Thank you for using Candy Camera. Candyplus Studio Inc. (“we” or “Company”) respects your privacy and is committed to protecting your personal data as you (“you” or “User”) use our Services. This Privacy Policy (this “Policy”) describes how we collect, use, and handle your personal data when you use our platforms, websites, and services, including our Candy Camera applications (“Services”).
If you have any questions regarding this Policy or our privacy practices, please contact our Data Protection Department as listed in this Policy. It is crucial that you thoroughly read and understand the terms of this Policy, as it details your rights concerning your personal data under applicable data protection laws. Please note that this Policy should be read in conjunction with our Terms of Service as well as any other privacy notices we may issue in relation to specific occasions or services.
Personal information, or personal data, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
During your use of the Services or any interaction with us, we may collect and use the following types of personal data:
Registration Information: Device Operating System (OS) and OS Version, Login Method, nickname, name, date and time of birth, gender, device language settings, nationality, profile image, email address, and push token
Consent and Notification Preferences: Consent to notification preferences and consent records
Account Activity and Administrative Metadata: Last login date and time, account creation date and time, last application update date, ban status (blacklist indicator), ban imposition timestamp, unban timestamp
For improvement of AI Face Reader Service: photos, gender, name, device and country information (This excludes users residing in and users of European Economic Area, Switzerland, and the United Kingdom.)
Automatically generated information: browser type and operating system, visit records (IP address, access time), device information, cookies, Device Identifier (Device ID)
We collect personal data from and about you through various methods, including:
Direct Interactions:
You may provide personal data to us directly by filling out forms or communicating with us through our Services, by phone, email, or other channels. This typically occurs when you apply for our products or Services, create an account, subscribe to our updates or publications, request or consent to marketing communications, participate in competitions, events, promotions, or surveys, or when you provide feedback or contact us directly.
Automated Technologies and Cookies:
As you interact with our Services, we may automatically collect technical data about your device, browsing actions, and usage patterns. This data is gathered through cookies, server logs, and other similar technologies. Cookies are small amounts of data sent to your browser by the server that operates the website or the Services, which may be stored on the hard disk of your computer. They are used to manage security measures, enhance and develop services, offer personalized Services and provide tailored advertisements through analyzing user access, such as the frequency and timing of access, identify patterns in the user’s usage, track user activities, and access to security measures. You may set your browser to not accept cookies, but this may limit your ability to use the Services. We may also use third-party service providers that set cookies and similar technologies to promote our Services.
We process your personal data as follows to facilitate your better use of our Services:
Registration and Provision of Service
Service Improvement and Development: to enhance existing Services, develop new services, enhance AI performance, create customized offerings based on user preferences and needs, and develop Service-related statistics.
We only collect and process your personal data when we have a lawful basis to do so. The specific legal basis depends on the context in which we process the personal data, including the Service you use and the nature of the personal data involved.
The legal bases we rely on for processing your personal data include:
Performance of a Contract: We process your personal data to fulfill our contractual obligations to you. This includes providing the Service, communicating with you regarding your use of the Service, and ensuring your compliance with our Terms of Service.
Legitimate Interests: We process your personal data when necessary for our legitimate interests or the legitimate interests of third parties, provided that such processing is not overridden by your data protection rights. This may include preventing fraud, securing our Services, protecting our legal rights, conducting market research, developing products, and for marketing purposes.
Compliance with Legal Obligations: We process your personal data to comply with applicable laws, regulations, court orders, or official requests from government or law enforcement authorities.
Consent: We process your personal data when you have provided your explicit consent, such as when you agree to receive marketing communications from us. You may withdraw your consent at any time by contacting us at our Data Protection Department.
If you wish to withdraw your consent or object to the processing of your personal data, please contact us at our Data Protection Department. If you feel your concerns have not been addressed adequately or believe we have violated applicable data protection laws, you may file a complaint with your local data protection supervisory authority.
To provide the Services, we may share your personal data as discussed below. Please note that we will not sell your personal data to advertisers or other third parties.
Disclosure of Personal Data to a Third Party
We may engage certain third-party service providers (including, but not limited to, providers of customer support and IT services) to assist us in delivering, improving, protecting, and promoting our Services. These service providers may process your personal data on our behalf, but only to the extent necessary for the fulfillment of these business purposes. The processing of your personal data by these third parties is subject to strict contractual obligations to ensure compliance with applicable data protection laws.
Entrustment of Personal Data Processing to a Third Party
We entrust the following personal data processing tasks to the third parties listed below in order to provide the Services effectively.
Third Party Recipient | Description of Entrusted Task |
---|---|
Amazon Web Services, Inc | Cloud infrastructure hosting, storage, and database management for the secure processing and retention of user data. |
Disclosure of personal data to other users
Some features of our Services may display your personal data, such as your username, profile picture, device information, and usage details, to other users with whom you collaborate or choose to share information. Additional personal data may also be made visible to other users if you choose to do so through certain features.
Other applications.
You may choose to connect your account with third-party services. When you do so, the Company and the third-party services may exchange information about you and your data to enhance, protect, and promote both services. Please note that this Policy does not apply to the collection and processing of personal data by third-party services, and we recommend reviewing their respective privacy policies for more information.
Required Disclosure
We may disclose your personal data to third parties if we reasonably determine that such disclosure is necessary to:
Comply with any applicable law, regulation, legal process, or government request;
Protect the safety or life of any individual;
Prevent fraud or abuse of the Company’s Services or protect our users;
Safeguard the rights, property, safety, or interests of the Company or our users; or
Perform a task carried out in the public interest.
To provide you with the Services, we may store, process, and transmit your personal data in the Republic of Korea or other locations outside your country. Data may also be stored locally on the devices you use to access the Services. When we transfer your personal data outside, we will ensure that the transfer complies with applicable data protection laws by implementing appropriate safeguards such as those provided under the GDPR as follows or other legally recognized mechanisms.
We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.
Where we use certain service providers, we may use standard contractual clauses approved by the European Commission which give personal data the same protection it has in Europe.
Safeguarding your personal data is a top priority and a responsibility we take seriously. We are committed to ensuring the security of your personal data and regularly test for vulnerabilities in our Services. To prevent accidental loss, unauthorized access, use, alteration, or disclosure of your personal data, we employ robust security measures designed to protect your information at all times.
Our comprehensive security measures include:
Regular Internal Audits: To maintain the security of personal data, we conduct regular internal audits to evaluate and strengthen our data protection practices.
Minimization and Training of Data Handling Staff: We restrict access to personal data to designated employees only and limit the number of personnel involved in handling personal data. These individuals receive regular training on data protection and security.
Technical Safeguards Against Hacking and Viruses: To protect against data breaches from hacking or malware, we have installed security programs that are regularly updated and monitored. Systems are housed in secured zones with limited external access, protected through both technical and physical barriers to monitor and prevent unauthorized entry.
Access Restriction: We control access to databases containing personal data. We also use intrusion prevention systems to block unauthorized external access.
Controlled Physical Access: Physical locations housing personal data are secured, with entry control measures in place to prevent unauthorized access to storage facilities.
In addition to these measures, access to personal data is strictly limited to employees, agents, contractors, and third parties who have a legitimate business need to process it. These individuals and entities are required to follow our instructions and are bound by strict confidentiality obligations.
In the event of a suspected data breach, we have established comprehensive procedures to promptly address and mitigate any risks. Where legally required, we will notify both you and the relevant regulatory authorities of any data breach that may impact your personal data.
We will retain your personal data only for as long as is reasonably necessary to fulfill the purposes for which it was collected, including to comply with any legal, regulatory, tax, accounting, or reporting obligations. In certain circumstances, such as in the event of a complaint or where there is a reasonable expectation of litigation related to our relationship with you, we may retain your personal data for a longer period of time.
To determine the appropriate retention period, we take into account several factors, including the volume, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure, the purposes for which we are processing the data and whether those purposes can be achieved through other means, as well as any relevant legal, regulatory, tax, accounting, or other applicable requirements.
Subject to the foregoing, in principle, we will destroy your personal data without delay when (i) the purpose of collection and use has been achieved; (ii) you withdraw your account from the Service; (iii) the legal or management needs have been achieved; or (iv) we receive your request for deletion.
You are responsible for ensuring the security of your personal data. This includes choosing a sufficiently strong password and keeping your credentials, including your password, confidential at all times. You are also obligated to respect the privacy and personal data of others and must not infringe upon or misuse third-party personal data. Please avoid disclosing your personal data, such as your password, and refrain from actions that may harm or compromise the personal data or privacy of others.
While we employ rigorous security measures to protect your personal data, we will not be liable for any loss, unauthorized access, or misuse of your personal data that results from your own actions, such as failing to secure your account or sharing your password with others. It is your responsibility to safeguard your personal data and respect the privacy and security of others.
It is equally important that the personal data we hold about you is accurate and up to date. Please notify us promptly if any of your personal data changes during your use of our Services, to help us maintain the accuracy and integrity of the information. We will not be liable for any loss, unauthorized access, or misuse of your personal data that occurs as a result of your failure to promptly update your personal data.
You have control over your personal data and how it is collected, used, and shared by the Company. As a user of our Services, you may exercise the following rights concerning your personal data:
Right to access to personal data: You have the right to request access to the personal data we hold about you.
Right to deletion: You may request the deletion of personal data from your account or our databases.
Right to correction: You can manage your account, including editing your personal data at any time.
Right to restrict processing and objection: You may object to the processing of your personal data or request a temporary suspension or restriction of data processing.
Right to data portability: You may request the transfer of your personal data to another party.
Right to avoid automated decision-making: You may request to stop automated processing of personal data.
Right to withdraw consent: You may withdraw your consent to the processing of your personal data at any time. Withdrawal of consent will not affect the lawfulness of processing conducted prior to withdrawal. However, withdrawing consent may limit our ability to provide certain Services to you. We will inform you if this is the case at the time of withdrawal.
To exercise any of the above rights, please contact us at our Data Protection Department. We will take appropriate action without undue delay. Note that we may deny your request if there is a legitimate reason prescribed by law.
If we collect personal data from children under the age of 16 (or the equivalent minimum age in the relevant jurisdiction), we will take additional steps to ensure the protection of that personal data, including:
Verification: We will make reasonable efforts to verify that the individuals are children of an age requiring parental or guardian consent, and that the person providing consent is authorized to do so.
Parental Consent: We will obtain verifiable consent from the parent or legal guardian before collecting personal data or providing services directly to children.
Parental Notification: We will provide parents or guardians with notice of this Policy, detailing the types of personal data collected, the purpose of collection, and any sharing of the data.
Parental Rights: We will grant parents or guardians the right to:
Access their child’s personal data;
Request correction or deletion of their child’s personal data;
Request the suspension of processing their child’s personal data;
Withdraw their consent for the processing of their child’s personal data.
Data Minimization: We will collect only the personal data necessary for the provision of our Services.
Our application uses Apple’s TrueDepth camera system to power features such as [e.g., facial recognition filters, AR experiences, face tracking]. The data from the TrueDepth camera is used in real-time to detect facial movement and expressions and is used solely for visual effects and interactions within the app.
The facial data, including depth information and facial expressions, is not collected, stored, or shared by us. All processing is done locally on your device, and the data is not used for identity verification, user tracking, or marketing purposes.
Access to the camera is requested only with the user’s permission and is handled in accordance with Apple’s privacy standards. Users can revoke camera access at any time through their device settings.
Out of respect for your privacy, we have implemented additional measures to comply with the obligations and rights associated with the collection of personal data as dictated by the laws governing the regions of our users.
Disclosures for residents of the EU/EEA
If you are a resident of the European Union (“EU”) or the European Economic Area (“EEA”), you have certain rights in relation to your personal data based on the GDPR that we comply with as part of our commitment to your privacy. Unless otherwise expressly stated, all terms in this section have the same meaning as defined in the GDPR.
Right to withdraw consent: You have the right to withdraw consent where you have previously given your consent to the processing of your personal data. To the extent that the legal basis for our processing of your personal data is consent, you have the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing before the withdrawal.
Right to access: You have the right to learn if your personal data is being processed by us, obtain disclosure regarding certain aspects of the processing, and obtain a copy of your personal data undergoing processing.
Right to rectification: You have the right to verify the accuracy of your information and ask for it to be updated or corrected. You also have the right to request us to complete the personal data you believe is incomplete.
Right to object to the processing: You have the right to object to the processing of your information if the processing is carried out on a legal basis other than consent. Where personal data is processed for the public interest, in the exercise of an official authority vested in us, or for the purposes of the legitimate interests pursued by us, you may object to such processing by providing a ground related to your particular situation to justify the objection. Note, however, that if your personal data is processed for direct marketing purposes, you can object to that processing at any time without providing any justification.
Right to restrict processing: You have the right, under certain circumstances, to restrict the processing of your personal data. These circumstances include: the accuracy of your personal data is contested by you and we must verify its accuracy; the processing is unlawful, but you oppose the erasure of your personal data and request the restriction of its use instead; we no longer need your personal data for the purposes of processing, but you require it to establish, exercise or defend your legal claims; you have objected to processing pending the verification of whether our legitimate grounds override your legitimate grounds. Where processing has been restricted, such personal data will be marked accordingly and, with the exception of storage, will be processed only with your consent or for the establishment, exercise or defense of legal claims, for the protection of the rights of another natural or legal person, or for reasons of important public interest.
Right to delete: You have the right, under certain circumstances, to obtain the erasure of your personal data from us. These circumstances include: the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed; you withdraw consent to consent-based processing; you object to the processing under certain rules of applicable data protection law; the processing is for direct marketing purposes; and the personal data have been unlawfully processed. However, there are exclusions of the right to erasure such as where processing is necessary: for exercising the right of freedom of expression and information; for compliance with a legal obligation; or for the establishment, exercise or defense of legal claims.
Right to data portability: You have the right to receive your personal data that you have provided to us in a structured, commonly used, and machine-readable format and, if technically feasible, to have it transmitted to another controller without any hindrance from us, provided that such transmission does not adversely affect the rights and freedoms of others.
Right to complain: You have the right to complain to a data protection authority about our collection and use of your personal data. If you are not satisfied with the outcome of your complaint directly with us, you have the right to lodge a complaint with your local data protection authority.
Other rights granted to you under the GDPR are listed in Appendix 1, which has been incorporated into this Policy.
If you are a resident of California, you have certain rights and we aim to take reasonable steps to allow you to correct, amend, delete, or limit the use of your personal data. This supplemental section, together with other relevant sections of the Policy, provides information about your rights and how to exercise them under the California Consumer Privacy Act and the California Privacy Rights Act (collectively, “CCPA”), and any and all regulations arising therefrom. Unless otherwise expressly stated, all terms in this section have the same meaning as defined in the CCPA.
Right to know and right to access: You have the right to request certain information we have collected about you. Once we receive and confirm a verifiable request from you, we will disclose to you, to the extent permitted by law:
The categories of personal data we collected about you.
The purposes the categories of personal data are collected or used for.
The specific pieces of personal data we hold about you.
The categories of sources from which information about you is collected.
The purposes for collecting, selling, or sharing your personal data.
You have the right to request that the personal data is delivered in a format that is both portable and easily usable, as long as it is technically possible to do so.
Right to correct: You have the right to request that we correct your inaccurate personal data taking into account the nature of the personal data and the purposes of the processing of the personal data.
Right to delete: You have the right to request deletion of your personal data.
Right to opt-out of the sale and sharing: You have the right to opt-out of the sale of your personal data which may include selling, disclosing, or transferring personal data to another business or a third-party for monetary or other valuable consideration.
Right to limit the use of your personal data, including any sensitive personal data: You have the right to restrict our use of your personal data and disclosure solely to what is essential for carrying out or delivering the Services or operating the Website in a manner reasonably anticipated by an average user, or for certain business objectives as specified by law. However, we do not use personal data for any purposes other than those legally permitted or beyond the scope of this Privacy Policy.
Right to non-discrimination: You have the right to not be discriminated against in the Services or quality of Services you receive from us for exercising your rights. We may not, and will not, treat you differently because of your data subject request activity, or charge different rates for goods or Services, or suggest that we would treat you differently because of your data subject request activity.
Shine the Light: California residents that have an established business relationship with us have the right to know how their personal data is disclosed to third parties for their direct marketing purposes under California’s “Shine the Light” law, or the right to opt out of such practices.
To exercise any of your rights, simply contact us using the details below. After we receive and verify your request, we will process it to the extent possible within our capabilities.
If you have any questions about this Policy or our privacy practices, please contact our Data Protection Department in the following ways:
Attention: Sunwoo Han
Email address: support@candyplus.ai
Postal address: 4, Seoripul3-gil, Seocho-gu, Seoul, Republic of Korea
If they cannot answer your question, you have the right to contact your local data protection supervisory authority.
We reserve the right to revise this Policy from time to time. In the event of any changes, we will provide notice by posting the updated policy on our Services or through other appropriate means, such as email notifications or a pop-up screen requesting acceptance when you sign in.
Last modified: June 18th, 2025
We lawfully process personal data under the conditions below:
A user explicitly consents to their personal data being processed.
The processing is necessary for executing a contract that a user is part of or for initiating steps required by a user before entering into a contract. This may involve member management, identification, service provision, payment, and settlement of fees, among others.
The processing is a legal requirement for us, such as adherence to relevant legislation, rules, legal procedures, or governmental requests.
The processing is crucial to protect users or other individuals’ vital interests, for example, detecting, preventing, and responding to fraud, abuse, security threats, and technical issues that could harm users or other individuals.
The processing is necessary for a task conducted in public interest or in the execution of official authority given to us.
The processing is essential for the legitimate interests pursued by us or by a third party, except where such interests are overridden by the interests or basic rights and freedoms of the data subject, especially where the data subject is a child.
Users or their legal representatives have the following rights in relation to the collection, use, and sharing of personal data by us:
Right to access personal data: Users or their legal representatives can request access to their data and verify the records of the collection, usage, and sharing of their data under the law.
Right to correction: Users or their legal representatives can request corrections for any inaccurate or incomplete data.
Right to deletion: Users or their legal representatives can request the deletion of their data after the completion of its purpose and the revocation of their consent.
Right to restrict processing: Users or their legal representatives can request a temporary suspension of data processing in the event of disputes over data accuracy and the legality of data processing, or if data retention is necessary.
Right to data portability: Users or their legal representatives can request the provision or transfer of their data.
Right to object: Users or their legal representatives can object to data processing if the data is used for direct marketing, legitimate interests, official duty execution, and research and statistics.
Right to avoid automated individual decision-making, including profiling: Users or their legal representatives can request to stop automated processing of personal data, including profiling, which significantly impacts or can legally affect them.
Given our worldwide operations, users’ personal data may be shared with entities in other countries for explicitly stated purposes in this Policy. In regions where personal data is transferred, stored, or processed, we enforce adequate measures to protect the data. If personal data from the European Union or Switzerland is used or disclosed, we align with the US-EU Privacy Shield, Swiss-US Privacy Shield, or employ other measures or secure user consent following EU regulations, using a standardized agreement clause approved by EU executing organizations or ensuring suitable safeguards.
Our websites, products, or Services may include links to third-party websites. The privacy policies of these third-party sites may be different from ours. Users are therefore advised to review the privacy policies of any third-party sites accessed via links on our site.
We have the right to update this Policy as needed. If significant changes are made, we will notify users via the website or other suitable means, providing users with a chance to review the changes before they become effective. If a user continues to use our services after changes have been notified, it will be regarded as the user’s acceptance of the changes.
For users or their legal representatives wishing to exercise their rights as described in this Policy, or for those with any queries or complaints about our privacy practices, they can reach out to our Data Protection Officer or equivalent representative through the contact information available on our website.
Revision Date: June 11th, 2025
Effective Date: July 15th, 2025
Contact for Terms and Conditions: support@candyplus.ai