Leaper Privacy Policy
English version for App Store publication and international service operation · v2.0
| Item | Details |
|---|---|
| Document name | Leaper Privacy Policy |
| Document version | v2.0 - Based on the Korean privacy policy enactment template |
| Controller | Heritage Inc. (Korean corporate name: 주식회사 헤리티지) - Business registration no. 208-87-03941 |
| Representative | Jimin Jang |
| Service | Leaper iOS application, related webpages, customer support, account, payment, and security operation services |
| Effective date | June 20, 2026 |
| Last updated | June 20, 2026 |
| Privacy/Security contact | [email protected] - +82-10-8425-7201 |
| Address | 501, Daejin Village A-dong, 51, Paldal-ro 165beon-gil, Paldal-gu, Suwon-si, Gyeonggi-do, Republic of Korea |
Key summary
- Leaper processes only the minimum personal information necessary for learning services, plan entitlements, in-app purchase verification, customer support, and security response.
- Detailed payment instrument information, such as card numbers or bank account numbers, is generally processed directly by Apple or other payment providers. The Company receives only transaction identifiers and entitlement data needed to confirm access rights.
- This version assumes that Google Sign-In has been removed. If Discord is used only as an external community link, the Company does not collect Discord account information. If OAuth or account-linking is introduced, this Policy must be updated immediately.
- This English version follows the structure of the Korean privacy policy enactment template and reflects the 2026 Korean privacy policy drafting guidance, the Personal Information Protection Act, and security-control concepts referenced from the National Cybersecurity Basic Guidelines.
The Company respects the freedoms and rights of data subjects and complies with the Personal Information Protection Act and other applicable laws. The Company lawfully processes personal information and manages it securely. In accordance with Article 30 of the Personal Information Protection Act, the Company establishes and publishes this Privacy Policy to inform data subjects of the procedures and standards for personal information processing and to handle privacy-related complaints promptly and smoothly.
This Policy applies to the Leaper iOS app, related webpages, customer support channels, account/payment/security operations, and reviewer/contribution features that may be provided in the future. If the actual production build, SDKs, servers, processors, or international transfer structure changes, this Policy will be updated without delay.
This English version is provided for App Store publication and international users. If there is any inconsistency between this English version and the Korean version, the Korean version will prevail to the extent permitted by applicable law.
1. Categories of personal information processed, purposes of collection and use, and retention periods
The Company collects and uses personal information only to the minimum extent necessary to provide the Service. Personal information necessary for contract formation and performance may be processed without separate consent where permitted by applicable law. Optional functions, marketing, personalized advertising, and other items requiring separate consent are processed only within the scope of the relevant consent.
1) Personal information processed without separate consent
| Category | Purpose of collection and use | Personal information processed | Retention and use period | Legal basis |
|---|---|---|---|---|
| Service contract formation and performance | Provision of basic app use and user settings | Selected subjects linked to the device or account, learning level, language/font/notification/app settings, last learning position, app version information | During the period of service use. Deleted within 30 days after membership withdrawal or account deletion, unless statutory retention or dispute response requires longer retention. | Article 15(1)4 of the Personal Information Protection Act (contract formation and performance) |
| Service contract formation and performance | Provision of learning services and review functions | Question-answer history, correctness data, progress rate, streaks, bookmarks, Wrong Notebook, Concept Recap, seals/titles/reward status, selected subjects/tracks/plan entitlements | Until the user deletes the data or within 30 days after account withdrawal. Local records stored on the device may be deleted when the app is deleted. | Article 15(1)4 of the Personal Information Protection Act |
| Service contract formation and performance | Account creation, sign-in, recovery, and cross-device synchronization, where available | Email address, sign-in provider identifier, display name, profile image URL (optional), account status, authentication result values rather than authentication tokens themselves | Within 30 days after account withdrawal. Records related to abuse, disputes, or security incidents may be retained for the period necessary for the relevant purpose. | Article 15(1)4 of the Personal Information Protection Act |
| Service contract performance and e-commerce | Subscription, in-app purchase, and plan entitlement verification | Apple transaction identifier, StoreKit receipt/validation result, product/plan name, subscription status, expiration date, refund/cancellation/renewal status, entitlement information. The Company generally does not collect card numbers, bank account numbers, or other detailed payment instrument data. | For the statutory period under the Act on Consumer Protection in Electronic Commerce, etc., or until related disputes are resolved. | Article 15(1)4 of the Personal Information Protection Act, the Act on Consumer Protection in Electronic Commerce, etc. |
| Service stability and security operations | Detection of abnormal access, error analysis, prevention of and response to security incidents | IP address, access time, device model, OS version, app version, language/country settings, advertising or app instance identifier if used, crash/error logs, access success/failure records, security event logs | Ordinarily within 12 months. If needed for security incidents, disputes, or investigations, for the relevant period. Logs subject to the Protection of Communications Secrets Act may be retained for 3 months. | Article 15(1)4 and Article 29 of the Personal Information Protection Act, the Protection of Communications Secrets Act, etc. |
2) Personal information processed with the data subject's consent
| Category | Purpose of collection and use | Personal information processed | Retention and use period | Legal basis |
|---|---|---|---|---|
| Customer support and rights requests | Receiving and responding to inquiries, handling outages, refunds, and privacy rights requests | Name or nickname, email address, inquiry details, attachments, response history, information necessary to verify a rights request | 3 years after closure of the inquiry. If a dispute remains pending, until the dispute is resolved. | Article 15(1)1 of the Personal Information Protection Act (consent) or Article 15(1)4 |
| Content suggestion and reviewer/contribution features, if provided | Review of proposed questions and explanations, quality control, abuse prevention, dispute response | Submitted questions, explanations, attachments, reviewer comments, approval/rejection history, timestamps, author account information | 3 years after withdrawal of the submission or account deletion. If a dispute remains pending, until the dispute is resolved. | Article 15(1)1 of the Personal Information Protection Act |
| Personalized advertising and behavioral information, including free-plan advertising | Advertising delivery, ad frequency control, prevention of fraudulent ad traffic, ad performance measurement | Mobile advertising/device identifiers such as IDFA/IDFV, app-use events, ad impression/click/conversion data, device/OS/app information, approximate region/language settings, ATT/consent status | Up to 13 months from collection or the period set by the advertising provider policy. Users may restrict tracking or personalized advertising through iOS settings and app settings. | Article 15(1)1 of the Personal Information Protection Act, Apple ATT consent and related notices |
| Push notifications, if used | Learning reminders, payment/security/service notices, optional notification delivery | APNs token, notification settings, device information, notification delivery/receipt history | Until notification opt-out, app deletion, or account deletion. Records of legally required notices may be retained for the necessary period. | Article 15(1)1 of the Personal Information Protection Act or contract performance |
| Marketing and events | Event notices, promotions, surveys, community news | Email address, nickname, marketing opt-in status, delivery/open/opt-out history | Until consent is withdrawn. Delivery records may be retained for the period required by applicable law. | Article 15(1)1 of the Personal Information Protection Act |
The Company does not, as a general rule, collect resident registration numbers, passport numbers, driver's license numbers, alien registration numbers, or other unique identification information, nor does it collect sensitive information. If a new category of personal information becomes necessary for Service operation, the Company will disclose the item, purpose, and retention period in this Policy or through a separate consent screen before collection.
Leaper does not use question-answer results for automated decisions that produce legal or similarly significant social effects. Learning recommendations, Wrong Notebook, seals/titles, and review-queue configuration are learning support features within the Service. Users may request deletion or correction of related records through settings or customer support.
2. Processing and retention period of personal information
The Company destroys personal information without delay when the processing purpose is achieved or the retention period expires. However, information that must be preserved under applicable law, or information necessary for disputes, abuse prevention, or security-incident response, may be segregated and retained for the minimum period necessary for the relevant purpose.
| Record type | Applicable law or retention basis | Retention period |
|---|---|---|
| Records on display and advertisement | Act on Consumer Protection in Electronic Commerce, etc. | 6 months |
| Records on contracts or withdrawal of offers | Act on Consumer Protection in Electronic Commerce, etc. | 5 years |
| Records on payment and supply of goods or services | Act on Consumer Protection in Electronic Commerce, etc. | 5 years |
| Records on consumer complaints or dispute resolution | Act on Consumer Protection in Electronic Commerce, etc. | 3 years |
| Logs corresponding to communication confirmation data, such as website visit records | Protection of Communications Secrets Act | 3 months |
| Tax transaction and evidence records | Framework Act on National Taxes, Value-Added Tax Act, etc. | Statutory period |
3. Destruction procedures and methods
- Destruction procedure: The Company selects personal information for which a destruction ground has occurred and destroys it after confirmation by the privacy officer or an authorized manager.
- Electronic files: Electronic files are deleted by technical methods that make recovery or reproduction difficult. Information included in backups is deleted sequentially according to the backup cycle and retention policy and is not used except for recovery purposes.
- Paper documents: If paper documents are generated through printing, submission, or contract processes, they are shredded or incinerated.
- Statutorily retained information: Information retained by law is stored logically or physically separately from operational data and is not used for unrelated purposes.
4. Provision of personal information to third parties
The Company processes personal information only within the scope of the purposes described in this Policy. Except where separate consent has been obtained, a special legal provision applies, or a lawful request is made by investigative or supervisory authorities, the Company does not provide personal information to third parties beyond the cases permitted under Articles 17 and 18 of the Personal Information Protection Act.
| Recipient | Purpose of provision | Items provided | Retention and use period |
|---|---|---|---|
| Apple Inc. / Apple Distribution International Ltd. and other Apple App Store operators | In-app purchase processing, subscription/refund/receipt verification, app distribution, and App Store account-based services | Apple ID and payment information are processed directly by Apple. The Company may receive only information necessary to confirm entitlements, such as transaction identifiers, product IDs, subscription status, and validation results. | According to Apple policy and applicable statutory retention periods. Information retained by the Company is kept until the payment or dispute handling purpose is achieved. |
| Investigative authorities, courts, supervisory authorities, and other competent public bodies | Compliance with legal obligations, response to lawful data production requests, rights protection, and security incident investigation | Minimum information necessary within the scope of the lawful request | For the period required by the relevant law or procedure |
5. Criteria for additional use or provision
The Company may additionally use or provide personal information without additional consent within a scope reasonably related to the original collection purpose, in accordance with Article 15(3) and Article 17(4) of the Personal Information Protection Act and Article 14-2 of the Enforcement Decree. In such cases, the Company comprehensively considers the following criteria:
- Whether the additional use or provision is related to the original collection purpose.
- Whether the data subject could reasonably expect such use or provision in light of the circumstances or customary processing practices at the time of collection.
- Whether the data subject's interests are unfairly infringed.
- Whether safety measures such as encryption, access restriction, log review, and separate storage have been implemented.
- When additional use or provision occurs, the privacy officer reviews whether the criteria are satisfied and keeps records where necessary.
6. Entrustment of personal information processing
For smooth service provision, the Company may entrust certain personal information processing activities or use external SDKs and platforms as follows. SDKs or processors not used in the actual production build must be removed before publication, and this Policy must be updated when new processors are added.
| Processor or external service | Entrusted function | Data processed | Management standard |
|---|---|---|---|
| Apple App Store / StoreKit | In-app purchase processing, subscription status verification, receipt validation, refund and purchase restoration support | Transaction identifier, product ID, subscription status, validation result, payment/refund-related status values | According to Apple policy and statutory retention periods. The Company retains its own records until the service purpose is achieved or for the statutory period. |
| Google AdMob / Google Mobile Ads SDK | Free-plan advertising, ad impression/frequency management, fraudulent traffic prevention, ad performance measurement | Advertising identifiers (IDFA/IDFV), IP address, device/OS/app information, ad impression/click data, approximate location/language information, ATT/consent status | According to Google policy and consent settings. Personalized advertising can be restricted through iOS tracking permission and app/OS settings. |
| Firebase / Google LLC | App stability analysis, crash/error logs, performance/security diagnostics, app configuration management | App instance identifier, device/OS/app version, crash/error logs, access/event information | According to Google policy and service settings. Unnecessary event collection will be disabled or minimized. |
| Heritage Inc. (주식회사 헤리티지) | Inquiry receipt and response, rights request handling, outage/refund support | Email address, name/nickname, inquiry details, attachments, response history | 3 years after inquiry closure or until termination of the entrustment contract |
| Heritage Inc. (주식회사 헤리티지) | Hosting of webpages and policy documents, server operation, log storage, backup | Access logs and the account, learning, and payment entitlement information necessary for service operation | Until termination of the entrustment contract or achievement of the purpose. Statutory retention items are retained for the applicable period. |
When entering into an entrustment contract, the Company specifies in writing matters required under Article 26 of the Personal Information Protection Act, including prohibition of processing personal information outside the entrusted purpose, technical and managerial safeguards, restriction on sub-processing, management and supervision of processors, and liability for damages. The Company manages and supervises whether processors handle personal information securely. If a processor sub-processes the entrusted work, the Company requires prior approval or compliance with the procedure permitted under the relevant contract.
7. International transfer of personal information
Leaper may use infrastructure operated by overseas providers in connection with App Store services, advertising, app stability analysis, customer support, and cloud operations. In accordance with applicable law, the Company discloses the recipient, country of transfer, transferred items, time and method of transfer, purpose of use, and retention period.
| Recipient | Country of transfer | Transferred items | Purpose | Time and method of transfer | Retention period and refusal method |
|---|---|---|---|---|---|
| Apple Inc. / Apple Distribution International Ltd. | United States, Ireland, and other countries where Apple services are operated | Transaction identifier, product ID, subscription status, receipt validation result, refund/purchase restoration status values | App Store payment, subscription, entitlement verification, and customer support | Transferred through the network during service use or payment, or processed directly by Apple | According to Apple policy and statutory retention periods. Users who do not wish to use App Store payments may choose not to proceed with paid purchases. |
| Google LLC / Google Asia Pacific Pte. Ltd. | United States, Singapore, and other countries where Google services are operated | Advertising identifiers, device/OS/app information, IP address, ad impression/click data, crash/error logs if enabled | AdMob advertising delivery and Firebase stability/security diagnostics | Transferred through the network when the app runs, an ad is displayed, or an error occurs | According to Google policy and consent settings. Users may restrict tracking in iOS settings or withdraw applicable consent in the app. |
| Discord Inc. | United States and other countries where Discord services are operated | Discord account information is generally processed directly by Discord. If OAuth is introduced, disclosed items may include Discord ID, nickname, profile information, and community participation status. | Community connection, user inquiries, and feedback handling | When the user opens an external link or consents to OAuth | According to Discord policy. If only a simple external link is provided, the Company does not collect Discord account information. |
If a user refuses an international transfer, certain external SDKs, advertising, paid purchase, purchase restoration, or customer support functions may be limited. However, users may withdraw consent for personalized advertising or marketing processing that is not essential to contract performance.
8. Security measures for personal information
The Company implements security measures under Article 29 of the Personal Information Protection Act and its Enforcement Decree. Considering the scope directly applicable to a private mobile app service and the scale of the Service, the Company also refers to relevant managerial and technical control concepts from the National Cybersecurity Basic Guidelines as an internal security benchmark. The National Cybersecurity Basic Guidelines primarily apply to public-sector organizations and similar institutions, but Leaper uses their log, account, server, cloud, and incident-response controls as internal reference points.
| Control area | Leaper application measure | Reference standard |
|---|---|---|
| Governance | Designation of a privacy officer, minimum-necessary access for personnel handling personal information, recording of access-right grants/changes/revocations, regular security checks and training | Article 29 of the Personal Information Protection Act; security governance, cybersecurity officer, training, and inspection concepts referenced from the National Cybersecurity Basic Guidelines |
| Accounts and privileges | Separation of administrator accounts, deletion of unnecessary accounts, lockout or additional authentication after five or more authentication failures, revocation of privileges upon resignation, contract termination, or role change, and multi-factor authentication for administrators | Control concepts corresponding to Articles 75 and 76 of the National Cybersecurity Basic Guidelines |
| Logs and audit | Retention of logs including accessor, accessed target, type and time of work, success/failure result, and external transmission information; time synchronization; tamper prevention; detection of unauthorized access; review of security events | Control concepts corresponding to Article 55 of the National Cybersecurity Basic Guidelines. Operational logs are ordinarily retained within 1 year or for the period necessary for law or incident response. |
| Encryption and transmission protection | HTTPS/TLS, encryption or equivalent protection for stored information, one-way hashing for passwords where passwords are used, and access restriction for tokens, keys, and receipt validation values | Security measures under the Personal Information Protection Act and control concepts corresponding to Article 76 of the National Cybersecurity Basic Guidelines |
| Servers and public services | Restriction of access to public servers, removal of unnecessary accounts/services/ports, vulnerability checks, DDoS and intrusion response, minimization of compilers/development tools in production, and separation of development, test, and production environments | Control concepts corresponding to Articles 53, 54, and 27 of the National Cybersecurity Basic Guidelines |
| Cloud and processors | Contractual prohibition of processing outside the entrusted purpose, control of sub-processing, cooperation for incident investigation, management of logs/backups/access rights, and processor security checks | Article 26 of the Personal Information Protection Act and cloud/contractor-security control concepts referenced from the National Cybersecurity Basic Guidelines |
| Incident response | Access blocking, root-cause analysis, evidence preservation, impact assessment, reporting/notification to relevant authorities, recurrence-prevention measures, and recordkeeping of remedial actions | Personal Information Protection Act breach notification/reporting framework and incident-response concepts corresponding to Articles 140 and 142 of the National Cybersecurity Basic Guidelines |
9. Installation, operation, and refusal of automatic personal information collection tools
A mobile app may use device-, app-, or session-based identifiers instead of ordinary web-browser cookies. If the Company operates webpages, it may use cookies or similar technologies for service provision, secure connection verification, statistics, and error analysis.
- Purpose of cookies: maintaining webpage access status, verifying secure connection status, access statistics, and error analysis.
- Cookie refusal method: Users may block or delete cookies through browser settings such as Chrome, Safari, or Edge.
- Mobile app identifier refusal method: Users may disable app tracking through iOS Settings > Privacy & Security > Tracking, or restrict personalized ads through Settings > Privacy & Security > Apple Advertising.
- If cookies or identifiers are restricted, some functions such as login persistence, ad frequency control, error analysis, or personalization may be limited.
10. Collection, use, provision, and refusal of behavioral information
The Company may process behavioral information or device/app event information that does not directly identify users for free-plan advertising, service stability improvement, and security-incident prevention. Tracking for personalized advertising is processed only when Apple ATT consent and any legally required consent have been obtained.
| Category | Collection method | Purpose of use | Collected items | Retention/refusal method |
|---|---|---|---|---|
| App use and advertising behavioral information | Google Mobile Ads SDK, in-app ad impression/click events, OS advertising identifier and consent status | Free-plan advertising, ad frequency control, fraudulent traffic prevention, ad performance measurement, service quality improvement | IDFA/IDFV, app instance identifier, ad impression/click/conversion information, device/OS/app version, approximate region/language information, IP address | Up to 13 months or the period set by Google policy. Personalized advertising can be restricted through iOS Settings > Privacy & Security > Tracking. |
| App stability and error behavioral information | Automatic crash/error event collection when Firebase or a similar stability tool is enabled | Outage analysis, app stability improvement, security-incident root-cause analysis | Crash time, app state, device/OS/app version, error stack/diagnostic information, app instance identifier | Ordinarily within 12 months or the period set by the service provider policy. If needed for incident or dispute response, for the necessary period. |
The Company does not collect sensitive behavioral information, such as ideology, beliefs, medical history, sexual life, or political opinions, for advertising purposes. The Company also does not collect behavioral information to provide personalized advertising to children under 14.
11. Rights and obligations of data subjects and legal representatives, and how to exercise them
- Data subjects may at any time request access to, correction or deletion of, suspension of processing of, withdrawal of consent for, account deletion concerning, or objection/explanation regarding automated decisions involving their personal information.
- Rights may be exercised through in-app settings, customer support channels, email, or written request. The Company will take action without delay within the period required by law.
- Rights concerning personal information of children under 14 may be exercised directly by their legal representatives. Minors aged 14 or older may exercise their rights directly or through a legal representative.
- If a representative exercises rights, the Company may verify valid authority through a power of attorney or equivalent document.
- Requests for access, deletion, or suspension of processing may be restricted where retention is required by another law or where fulfillment of the request could infringe the rights or interests of a third party.
- Leaper's learning recommendations, seals, and review-queue configuration are automated processes for learning support and are not used as automated decisions that produce legal or similarly significant effects.
12. Children's personal information
The Company does not design the Service primarily for children under 14. If the Company processes personal information of children under 14, it will apply additional protective measures required by applicable law, including verification of consent from a legal representative, procedures for the legal representative to exercise rights, and restrictions on personalized advertising.
13. Privacy officer
The Company designates the following privacy officer to oversee personal information processing and handle complaints and remedies for data subjects.
| Item | Details |
|---|---|
| Privacy officer | Jimin Jang / Representative |
| Privacy/Security contact | [email protected] |
| Phone | +82-10-8425-7201 |
| Address | 501, Daejin Village A-dong, 51, Paldal-ro 165beon-gil, Paldal-gu, Suwon-si, Gyeonggi-do, Republic of Korea |
14. Remedies for infringement of rights
Data subjects may contact the following institutions for consultation or remedy regarding personal information infringement.
| Institution | Contact | Website |
|---|---|---|
| Personal Information Dispute Mediation Committee | 1833-6972 (without area code in Korea) | www.kopico.go.kr |
| Personal Information Infringement Report Center | 118 (without area code in Korea) | privacy.kisa.or.kr |
| Supreme Prosecutors Office | 1301 (without area code in Korea) | www.spo.go.kr |
| Korean National Police Agency Cybercrime Reporting System | 182 (without area code in Korea) | ecrm.police.go.kr |
15. Generative AI and external AI model training
Leaper does not provide users' question-answer records, Wrong Notebook records, inquiry details, or attachments to external generative AI models for training. If the Company later introduces AI-based learning explanations, personalized recommendations, question review, customer support automation, or similar features that process user inputs or learning records through AI, the Company will disclose the processed items, purpose, retention period, whether the data is used for model training, and refusal method in this Policy or a separate notice, and will obtain any required consent.
16. Changes to this Privacy Policy
- This Policy may be amended when laws, Service features, integrated SDKs, storage infrastructure, processor/international transfer arrangements, advertising tools, or analytics tools change.
- For material changes, the Company will provide prior notice of the effective date, reason for change, and key changes through in-app notice, webpage notice, email, or another reasonable method.
- The last updated date and effective date of this Policy are June 20, 2026.
Appendix
- Confirm the SDKs activated in the actual production build, including AdMob, Firebase, StoreKit, APNs, and any analytics, crash, or customer support tools.
- Finalize the processor and international transfer tables according to the actual contracting parties, transfer countries, retention periods, and refusal methods.
- Finalize the public contact method for the privacy officer, including whether the phone number should be disclosed or replaced with another contact method.
- Verify that the categories entered in the App Store Privacy Nutrition Label match the categories disclosed in this Policy.
End of Policy.