LEEDLAB (the "Company") lawfully processes and securely manages personal information in providing the MonkMate Service in order to protect the freedom and rights of data subjects. The Company discloses the following procedures and standards for personal information processing under Article 30 of the Personal Information Protection Act of the Republic of Korea.
- Effective date: June 10, 2026
- Last updated: June 10, 2026
Table of Contents
- Purpose of Processing, Collected Items, and Retention Period
- Provision of Personal Information to Third Parties
- Entrustment of Personal Information Processing
- Overseas Transfer of Personal Information
- Destruction Procedure and Method
- Rights and Obligations of Data Subjects and How to Exercise Them
- Measures to Ensure Safety of Personal Information
- Installation, Operation, and Refusal of Automatic Collection Tools
- Collection, Use, and Refusal of Behavioral Information
- Privacy Officer and Access Requests
- Remedies for Infringement of Rights
- Changes to This Privacy Policy
1. Purpose of Processing, Collected Items, and Retention Period
The Company collects and uses the minimum personal information necessary to provide the Service.
| Category | Purpose of processing | Personal information items | Processing and retention period | Legal basis |
|---|---|---|---|---|
| Membership registration and account management | Member identification and authentication, account creation and maintenance, prevention of unauthorized use, management of terms confirmation history | Social login provider (Google/Apple/GitHub), social provider identifier, email address, name or display name, profile image, account creation date, account status | Until membership withdrawal. Separate retention periods apply when required by law | Personal Information Protection Act Article 15(1)4 (contract formation and performance), Article 22(1) (consent) |
| Guest session provision | Limited use without an account, guest session recovery on the same device, prevention of unauthorized use | Guest identifier, device registration information, last access time | Until guest session deletion, app data deletion, or deletion of related information | Personal Information Protection Act Article 15(1)4 |
| Device registration and use limit management | macOS device identification, device count limits, duplicate registration prevention, license and session maintenance | HMAC-hashed machine identifier, macOS platform information, app version, first access time, last access time | Until membership withdrawal or guest information deletion. If response to unauthorized use is required, until related dispute resolution | Personal Information Protection Act Article 15(1)4 |
| Authentication, security, and operations | Maintaining login sessions, issuing, verifying, and rotating tokens, handling account-link conflicts, access control, security checks, failure response | Access token, refresh token hash, session ID, pending link token hash, authentication provider, token expiry, revocation and replacement information, request metadata | Refresh token: until expiry or revocation. Pending link token: until expiry or completion of use. Security logs: until purpose is achieved or for the retention period required by law | Personal Information Protection Act Article 15(1)4 |
| Blocked targets and focus sessions | App blocking, website blocking, session start, maintenance, expiration, repeat routine storage, session recovery | Blocked app name, bundle identifier, app path, running state, app icon data, website domain, subdomain setting, website title, favicon URL, session name, session start and end time, session duration, helper state, onboarding completion state | Mainly stored on the User's macOS device until the User deletes it or deletes app data | Personal Information Protection Act Article 15(1)4 |
| macOS helper and blocking maintenance | Installing and checking administrator-permission helper, website blocking based on hosts and Packet Filter, app termination detection, expiration cleanup | Helper installation state, helper path, helper version, LaunchDaemon state, blocking session state, blocked domains, blocking event identifier, whether system blocking settings are applied | Mainly stored on the User's macOS device until session expiration or User deletion | Personal Information Protection Act Article 15(1)4 |
| Payment and Paid Service provision | Monthly and yearly recurring payment, perpetual license, payment confirmation, refund, tax and accounting processing, customer support | Payment account identifier, payment product, payment amount, payment date, payment status, refund request and processing information, transaction identifier provided by the payment processor | Records on contract or withdrawal of subscription: 5 years. Records on payment and supply of goods or services: 5 years. Records on consumer complaints or dispute handling: 3 years | Personal Information Protection Act Article 15(1)4, Electronic Commerce Act |
| Customer inquiries and notices | Receiving inquiries, identity confirmation, providing replies, notices about policy changes, failures, payment, and security | Email address, inquiry content, attachments, reply history, processing status | 3 years after inquiry completion or until dispute resolution | Personal Information Protection Act Article 15(1)4 |
| Error tracking and service stabilization | Detecting server errors, analyzing failures, checking security events, improving service quality | Error logs, request path, runtime environment, browser or device information, IP address, user or guest identifier to the extent necessary for operations | Until purpose is achieved or for the period under processor policy | Personal Information Protection Act Article 15(1)4 |
If a processing purpose changes, the Company will take necessary measures under Article 18 of the Personal Information Protection Act.
However, the following records are retained under applicable laws.
- Telecommunications Secrets Protection Act: communication confirmation data such as website visit records (3 months)
- Electronic Commerce Act: records on contract or withdrawal of subscription (5 years)
- Electronic Commerce Act: records on payment and supply of goods or services (5 years)
- Electronic Commerce Act: records on consumer complaints or dispute handling (3 years)
- Electronic Commerce Act: records on labeling and advertising (6 months)
Membership Withdrawal and Long-Term Inactivity Policy
- When membership withdrawal is requested, account use is immediately blocked.
- After withdrawal, identifying information such as profiles, login integration information, device registration information, and tokens is deleted or anonymized.
- Records required to be retained by law for payment, refund, customer inquiry, unauthorized use response, or similar purposes may be separately retained for the relevant period.
- Blocked targets, sessions, helper state, and Keychain authentication information stored on the User's macOS device may need to be deleted through app deletion, app data deletion, or functions provided by the Service.
- The Company does not automatically classify long-term inactive accounts as dormant unless required by law. If a separate operating policy is needed, the Company will provide prior notice before applying it.
Sensitive Information, Pseudonymized Information, Automated Decisions, and Video Devices
- Sensitive information: The Company generally does not collect or process sensitive information.
- Pseudonymized information: The Company does not separately create or process pseudonymized information.
- Automated decisions: The Company does not operate automated decisions that have legal effect on data subjects or a similarly significant effect.
- Fixed or mobile video devices: The Company does not directly operate fixed or mobile video processing devices to provide the Service.
2. Provision of Personal Information to Third Parties
The Company generally does not provide personal information of data subjects to external parties. However, the Company may provide minimum information when the data subject consents or when there is a legal basis.
| Recipient | Purpose of provision | Items provided | Retention and use period | Legal basis |
|---|---|---|---|---|
| Google LLC | Google account-based login authentication | Identification information, email address, and profile information necessary for social authentication | After authentication processing, according to each provider's policy and applicable laws | Personal Information Protection Act Article 15(1)4, Article 17(1)1 (consent) |
| Apple Inc. | Apple account-based login authentication | Identification information, email address, and profile information necessary for social authentication | After authentication processing, according to each provider's policy and applicable laws | Personal Information Protection Act Article 15(1)4, Article 17(1)1 (consent) |
| GitHub, Inc. | GitHub account-based login authentication | Identification information, email address, and profile information necessary for social authentication | After authentication processing, according to each provider's policy and applicable laws | Personal Information Protection Act Article 15(1)4, Article 17(1)1 (consent) |
| Payment processor | Paid Service payment, cancellation, refund, receipt processing | Transaction identifier necessary for payment, payment product, payment amount, payment status | According to payment processor policy and applicable laws | Personal Information Protection Act Article 15(1)4, Electronic Commerce Act |
The Company may provide personal information without consent within the scope set by Articles 17 and 18 of the Personal Information Protection Act, including cases where urgent protection of life, body, or property interests is necessary under law.
3. Entrustment of Personal Information Processing
The Company may entrust personal information processing work as follows for smooth Service operation.
| Processor | Entrusted work | Sub-processing |
|---|---|---|
| SmileServe Co., Ltd. | Server operation and database operation | None |
| Amazon Web Services, Inc. | Operation of static file storage and delivery infrastructure for the marketing website | According to processor policy |
| GitHub, Inc. | App update distribution, release file provision, source repository and deployment workflow operation | According to processor policy |
| Google LLC | Google login integration | According to processor policy |
| Apple Inc. | Apple login integration | None |
| GitHub, Inc. | GitHub login integration | According to processor policy |
| Functional Software, Inc. (Sentry) | Error tracking and failure analysis when SENTRY_DSN is configured |
According to processor policy |
| Payment processor | Paid Service payment, cancellation, refund, receipt processing | According to processor policy |
When entering into an entrustment contract, the Company fulfills its management and supervision obligations for processors under Article 26 of the Personal Information Protection Act.
4. Overseas Transfer of Personal Information
The Company may transfer personal information overseas, including provision, entrusted processing, and storage, during Service provision. The Company provides the following information under Article 28-8 of the Personal Information Protection Act.
| Legal basis for overseas transfer | Transferred items | Country/address | Timing and method | Recipient/contact | Purpose | Retention and use period | Refusal method and effect |
|---|---|---|---|---|---|---|---|
| Personal Information Protection Act Article 28-8(1)1 (consent), Article 28-8(1)3 (overseas entrusted processing or storage for contract performance) | Google login identifier, email address, profile information | United States and other countries where Google services operate | When using Google login, through TLS encrypted communication | Google LLC (https://policies.google.com/privacy) | Google account-based login authentication | Until authentication processing is completed or membership withdrawal, depending on function | Request available through admin@monkmate.pro; however, Google login use may be restricted |
| Personal Information Protection Act Article 28-8(1)1 (consent), Article 28-8(1)3 | Apple login identifier, email address, and similar information | United States and other countries where Apple services operate | When using Apple login, through TLS encrypted communication | Apple Inc. (https://www.apple.com/legal/privacy) | Apple account-based login authentication | Until authentication processing is completed or membership withdrawal, depending on function | Request available through admin@monkmate.pro; however, Apple login use may be restricted |
| Personal Information Protection Act Article 28-8(1)1 (consent), Article 28-8(1)3 | GitHub login identifier, email address, profile information | United States and other countries where GitHub services operate | When using GitHub login, through TLS encrypted communication | GitHub, Inc. (https://docs.github.com/privacy) | GitHub account-based login authentication | Until authentication processing is completed or membership withdrawal, depending on function | Request available through admin@monkmate.pro; however, GitHub login use may be restricted |
| Personal Information Protection Act Article 28-8(1)3 | Error logs, request path, runtime environment, browser or device information, user or guest identifier to the extent necessary for operations | United States (service infrastructure) | When an error occurs or when using the Service, through TLS encrypted communication | Functional Software, Inc. (Sentry) (https://sentry.io) | Error tracking, failure analysis, service stabilization when SENTRY_DSN is configured |
Until purpose is achieved or for the period under processor policy | Request available through admin@monkmate.pro; however, failure analysis and stability quality may be reduced |
| Personal Information Protection Act Article 28-8(1)3 | App update request information, release file request information, browser or device information, IP address | United States and other countries where GitHub services operate | When checking app updates or downloading release files, through TLS encrypted communication | GitHub, Inc. (https://docs.github.com/privacy) | App update distribution and release file provision | Until purpose is achieved or for the period under processor policy | Request available through admin@monkmate.pro; however, app update checks and downloads may be restricted |
5. Destruction Procedure and Method
The Company destroys personal information without delay when the retention period expires or the processing purpose is achieved and the personal information is no longer necessary.
- Destruction procedure: select information subject to destruction when a destruction ground occurs, then destroy it after internal approval
- Destruction method for electronic files: delete by a technical method that makes recovery impossible
- Destruction method for printed materials: shred or incinerate
If retention is required under another law, the Company separately stores the information and destroys it when the statutory period ends.
Upon membership withdrawal, the Company blocks account use and deletes or anonymizes identifying information. However, some records may be retained for the period required by applicable laws or operations for payment, refund, customer inquiry, unauthorized use response, integrity maintenance, and history management.
Local data stored on the User's macOS device may not be automatically deleted by server-side withdrawal processing. The User may delete local data by deleting the app, deleting app data, deleting Keychain items, or using deletion functions provided by the Service.
6. Rights and Obligations of Data Subjects and How to Exercise Them
Data subjects may exercise the following rights against the Company at any time.
- Request access to personal information
- Request correction or deletion of personal information
- Request suspension of personal information processing
- Withdraw consent
Rights may be exercised through admin@monkmate.pro, and the Company will take action without delay under applicable laws.
However, some rights may be restricted by law. Also, local data stored only on the User's macOS device may be difficult for the Company to access or delete directly, so the Company may guide the User on how to delete it directly.
7. Measures to Ensure Safety of Personal Information
The Company implements the following measures to protect personal information.
- Administrative measures: establishing and operating internal management plans, minimizing access rights, regular checks
- Technical measures: transmission encryption (HTTPS/TLS), authentication token lifetime and rotation policy, HMAC processing of device identifiers, access control, security updates
- Operational measures: log monitoring, abnormal activity detection, failure response system operation
- Local protection measures: storing refresh token in macOS Keychain, storing blocked targets and session information on the User's device, checking helper permission state
8. Installation, Operation, and Refusal of Automatic Collection Tools
The Company may use cookies or similar technologies during Service provision.
- Marketing site (
monkmate.pro) purpose: language-specific page provision, static website provision, visitor request processing - Marketing site items: IP address, browser and device information, access logs, request path, and other web server or CDN operation logs
- Service API purpose: login state maintenance, security session management, authentication token verification, prevention of unauthorized use
- Service API items: access token in Authorization header, refresh token, request path, IP address, browser and device information, access logs
- macOS app purpose: maintaining login, saving blocked targets, recovering sessions, saving onboarding state, checking helper state
- macOS app items: refresh token in macOS Keychain, blocked targets, sessions, onboarding state, notification state in UserDefaults, helper state, app version, device identifier hash
- Refusal method: block or delete cookies in browser settings, log out of the app, delete app data, delete Keychain items, change macOS permission settings
- Effect of refusal: some functions may be restricted, including login maintenance, session recovery, blocked target storage, payment confirmation, and helper-based blocking maintenance
Cookie setting methods for each browser can be checked through guidance pages provided by each browser provider.
9. Collection, Use, and Refusal of Behavioral Information
The Company currently does not separately collect or use behavioral information for personalized advertising in the MonkMate Service.
However, access logs, error logs, request paths, runtime environments, browser or device information may be processed for service stabilization, security, and failure response. This information is used for Service provision and quality improvement, not for advertising.
If the Company later introduces personalized advertising or a separate behavioral information analytics tool, it will provide prior notice of processing purpose, collected items, retention period, and refusal method under applicable laws.
10. Privacy Officer and Access Requests
The Company operates the following contact channel to oversee personal information processing and handle inquiries from data subjects.
| Category | Person in charge | Contact |
|---|---|---|
| Privacy Officer | Lee Dongjoo (Representative) | admin@monkmate.pro |
| Personal information access request desk | Privacy Officer | admin@monkmate.pro |
11. Remedies for Infringement of Rights
Data subjects may contact the following institutions for reports or consultation on personal information infringement.
- Personal Information Dispute Mediation Committee: 1833-6972, https://www.kopico.go.kr
- Privacy Infringement Report Center: 118, https://privacy.kisa.or.kr
- Supreme Prosecutors' Office: 1301, https://www.spo.go.kr
- Korean National Police Agency: 182, https://ecrm.cyber.go.kr
- Central Administrative Appeals Commission: 110, https://www.simpan.go.kr
12. Changes to This Privacy Policy
This Privacy Policy applies from June 10, 2026.
If access to a previous version is needed, a request may be submitted to admin@monkmate.pro.