address above.

5. Scope of This Policy

This Policy applies to:

  • The "Chubby Cat Teacher" mobile application (iOS / Android)
  • The website https://chubbycat.net and its subpages
  • All backend APIs and Edge Functions operated by the Service

This Policy does not apply to third-party websites or apps reached from the Service.

6. Personal Data We Collect

6.1 Information Collected from Parents (Legal Guardians)

| Item | Collection Method | Required | |---|---|---| | Email address | Sign-up entry or Apple/Google Sign-In | Required | | Parent name (optional) | Sign-up entry | Optional | | Payment information | Processed by Apple App Store / Google Play (Service does not store directly) | Required for subscription | | Consent record (timestamp, accepted policy version) | Recorded automatically at sign-up | Required |

6.2 Information Collected from Children (under 13)

Important — Legal Classification of Voice Data

The child voice recordings processed by this Service are used solely for pronunciation accuracy scoring and speech-to-text (STT) conversionnot for speaker identification. Accordingly:

  • This processing does not fall within the special category of data under GDPR Article 9 (biometric data "for the purpose of uniquely identifying a natural person"). Voice recordings are deleted immediately after scoring and are never stored as voice prints or speaker signatures.
  • This processing does not fall within "sensitive information" under Article 23 of the Korean Personal Information Protection Act. Voice is processed as ordinary personal data for the sole purpose of providing learning feedback.
  • The Service commits that child voice data will not be used for speaker identification, behavioral profiling, advertising, AI model training, or any other secondary purpose. Any breach of this commitment would require obtaining new consent and amending this Policy.
  • Should the scope of processing ever expand to activities that would bring voice data under GDPR Art. 9 or PIPA Art. 23, the Service will provide advance notice to data subjects and obtain new explicit consent before implementing such changes.

The following information is collected only with verified parental consent:

| Item | Collection Method | Purpose | |---|---|---| | Child nickname (no real name) | Sign-up entry | Greetings, progress display | | Child age | Sign-up entry | Difficulty calibration | | Learning progress (scores, study days, completed words/sentences) | Automatic | Progress saving, parent dashboard | | Pronunciation scores | Automatic | Learning feedback | | Learning session voice recordings | Captured ephemerally for pronunciation scoring | Deleted immediately after scoring; never permanently stored | | AI conversation transcripts | Captured during AI chat | Brief retention for learning analysis | | App settings (volume, theme, notification preferences) | Automatic | Personalization |

6.3 Information Collected Automatically

| Item | Purpose | Identifiability | |---|---|---| | Anonymized crash logs (Sentry) | App stability | De-identified (email/IP/name automatically removed) | | App launch counts and feature usage frequency | Service improvement statistics | Aggregate, non-identifiable | | Device model / OS version | Compatibility debugging | Non-identifiable | | Language setting | UI localization | Non-identifiable |

6.4 Information We Do NOT Collect

We never collect any of the following:

  • Child's real name, government ID number, date of birth, address
  • Photos or videos of the child (no photo library permission requested)
  • Location data (no GPS permission requested; "Walk Mode" is a game metaphor)
  • Phone numbers or contacts
  • Advertising identifiers (no IDFA, no Android Ad ID)
  • Friend lists or social network information
  • Payment card details (handled by Apple/Google; the Service has no access)
  • Biometric information (fingerprint, face ID, etc.)

6.5 Nickname-Only Policy for Children

ddung does NOT collect the child's real (legal) name. For learning-screen personalization, we collect only a nickname freely chosen by the parent or child (e.g., "Serena", "Star", "Spark").

  • The nickname does not need to be the child's real name — character names, pet names, or initials are all acceptable
  • It is used only inside the app: parent dashboard child profile display, learning-screen greetings ("Hi Serena!"), and progress charts
  • It is never exposed to external sites, social media, or search engines, and is not shared with any third party outside the family
  • Parents may change the nickname or delete the child profile at any time (Settings → Child Profiles)
  • This policy is a voluntary application of the Data Minimization principle recommended by Korea PIPA, US COPPA, and Japan APPI

7. Purposes of Processing and Lawful Bases (GDPR Art. 6 / Art. 13(1)(c))

The lawful basis for each processing activity is as follows:

| Processing Activity | Data Categories | Lawful Basis (GDPR Art. 6) | Purpose | |---|---|---|---| | Account creation and authentication | Parent email, child nickname/age | Contract (Art. 6(1)(b)) | Essential for service delivery | | Storing and syncing learning progress | Learning progress data | Contract (Art. 6(1)(b)) | Core feature requested by user | | AI pronunciation scoring | Child voice recording (ephemeral), text | Parental consent (Art. 6(1)(a) + Art. 8) | Learning feedback | | AI conversation (chat) | Child conversation text and voice | Parental consent (Art. 6(1)(a) + Art. 8) | Conversation practice | | Parent dashboard | Learning progress statistics | Contract (Art. 6(1)(b)) | Parent monitoring of child's learning | | Subscription billing | Parent email, subscription state | Contract (Art. 6(1)(b)) | Provision of paid features | | Email notifications (renewal, important announcements) | Parent email | Contract (Art. 6(1)(b)) | Operationally necessary | | Marketing emails (launches, discounts, new features) | Parent email | Explicit consent (Art. 6(1)(a)) | Only with user opt-in | | Crash reporting and debugging | Anonymous crash logs | Legitimate interest (Art. 6(1)(f)) | Service stability (no personal identification) | | Security threat detection | Anonymous access logs | Legal obligation + Legitimate interest (Art. 6(1)(c), (f)) | Fraud prevention | | Legal dispute response | Whatever data is necessary | Legal obligation (Art. 6(1)(c)) | Compliance |

8. Children's Privacy Protection

The Service is primarily intended for children aged 5–10. Children's personal data receives enhanced protection under the following laws:

8.1 GDPR Article 8 (European Union)

GDPR sets the digital age of consent at 16 years, and member states may lower it to 13 (Germany 16, France 15, UK 13, Spain 14, etc.). For all minors residing in the EU, this Service requires verifiable consent of the parent or legal guardian.

8.2 Korean Personal Information Protection Act + Information & Communications Network Act

Pursuant to Article 31 of the "Act on Promotion of Information and Communications Network Utilization and Information Protection" and the Enforcement Decree of PIPA, legal guardian consent is required to collect personal data of children under 14.

8.3 United States COPPA (16 CFR Part 312)

Pursuant to the U.S. Children's Online Privacy Protection Act, we obtain verifiable parental consent before collecting personal information from children under 13.

8.4 Parental Consent Verification Procedure

The Service verifies parental consent through the following steps:

  1. Parent enters their email address at sign-up
  2. Parent reviews and consents via four separated checkboxes (Terms of Service, Privacy Policy + Parental Consent, Microphone/AI Processing, [Optional] Marketing)
  3. The consent timestamp, accepted policy version, and IP address hash are recorded
  4. A verification email is sent to the parent's address; the account is activated only after the parent clicks the verification link (to be implemented in Group 6)
  5. Parents can at any time access, correct, or delete their child's data after passing the parental gate (math problem)

8.5 Special Protections for Children's Data

  • No advertising of any kind: No banners, no pop-ups, no rewarded ads, no native ads
  • No behavioral analytics: We do not use Google Analytics, Facebook Pixel, Mixpanel, or any analytics SDK
  • No advertising identifiers: We do not collect IDFA or Android Ad ID
  • No third-party marketing use: A child's data is never provided to any third party for marketing purposes

9. Sub-processors (GDPR Art. 13(1)(e), PIPA Art. 17 / Art. 26)

The Service uses the following third-party services to process personal data on its behalf:

| # | Service | Provider | Purpose | Data Processed | Storage Location | Safeguards | |---|---|---|---|---|---|---| | 1 | Cloud database | Supabase Inc. | Storing and syncing learning data | Child nickname/age, learning progress, conversation text | Supabase Seoul (Korea) | DPA + SCCs | | 2 | Crash reporting | Functional Software Inc. (Sentry) | App stability debugging | Anonymized crash stack (PII auto-stripped) | United States | DPA + SCCs | | 3 | Authentication (Apple) | Apple Inc. | Sign in with Apple | Parent email (or Apple relay email) | Global (Apple) | Apple DPA | | 4 | Authentication (Google) | Google LLC | Google Sign-In | Parent email | Global (Google) | Google DPA + SCCs | | 5 | Text-to-Speech | Amazon Web Services (AWS Polly) | Learning audio synthesis | Text only (no personal data) | United States (us-east-1) | AWS DPA + SCCs | | 6 | Text-to-Speech (alternative) | Google Cloud Text-to-Speech | Alternative TTS | Text only | United States / EU regions | Google Cloud DPA + SCCs | | 7 | AI pronunciation scoring | SpeechAce LLC | Phoneme-level scoring of child voice | Child voice recording (deleted immediately after scoring) | United States | DPA + SCCs (standard terms apply) | | 8 | AI conversation (Vertex AI) | Google LLC (Cloud Vertex AI Gemini) | Generating conversational responses to the child's English speech | Child conversation text, learning context | United States / EU regions | Google Cloud DPA + SCCs | | 9 | AI conversation (fallback) | OpenAI, L.L.C. (GPT) | Fallback conversation generation when Vertex fails | Child conversation text | United States | OpenAI Enterprise DPA + SCCs (standard terms apply) | | 10 | Speech recognition (STT) | Google LLC (Cloud Speech-to-Text V2 / Chirp 2) | Transcribing child voice to text | Child voice recording (deleted immediately after transcription) | United States / EU regions | Google Cloud DPA + SCCs | | 11 | Speech recognition (fallback) | OpenAI, L.L.C. (Whisper) | Fallback transcription when Google STT fails | Child voice recording (deleted immediately after transcription) | United States | OpenAI Enterprise DPA + SCCs (standard terms apply) | | 12 | Payment processing | Apple Inc. / Google LLC | In-app subscription | Payment info (Service has no access) | Global | Apple/Google DPA | | 13 | Push notifications | Apple APNs / Google FCM | Sending learning reminders | Ephemeral device token (not stored in DB) | Global | Apple/Google DPA |

Important — newly added items (#7, #8, #9, #10, #11): These five sub-processors were missing from v2.0.0 of this Policy. They are explicitly added in v3.0.0 in compliance with GDPR Art. 13(1)(e) and Korean PIPA Art. 17 / Art. 26.

We do not provide, sell, or rent personal data to any third party other than those listed above.

10. International Data Transfers (GDPR Art. 44–49)

The Service is operated from Korea, and certain data is transferred to the following jurisdictions:

| Destination | Data Transferred | Safeguard Mechanism | |---|---|---| | United States | Crash logs (Sentry), TTS text (AWS), child voice (SpeechAce, OpenAI), child conversations (OpenAI fallback) | Prefer EU-US Data Privacy Framework (DPF) certified processors; Standard Contractual Clauses (SCCs) for non-certified processors | | EU member states | AI processing (Vertex AI EU regions, Google Cloud STT/TTS EU regions) | Processed within the EEA, no additional safeguards required | | Global (Apple/Google) | Authentication, push notifications | Apple/Google DPA + SCCs | | Korea | Learning progress, child profile, parent email | Domestic processing under Korean PIPA |

Note — EU availability withheld: The Service is not currently offered in the EU/EEA/UK market; therefore, the adequacy requirements of GDPR Articles 44–49 do not currently apply. Prior to any future EU launch, the Service will implement the following measures:

  1. Prioritize EU-US Data Privacy Framework (DPF) certified processors, or execute Standard Contractual Clauses (SCCs, Module II/III, 2021/914) with each non-certified processor.
  2. Apply supplementary measures required post-Schrems II (CJEU C-311/18), including:
    • TLS 1.2 or higher encryption in transit for all transfers
    • Transparency reporting for government access requests
    • Data minimization (voice recordings deleted immediately after scoring)
    • Regular security audits and access control logging
  3. Compliance with Article 17 of Korea's Personal Information Protection Act for cross-border transfers, including advance notice to data subjects.

These measures will be explicitly documented in this section and at least 30 days' advance notice will be provided before implementation.

11. Retention and Deletion (GDPR Art. 13(2)(a))

| Data Category | Retention Period | Disposal Trigger | |---|---|---| | Parent email (account) | Account lifetime | Account deletion | | Child nickname / age | Account lifetime | Account deletion | | Learning progress data | Account lifetime | Account deletion | | Learning session voice recordings | Immediately deleted (post-scoring, no permanent storage) | Scoring complete | | AI conversation text | 30 days (then anonymized or deleted post-analysis) | Analysis complete | | Parental consent records | 5 years after account closure (legal proof) | Retention period expiry | | Crash logs (Sentry) | 90 days (auto-deleted) | Retention period expiry | | Subscription payment records | 5 years (statutory retention under e-commerce law) | Statutory period expiry | | Anonymous statistics | Indefinite (non-identifiable) | N/A |

Upon account deletion: When a parent requests account deletion, all personal data is permanently destroyed within 30 days. Items with statutory retention obligations are kept separately only for the period required by law.

12. Rights of the Data Subject (GDPR Art. 15–22, PIPA Art. 35–37)

Parents (legal guardians) and children may exercise the following rights:

12.1 Right of Access (Art. 15)

Parents may obtain a copy of all personal data being processed about their child.

  • In-app: Parental gate → Parent dashboard → Learning records
  • Written: Email request to privacy@chubbycat.net

12.2 Right to Rectification (Art. 16)

Request correction of inaccurate data.

  • In-app: Settings → Child profile → Edit nickname/age
  • Written: Email request

12.3 Right to Erasure / Right to be Forgotten (Art. 17)

Request deletion of all personal data.

  • In-app: Settings → Parental gate → Delete account (immediate; complete destruction within 30 days)
  • Exception: Items under statutory retention obligations (e.g., payment records) are kept separately for the legally required period

12.4 Right to Restriction of Processing (Art. 18)

Request temporary restriction of processing (e.g., during accuracy verification).

  • Written: privacy@chubbycat.net

12.5 Right to Data Portability (Art. 20)

Right to receive personal data in a structured, commonly used, machine-readable format.

  • In-app: Settings → Parental gate → "Export My Data" → JSON file download
  • Written: privacy@chubbycat.net

12.6 Right to Object (Art. 21)

Object to processing based on legitimate interests.

  • Written: privacy@chubbycat.net

12.7 Rights Related to Automated Decision-Making (Art. 22)

Right not to be subject to a decision based solely on automated processing producing legal or similarly significant effects. (See §13 — the Service's automated processing serves learning feedback purposes only and does not produce legal or similarly significant effects.)

12.8 Right to Withdraw Consent (Art. 7(3))

Withdraw consent for consent-based processing at any time. Withdrawal does not affect the lawfulness of processing prior to the withdrawal.

  • In-app: Settings → Consent management → Per-purpose toggle
  • Written: privacy@chubbycat.net

12.9 Exercise Procedures and Response Times

| Method | Response Time | |---|---| | In-app direct exercise | Immediate | | Email request to privacy@chubbycat.net | Within 1 month per GDPR Art. 12(3) (extendable by 2 months for complex requests, with prior notification) | | Korean PIPA standard | Within 10 days |

To verify identity, please send requests from the email address used at sign-up. If a legal guardian exercises rights on behalf of a child, please provide information confirming the guardianship relationship.

13. Automated Decision-Making (GDPR Art. 22)

The Service performs the following automated processing:

| Automated Process | Description | Effect on User | |---|---|---| | AI pronunciation scoring (SpeechAce) | Phoneme-level scoring of child English pronunciation | No legal/significant effects — for learning feedback, no external consequences | | AI conversation generation (Vertex AI / OpenAI) | Generating natural responses to the child's English speech | No legal/significant effects — conversation practice purpose | | Adaptive difficulty adjustment | Recommending next learning content based on progress | No legal/significant effects — learning experience personalization |

The Service's automated processing does not constitute "decisions based solely on automated processing producing legal or similarly significant effects" under GDPR Art. 22. Nevertheless, data subjects may at any time request human review of any automated processing (privacy@chubbycat.net).

14. Security of Processing (GDPR Art. 32)

The Service implements the following technical and organizational measures:

14.1 Technical Safeguards

  • Encryption in transit: TLS 1.2 or higher for all data transmission
  • Encryption at rest: Auth tokens stored in SecureStore (iOS Keychain / Android Keystore)
  • Database access control: Supabase Row Level Security (RLS) for per-user data isolation
  • API authentication: JWT-based authentication + rate limiting on all backend APIs
  • Sentry PII auto-stripping: Email/IP/name automatically scrubbed from crash logs
  • Ephemeral voice processing: Audio recordings for pronunciation scoring are deleted from memory/disk immediately after scoring
  • Encrypted backups: Backup data is stored encrypted

14.2 Organizational Safeguards

  • Minimization of personnel with access to personal data (currently single developer)
  • Periodic review of personal data processing activities
  • Access control on personal data processing systems
  • Personal data breach response procedures in place

15. Personal Data Breach Notification (GDPR Art. 33–34)

In the event of a personal data breach:

  1. Notification to supervisory authority: Within 72 hours of becoming aware, where EU data subjects are affected, to the relevant DPA (Art. 33)
  2. Notification to data subjects: Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, without undue delay to the affected data subjects (Art. 34)
  3. Korean PIPA: Where Korean data subjects are affected, notification to PIPC and KISA, and to the affected data subjects
  4. Notification content: Nature of the breach, categories of data affected, likely consequences, measures taken or proposed

16. Right to Lodge a Complaint with a Supervisory Authority (GDPR Art. 13(2)(d))

You have the right to lodge a complaint with the supervisory authority:

16.1 Korea

  • Personal Information Protection Commission (PIPC): https://www.pipc.go.kr
  • Privacy Infringement Reporting Center (KISA): 118 (Korea) / https://privacy.kisa.or.kr
  • Personal Information Dispute Mediation Committee: https://www.kopico.go.kr

16.2 EU / EEA

EU residents may lodge a complaint with the supervisory authority of their habitual residence, place of work, or place of the alleged infringement.

  • European Data Protection Board (EDPB): https://edpb.europa.eu (provides directory of national DPAs)

Major member state DPAs:

  • 🇩🇪 Germany: BfDI — https://www.bfdi.bund.de
  • 🇫🇷 France: CNIL — https://www.cnil.fr
  • 🇮🇪 Ireland: DPC — https://www.dataprotection.ie
  • 🇪🇸 Spain: AEPD — https://www.aepd.es
  • 🇮🇹 Italy: Garante — https://www.garanteprivacy.it

16.3 United Kingdom

  • Information Commissioner's Office (ICO): https://ico.org.uk

16.4 United States

  • Federal Trade Commission (FTC): https://www.ftc.gov/complaint
  • California Privacy Protection Agency (CPPA): https://cppa.ca.gov (California residents)

17. Policy Version History and Changes

17.1 Version History

| Version | Effective Date | Major Changes | |---|---|---| | 3.1.0 | 2026-04-11 | Geographic scope clarification: EU/EEA/UK launch withheld, §3 restructured as "Geographic Scope and EU Representative", explicit statement of no EU representative designated, §10 international transfer safeguards adjusted to reflect EU withholding, voluntary respect for EU rights added | | 3.0.0 | 2026-04-11 | Introduction of full GDPR compliance framework: controller identity, EU representative (placeholder), all 9 sub-processors disclosed, 8 data subject rights, lawful bases, automated processing disclosure | | 2.0.0 | 2026-04-09 | Initial COPPA-focused policy |

17.2 Change Procedure

When this Policy is updated:

  1. Advance notice (30 days before effect): In-app notification, email to registered parents, website posting
  2. Material changes (e.g., new processing purposes, new sub-processors): Renewed parental consent required
  3. Minor changes (e.g., wording corrections): Take effect after advance notice through implied consent
  4. The updated Policy is published on this page; previous versions are available upon request

18. Contact and Reporting

| Inquiry Type | Contact | |---|---| | General inquiries | info@chubbycat.net | | Privacy / data subject rights | privacy@chubbycat.net | | Reports (abuse, security vulnerabilities, etc.) | security@chubbycat.net |

Version: 3.0.0 Effective Date: April 11, 2026 Language: English. This English version applies to non-Korean residents. In the event of any discrepancy between language versions, the Korean version shall prevail for Korean residents. Governing Law: Republic of Korea Personal Information Protection Act + EU GDPR (for EU residents) + COPPA (for U.S. children under 13)