Dapanda (the "Operator") establishes and discloses this Privacy Policy in accordance with Article 30 of the Personal Information Protection Act (PIPA) to protect the personal information of data subjects and safeguard their rights and interests.
Last revised 2026-05-13 · Effective 2026-05-13
1. Purposes of Processing
The Operator processes personal information for the following purposes only. Information will not be used beyond these purposes; prior consent will be obtained for any change.
- Verifying intent to join, identifying and authenticating members, confirming identity
- Creating and managing posts and comments, handling reports and sanctions
- Communication between the Operator and members (notices, responses to inquiries)
- Preventing fraudulent use of the service and analyzing usage statistics
- (Phase 2) Processing payments, subscriptions, and refunds; managing transaction history
2. Personal Information Collected
Required
- Email address
- Password (stored as a one-way hash only; plaintext is never retained)
- Display name
- Sign-up and access timestamps, IP address, browser information
Additional items collected via OAuth sign-up
- Google: email, profile image, display name
- Kakao / WeChat (planned): identifier and profile provided by each provider
Automatically collected
- Cookies (session maintenance, authentication tokens)
- Access logs (URL, timestamp, response code), error logs
3. Retention and Use Period
The Operator retains and processes personal information only within the period prescribed by law or as agreed with the data subject.
- Member information: Until account deletion. Identifying information of members who have not logged in for one year since sign-up or since their last login is automatically anonymized once daily (Korean Standard Time 03:00). The display name is changed to "Withdrawn Member" and the bio and profile image are deleted immediately.
- Access and error logs: 1 year from collection
- E-commerce transaction records (Phase 2): Per E-Commerce Act §6 — display/advertising records 6 months; contracts, withdrawal, payment, and delivery records 5 years; consumer complaints and disputes 3 years
4. Disclosure to Third Parties
The Operator processes personal information solely within the purposes stated in Section 1 of this policy, and does not disclose personal information to third parties except with the data subject's consent or as required by applicable law.
5. Outsourcing of Personal Information Processing
For stable service operation, the Operator has outsourced personal information processing as follows.
| Processor | Tasks | Country |
|---|---|---|
| Supabase, Inc. | Account authentication, database, storage | USA |
| Vercel, Inc. | Web hosting, CDN, build | USA |
| Google LLC | OAuth authentication (user's choice) | USA |
Outsourcing agreements with the above processors include mandatory security measures as required by Article 26 of PIPA.
6. Rights and Obligations of Data Subjects and Legal Representatives
Data subjects may exercise the following rights against the Operator at any time.
- Right to request access to personal information (PIPA Art. 35)
- Right to request correction or deletion of errors (PIPA Art. 36)
- Right to request suspension of processing (PIPA Art. 37)
- Right to withdraw membership (retention period in Section 3 applies)
Rights may be exercised directly through the settings menu in the member dashboard, or by contacting the Privacy Officer at the address provided in Section 10.
7. Destruction of Personal Information
The Operator destroys personal information without delay when it is no longer necessary — for example, when the retention period has expired or the processing purpose has been achieved.
- Destruction procedure: Upon account withdrawal or when the retention period arrives, records are automatically anonymized and deleted by an automated trigger.
- Destruction method: Electronic files are permanently deleted in a manner that makes recovery impossible. Backup copies are automatically purged after a set retention period.
8. Security Measures
The Operator implements the following administrative, technical, and physical measures pursuant to Article 29 of PIPA and Article 30 of its Enforcement Decree. These measures are implemented on a single-operator SaaS infrastructure (Vercel · Supabase).
8.1 Administrative Measures
- This policy serves as the internal management plan and is reviewed and updated quarterly.
- Access to the admin console is restricted to a single responsible person (the Operator), and the Operator's personal email is kept separate from the publicly disclosed contact email.
- Member and admin permissions are separated by a database column (role), and permission changes are recorded as auditable SQL change history.
- Major operational decisions and changes are cumulatively recorded in the change log of this policy.
8.2 Technical Measures
- Encryption in transit — HTTPS (TLS 1.2 or higher) is enforced for all pages and API calls; HTTP requests are automatically redirected.
- One-way password hashing — Supabase Auth stores passwords using bcrypt; plaintext passwords are never stored anywhere.
- Row-level access control (RLS) — Postgres Row Level Security policies are applied to all member, post, comment, and profile tables to block access to data other than one's own.
- SECURITY DEFINER function boundaries — Operations requiring elevated privileges (e.g., view count increments, withdrawal anonymization) are exposed only through explicit PostgreSQL functions with a fixed search_path.
- PKCE-based OAuth — Google sign-in uses the PKCE flow to reduce token-hijacking risks, and sessions are stored as HttpOnly cookies.
- Principle of least privilege — Three roles (anonymous, authenticated, admin) are separated; anonymous keys are granted only to the scope safe for client-side exposure. Service keys are confined to environment variables.
- Access log retention — Authentication and admin operation logs are retained for one year, and the Operator is alerted upon abnormal access.
- Dependency and security updates — Core dependencies (Next.js, React, Supabase SDK) are kept at the latest stable version, and security patches are applied with priority over unrelated work.
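The following PostgreSQL snippet is an added illustration of how the row-level access control, SECURITY DEFINER boundary, and scheduled anonymization described in Sections 3, 7 and 8.2 can be expressed; it is not Dapanda's actual schema or policy code. Table, column and function names (`profiles`, `posts`, `increment_view_count`, `anonymize_inactive_members`) are assumed for the example; `auth.uid()` is Supabase's helper that returns the calling user's id from the JWT, and the `pg_cron` schedule at the end assumes that extension is available.

```sql
-- Added example (assumed schema, not the Operator's production code).

-- One profile row per member, keyed by the Supabase auth user id (assumed).
create table public.profiles (
  id            uuid primary key,
  display_name  text not null,
  bio           text,
  avatar_url    text,
  role          text not null default 'member' check (role in ('member', 'admin')),
  last_login_at timestamptz not null default now()
);

create table public.posts (
  id         bigserial primary key,
  author_id  uuid not null references public.profiles(id),
  body       text not null,
  view_count bigint not null default 0
);

-- Row Level Security: once enabled, a row is invisible unless a policy allows it.
alter table public.profiles enable row level security;
alter table public.posts    enable row level security;

-- Members see and edit only their own profile row.
create policy profiles_select_own on public.profiles
  for select to authenticated using (id = auth.uid());
create policy profiles_update_own on public.profiles
  for update to authenticated using (id = auth.uid()) with check (id = auth.uid());

-- Column-level grants keep the role column out of reach of ordinary members,
-- so a member cannot promote themselves even though they may update their row.
grant select on public.profiles to authenticated;
grant update (display_name, bio, avatar_url) on public.profiles to authenticated;

-- Posts are public to read; only the author may change their own post.
create policy posts_select_all on public.posts
  for select to anon, authenticated using (true);
create policy posts_update_own on public.posts
  for update to authenticated using (author_id = auth.uid()) with check (author_id = auth.uid());
grant select on public.posts to anon, authenticated;
grant update on public.posts to authenticated;

-- SECURITY DEFINER boundary: readers have no UPDATE right on posts, so the view
-- counter is incremented only through this function. The fixed search_path
-- prevents a caller from shadowing objects via their own schema.
create or replace function public.increment_view_count(p_post_id bigint)
returns void
language sql
security definer
set search_path = public, pg_temp
as $$
  update public.posts set view_count = view_count + 1 where id = p_post_id;
$$;
revoke all on function public.increment_view_count(bigint) from public;
grant execute on function public.increment_view_count(bigint) to anon, authenticated;

-- Automatic anonymization (Section 3): members with no login for one year get the
-- display name "Withdrawn Member" and lose bio and profile image. Not client-callable.
create or replace function public.anonymize_inactive_members()
returns integer
language plpgsql
security definer
set search_path = public, pg_temp
as $$
declare
  affected integer;
begin
  update public.profiles
     set display_name = 'Withdrawn Member',
         bio          = null,
         avatar_url   = null
   where last_login_at < now() - interval '1 year'
     and display_name <> 'Withdrawn Member';
  get diagnostics affected = row_count;
  return affected;   -- number of accounts anonymized in this run
end;
$$;
revoke all on function public.anonymize_inactive_members() from public;

-- Run once daily at 03:00 KST, which is 18:00 UTC on the previous day (KST has no DST).
select cron.schedule('anonymize-inactive-members', '0 18 * * *',
                     $$select public.anonymize_inactive_members()$$);
```

The two functions are the only write paths an untrusted client or a scheduler gets to the counter and the anonymization routine; everything else is governed by the RLS policies and the column-level grants, which is what keeps the anonymous and authenticated roles within the least-privilege scope described above.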
8.3 Physical Measures
- The Operator does not operate its own data center or servers. All data is stored in certified facilities of the sub-processors (Supabase · Vercel).
- The Operator's personal devices used for administrative work have disk encryption (FileVault/BitLocker) and screen lock activated at all times.
8.4 Incident Response Procedures
- The Operator or the relevant sub-processor immediately investigates the scope of impact upon becoming aware of a breach.
- If a serious breach is confirmed, data subjects will be notified without delay, and the incident will be reported to the Korea Internet & Security Agency and relevant authorities pursuant to Article 34 of PIPA.
- Analysis of the cause and preventive measures will be documented in the change log of this policy and disclosed to affected members through the same channel.
9. Cookies — Operation and Opt-Out
The Operator uses cookies to maintain authenticated sessions and analyze service usage.
- Essential cookies: Login session, CSRF protection — the service cannot function without these
- Analytics cookies (planned): anonymous usage statistics — can be blocked in browser settings
To block cookies: browser settings → Privacy and security → Cookies → Block all cookies or block by site.
10. Privacy Officer
The Operator has designated a Privacy Officer responsible for overseeing all personal information processing activities.
| Officer | The Operator (sole operator) |
|---|---|
| Contact | club.dapanda@gmail.com |
11. Remedies for Rights Violations
Data subjects may apply for dispute resolution or counseling at the institutions below to seek relief for personal information infringements.
- Personal Information Dispute Mediation Committee — +82-1833-6972, www.kopico.go.kr
- Personal Information Infringement Report Center — 118, privacy.kisa.or.kr
- Supreme Prosecutors' Office Cyber Investigation Division — 1301, www.spo.go.kr
- National Police Agency Cyber Investigation Bureau — 182, ecrm.police.go.kr
12. Change History
| Effective Date | Version | Summary of Changes |
|---|---|---|
| 2026-05-12 | v1.0 | Initial adoption (Phase 1: membership, posts, and comments) |
| 2026-05-13 | v1.1 | Section 8 expanded into four categories — administrative, technical, physical, and incident response (per Enforcement Decree §30). No change to data subject rights. |
| 2026-05-13 | v1.2 | Section 3 — documented the scheduled time (KST 03:00), frequency (once daily), and items covered by the automatic anonymization process for members inactive for one year. Formalized the PIPA-002 auto-destruction mechanism. |
