Effective: 2026-04-23 · Applies to users in EU, EEA, Switzerland, United Kingdom.
This page supplements our Master Privacy Policy
and Terms of Service with GDPR-specific
disclosures required for users located in the European Economic Area,
Switzerland, and the United Kingdom.
1. Data Controller
Hanlimworld (Korean legal entity, based in Seoul,
Republic of Korea) is the Data Controller of personal data collected
through the Hanlimworld mobile application.
Data Protection Officer (DPO): as Hanlimworld currently processes
personal data at a scale below the GDPR Article 37(1) mandatory DPO
threshold, a DPO is not formally designated. The role is fulfilled by
the Privacy Team. Users may contact the team at the email above.
2. Legal Bases for Processing (GDPR Art. 6)
Purpose
Legal basis
Account creation, authentication, service delivery
Device permissions used: Camera, Microphone, Photo Library (each only when invoked by the user).
We do not process special categories of data (Art. 9)
such as biometric data intended to uniquely identify a person, health
data, racial/ethnic origin, political opinions, religion, sexual life.
Pose keypoint extraction is used solely for scoring, not for identification.
4. Data Subject Rights (GDPR Art. 15–22, 7(3))
You may exercise the following rights free of charge at any time:
Access (Art. 15) — obtain a copy of your personal data.
Rectification (Art. 16) — correct inaccurate data via in-app Settings.
Erasure / "Right to be forgotten" (Art. 17) — in-app "Settings → Account → Delete account", or email request.
Restriction of processing (Art. 18).
Data portability (Art. 20) — receive your data in a structured, machine-readable format (JSON).
Object to processing (Art. 21) — particularly for legitimate interest purposes.
Withdraw consent (Art. 7(3)) — where processing is based on consent, without affecting prior lawful processing.
Not to be subject to automated decision-making (Art. 22) — we do not make automated decisions producing legal or similarly significant effects. AI scores are advisory only.
Lodge a complaint with your national Data Protection Authority. For a list, see EDPB member authorities.
Requests submitted to privacy@hanlimworld.com
are acknowledged within 72 hours and resolved within 30 days
(extendable by 60 days for complex cases, with notice).
5. International Data Transfers
Your data may be processed outside the EEA/UK, primarily in the
Republic of Korea (headquarters), the United States
(Google Cloud, Supabase), and Singapore (Google Cloud Run).
Transfers are safeguarded by:
Standard Contractual Clauses (EU Commission 2021/914) with sub-processors.
Vendor-provided additional safeguards: encryption in transit (TLS 1.2+) and at rest (AES-256).
Assessment of destination country laws under the Schrems II framework.
6. Retention
Account data: retained until account deletion, plus 30 days for system backup purge.
Uploaded videos: deleted within 7 days of analysis completion (except where retained at user's explicit request).
Server logs: 90 days maximum.
Aggregated, fully anonymized statistics: retained indefinitely (not personal data).
7. Sub-processors
Sub-processor | Purpose | Location
Supabase Inc. | DB, Auth, Storage | USA (AWS ap-northeast-2 for primary data)
Google Cloud Platform | AI analysis (MediaPipe BlazePose) | asia-southeast1 (Singapore)
Google LLC | OAuth 2.0 authentication | Global
8. Cookies & Tracking
The mobile app does not use third-party advertising
identifiers or cross-site tracking technologies.
Session tokens (JWT) and local preferences are stored on the device for
service functionality only (strictly necessary — no cookie banner
required for mobile per the ePrivacy Directive).
9. UK-specific Notes
For users in the United Kingdom, references to GDPR should be read as
the UK GDPR and Data Protection Act 2018. The UK Information
Commissioner's Office (ICO) is the supervisory authority:
ico.org.uk.
10. Terms of Service — Regional Provisions
The Master Terms apply. The following
provisions apply specifically to EU/EEA/UK consumers:
Right of withdrawal: Under EU Directive 2011/83/EU,
consumers have a 14-day withdrawal right for digital contracts. Since
the service is provided free of charge and no paid purchase is made
via the app, this right is typically not triggered.
Statutory warranty: Your statutory consumer rights
under EU law are not limited by these Terms.
Governing law: Notwithstanding the Master Terms,
EU consumers retain the protection of mandatory provisions of the law
of their country of residence.