Privacy Policy
Effective Date: February 25, 2026
Doki (hereinafter referred to as the "Company") establishes and discloses this Privacy Policy in accordance with Article 30 of the Personal Information Protection Act to protect the personal information of data subjects and to handle related grievances promptly and smoothly.
Article 1 (Items Collected and Purposes of Collection)
The Company collects the minimum personal information necessary for the following purposes.
| Items Collected | Purpose of Collection |
|---|---|
| Email, name, profile image | User identification, account management, service provision |
| Date of birth | Age verification (for paid services) |
| Payment information (order history) | Payment processing, purchase history management, refund processing |
| Conversation content | AI response generation, service quality improvement |
| Service usage records, access logs | Service improvement, prevention of fraudulent use |
Article 2 (Methods of Collection)
- Collected with user consent during registration via Google OAuth
- Automatically generated and collected during service use
- Directly entered by the user during age verification
Article 3 (Purposes of Use of Personal Information)
- Member management: User identification, identity verification, age verification, confirmation of intent to register
- Service provision: AI interactive story and persona chat service provision, content generation
- Payment processing: Chat credit purchase payments, purchase history management
- Customer support: Complaint resolution, delivery of notices
- Service improvement: Service usage statistical analysis, new service development
Article 4 (Provision of Personal Information to Third Parties)
The Company does not, in principle, provide users' personal information to third parties. However, personal information may be provided to third parties in the following cases for service provision.
| Recipient | Items Provided | Purpose of Provision |
|---|---|---|
| OpenAI (United States) | Conversation content | Data processing for AI response generation |
| Toss Payments | Payment information | Payment processing |
* OpenAI is a company based in the United States. Users' conversation content is transferred overseas for AI response generation (Articles 17 and 28-8 of the Personal Information Protection Act).
Article 5 (Entrustment of Personal Information Processing)
The Company entrusts personal information processing as follows for service provision.
| Entrusted Company | Entrusted Tasks |
|---|---|
| OpenAI | AI-based content generation (conversation processing) |
| Vercel | Service hosting and infrastructure operation |
| Supabase | Database hosting |
Article 6 (Retention and Destruction of Personal Information)
The Company destroys personal information without delay once the purpose of collection and use has been achieved. However, where retention is required under applicable laws, the information is retained as follows.
| Retained Items | Retention Period | Legal Basis |
|---|---|---|
| Account information | Until account deletion | Purpose of service provision |
| Payment and transaction records | 5 years | Article 6 of the Enforcement Decree of the Act on Consumer Protection in Electronic Commerce |
| Consumer complaint or dispute resolution records | 3 years | Article 6 of the Enforcement Decree of the Act on Consumer Protection in Electronic Commerce |
| Access logs | 3 months | Article 15-2 of the Protection of Communications Secrets Act |
| Conversation content | Duration of service use | Purpose of service provision |
Article 7 (Rights of Users and Methods of Exercise)
- Users may request access to, correction of, deletion of, or suspension of processing of their personal information at any time.
- The above rights may be exercised by contacting the Company via email (contact@doki-world.xyz), and the Company will take action without delay.
- If a user requests correction of errors in their personal information, the Company will not use the relevant personal information until the correction is completed.
- Users may withdraw their consent to the collection and use of personal information. However, withdrawal of consent may result in restrictions on service use.
Article 8 (Cookies and Automatic Collection Devices)
- The Company uses session cookies (NextAuth JWT) for user authentication.
- These cookies are used solely for maintaining login status and are not used for marketing or behavioral tracking purposes.
- Users may refuse the storage of cookies through their browser settings. However, doing so may limit the use of services that require login.
Article 9 (Measures to Ensure the Security of Personal Information)
The Company takes the following measures to ensure the security of personal information.
- Encryption of personal information: Important information such as passwords is encrypted for storage and management.
- Access control: Access to personal information is restricted to the minimum number of personnel necessary.
- Security programs: Security systems are operated to protect against hacking and other threats.
- Communication encryption: Encrypted communication such as HTTPS is used when transmitting personal information over networks.
Article 10 (Privacy Officer)
The Company designates a Privacy Officer as follows to oversee all matters related to personal information processing and to handle complaints and remedies for data subjects regarding personal information.
- Name: Seo Jung-lin
- Title: CEO
- Email: contact@doki-world.xyz
Article 11 (Remedies for Infringement of Rights)
Users may apply for dispute resolution or consultation with the following organizations to seek remedies for personal information infringement.
- Personal Information Dispute Mediation Committee: 1833-6972 (www.kopico.go.kr)
- Personal Information Infringement Report Center: 118 (privacy.kisa.or.kr)
- Supreme Prosecutors' Office Cyber Investigation Division: 1301 (www.spo.go.kr)
- National Police Agency Cyber Investigation Bureau: 182 (ecrm.cyber.go.kr)
Article 12 (Changes to the Privacy Policy)
- This Privacy Policy may be amended by additions, deletions, or modifications in accordance with changes in laws, policies, or security technologies.
- Changes will be announced through in-service notices at least 7 days prior to the effective date.
This Privacy Policy is effective from February 25, 2026.