Leaper Privacy Policy

English version for App Store publication and international service operation · v2.0

Item Details
Document name Leaper Privacy Policy
Document version v2.0 - Based on the Korean privacy policy enactment template
Controller Heritage Inc. (Korean corporate name: 주식회사 헤리티지) - Business registration no. 208-87-03941
Representative Jimin Jang
Service Leaper iOS application, related webpages, customer support, account, payment, and security operation services
Effective date June 20, 2026
Last updated June 20, 2026
Privacy/Security contact [email protected] - +82-10-8425-7201
Address 501, Daejin Village A-dong, 51, Paldal-ro 165beon-gil, Paldal-gu, Suwon-si, Gyeonggi-do, Republic of Korea

Key summary

The Company respects the freedoms and rights of data subjects and complies with the Personal Information Protection Act and other applicable laws. The Company lawfully processes personal information and manages it securely. In accordance with Article 30 of the Personal Information Protection Act, the Company establishes and publishes this Privacy Policy to inform data subjects of the procedures and standards for personal information processing and to handle privacy-related complaints promptly and smoothly.

This Policy applies to the Leaper iOS app, related webpages, customer support channels, account/payment/security operations, and reviewer/contribution features that may be provided in the future. If the actual production build, SDKs, servers, processors, or international transfer structure changes, this Policy will be updated without delay.

This English version is provided for App Store publication and international users. If there is any inconsistency between this English version and the Korean version, the Korean version will prevail to the extent permitted by applicable law.

1. Categories of personal information processed, purposes of collection and use, and retention periods

The Company collects and uses personal information only to the minimum extent necessary to provide the Service. Personal information necessary for contract formation and performance may be processed without separate consent where permitted by applicable law. Optional functions, marketing, personalized advertising, and other items requiring separate consent are processed only within the scope of the relevant consent.

1) Personal information processed without separate consent

Category Purpose of collection and use Personal information processed Retention and use period Legal basis
Service contract formation and performance Provision of basic app use and user settings Selected subjects linked to the device or account, learning level, language/font/notification/app settings, last learning position, app version information During the period of service use. Deleted within 30 days after membership withdrawal or account deletion, unless statutory retention or dispute response requires longer retention. Article 15(1)4 of the Personal Information Protection Act (contract formation and performance)
Service contract formation and performance Provision of learning services and review functions Question-answer history, correctness data, progress rate, streaks, bookmarks, Wrong Notebook, Concept Recap, seals/titles/reward status, selected subjects/tracks/plan entitlements Until the user deletes the data or within 30 days after account withdrawal. Local records stored on the device may be deleted when the app is deleted. Article 15(1)4 of the Personal Information Protection Act
Service contract formation and performance Account creation, sign-in, recovery, and cross-device synchronization, where available Email address, sign-in provider identifier, display name, profile image URL (optional), account status, authentication result values rather than authentication tokens themselves Within 30 days after account withdrawal. Records related to abuse, disputes, or security incidents may be retained for the period necessary for the relevant purpose. Article 15(1)4 of the Personal Information Protection Act
Service contract performance and e-commerce Subscription, in-app purchase, and plan entitlement verification Apple transaction identifier, StoreKit receipt/validation result, product/plan name, subscription status, expiration date, refund/cancellation/renewal status, entitlement information. The Company generally does not collect card numbers, bank account numbers, or other detailed payment instrument data. For the statutory period under the Act on Consumer Protection in Electronic Commerce, etc., or until related disputes are resolved. Article 15(1)4 of the Personal Information Protection Act, the Act on Consumer Protection in Electronic Commerce, etc.
Service stability and security operations Detection of abnormal access, error analysis, prevention of and response to security incidents IP address, access time, device model, OS version, app version, language/country settings, advertising or app instance identifier if used, crash/error logs, access success/failure records, security event logs Ordinarily within 12 months. If needed for security incidents, disputes, or investigations, for the relevant period. Logs subject to the Protection of Communications Secrets Act may be retained for 3 months. Article 15(1)4 and Article 29 of the Personal Information Protection Act, the Protection of Communications Secrets Act, etc.

2) Personal information processed with the data subject's consent

Category Purpose of collection and use Personal information processed Retention and use period Legal basis
Customer support and rights requests Receiving and responding to inquiries, handling outages, refunds, and privacy rights requests Name or nickname, email address, inquiry details, attachments, response history, information necessary to verify a rights request 3 years after closure of the inquiry. If a dispute remains pending, until the dispute is resolved. Article 15(1)1 of the Personal Information Protection Act (consent) or Article 15(1)4
Content suggestion and reviewer/contribution features, if provided Review of proposed questions and explanations, quality control, abuse prevention, dispute response Submitted questions, explanations, attachments, reviewer comments, approval/rejection history, timestamps, author account information 3 years after withdrawal of the submission or account deletion. If a dispute remains pending, until the dispute is resolved. Article 15(1)1 of the Personal Information Protection Act
Personalized advertising and behavioral information, including free-plan advertising Advertising delivery, ad frequency control, prevention of fraudulent ad traffic, ad performance measurement Mobile advertising/device identifiers such as IDFA/IDFV, app-use events, ad impression/click/conversion data, device/OS/app information, approximate region/language settings, ATT/consent status Up to 13 months from collection or the period set by the advertising provider policy. Users may restrict tracking or personalized advertising through iOS settings and app settings. Article 15(1)1 of the Personal Information Protection Act, Apple ATT consent and related notices
Push notifications, if used Learning reminders, payment/security/service notices, optional notification delivery APNs token, notification settings, device information, notification delivery/receipt history Until notification opt-out, app deletion, or account deletion. Records of legally required notices may be retained for the necessary period. Article 15(1)1 of the Personal Information Protection Act or contract performance
Marketing and events Event notices, promotions, surveys, community news Email address, nickname, marketing opt-in status, delivery/open/opt-out history Until consent is withdrawn. Delivery records may be retained for the period required by applicable law. Article 15(1)1 of the Personal Information Protection Act

The Company does not, as a general rule, collect resident registration numbers, passport numbers, driver's license numbers, alien registration numbers, or other unique identification information, nor does it collect sensitive information. If a new category of personal information becomes necessary for Service operation, the Company will disclose the item, purpose, and retention period in this Policy or through a separate consent screen before collection.

Leaper does not use question-answer results for automated decisions that produce legal or similarly significant social effects. Learning recommendations, Wrong Notebook, seals/titles, and review-queue configuration are learning support features within the Service. Users may request deletion or correction of related records through settings or customer support.

2. Processing and retention period of personal information

The Company destroys personal information without delay when the processing purpose is achieved or the retention period expires. However, information that must be preserved under applicable law, or information necessary for disputes, abuse prevention, or security-incident response, may be segregated and retained for the minimum period necessary for the relevant purpose.

Record type Applicable law or retention basis Retention period
Records on display and advertisement Act on Consumer Protection in Electronic Commerce, etc. 6 months
Records on contracts or withdrawal of offers Act on Consumer Protection in Electronic Commerce, etc. 5 years
Records on payment and supply of goods or services Act on Consumer Protection in Electronic Commerce, etc. 5 years
Records on consumer complaints or dispute resolution Act on Consumer Protection in Electronic Commerce, etc. 3 years
Logs corresponding to communication confirmation data, such as website visit records Protection of Communications Secrets Act 3 months
Tax transaction and evidence records Framework Act on National Taxes, Value-Added Tax Act, etc. Statutory period

3. Destruction procedures and methods

4. Provision of personal information to third parties

The Company processes personal information only within the scope of the purposes described in this Policy. Except where separate consent has been obtained, a special legal provision applies, or a lawful request is made by investigative or supervisory authorities, the Company does not provide personal information to third parties beyond the cases permitted under Articles 17 and 18 of the Personal Information Protection Act.

Recipient Purpose of provision Items provided Retention and use period
Apple Inc. / Apple Distribution International Ltd. and other Apple App Store operators In-app purchase processing, subscription/refund/receipt verification, app distribution, and App Store account-based services Apple ID and payment information are processed directly by Apple. The Company may receive only information necessary to confirm entitlements, such as transaction identifiers, product IDs, subscription status, and validation results. According to Apple policy and applicable statutory retention periods. Information retained by the Company is kept until the payment or dispute handling purpose is achieved.
Investigative authorities, courts, supervisory authorities, and other competent public bodies Compliance with legal obligations, response to lawful data production requests, rights protection, and security incident investigation Minimum information necessary within the scope of the lawful request For the period required by the relevant law or procedure

5. Criteria for additional use or provision

The Company may additionally use or provide personal information without additional consent within a scope reasonably related to the original collection purpose, in accordance with Article 15(3) and Article 17(4) of the Personal Information Protection Act and Article 14-2 of the Enforcement Decree. In such cases, the Company comprehensively considers the following criteria:

6. Entrustment of personal information processing

For smooth service provision, the Company may entrust certain personal information processing activities or use external SDKs and platforms as follows. SDKs or processors not used in the actual production build must be removed before publication, and this Policy must be updated when new processors are added.

Processor or external service Entrusted function Data processed Management standard
Apple App Store / StoreKit In-app purchase processing, subscription status verification, receipt validation, refund and purchase restoration support Transaction identifier, product ID, subscription status, validation result, payment/refund-related status values According to Apple policy and statutory retention periods. The Company retains its own records until the service purpose is achieved or for the statutory period.
Google AdMob / Google Mobile Ads SDK Free-plan advertising, ad impression/frequency management, fraudulent traffic prevention, ad performance measurement Advertising identifiers (IDFA/IDFV), IP address, device/OS/app information, ad impression/click data, approximate location/language information, ATT/consent status According to Google policy and consent settings. Personalized advertising can be restricted through iOS tracking permission and app/OS settings.
Firebase / Google LLC App stability analysis, crash/error logs, performance/security diagnostics, app configuration management App instance identifier, device/OS/app version, crash/error logs, access/event information According to Google policy and service settings. Unnecessary event collection will be disabled or minimized.
Heritage Inc. (주식회사 헤리티지) Inquiry receipt and response, rights request handling, outage/refund support Email address, name/nickname, inquiry details, attachments, response history 3 years after inquiry closure or until termination of the entrustment contract
Heritage Inc. (주식회사 헤리티지) Hosting of webpages and policy documents, server operation, log storage, backup Access logs and the account, learning, and payment entitlement information necessary for service operation Until termination of the entrustment contract or achievement of the purpose. Statutory retention items are retained for the applicable period.

When entering into an entrustment contract, the Company specifies in writing matters required under Article 26 of the Personal Information Protection Act, including prohibition of processing personal information outside the entrusted purpose, technical and managerial safeguards, restriction on sub-processing, management and supervision of processors, and liability for damages. The Company manages and supervises whether processors handle personal information securely. If a processor sub-processes the entrusted work, the Company requires prior approval or compliance with the procedure permitted under the relevant contract.

7. International transfer of personal information

Leaper may use infrastructure operated by overseas providers in connection with App Store services, advertising, app stability analysis, customer support, and cloud operations. In accordance with applicable law, the Company discloses the recipient, country of transfer, transferred items, time and method of transfer, purpose of use, and retention period.

Recipient Country of transfer Transferred items Purpose Time and method of transfer Retention period and refusal method
Apple Inc. / Apple Distribution International Ltd. United States, Ireland, and other countries where Apple services are operated Transaction identifier, product ID, subscription status, receipt validation result, refund/purchase restoration status values App Store payment, subscription, entitlement verification, and customer support Transferred through the network during service use or payment, or processed directly by Apple According to Apple policy and statutory retention periods. Users who do not wish to use App Store payments may choose not to proceed with paid purchases.
Google LLC / Google Asia Pacific Pte. Ltd. United States, Singapore, and other countries where Google services are operated Advertising identifiers, device/OS/app information, IP address, ad impression/click data, crash/error logs if enabled AdMob advertising delivery and Firebase stability/security diagnostics Transferred through the network when the app runs, an ad is displayed, or an error occurs According to Google policy and consent settings. Users may restrict tracking in iOS settings or withdraw applicable consent in the app.
Discord Inc. United States and other countries where Discord services are operated Discord account information is generally processed directly by Discord. If OAuth is introduced, disclosed items may include Discord ID, nickname, profile information, and community participation status. Community connection, user inquiries, and feedback handling When the user opens an external link or consents to OAuth According to Discord policy. If only a simple external link is provided, the Company does not collect Discord account information.

If a user refuses an international transfer, certain external SDKs, advertising, paid purchase, purchase restoration, or customer support functions may be limited. However, users may withdraw consent for personalized advertising or marketing processing that is not essential to contract performance.

8. Security measures for personal information

The Company implements security measures under Article 29 of the Personal Information Protection Act and its Enforcement Decree. Considering the scope directly applicable to a private mobile app service and the scale of the Service, the Company also refers to relevant managerial and technical control concepts from the National Cybersecurity Basic Guidelines as an internal security benchmark. The National Cybersecurity Basic Guidelines primarily apply to public-sector organizations and similar institutions, but Leaper uses their log, account, server, cloud, and incident-response controls as internal reference points.

Control area Leaper application measure Reference standard
Governance Designation of a privacy officer, minimum-necessary access for personnel handling personal information, recording of access-right grants/changes/revocations, regular security checks and training Article 29 of the Personal Information Protection Act; security governance, cybersecurity officer, training, and inspection concepts referenced from the National Cybersecurity Basic Guidelines
Accounts and privileges Separation of administrator accounts, deletion of unnecessary accounts, lockout or additional authentication after five or more authentication failures, revocation of privileges upon resignation, contract termination, or role change, and multi-factor authentication for administrators Control concepts corresponding to Articles 75 and 76 of the National Cybersecurity Basic Guidelines
Logs and audit Retention of logs including accessor, accessed target, type and time of work, success/failure result, and external transmission information; time synchronization; tamper prevention; detection of unauthorized access; review of security events Control concepts corresponding to Article 55 of the National Cybersecurity Basic Guidelines. Operational logs are ordinarily retained within 1 year or for the period necessary for law or incident response.
Encryption and transmission protection HTTPS/TLS, encryption or equivalent protection for stored information, one-way hashing for passwords where passwords are used, and access restriction for tokens, keys, and receipt validation values Security measures under the Personal Information Protection Act and control concepts corresponding to Article 76 of the National Cybersecurity Basic Guidelines
Servers and public services Restriction of access to public servers, removal of unnecessary accounts/services/ports, vulnerability checks, DDoS and intrusion response, minimization of compilers/development tools in production, and separation of development, test, and production environments Control concepts corresponding to Articles 53, 54, and 27 of the National Cybersecurity Basic Guidelines
Cloud and processors Contractual prohibition of processing outside the entrusted purpose, control of sub-processing, cooperation for incident investigation, management of logs/backups/access rights, and processor security checks Article 26 of the Personal Information Protection Act and cloud/contractor-security control concepts referenced from the National Cybersecurity Basic Guidelines
Incident response Access blocking, root-cause analysis, evidence preservation, impact assessment, reporting/notification to relevant authorities, recurrence-prevention measures, and recordkeeping of remedial actions Personal Information Protection Act breach notification/reporting framework and incident-response concepts corresponding to Articles 140 and 142 of the National Cybersecurity Basic Guidelines

9. Installation, operation, and refusal of automatic personal information collection tools

A mobile app may use device-, app-, or session-based identifiers instead of ordinary web-browser cookies. If the Company operates webpages, it may use cookies or similar technologies for service provision, secure connection verification, statistics, and error analysis.

10. Collection, use, provision, and refusal of behavioral information

The Company may process behavioral information or device/app event information that does not directly identify users for free-plan advertising, service stability improvement, and security-incident prevention. Tracking for personalized advertising is processed only when Apple ATT consent and any legally required consent have been obtained.

Category Collection method Purpose of use Collected items Retention/refusal method
App use and advertising behavioral information Google Mobile Ads SDK, in-app ad impression/click events, OS advertising identifier and consent status Free-plan advertising, ad frequency control, fraudulent traffic prevention, ad performance measurement, service quality improvement IDFA/IDFV, app instance identifier, ad impression/click/conversion information, device/OS/app version, approximate region/language information, IP address Up to 13 months or the period set by Google policy. Personalized advertising can be restricted through iOS Settings > Privacy & Security > Tracking.
App stability and error behavioral information Automatic crash/error event collection when Firebase or a similar stability tool is enabled Outage analysis, app stability improvement, security-incident root-cause analysis Crash time, app state, device/OS/app version, error stack/diagnostic information, app instance identifier Ordinarily within 12 months or the period set by the service provider policy. If needed for incident or dispute response, for the necessary period.

The Company does not collect sensitive behavioral information, such as ideology, beliefs, medical history, sexual life, or political opinions, for advertising purposes. The Company also does not collect behavioral information to provide personalized advertising to children under 14.

11. Rights and obligations of data subjects and legal representatives, and how to exercise them

12. Children's personal information

The Company does not design the Service primarily for children under 14. If the Company processes personal information of children under 14, it will apply additional protective measures required by applicable law, including verification of consent from a legal representative, procedures for the legal representative to exercise rights, and restrictions on personalized advertising.

13. Privacy officer

The Company designates the following privacy officer to oversee personal information processing and handle complaints and remedies for data subjects.

Item Details
Privacy officer Jimin Jang / Representative
Privacy/Security contact [email protected]
Phone +82-10-8425-7201
Address 501, Daejin Village A-dong, 51, Paldal-ro 165beon-gil, Paldal-gu, Suwon-si, Gyeonggi-do, Republic of Korea

14. Remedies for infringement of rights

Data subjects may contact the following institutions for consultation or remedy regarding personal information infringement.

Institution Contact Website
Personal Information Dispute Mediation Committee 1833-6972 (without area code in Korea) www.kopico.go.kr
Personal Information Infringement Report Center 118 (without area code in Korea) privacy.kisa.or.kr
Supreme Prosecutors Office 1301 (without area code in Korea) www.spo.go.kr
Korean National Police Agency Cybercrime Reporting System 182 (without area code in Korea) ecrm.police.go.kr

15. Generative AI and external AI model training

Leaper does not provide users' question-answer records, Wrong Notebook records, inquiry details, or attachments to external generative AI models for training. If the Company later introduces AI-based learning explanations, personalized recommendations, question review, customer support automation, or similar features that process user inputs or learning records through AI, the Company will disclose the processed items, purpose, retention period, whether the data is used for model training, and refusal method in this Policy or a separate notice, and will obtain any required consent.

16. Changes to this Privacy Policy

Appendix

End of Policy.