Privacy Policy
Effective Date: June 1, 2026 · Last Updated: June 1, 2026
1. Introduction
Lululab Inc. (주식회사 룰루랩) ("Lululab", "we", "our", or "us") operates lulu-at.com and related services (collectively, the "Services").
This Privacy Policy explains how we collect, use, disclose, and protect personal information when you use our Services. It also describes your rights regarding your personal information and how to exercise them.
By using the Services, you consent to the practices described in this Privacy Policy. If you do not agree, please do not use the Services.
This Privacy Policy complies with the Personal Information Protection Act (PIPA) of the Republic of Korea and applicable international data protection laws.
2. Personal Information We Collect
We collect the following categories of personal information:
2.1 Information You Provide Directly
| Category | Examples | Purpose |
|---|---|---|
| Account Information | Name, email address, password | Account creation and login |
| Profile Information | Date of birth, gender, country, phone number | Personalized service delivery |
| Skin Images (Sensitive) | Facial photographs uploaded for AI skin analysis | AI skin analysis, personalized recommendations |
| Consultation Requests | Treatment interests, health concerns, preferred clinics | Clinic matching and booking |
| Communications | Messages, support requests | Customer support |
2.2 Information Collected Automatically
When you use our Services, we automatically collect certain technical information:
- Log Data: IP address, browser type and version, pages visited, time and date of visits, time spent on pages, referring URLs
- Device Information: Device type, operating system, unique device identifiers
- Usage Data: Features used, interactions with content, search queries
- Cookies and Similar Technologies: See Section 9 (Cookies) below
2.3 Information from Third Parties
If you sign in using a third-party service (Google, Apple, etc.), we receive basic profile information (name, email address) from that service, subject to your privacy settings with that provider. We do not receive your password from third-party authentication providers.
3. Sensitive Personal Information
Sensitive Information Notice
Skin photographs you upload for AI analysis may constitute sensitive personal information under applicable law, as they can reveal physical characteristics and health-related information. We collect this information only with your explicit consent and handle it with heightened protection measures.
Specifically, we collect:
- Skin images: Facial photographs for AI-based skin analysis (LuluTI)
- Skin condition data: Derived analysis results (skin type, concerns, scores) associated with your profile
- Health-related preferences: Treatment interests and skin concerns you voluntarily share
You have the right to refuse consent for the collection of sensitive information. However, without this data, AI skin analysis and personalized recommendations will not be available. You may still access other Services, such as clinic discovery and content.
4. How We Use Your Information
We use your personal information for the following purposes:
- Service Delivery: Providing AI skin analysis, generating personalized skin type assessments, and delivering recommendations
- Account Management: Creating and managing your account, authenticating your identity
- Clinic Matching: Matching your skin profile and treatment interests with appropriate Clinic Partners and facilitating consultation requests
- Personalization: Tailoring content, treatment recommendations, and product suggestions to your skin profile
- Communications: Sending service-related notifications, transactional emails, and, with your consent, marketing communications
- Service Improvement: Analyzing usage patterns to improve our Services, AI model accuracy, and user experience
- Safety and Security: Detecting and preventing fraudulent activity, abuse, and security incidents
- Legal Compliance: Complying with applicable laws and regulations, responding to legal requests
AI Model Improvement: With your separate consent, we may use de-identified skin images and analysis outcomes to improve the accuracy of our AI models. You may withdraw this consent at any time without affecting your use of other Services.
5. Sharing Your Information
We do not sell your personal information. We may share it with the following parties:
5.1 Clinic Partners
When you submit a consultation or booking request, we share your relevant profile information (name, contact information, skin profile, treatment interests) with the selected Clinic Partner to facilitate the consultation. Clinic Partners are independent third parties and handle your information according to their own privacy policies.
5.2 Service Providers
We use third-party service providers who process personal information on our behalf:
| Provider | Purpose | Location |
|---|---|---|
| Clerk | User authentication and account management | USA |
| Supabase | Database and file storage | USA (AWS us-east-1) |
| PostHog | Product analytics and event tracking | USA / EU |
| Mux | Video streaming and hosting | USA |
| Vercel | Web hosting and edge delivery | Global (AWS) |
These providers are contractually bound to protect your information and may only process it as directed by us.
5.3 Legal Requirements
We may disclose your information if required by law, court order, or governmental authority, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
5.4 Business Transfers
In the event of a merger, acquisition, or sale of all or a portion of our assets, your personal information may be transferred as part of the transaction. We will notify you via email or a prominent notice on our Services before your information is subject to a different privacy policy.
6. International Data Transfers
Lululab is headquartered in the Republic of Korea. Our service providers operate servers in the United States and other countries. When your personal information is transferred outside of Korea, we ensure appropriate safeguards are in place, including:
- Standard contractual clauses approved by data protection authorities
- Processing only with service providers who maintain adequate data protection
By using the Services, you acknowledge that your information may be processed in countries with data protection laws that may differ from those in your jurisdiction.
7. Data Retention
| Information Type | Retention Period |
|---|---|
| Account & profile information | Until account deletion + 1 year |
| Skin images & analysis results | Until deletion request or account closure |
| Consultation request records | 5 years (consumer dispute resolution) |
| Transaction records | 5 years (Act on Consumer Protection in E-Commerce) |
| Access logs | 3 months (Communications Secrets Protection Act) |
| Marketing consent records | Until consent withdrawal + 1 year |
After the applicable retention period, personal information is securely deleted or anonymized. Some information may be retained longer if required by law or necessary for legitimate business purposes, such as pending legal proceedings.
8. Your Rights
Depending on your jurisdiction, you have the following rights regarding your personal information:
8.1 Rights Under Korean PIPA
- Right to Access: Request to view the personal information we hold about you
- Right to Correction: Request correction of inaccurate or incomplete information
- Right to Deletion: Request deletion of your personal information (subject to legal retention requirements)
- Right to Suspend Processing: Request suspension of processing of your personal information
- Right to Withdraw Consent: Withdraw consent at any time; this does not affect the lawfulness of processing before withdrawal
8.2 Additional Rights (United States)
California residents (CCPA/CPRA): You have the right to: (1) know what personal information we collect, use, and share; (2) delete personal information we hold about you; (3) correct inaccurate personal information; (4) opt out of the sale or sharing of personal information for cross-context behavioral advertising; (5) limit our use of sensitive personal information to necessary purposes; and (6) non-discrimination for exercising your privacy rights. We do not sell or share personal information. To submit a request, contact us at lululab@lulu-lab.com with the subject line "CCPA Request."
Other US states: Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and other states with comprehensive privacy laws have similar rights to access, correct, delete, and opt out of certain processing of their personal information. We honor these rights to the extent required by applicable state law.
Biometric data notice (Illinois, Texas, Washington, and other states): Skin photographs you submit for AI analysis may be processed in a manner that implicates state biometric privacy laws, including the Illinois Biometric Information Privacy Act (BIPA). By submitting facial images, you explicitly consent to such processing. We do not profit from biometric data, and we retain biometric-derived data only as long as necessary to provide the Services or as required by law. You may request deletion of your biometric data at any time.
8.3 How to Exercise Your Rights
To exercise any of these rights, contact us at lululab@lulu-lab.com with the subject line "Privacy Request". We will respond within 10 business days. We may need to verify your identity before processing your request.
You may also delete your account directly from your profile settings, which will initiate deletion of your personal information.
9. Cookies and Tracking Technologies
We use the following types of cookies and similar technologies:
| Type | Purpose | Can Opt Out |
|---|---|---|
| Essential | Authentication, session management, security | No (required for service) |
| Functional | Language preference, UI settings | Yes |
| Analytics | Usage patterns, feature adoption (PostHog) | Yes |
| Marketing | Personalized recommendations | Yes |
You can control cookies through your browser settings. Disabling essential cookies may impair service functionality. Most browsers allow you to refuse or delete cookies. See your browser's help documentation for instructions.
10. Data Security
We implement industry-standard security measures to protect your personal information:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Access controls limiting employee access to personal information
- Regular security assessments and vulnerability testing
- Incident response procedures for data breach notification
In the event of a data breach that poses a significant risk to your rights and freedoms, we will notify you and relevant authorities in accordance with applicable law.
No method of transmission over the internet or electronic storage is 100% secure. While we use commercially reasonable measures, we cannot guarantee absolute security.
11. Children's Privacy
Our Services are not directed to individuals under the age of 14. We do not knowingly collect personal information from children under 14. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately. We will take steps to delete such information promptly.
For users between 14 and 18 years of age, parental or guardian consent may be required in certain jurisdictions.
12. Marketing Communications
We send marketing communications only with your explicit prior consent. You may withdraw your consent at any time by:
- Clicking the "Unsubscribe" link in any marketing email
- Updating your preferences in your account settings
- Contacting us at lululab@lulu-lab.com
Withdrawal of marketing consent does not affect the lawfulness of processing based on consent before its withdrawal, and does not prevent us from sending transactional or service-related communications.
13. Personal Information Protection Officer
In accordance with the Personal Information Protection Act (PIPA) of the Republic of Korea, we have designated a Personal Information Protection Officer:
Lululab Inc. (주식회사 룰루랩)
CEO: Yongjoon Choe (최용준) | Business Reg. No.: 435-88-00655 | Distance Selling No.: 2019-서울강남-04187
Email: lululab@lulu-lab.com
Phone: +82-2-3446-3727
You may contact the Privacy Officer for any privacy-related inquiries, complaints, or to exercise your rights.
If you are not satisfied with our response, you have the right to lodge a complaint with the Personal Information Protection Commission (PIPC) of Korea (privacy.go.kr) or your local data protection authority.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by:
- Posting the updated policy on this page with a revised effective date
- Sending a notification to your registered email address
- Displaying a prominent notice on our Services
Material changes will take effect no earlier than 7 days after notification. For changes requiring your consent (such as new uses of sensitive information), we will seek your explicit consent before proceeding.
Your continued use of the Services after the effective date of the updated Privacy Policy constitutes acceptance of the changes.
15. Contact Us
For questions, concerns, or requests related to this Privacy Policy or the processing of your personal information, please contact us:
Lululab Inc. (주식회사 룰루랩)
CEO: Yongjoon Choe (최용준)
Business Registration No.: 435-88-00655
Distance Selling Report No.: 2019-서울강남-04187
13F Units 1–2, SB Tower, 318 Dosan-daero,
Gangnam-gu, Seoul, Republic of Korea
Email: lululab@lulu-lab.com
Phone: +82-2-3446-3727
Business Hours: Monday–Friday, 09:00–18:00 KST