WHOTAG Privacy Policy

This Policy applies as of September 25, 2025

ARTICLE 1. WHOTAG Privacy Policy

When you access or use the Services, VAIV processes and manages your personal information (“Personal Data”) lawfully and securely in accordance with the Relevant Laws, including the Personal Information Protection Act of the Republic of Korea (“PIPA”), to protect your rights and freedoms as a data subject. Pursuant to Article 30 of PIPA, we establish and publish this WHOTAG Privacy Policy (this “Policy”) to explain our practices for handling Personal Data and to ensure prompt and appropriate resolution of related grievances.

Any capitalized terms used but not defined herein shall have the meaning ascribed to such terms under the WHOTAG Terms of Service or other Supplemental Terms.

ARTICLE 2. PURPOSE OF PROCESSING

We collect and use your Personal Data solely for the following purposes. For any processing beyond these purposes, we will take necessary measures stipulated under Article 18 of PIPA, including obtaining your separate consent:

(1) Membership Registration and Management.

① To verify your identity and confirm your registration intent

② To manage your Account and maintain security

③ To prevent fraudulent or unauthorized use

④ To send essential notifications regarding your Account or use of the Services, such as Service announcements, administrative notices, or updates

(2) Provision of Services.

① To provide core features of the Services, including AI-based influencer recommendations and personalized search results

② To debug, troubleshoot, and ensure the proper functioning of the Services.

(3) Service Improvement and AI Development. Where these activities involve the use of pseudonymized data, they will be conducted solely with your separate consent.

① To analyze user behavior to enhance service quality and User experience

② To train and improve AI models and algorithms

③ To develop and test new Service features

(4) User Support and Communication. To respond to your inquiries, requests, and technical support needs

(5) Marketing and Advertising. To provide promotional information, with your separate consent

(6) Payment Processing and Subscription Management.

① To process payments for paid Services through our authorized payment processors

② To manage subscription billing and recurring payments

③ To prevent fraudulent transactions and ensure payment security

④ To maintain transaction records for accounting and legal compliance

⑤ To manage refunds, chargebacks, and billing disputes

ARTICLE 3. PERSONAL DATA PROCESSED

(1) Child Protection We do not knowingly process the personal information of children below the age at which consent from a Legal Representative is required by their jurisdiction’s laws, unless verifiable consent is provided by their Legal Representative. A “Legal Representative” means an individual holding parental authority over the respective child in accordance with the Applicable Laws. We reserve the right to request and verify proof of such consent from the Legal Representative at any time. The information requested may include name, date of birth, and contact information of the Legal Representative.

(2) Categories of Personal Data We process the following categories of Personal Data to the extent necessary for the purpose of processing stipulated in this Policy:

① PERSONAL DATA PROCESSING REQUIRED FOR CORE SERVICES:

A. For Membership Registration and Management:

a. Data Processed: (a) Required Data: user name (or display name), email address, password (b) Optional Data: profile photo, organization (name, industry), contact information (phone number, address), professional interest and preferences, marketing communication preferences

b. Legal Basis: necessary for contractual performance in accordance with Subparagraph 15①4 of PIPA

c. Right to Withhold Consent: you may withhold consent to the processing of your Personal Data described above; however, doing so will prevent your access to core Services. Providing Optional Data is voluntary and will not affect such access, although certain features may be unavailable.

B. For Provision of Services:

a. Data Processed: search queries and filters, saved influencers and campaigns, Account activity and preferences

b. Legal Basis: necessary for contractual performance in accordance with Subparagraph 15①4 of PIPA

c. Right to Withhold Consent: you may withhold consent to the processing of your Personal Data described above; however, doing so will prevent your access to core Services.

② PERSONAL DATA PROCESSING REQUIRING SEPARATE CONSENT:

A. For Provision of Services:

a. Sensitive Personal Data processed: geolocation collected based on IP address

b. Legal Basis: permitted under the data subject’s consent in accordance with Subparagraph 23①1 of PIPA

c. Right to Withhold Consent: you may withhold consent to the processing of your sensitive Personal Data described above; however, doing so will prevent your access to core Services.

B. For User Support and Communication:

a. Data Processed: user name (or display name), email address, password, contact information, content of inquiry or complaint

b. Legal Basis: permitted under the data subject’s consent in accordance with Subparagraph 15①1 of PIPA

c. Right to Withhold Consent: you may withhold consent to the processing of your Personal Data described above; doing so will not prevent your access to core Services, although it may limit VAIV’s ability to respond to inquiries or provide support.

C. For Marketing and Advertising:

a. Data Processed: user name (or display name), email address, contact information

b. Legal Basis: permitted under the data subject’s consent in accordance with Article 50 of the Act on Promotion of Information and Communications Network Utilization and Information Protection of the Republic of Korea

c. Right to Withhold Consent: you may withhold consent to the processing of your Personal Data described above; doing so will not prevent your access to core Services, although you may not receive marketing materials, event updates, or promotional offers.

D. For Payment Processing and Subscription Management:

a. Data Processed: billing information, payment method details (processed by third-party payment processors), transaction history, subscription status

b. Third-Party Processing: Payment data is processed by authorized payment service providers that maintain PCI DSS compliance. We do not store complete payment card information on our servers.

c. Legal Basis: necessary for contractual performance in accordance with Subparagraph 15①4 of PIPA

d. Right to Withhold Consent: you may withhold consent to the processing of your Personal Data described above; however, doing so will prevent your access to paid Services.

ARTICLE 4. RETENTION PERIOD

We retain your Personal Data for the duration to which you consented at the time of collection, unless a longer retention period is required or permitted under Relevant Laws. Specifically, we may retain Personal Data beyond the original period as necessary to comply with legal obligations, respond to investigations or legal inquiries, resolve outstanding debts or claims related to your use of the Services, or for other legitimate purposes recognized by law. In such cases, the data will be retained solely for those purposes and only for as long as necessary. Once the extended retention period ends, we will securely delete the Personal Data in accordance with this Policy.

ARTICLE 5. PERSONAL DATA PROTECTION

(1) Safeguards Implementation We implement the following administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of Personal Data in accordance with Article 29 of the Personal Information Protection Act (PIPA):

① Administrative Safeguards.

A. Establishment and enforcement of internal data protection policies

B. Designation of a Privacy Officer responsible for compliance

C. Regular privacy and security training for employees

D. Supervision and access restriction for personnel handling Personal Data

E. Enforcement of strict need-to-know access policies

F. Incident response procedures for breach detection and escalation

② Technical Safeguards.

A. Encryption: Personal Data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption standards

B. Access Controls: Implementation of role-based access and multi-factor authentication

C. Network Security: Firewalls, intrusion detection systems (IDS), and continuous monitoring

D. Logging and Monitoring: Secure storage and monitoring of access logs

E. Regular Testing: Periodic security assessments and penetration testing

F. Timely installation and updates of security software and patches

③ Physical Safeguards.

A. Secure, access-controlled data centers with 24/7 surveillance

B. Environmental controls such as climate regulation and power backups

C. Restricted access to server rooms and data storage areas

D. Secure disposal of hardware and storage media in accordance with industry standards

While we implement industry-standard security measures, no system is entirely immune to vulnerabilities. We cannot guarantee the absolute security of your Personal Data.

(2) Data Protection Impact Assessments In addition to the above, we conduct data protection impact assessments when our processing activities are likely to result in high risks to the rights and freedoms of individuals. Our assessments include:

① a description of the processing activities and their purposes;

② an assessment of the necessity and proportionality of the processing in relation to its purposes;

③ an evaluation of the potential risks to individuals’ privacy and rights; and

④ the measures we implement to mitigate identified risks and ensure compliance with applicable privacy laws.

(3) Breach Notification Upon any breach of data, we will notify the authorities and the affected individuals promptly in accordance with the laws of your jurisdiction.

(4) Liability Limitations We are not liable for any Personal Data breaches resulting from the User’s own negligence (e.g., loss or sharing of login credentials), unless caused by our willful misconduct or gross negligence. This Privacy Policy does not apply to the processing of Personal Data on external sites or applications not operated by us.

ARTICLE 6. PERSONAL DATA DESTRUCTION

(1) Destruction Timeline We promptly destroy Personal Data without delay when the retention period has expired or the purpose of processing has been achieved, and the Personal Data is no longer necessary.

(2) Separate Storage If retention is required under Relevant Laws after the consented retention period expires or the processing purpose is fulfilled, the Personal Data will be stored and managed separately from other Personal Data.

(3) Destruction Procedures and Methods The procedures and methods for the destruction of Personal Data are as follows:

① Destruction Procedure. We identify the Personal Data for which a reason for destruction has arisen and proceed with destruction upon approval from our Privacy Officer, as identified below.

② Destruction Method.

A. Personal Data recorded or stored in electronic format is permanently deleted using a method that renders the records unrestorable.

B. Personal Data in paper format is destroyed by shredding or incineration.

ARTICLE 7. THIRD-PARTY TRANSFER

(1) Permitted Disclosures We process your Personal Data only for the purposes of processing specified in this Policy and disclose it to third parties solely in the following cases, as permitted under Articles 17 and 18 of PIPA:

① with your separate consent;

② where required by Relevant Laws; or

③ where clearly necessary to protect you or a third party from imminent risk to life, body, or property.

(2) Payment Processing We transfer certain Personal Data to authorized third-party payment processors to process payments and manage subscriptions. This transfer is necessary for contractual performance and occurs with your consent when you make a purchase.

ARTICLE 8. ENTRUSTMENT

(1) Current Entrustments To ensure stable and efficient processing of your Personal Data, we entrust certain processing tasks as follows:

ENTRUSTED PARTY | ASSIGNED TASKS
Cloudflare | Website security and performance monitoring
Payment Service Providers (PCI DSS compliant) | Payment processing and subscription management

(2) Disclosure Requirements In accordance with Article 26 of PIPA, we will disclose in this Policy any entrustment of Personal Data processing, including the entrusted party, assigned tasks, and any subsequent changes.

(3) Contractual Obligations If and when we entrust Personal Data processing, we specify in writing the obligations of the entrusted party in accordance with Article 26 of PIPA, including purpose limitation, security safeguards, sub-entrustment restrictions, supervision, and liability. We also monitor entrusted parties to ensure the secure handling of Personal Data.

(4) Overseas Transfers Entrustment involving the overseas transfer of Personal Data, if any, is not covered in this provision and will be addressed separately in another provision of this Policy.

ARTICLE 9. OVERSEAS TRANSFER

(1) AWS Transfer Details Upon your separate consent, we make the following overseas transfer of your Personal Data to entrust the processing and storage thereof to Amazon Web Services, Inc. (“AWS”). AWS acts as our entrusted data processor and processes your Personal Data solely in accordance with our instructions and for no other purpose. You may withhold consent to the overseas transfer of your Personal Data described above; however, doing so will prevent your use of core Services. The details of the overseas transfer of Personal Data under this entrustment are as follows:

① Information Transferred: all Personal Data necessary for the provision and operation of the Services.

② Time, Manner, and Destination of Transfer: Personal Data is transferred on a real-time or near-real-time basis via automated, encrypted network connections upon your use of the Services. Data may be processed at AWS data centers located in the United States, the European Union, and the Asia-Pacific regions. For the latest information regarding the names of the countries and/or territories where such data centers are located, please refer to https://aws.amazon.com/about-aws/global-infrastructure/.

③ Transferee: Amazon Web Services, Inc.

④ Purpose: To operate, store, and manage the cloud infrastructure required for the delivery, security, and performance of the Services.

⑤ Retention Period: Until your Subscription is cancelled, or until termination of the service agreement between VAIV and AWS, or as otherwise required under the Applicable Laws.

⑥ How to Opt-Out and Resulting Consequences: This transfer is necessary for the operation of the Services. If you do not consent to the overseas transfer to AWS, you may not be able to access or use the Services.

(2) Supervision and Updates We supervise AWS to ensure that your personal data is processed securely and in compliance with the Relevant Laws and our internal policies. If there are any changes to the entrusted party or the details of the entrusted tasks, we will notify you in advance through this Privacy Policy or other appropriate means.

(3) Future Changes Should there be any changes in the future regarding the overseas transfer of your Personal Data, we will notify you in advance and obtain your separate consent in accordance with applicable laws and regulations.

ARTICLE 10. RIGHTS OF DATA SUBJECTS

(1) General Rights You can exercise your rights over your Personal Data at any time, including the rights to access, correct, object to, or request an explanation of any automated decision-making.

(2) Deletion and Suspension Rights You have the right to request deletion or suspension of processing regarding your Personal Data, unless retention is necessary for legal compliance, claims, payment processing obligations, tax requirements, or other legitimate purposes (each, a “Legitimate Ground”). Payment-related data may be retained longer to comply with financial regulations and for dispute resolution. Upon your request to delete your Account, we will delete your Personal Data collected within thirty (30) days of receiving the request, provided that no Legitimate Ground applies.

(3) Sensitive Data Limitations You have the right to limit the use and disclosure of your sensitive Personal Data to what is necessary to perform the Services, as reasonably expected by an average consumer requesting services of such nature.

(4) Processing Restrictions You have the right to restrict our processing of your Personal Data when:

① the accuracy of your Personal Data is contested;

② the processing is unnecessary or unlawful, but you prefer not to have your Personal Data deleted, whether for the establishment, exercise, or defense of legal claims, or for any other reason; or

③ the verification of any Legitimate Grounds for retaining your Personal Data despite your objection is pending.

(5) Objection Rights Despite any Legitimate Ground for our processing your Personal Data, you have the right to object to such processing unless we demonstrate a compelling legitimate ground. Notwithstanding, you have the right to object at any time to our processing of your Personal Data for direct marketing purposes.

(6) Opt-Out Rights You have the right to opt out of any sale or sharing of your Personal Data with a third party for cross-context behavioral advertising.

(7) Data Portability You have the right to request that we transfer your Personal Data collected to another organization or directly to you, under certain conditions.

(8) Non-Discrimination You have the right not to be discriminated against for exercising any of the rights listed under this Article, provided that the unavailability of our Services that require the processing of your Personal Data, which has been restricted or deleted as a result of exercising such rights, shall not be deemed discrimination.

(9) Consent Withdrawal You are entitled to withdraw your consent to VAIV’s processing of your Personal Data at any time. However, withdrawing your consent will not affect the lawfulness of any processing conducted before the withdrawal. We may retain your Personal Data collected before the withdrawal if it is necessary based on any Legitimate Grounds.

(10) Exercise Procedures You can exercise the above rights by submitting a request in writing, by email, or by fax pursuant to Paragraph 41① of the Enforcement Decree of the Personal Information Protection Act, and we will respond without undue delay.

(11) Legal Representatives You can exercise the above rights through a legal representative or an authorized agent by submitting a power of attorney using Annex Form No. 11 of the Public Notice Concerning Methods of Personal Information Processing.

(12) Legal Restrictions Your rights to access or suspend the processing of Personal Data may be restricted under Paragraphs 35④ and 37② of PIPA. You may not request deletion of Personal Data if its collection is mandated by the Relevant Laws.

(13) Opt-Out of Sales You have the right to opt out of the sale or the sharing of Personal Data with third parties, if any. However, please note that you may be unable to access Services that require such sale or sharing.

(14) Identity Verification We reserve the right to verify whether the person requesting the exercise of the above rights is the data subject or a duly authorized representative or delegate.

ARTICLE 11. AUTOMATIC COLLECTION AND OPT-OUT

(1) Automatic Collection When you access or use the Services, we automatically collect the following information to ensure secure operation, improve functionality, and enhance User experience:

① Device Information: IP address, browser type and version, operating system, device type, and screen resolution

② Usage Information: pages visited, links clicked, time spent, referral sources, search terms

③ Technical Information: Cookies, Session data, JavaScript settings, plugins

④ Location Information: approximate geographic location based on IP address

(2) Cookies We use cookies to provide login functionality and operate other features of the Services as follows:

① Essential Cookies

A. Purpose: Website functionality and security

B. Examples: Session management, authentication

C. Can be disabled: No (required for service operation)

② Analytics Cookies

A. Purpose: Website performance and usage analysis

B. Examples: Google Analytics, heatmap tools

C. Can be disabled: Yes (through browser settings or our cookie preferences)

③ Functional Cookies

A. Purpose: Enhanced user experience

B. Examples: Language preferences, personalization

C. Can be disabled: Yes (may affect functionality)

④ Marketing Cookies

A. Purpose: Personalized advertising and marketing

B. Examples: Social media pixels, advertising networks

C. Can be disabled: Yes (through cookie preferences)

(3) User Control and Opt-Out You can control cookies through:

① Browser Settings: most browsers allow you to refuse or delete cookies

② Cookie Preference Center: available on the Website

③ Third-Party Opt-Outs: direct opt-out links for advertising networks

Please note that disabling certain cookies may limit Website functionality.

(4) Sessions Sessions are necessary for secure access to the Services and are automatically created upon connecting to our servers. These cannot be disabled.

(5) Assistance For more information regarding automatic collection of Personal Data and ways to opt out, please contact our Privacy Officer.

ARTICLE 12. AI DEVELOPMENT

(1) AI Training and Development To enhance the accuracy and personalization of our influencer recommendations, we may use your interactions with the Service to train and improve our AI models and recommendation algorithms. This processing of information supports the development of features tailored to your preferences. Data Used for AI Training may include:

① Search queries and applied filters

② Click-through rates and engagement behavior

③ Saved preferences and declared interests

④ Anonymized usage patterns and behavioral trends

Where required by applicable law, we will obtain your separate consent before using your data for AI training purposes.

ARTICLE 13. PRIVACY OFFICER

(1) Contact Information The following person is appointed as our privacy officer (“Privacy Officer”), responsible for handling inquiries and complaints regarding personal information processing, as well as remedies and other associated matters:

① Name: Ho Lee

② Title: Senior Managing Director

③ Email: support@whotag.ai

④ Telephone: +82 2 565 0531

(2) EU Representative We are currently evaluating the applicability of Article 27 of the General Data Protection Regulation regarding the designation of a European Union representative. Where legally required, we will appoint a representative and update this Privacy Policy accordingly. Until then, please contact our Privacy Officer with any inquiries.

ARTICLE 14. REMEDIES FOR PRIVACY INFRINGEMENT

(1) Korea-Based Resources If you need further assistance regarding personal information infringements, you can contact Korea Internet & Security Agency’s Personal Information Infringement Reporting Center, Korean National Police Agency Cyber Safety Bureau, and other relevant institutions. For calls originating from outside Korea, dial the international calling code and the country code of Korea (82) before the numbers below:

① Personal Information Infringement Reporting Center: (without area code) 118 ( https://privacy.kisa.or.kr )

② Personal Information Dispute Mediation Committee: (without area code) 1833-6972 ( https://kopico.go.kr )

③ Supreme Public Prosecutors’ Office Cyber CID: (without area code) 1301 ( https://cybercid.spo.go.kr )

④ National Police Agency Cyber Safety Bureau: (without area code) 182 ( https://ecrm.cyber.go.kr )

(2) International Resources For residents outside Korea, if you wish to report a complaint or if you feel that we have not addressed your concern in a satisfactory manner, you can contact your local data protection authority. The following are examples of relevant authorities in certain jurisdictions:

① European Union

A. Your local Data Protection Authority

B. European Data Protection Board (https://edpb.europa.eu/)

② United Kingdom

A. Information Commissioner’s Office (https://ico.org.uk/)

③ United States

A. Federal Trade Commission (https://www.ftc.gov/)

ARTICLE 15. MISCELLANEOUS

(1) Changes This Policy may be updated in accordance with changes in laws or our policies. Any revisions will be publicly announced on the Website, specifying the effective date and the reason for the change. You will be provided with an opportunity to review the revised Policy before deciding if you would like to continue using the Services.

(2) Governing Language This Policy may be translated into other languages for reference and convenience. In the event of any conflict or inconsistency between the different versions, the English version shall prevail and govern.

(3) Matters Not Addressed Any matters not addressed in this Policy shall be governed by the Relevant Laws and any applicable Supplemental Terms.

(4) Version This Policy is the initial version, and there are no previous versions.