SoMa Privacy Policy

SoMa Inc. (hereinafter “the Company”) fully complies with the Personal Information Protection Act and related statutes, and strives to protect the personal information of data subjects. This Privacy Policy applies to the processing of personal information of members who use the SoMa service platform (including website and mobile app) operated by the Company, and sets forth the following:

Article 1 (Items of Personal Information Collected and Collection Methods)

  1. Items collected: The Company collects only the minimum personal information necessary for membership registration and service provision:
    • Registration: Mobile phone number (required)
    • Service use & consultations: Name, date of birth, gender, age, contact details, occupation, address, referral source; exercise goals, medical history, preferences, consultation details; preferred day/time, session count & duration, payment date & method, tuition, installment status, ticket usage & cancellation deadlines; membership tier, digital rewards, physical data (weight, muscle mass, BMI, body fat %); instructor assignment, assessment results, satisfaction ratings, session history, InBody trends, etc.
  2. Collection methods: Direct user input at registration; OCR extraction from consultation forms; additional web/app inputs; information provided via customer support; automatic log creation via cookies and log analysis.
  3. Sensitive & unique identifiers: Sensitive data (race, creed, political views, criminal records) is not collected. Health data is collected only with explicit consent; unique identifiers are collected only when legally required, with separate consent.
  4. User rights protection: Members may refuse to provide optional data without affecting basic service use. Personal information is used only for the stated purposes; any change of purpose requires separate consent.

Article 2 (Purposes of Personal Information Collection and Use)

  1. Membership registration & management: identity verification, age check, account management, withdrawal processing.
  2. Consultation & personalized services: member consultations, tailored exercise programs, scheduling, instructor assignment.
  3. Member benefits & analytics: tier & reward management, satisfaction surveys, exercise & body data analysis, AI-driven reports.
  4. Payments & settlements: billing, payment processing, refunds, instructor compensation.
  5. Customer support: inquiry response, complaint resolution, notice delivery.
  6. Marketing & events: new service/event information, promotional messages (consented members only).
  7. Legal compliance & risk management: usage restrictions, fraud prevention, security, record retention.

Article 3 (Retention and Use Period of Personal Information)

  1. General deletion: data is deleted upon withdrawal; the Company may retain it for up to 3 years post-withdrawal for re-registration convenience and analysis, after which it is destroyed or moved to secure storage.
  2. Statutory retention: contracts & withdrawal records – 5 years; payment & supply records – 5 years; complaints & disputes – 3 years; access logs – 3 months.
  3. Dormant accounts: data of inactive members (1+ year) moved to secure storage, destroyed after retention period; members notified 30 days prior.

Article 4 (Provision of Personal Information to Third Parties)

  1. Principle: no third-party provision without consent; if required, notify purpose, recipient, items, retention period, and obtain consent.
  2. Exceptions: lawful requests by authorities; urgent life/safety protection; other legal exceptions.
  3. Current status: no third-party sharing; policy will be updated and consent obtained if this changes.

Article 5 (Commissioned Processing of Personal Information)

  1. Tasks such as development, maintenance, payment processing, SMS/LMS, and cloud hosting may be outsourced to specialized providers.
  2. Contracts ensure prohibition of secondary use, technical & managerial safeguards, restriction on subcontracting, oversight, and liability.
  3. Commissioned provider list not currently disclosed; policy will be updated and published upon changes.

Article 6 (Procedures and Methods for Data Destruction)

  1. Destruction procedures: data selected and destroyed upon retention expiry or purpose fulfillment, with Data Protection Officer approval. Deleted immediately or moved for legal retention then destroyed.
  2. Destruction methods: electronic files permanently deleted (data wiping/overwriting); paper records shredded or incinerated.

Article 7 (Rights of Data Subjects and How to Exercise Them)

  1. Member rights: access, correction/deletion, processing suspension, consent withdrawal & account deletion. Requests processed without delay, identity verification required.
  2. Exercise methods: via website/app menu, customer support email, written request or fax.
  3. Representation: legal representatives or authorized agents may act with power of attorney.
  4. Limitations: may refuse requests for legal compliance, protection of others, or unreasonably repetitive requests.
  5. Correction handling: inaccurate data not used or provided until corrected; third parties notified if necessary.

Article 8 (Protection of Personal Information of Children Under Age 14)

Services target ages 14 and above. Under-14 users require guardian consent. Guardians may exercise all rights on behalf of children. Minimum data is collected; no unjust sharing or outsourcing.

Article 9 (Measures to Ensure Data Security)

Article 10 (Data Protection Officer and Responsible Department)

Article 11 (Policy Change Notification)

This Policy may be amended due to legal or policy changes or security improvements. Significant changes will be notified at least 7 days in advance; those affecting rights materially will be notified 30 days in advance. Effective as of June 16, 2025.